The NSW Rural Fire Service (RFS) is investigating a cybersecurity incident after a hacker gained access to its information and communications technology systems.
In a statement to Information Age, an RFS spokesperson said the agency was working to determine “what information may have been accessed or obtained”.
Information Age understands the incident may have involved a third-party vendor supporting NSW Rural Fire Service radio and telecommunications infrastructure.
An RFS spokesperson confirmed the incident was “initiated from a compromised account and involved our remote access system”.
The threat actor claimed the data was stolen via Citrix, which offers remote access solutions.
Information Age understands the group was unable to successfully deploy its ransomware and encrypt any data for extortion purposes, but some data may have been exfiltrated.
RFS did not specify to Information Age whether the incident constituted a data breach, but a separate email to RFS members reportedly confirmed some data may have been compromised.
“Investigations to date indicate many of the files are historical,” commissioner Kelly Quandt reportedly wrote in an email.
Quandt reportedly confirmed RFS had performed a number of password resets and restricted access to “some websites from RFS computers” as a precautionary measure.
“Some operational passwords, including those used to access Bureau of Meteorology registered user services, have been updated,” Quandt told RFS members.
“We will continue to keep members informed of any significant developments.”
RFS confirms incident after hacker claims refuted
The alleged data breach was originally declared by ransomware gang Nova in mid-June.
The Russian-speaking threat actor at the time shared some samples of purportedly stolen data on the dark web.
Though Nova said it had exfiltrated over 200GB in “sensitive data” from a NSW Government network, NSW chief cybersecurity officer Marie Patane initially told Information Age there was “no evidence of any sensitive information being accessed”.
“The only sample files provided are publicly available and historical information,” Patane said on 17 June.
Nova did not originally specify which government agency it had targeted, but it later named RFS explicitly.
The group also updated its dark web post to include more sample files and published a zip file which allegedly contained over 200GB of stolen data.
When asked to confirm whether a data breach had occurred, an RFS spokesperson said the agency was “responding to a cybersecurity incident involving unauthorised access to its information and communications technology systems”.
“There is no operational impact to firefighting activities,” they said.
No 'sensitive' personal data stolen
An RFS spokesperson told Information Age “at this stage, there is no evidence to suggest sensitive personal information has been obtained”.
Quandt likewise told RFS members there was no evidence to suggest any information had been obtained that could “adversely affect individuals” if disclosed.
“Should it be determined that there has been any significant impact on an individual’s personal information, affected members will be contacted directly,” the acting commissioner said.
Notably, the framing has shifted from earlier government statements to specify no sensitive “personal information” appeared to be affected rather than “no sensitive information” whatsoever.
Nova’s alleged leak sample includes files related to “emergency response projects” and fire behaviour calculations in the early 2010s, as well as a range of PDFs depicting topographic maps.
“The RFS is working closely with cybersecurity experts including Cyber Security NSW and NSW Police,” a spokesperson said.
“The investigation remains ongoing.”