The Australian Securities and Investments Commission has been impacted by Accellion's data breach
# Incident Report: Accellion Third-Party Breach Affecting ASIC
## Executive Summary
The Australian Securities and Investments Commission (ASIC) detected unauthorized access to one of its servers hosted on the Accellion file-sharing platform, which exposed documents related to recent Australian credit license applications. The incident, a third-party breach originating from the compromise of the vendor Accellion, resulted in the potential exposure of sensitive application information and a temporary disruption to ASIC's credit licensing submission process. Response actions focused on isolating the affected server and initiating forensic investigation.
## Incident Details
- **Discovery Date:** On or around January 22, 2021 (implied: ASIC published its statement 10 days after the incident occurred or was discovered).
- **Incident Date:** Prior to January 22, 2021.
- **Affected Organization:** Australian Securities and Investments Commission (ASIC). The initial vector was the third-party vendor Accellion, whose compromise also impacted the Reserve Bank of New Zealand and Westpac.
- **Sector:** Financial Regulator/Government Services.
- **Geography:** Australia.
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, but prior to January 22, 2021.
- **Vector:** Compromise of ASIC's file-sharing solution, provided by the third-party vendor Accellion.
- **Details:** Unauthorized access was gained to a specific server hosting documents associated with recent Australian credit license applications.
### Lateral Movement
- **Details:** The specific details regarding internal lateral movement within ASIC’s systems are not detailed in the summary. The compromise appears focused on the server utilized by the Accellion platform.
### Data Exfiltration/Impact
- **Details:** Limited information suggests that some information from recent Australian credit license applications may have been viewed or compromised by the threat actor. Credit license application processes were disrupted.
### Detection & Response
- **Details:** The incident was discovered when unauthorized access to the Accellion-supported server was identified.
- **Response actions taken:** ASIC completely isolated the impacted server to prevent further compromise and engaged IT teams and cybersecurity advisors to conduct a detailed forensic investigation. ASIC is working to provide a safe alternative submission method for credit license applications.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerability within the third-party vendor's software/system (Accellion file sharing solution).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified, but the attacker accessed documents on the compromised server.
- **Lateral Movement:** Not specified beyond accessing the targeted server.
- **Collection:** Gathering of documents associated with recent Australian credit license applications.
- **Exfiltration:** Implied, as the data was "viewed by the threat actor."
- **Impact:** Exposure and potential compromise of sensitive financial regulatory application data.
## Impact Assessment
- **Financial:** Not estimated/disclosed.
- **Data Breach:** Sensitive information related to recent Australian credit license applications. The volume and exact nature of the compromised data are under investigation.
- **Operational:** Disruption to the submission process for Australian credit license applications until alternative submission methods were established.
- **Reputational:** Negative impact due to the high-profile nature of the breach involving a key financial regulator.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (No specific network IOCs provided).
- **File indicators:** N/A (No specific file hashes provided).
- **Behavioral indicators:** Unauthorized access to the Accellion server containing credit license application documentation.
## Response Actions
- **Containment measures:** The impacted server/system utilizing the Accellion solution was completely isolated to prevent further compromise.
- **Eradication steps:** Forensic investigation initiated with cybersecurity advisors.
- **Recovery actions:** Working to bring systems back safely online and establishing a safe alternative submission channel for credit license applications.
## Lessons Learned
- **Key takeaways:** Third-party vendor risk is a significant and clearly overlooked vector, where a supply chain compromise can immediately impact multiple high-profile clients.
- **What could have been done better:** Robust third-party risk management (TPRM) programs that deeply vet the security posture of vendors providing critical file-sharing or data-handling services are necessary.
## Recommendations
- Immediately review and, if possible, cease use of the compromised Accellion platform until vendor security is verified.
- Implement enhanced segmentation and monitoring around all third-party solutions handling sensitive regulatory data.
- Accelerate the implementation of a comprehensive TPRM framework to assess inherent and residual risks associated with all critical data processors and software providers.
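The second recommendation, enhanced monitoring around third-party solutions that handle sensitive regulatory data, can be made concrete with a small detection routine over the file-sharing service's access log. The following is an added example written for this report; it is not ASIC's or Accellion's tooling, and the log format, folder path, source-IP ranges, thresholds and log lines are all constructed assumptions. It flags two behaviours consistent with the behavioral indicator above: access to the sensitive document folder from a source outside the expected ranges, and bulk downloads of sensitive documents by one principal within a short window.

```python
"""Monitoring hook for a third-party file-sharing service.

Example code added to this report (not ASIC's or Accellion's own tooling).
The log format, hosts, IP ranges and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log format: "<ISO timestamp> <user> <src_ip> <action> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Assumed internal/partner ranges from which access to the sensitive folder is expected.
EXPECTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]
# Assumed folder holding regulated submissions on the file-sharing host.
SENSITIVE_PREFIX = "/licensing/credit-applications/"
BULK_THRESHOLD = 5                 # downloads per (user, ip) that trigger an alert
BULK_WINDOW = timedelta(minutes=10)

# Constructed sample log: one internal upload, one internal download, then a
# burst of downloads from an address outside the expected ranges.
SAMPLE_LOG = [
    "2021-01-15T02:01:10 svc_upload 10.0.4.12 UPLOAD /licensing/credit-applications/app-1001.pdf",
    "2021-01-15T02:14:00 analyst1 192.168.50.7 DOWNLOAD /licensing/credit-applications/app-1001.pdf",
    "2021-01-15T03:20:01 webadmin 203.0.113.45 DOWNLOAD /licensing/credit-applications/app-1001.pdf",
    "2021-01-15T03:20:05 webadmin 203.0.113.45 DOWNLOAD /licensing/credit-applications/app-1002.pdf",
    "2021-01-15T03:20:09 webadmin 203.0.113.45 DOWNLOAD /licensing/credit-applications/app-1003.pdf",
    "2021-01-15T03:20:14 webadmin 203.0.113.45 DOWNLOAD /licensing/credit-applications/app-1004.pdf",
    "2021-01-15T03:20:20 webadmin 203.0.113.45 DOWNLOAD /licensing/credit-applications/app-1005.pdf",
    "2021-01-15T03:25:00 analyst1 192.168.50.7 DOWNLOAD /public/forms/guide.pdf",
    "malformed line that should be skipped",
]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, action, path = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "action": action,
        "path": path,
    }


def from_expected_source(ip):
    """True when the source address falls inside an expected range."""
    return any(ip in net for net in EXPECTED_SOURCES)


def detect(lines):
    """Return a list of (alert_type, user, ip, detail) tuples for the given log lines."""
    alerts = []
    downloads = defaultdict(list)  # (user, ip) -> timestamps of sensitive downloads
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines rather than failing the whole run
        sensitive = ev["path"].startswith(SENSITIVE_PREFIX)
        if sensitive and not from_expected_source(ev["ip"]):
            alerts.append(("unexpected_source", ev["user"], str(ev["ip"]), ev["path"]))
        if sensitive and ev["action"] == "DOWNLOAD":
            key = (ev["user"], str(ev["ip"]))
            # Slide the window: keep only downloads within BULK_WINDOW of this event.
            recent = [t for t in downloads[key] if ev["ts"] - t <= BULK_WINDOW]
            recent.append(ev["ts"])
            downloads[key] = recent
            if len(recent) == BULK_THRESHOLD:
                alerts.append(("bulk_download", ev["user"], str(ev["ip"]),
                               f"{BULK_THRESHOLD} sensitive downloads within {BULK_WINDOW}"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Internal traffic from the expected ranges produces no alerts, while the burst from 203.0.113.45 produces one `unexpected_source` alert per access and a single `bulk_download` alert on the fifth download. In practice the expected ranges and the sensitive path would come from the vendor platform's configuration, and the alerts would be forwarded to the SIEM that watches the rest of the estate.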