Victoria’s courts and tribunals have been rocked by a cyber security incident which disrupted in-court technology and potentially exposed video and audio recordings to suspected Russian hackers.

Court Services Victoria (CSV) – an administrative body which supports court operations in Victoria – was alerted to the incident during the lead-up to the holiday break, marking the first reported cyber attack on Australia’s justice system.

According to the ABC, staff were suddenly locked out of their computers as messages reading “YOU HAVE BEEN PWND” forcefully appeared on their screens.

In a statement issued 2 January, CSV chief executive officer Louise Anderson explained the incident involved “unauthorised access” which led to “disruption” of the audio visual in-court technology network.

Anderson further confirmed video recordings, audio recordings and transcription services were impacted during the incident, with recordings for some hearings potentially being accessed.

“Recordings of some hearings in courts between 1 November and 21 December 2023 may have been accessed,” said Anderson.

“It is possible some hearings before 1 November are also affected.”

While CSV became aware of the incident on 21 December, the breach first occurred on 8 December, and was reportedly contained to a single system dedicated to managing audio-visual recordings for all courts.

At least four courts in Victoria were impacted by the incident, including the Supreme Court, the County Court, the Magistrates’ Court, and the Coroners Court.

While the Supreme Court saw potential unauthorised access of hearings between 1 December and 21 December, the County, Magistrates’ and Coroners courts are facing potential impacts between 1 November and 21 December.

Notably, CSV revealed the impact on the County Court may extend to all criminal and civil hearings recorded on the network during the specified date range, while the Coroners Court is facing potential unauthorised access for all hearings during the same period.

Meanwhile, CSV reports only one October hearing may have been impacted in the Children’s Court, while no VCAT hearings have been impacted whatsoever.

While Anderson offered scant information on the precise volume of information impacted during the incident, the chief executive assured “no other court systems or records”, including employee or financial data, were accessed.

Finger being pointed at Russian hackers

CSV has kept tight-lipped regarding the identity of those behind the incident – stating it does not “provide information or details on cyber threat actors” and neglecting to confirm whether it has received a ransom demand – though reports suggest Russia-affiliated actors may have been involved.

According to the ABC, cyber security expert Robert Potter said the court system was “almost certainly” hit by a Russian phishing attack employing an increasingly prominent ransomware named Qilin.

“It’s a double extortion approach,” said Potter.

“They take the data out, and then encrypt it. If you don’t pay, they leak your data, and you will never access it.”

The ransomware gang behind Qilin first launched its criminal operations in August 2022 under the name “Agenda” and has since been known for targeting large enterprises and organisations in healthcare and education.

In November last year, the group further claimed responsibility for a particularly notable attack against one of the world’s largest automotive parts suppliers, Yanfeng Automotive Interiors.

While Qilin’s motivations for its suspected attack against Victoria’s courts are unclear, the group could stand to benefit from obtaining sensitive information for leverage in later ransomware attacks.

Russia-affiliated hacks have been a frequent concern for Australia over recent years.

Last June, the Australian government formed a crisis group following a Russia-linked hack against law firm HWL Ebsworth which raised fears over potential theft of Commonwealth data.

So great was the concern that Australia joined multiple international partners to express “serious concerns” over Russia-based cyber operations which aim to interfere in democratic processes.

CSV said it understands the attack against Victorian courts would be “unsettling” for those involved in hearings, and apologised for any distress caused.

The administrative body immediately isolated the affected network after it discovered the incident and has taken steps to ensure operations continue into January.

“Maintaining security for court users is our highest priority,” said Anderson.

“Our current efforts are focused on ensuring our systems are safe and making sure we notify people in hearings where recordings may have been accessed.”

Victoria Police’s cyber crime squad is currently investigating the incident, with CSV working closely alongside cyber security experts in the Victorian Department of Government Services.