On 2 November 2016, the NCSC was made aware that a targeted spearphishing campaign against a New Zealand Health Sector organisation had been successful. This has resulted in the membership information of the organisation being released to a likely malicious actor. The information included first and last names, email addresses, an indication of current member status, and an anonymised identifier about place of employment. At this point, it is unclear who the actors involved are, and no information is known about their intentions or motivations. Based on previous experience, the NCSC assess that the most likely motivation for this compromise is financial; however this is only one of several possible explanations. The NCSC considers it likely that these email addresses could be used for a range of malicious or criminal purposes.
At this stage there has been no successful compromise leveraging the disclosed credentials reported to the NCSC. Even though it is unclear exactly what purpose the disclosed credentials will be used for, there are actions that your organisation can take to reduce exposure to their malicious usage. The NCSC recommends the following:
Ensure staff remain vigilant in dealing with emails that contain links, attachments, or that attempt to solicit information. Users should verify any unexpected request for information with a phone call to the sender before replying. The NCSC recommends referring staff to the ConnectSmart resources on phishing, which are available at: https://www.connectsmart.govt.nz/assets/Uploads/Tip-Sheet-4-Phishing.pdf
Given this release, it is prudent to make an immediate backup of critical data. This will mitigate the effects of any potential compromise, particularly ransomware, by allowing critical data to be restored in a timely manner. Further information on ransomware can be found on the ConnectSmart resource at https://www.connectsmart.govt.nz/assets/Uploads/Tip-Sheet-5-Ransomware.pdf
This includes implementing the use of two factor authentication, and considering limiting remote access to only New Zealand IP addresses where practicable. This will reduce the risk of leaked credentials being used to carry out brute force attacks.
This should include complexity, length and maximum password age requirements. Once again this will significantly reduce the risk of a brute force attempt succeeding.
The NCSC assesses that completion of the above steps will help to mitigate against likely attack vectors. The NCSC recommends that affected entities and organisations remain vigilant for any indication of suspicious emails and activity. The New Zealand Ministry of Health is the lead agency on this incident, and the NCSC urges any affected entities to contact the Ministry should they have any further information about this incident, or their IT provider for assistance and support.