A ransomware gang claims to have stolen almost 300GB of data from Australian immigration consultancy Aussizz Group, including countless payslips, visa details, and documents containing passport information.
The purported leak popped up on the dark web blog ‘Dragonforce’, a ransom gang which first appeared in early December 2023.
Among other victims, the gang’s dark web leak site currently lists an entry for Aussizz Group – an Australia-based global education consultancy and immigration firm which offers visa and citizenship applications for Australia, New Zealand, Canada, US, and UK.
At the time of writing, the Dragonforce leak page yields thousands upon thousands of seemingly legitimate stolen data records – including visa details, passport information, employment agreements, skill assessments, union consultations, and much more.
The purported leak is sized at 278.91GB and formatted as though a direct pull of stolen personal records – sporting droves of folders organised by victim names, alongside items such as “Payslips summary.pdf”, “Entertainment Visa”, “Student Visa”, “Education records” and “Wedding and Reception Photos_compressed.pdf”.
While the sensitive nature of the data could enable attackers to commit further attacks – such as identity fraud and targeted phishing scams – Dragonforce’s claims have not been publicly verified by Aussizz.
A lacklustre response
In a statement issued 19 April, Aussizz said it was “responding to a cyber security incident” and would “notify affected individuals and provide the necessary support in accordance with our obligations” should its investigations reveal the impacted dataset includes personal information.
The company claims it has launched an investigation into the incident, engaged cyber security specialists, and set up a “Cyber Security Resources Hub” to support its customers – offering “general in nature” advice on monitoring financial accounts and avoiding use of public Wi-Fi.
In said resource hub, Aussizz further urged customers to consider whether replacing their identification documents “is a necessary step”, stating “unauthorised access to identification information generally does not affect its validity”.
When asked whether any of the files on Dragonforce’s dark web page are legitimate, Aussizz referred Information Age to its existing statements.
Nilesh Nandan, immigration lawyer and special counsel at national migration practice MyVisa Lawyers, told Information Age that until it is clear what data was unlawfully accessed, anyone who has shared data with Aussizz or its sub-agents “should assume the worst”.
“Unlike an Optus or a Dan Murphy’s breach, any migration practice data breach is ‘next level’,” said Nandan.
“Migration breaches can potentially expose extremely sensitive information – for example details of protection claims, intimate relationships, family violence, health, criminality, Home Affairs investigations, and national security assessments.”
“One would expect a world-class migration firm to have provided a lot more information about this breach on its website and across its social media channels – and to share this information directly with all industry stakeholders, so that others might also take immediate action to contain the breach.”
While Dragonforce’s leak site does not publicly demand a ransom from Aussizz Group, threat intelligence company Falconfeeds.io shared an early screenshot of the site which displayed a publication timer counting down to 19 April 2024 – implying the ransom gang had at least made contact.
When asked by Information Age, Aussizz did not confirm whether Dragonforce has approached the company with any ransom demands.
At the top of the gang’s dark web page is a header reading “companies that refused to cooperate”.
Connection with notorious Lockbit gang
While Dragonforce is a relatively young outfit, its exploits have already made big waves in cyber security circles.
In December, the group claimed an attack on probiotic company Yakult Australia, on Christmas Eve it claimed another on US lottery organisation Ohio Lottery which forced the company to shut down some key systems, and in April the group clashed with the government of Palau after threatening to publish a collection of stolen data.
According to threat intelligence firm Cyble, Dragonforce has been observed using a leaked ransom builder from notorious ransom gang Lockbit, likely to create its own ransomware tool.
Lockbit – which is often described as the world’s most harmful cybercrime outfit – has spent the bulk of 2024 in a game of cat-and-mouse with global authorities, suffering major server takedowns, member arrests, and jail-sentences, yet still managing to continue its criminal exploits as recently as April.
While Cyble did not observe an operational connection between Dragonforce and Lockbit, the firm said Dragonforce’s use of Lockbit’s ransom builder “underscores the growing threat posed by the abuse of leaked malware-building tools in cyberattacks.”
“The accessibility of such tools enables threat actors to customise and deploy ransomware payloads with ease, amplifying the risk landscape for organisations globally,” wrote Cyble.
Aussizz said it had reported its potential data breach and engaged relevant government agencies, with ID Support NSW acknowledging the incident as of 30 April.
“Aussizz have reported a potential data breach claim that cyber criminals have stolen and published company data,” wrote ID Support NSW.
“Regular updates are being provided to the National Cyber Security Coordinator, with collaborative efforts underway involving the National Office of Cyber Security, relevant Commonwealth, state, and territory agencies, and Aussizz Group to manage the incident.
“The Australian Federal Police is informed of the situation.”