A third-party secure file sharing supplier for the Reserve Bank of New Zealand was breached in a cyberattack.
# Incident Report: Accellion File Transfer Application Compromise Affecting RBNZ
## Executive Summary
A third-party secure file sharing supplier, Accellion, used by the Reserve Bank of New Zealand (RBNZ) experienced a cyberattack resulting in a security incident involving the RBNZ's File Transfer Application (FTA). The attack was not specific to RBNZ, as multiple other users of the application were also compromised. The compromised data may include both commercially and personally sensitive information.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the RBNZ issued an official statement on January 12, 2021.
- **Incident Date:** Attack occurred prior to the January 12, 2021 disclosure.
- **Affected Organization:** Reserve Bank of New Zealand (RBNZ) and other entities using Accellion FTA.
- **Sector:** Central Banking / Financial Regulation.
- **Geography:** New Zealand.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Prior to Jan 12, 2021).
- **Vector:** Exploitation of the Accellion File Transfer Application (FTA).
- **Details:** The FTA supplied by Accellion was illegally accessed by threat actors.
### Lateral Movement
- **Details:** Not specified in the available data. Movement likely occurred within the Accellion vendor environment, affecting data stored there.
### Data Exfiltration/Impact
- **Details:** Commercially sensitive and personally sensitive information stored on the RBNZ's FTA system may have been accessed or exfiltrated.
### Detection & Response
- **Details:** The RBNZ was advised of the breach by the third-party provider (Accellion).
- **Response Actions:** The RBNZ began working with affected stakeholders directly and withheld further details to protect the ongoing investigation.
## Attack Methodology
*Note: Specific technical details regarding the attacker's methodology against the RBNZ's system are largely unavailable as the RBNZ deferred to the vendor investigation.*
- **Initial Access:** Exploitation of the third-party Accellion File Transfer Application (FTA).
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown (Likely lateral movement within the compromised Accellion infrastructure).
- **Collection:** Collection of commercially and personally sensitive data.
- **Exfiltration:** Data theft from the FTA occurred; the scope of what was taken has not been disclosed.
- **Impact:** Unauthorized access and potential exposure of sensitive data.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Potentially includes commercially sensitive information and Personally Identifiable Information (PII). Volume and exact nature not disclosed.
- **Operational:** The RBNZ's ability to securely share specified data was compromised via the third-party tool.
- **Reputational:** Public disclosure required, impacting trust in the RBNZ's third-party management processes.
## Indicators of Compromise
*No specific IoCs (IPs, domains, hashes) were provided in the source text.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Unauthorized access to the Accellion FTA platform.
## Response Actions
- **Containment measures:** The RBNZ began working directly with affected stakeholders impacted by the breach.
- **Eradication steps:** Not specified; remediation of the FTA platform was likely handled by Accellion.
- **Recovery actions:** Not specified other than working with stakeholders.
## Lessons Learned
- Reliance on third-party vendors introduces significant supply chain risk: a single vendor compromise can directly lead to breaches at multiple downstream customers (similar to the SolarWinds incident mentioned).
- Attackers are actively targeting third-party service providers to gain access to multiple downstream clients simultaneously.
- Managing vendor security posture is critical; the incident shows the need to strengthen the overall security posture of the vendor network.
## Recommendations
- Conduct comprehensive due diligence and continuous monitoring of security controls for all critical third-party vendors processing sensitive data.
- Review contractual agreements to ensure liability and incident response transparency from vendors like Accellion.
- Limit third-party application access solely to the necessary data required for their function to minimize the blast radius of a vendor breach.