Cyber Incident Victim: Isaac Regional Council
Date: Apr 2023
Location: Australia
Summary
Isaac Regional Council in Australia suffered a ransomware attack that targeted its internal systems, reducing customer service capabilities. The council isolated affected systems and engaged specialist cybersecurity experts and the national cybersecurity center for investigation. At the time of disclosure, there was no evidence that data had been exfiltrated, but this was still under investigation. The incident highlighted the cybersecurity risks faced by local government entities responsible for critical infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around April 1, 2023, the Isaac Regional Council, a local government body serving nearly 21,000 residents in central Queensland, Australia, discovered it was the victim of a cybersecurity incident. The council's internal team identified the event, which was subsequently characterized as a ransomware attack. Upon discovery, the council's ICT department took immediate precautionary action by shutting down its internal systems to contain the threat and begin an investigation. This system-wide shutdown resulted in significantly reduced customer service capabilities across the council's operations. Specialist cybersecurity experts were flown in to assist on-site over the weekend following the discovery.

The council's chief executive officer, Jeff Stewart-Harris, publicly confirmed the ransomware incident, stating the council became aware of it on April 1. He emphasized that safeguarding customer and employee information was a top-tier priority for the organization. The initial investigation, conducted in partnership with external experts from Dell Incident Response and Recovery Services and the Australian Cyber Security Centre (ACSC), aimed to determine the source of the attack and its full impacts. At this early stage, the council stated it did not have any evidence to suggest that large volumes of data had been uploaded or exfiltrated from its systems, though this aspect remained under active investigation and could not be guaranteed. The exact source of the malware was unknown, with officials noting that such attacks can originate from a range of vectors including emails with malicious links or attachments, non-corporate devices connecting to the network, long-term targeted attacks, or exploitation of security vulnerabilities.
The council is responsible for managing several pieces of critical infrastructure, including waste disposal, sewerage services, local roads, and water supply. As a result of the containment measures, internal systems were widely affected. However, the council reported that some separate and isolated systems continued to operate normally. These included landfill operations, library services, and the SCADA system used for monitoring the regional water supply. This partial operational continuity was crucial for maintaining essential public services. For customer-facing operations, the council's ability to process payments was maintained, albeit through manual methods; the council confirmed it could still process payments via EFTPOS and issue manual receipts. Residents were advised that they could visit council offices and libraries in person during business hours for assistance, though they were urged to contact the council via a designated phone number, (07) 2104 5417, for emergent issues only while the situation was being resolved.
Communication with the public was primarily handled through the council's official Facebook page and a dedicated section on its website. The council committed to providing ongoing updates through these channels as the investigation evolved and more information became available. The FAQs published on the council website underscored the seriousness with which the matter was being treated and the uncertainty surrounding the timeline for a full resolution. The council explicitly stated it was unknown when the investigation would be completed. In its public communications, the council also directed residents to best practice cybersecurity guidance published by the ACSC, stressing the need for heightened vigilance from both businesses and individuals in the face of such threats.
The incident highlighted the broader cybersecurity risks faced by local government entities across Australia. Industry research from 2021 had previously suggested local government was one of the sectors least likely to be targeted by malicious actors, a perception experts warned led to complacency. However, several high-profile attacks on councils, such as one targeting Stonnington City Council in Melbourne, had since shifted attention to their potential vulnerabilities. A 2022 report from the Australian Cyber Security Centre had raised concerns about the propensity to allocate cyber defense resources to larger utilities at the expense of smaller, council-run operations, which posed a serious security risk. This risk was further exacerbated by the prevalence of legacy systems within local governments, which often could not be updated due to a lack of technical skills and financial resources. A capability maturity assessment conducted by the Western Australia Auditor General's office in 2022 across 12 local governments found that none met expectations across six broad cybersecurity criteria and none met the benchmark for information security, representing a considerable risk to the confidentiality, integrity, and availability of their information systems.
Throughout its response, the Isaac Regional Council maintained that it was taking the incident extremely seriously. CEO Jeff Stewart-Harris expressed confidence in the team handling the situation, stating, "We have a strong IT team who are working with the best cybersecurity experts in the field." He described the meticulous due diligence being undertaken as the cornerstone of the recovery process from a cybersecurity incident and asked for the public's patience. The council's systems remained intentionally locked down as a precautionary measure to safeguard data while the forensic investigation continued to determine if any personal information of residents or employees had been accessed or compromised. The overarching priority, as repeatedly stated, was the protection of customer and employee information as the council and its partners worked to understand the full nature and scope of the ransomware attack.
