Updated: Cryptolocker malware hits IRD, locks 3500 files
- 26 February, 2018 05:30
Malware was executed within IRD after it fell victim to a phishing attack
Thousands of Inland Revenue files were locked up after New Zealand's tax department became the target of a cryptolocking attack.
IRD said that in addition to the phishing emails targeting customers, the department also regularly receives phishing emails attempting to obtain money or information or to compromise the Inland Revenue environment.
"In November 2017, a link in a phishing email was clicked on resulting in a cryptolocker malware executing within Inland Revenue which encrypted 3500 files," a statement to Parliament's Finance and Expenditure Committee said.
IRD has since told Reseller News the attack occurred in November 2016, not 2017 as it told the committee.
The files were recovered from back-up and no Inland Revenue data was lost or compromised, IRD said in response to questions during the department's annual review.
"The cryptolocker variant we were dealing with was called Locky," a spokesman told Reseller News. "The affected files were isolated, removed and backed up within 24 hours of the ransomware being discovered."
The attackers behind Locky have pushed the malware aggressively, using massive spam campaigns and compromised websites.
Locky, which encrypts files on victims’ computers and then demands a ransom of between 0.5 and 1 bitcoin, was unleashed in aggressive spam campaigns in February 2016, according to Symantec.
"One of the main routes of infection has been through spam email campaigns, many of which are disguised as invoices.
"Word documents containing a malicious macro are attached to these emails."
Since this incident, IRD has established a three-year awareness programme to further educate staff about cyber security, the spokesman said.
"The activities undertaken to date include: security awareness presentations at nearly all IR sites; instructional videos hosted on our intranet coinciding with 2017 Cyber Smart Week; a series of simulated phishing exercises for randomly selected staff; and regular blogs, updates and articles about information security hosted on internal communications channels."
Additional controls around anti-virus updates and updates to IRD's email and web proxy services have also been implemented to reduce the likelihood of a recurrence, the department told the committee.
There have been a series of such attacks over the last five years, culminating in last year's NotPetya attack.
The Government Communications Security Bureau condemned that attack this month and joined other such agencies in attributing the attack to Russia.
"While there were no reports of NotPetya having a direct impact in New Zealand, it caused disruption to some organisations while they updated systems to protect themselves from it," said Andrew Hampton, director general of GCSB.
The Locky attack appears to have been the only data security issue to strike IRD during the year, marking improved performance from earlier years. Nine security issues were reported in 2013, eight in 2014, six in 2015 and four in 2016.
Furthermore, no laptops or tablets went missing during the year, compared with two in 2016.
In all of the reported instances, IRD said access to information was restricted "based on the implementation of standard device authentication security protocols, including hard drive encryption and strong password policies."
The document also reveals that out of a total of $133.7 million paid to contractors on its business transformation programme during the year, Accenture was paid $41.4 million and Deloitte $12 million, while Fast Enterprises, the outfit delivering IRD's new tax administration system, was paid $35.7 million.
It also discloses IRD's software licensing costs, which continue to grow, more than doubling from $3.2 million in 2013 to $7.2 million in 2017.