Data Stolen in Fire Rescue Victoria Cyber-Attack Now on Dark Web

Written by Staff Writer.

An IT outage resulting from a cyber-attack at Fire Rescue Victoria (FRV) is entering its second month, with the emergency services agency this week confirming that hackers stole data during the cyber-attack. The stolen data includes personally identifiable information of former, prospective, and current employees. A ransomware group has since claimed responsibility for the data heist.

On January 11, 2023, FRV released a statement saying that hackers had downloaded data during the December 15 cyber-attack and that some of that data was now available on the dark web.

“Given the nature of the cyber-attack, we have reasonable grounds to believe that personal information of current and former employees, individual contractors and secondees of FRV and the former Metropolitan Fire and Emergency Services Board (as well as job applicants and other individuals) may have been accessed or stolen by the criminals,” the statement read.

On the same day as the FRV statement, the Vice Society ransomware group claimed responsibility for the attack and released a data set to substantiate its claims. Internal and external analysts retained by FRV are now analysing the data to authenticate it.

“It is a complex task to analyse the data that has been shared on the dark web, and we have cyber security specialists assisting with this analysis. As we identify what information may have been released, we will provide further information,” the FRV statement added. Last week, FRV informed the Office of the Australian Information Commissioner (OAIC) that the data breach likely included personally identifiable information.

Often overshadowed by higher-profile ransomware groups, Vice Society gained a degree of notoriety in 2022 when it launched a series of ransomware attacks on entities outside its typical healthcare and education industry targets in the Northern Hemisphere. At the same time as claiming responsibility for the FRV attack, Vice Society also claimed responsibility for a similar cyber-attack on San Francisco’s Bay Area Rapid Transit system. They released a trove of data stolen in that attack late last week.

US cybersecurity firm SentinelLabs last month reported that Vice Society had used a new custom-branded ransomware payload in recent intrusions. That payload is called PolyVice and “implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms.” SentinelLabs also believes Vice Society is making the software available to other ransomware groups.

Once Vice Society has the data, the cybersecurity firm says the group uses the double extortion technique. In 2022, as they expanded away from their traditional target industries, Vice Society took a more opportunistic approach, looking at a broader range of entities with potential vulnerabilities.

The FRV’s website says that the agency continues to feel the fallout of the December cyber-attack. They are reportedly still using offline resources to manage and perform day-to-day activities such as dispatching crews from the FRV’s 85 fire stations. However, the cyber-attack never impacted emergency response services.

“FRV will attempt to contact anyone who might be affected by the incident to alert them to these tips and the support available,” this week’s statement noted. “We encourage those who may be affected to remain vigilant with all online communications, validate any information they receive and follow other cyber security tips.”