Skip links

Court hearings become ransomware concern after justice system breach

The court system of Victoria, Australia, was subject to a suspected ransomware attack in which audiovisual recordings of court hearings may have been accessed.

Louise Anderson, CEO at Court Services Victoria (CSV), confirmed this week that a “cybersecurity incident” was detected on December 21 targeting CSV’s audiovisual network.

The incident began on December 8 and attackers may have accessed hearings between November 1 and December 21, with a small number of recordings generated before this range also potentially compromised.

Different courts within the system were affected to varying degrees. The Supreme Court of Victoria, aside from two regional hearings in November, only had recordings accessed between December 1 and 21, for example.

Others like the County Court, Magistrates’ Court, and Coroners Court may have had recordings accessed starting from November 1. 

The Children’s Court had no recordings accessed other than one hearing from October that may have remained on the affected network.

CSV’s audiovisual network is independent of its other systems, meaning employee and financial data are unaffected, and there was no impact on the running of the courts.

Concerns exist over the potential leaking of information from particularly sensitive cases heard during the last two months of 2023.

Anderson also suggested that at least some of the recordings that cybercriminals may have accessed could have compromised those who have had their identity protected by court orders or legislation.

“CSV has been working with justice system agencies to identify sensitive matters,” she said. “Courts are notifying parties whose hearings may have been affected and those parties can discuss any specific concerns at that time. CSV has also partnered with IDCARE, Australia’s national identity and cyber support community service, to work with people to address their concerns.

“CSV is not currently aware of any recordings being released but will notify the relevant authorities should this occur. Maintaining security for court users is our highest priority and we recognize and apologize for the distress this incident may cause.”

In addition to contacting affected individuals directly, CSV has established a contact center for anyone to request further support about the break-in.

The restoration of the affected systems, which were taken offline after detecting the intrusion, is ongoing but will also include additional improvements to the security of the courts’ IT infrastructure, we’e told.

Cybersecurity experts from the Victorian Department of Government Services are involved, while the Victoria Police, Victoria Legal Aid, and the Office of Public Prosecutions are also helping to investigate the most sensitive aspects.

Ransomware’s involvement

The CSV hasn’t yet commented on who or what group may be behind the attack, nor has it confirmed it to be ransomware in nature. However, the wording of the incident disclosure, coupled with statements from experts, suggest ransomware may have been deployed.

Responding to a pre-empted question concerning how CSV was alerted to the incident, Anderson said the computers dedicated to controlling audiovisual recordings “were disrupted.”

Speaking to ABC News, security expert Robert Potter said the attack is likely the work of the Russia-based Qilin ransomware group.

Potter, who has reportedly seen evidence of the assault, confirmed the attackers are adopting a double extortion approach. Qilin is yet to claim the attack on its leak site, but double extortion scenarios involve the group threatening to leak the stolen data if a ransom demand isn’t met.

If the incident is playing out as Potter says, it means the court recordings may be leaked online if CSV refuses to meet the attacker’s demands.

Given the potentially sensitive nature of the hearings affected by the incident, it’s also not unheard of for ransomware leaders to intervene and prevent the leaking of data on moral grounds. This is by no means a certainty, however.

Like many countries, Australia officially advises against organizations paying ransoms. The country is also part of the International Counter Ransomware Initiative (CRI), which is working toward a joint pledge to refuse ransom payments at the government level.

In its 2023-2030 National Cyber Strategy published in November, the country dropped its plans to ban ransomware payments using legislation after the idea was initially floated in 2022, although the plans will be revisited in two years.

High-profile attacks on organizations such as Medibank and Optus are thought to have inspired the plans to ban ransom payments, while also prompting the Australian government to set its sights on becoming a world leader in cybersecurity by 2030. ®

Source