CyberBakery Chronicles

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (04 April 2025)

Cybercriminals Target NSW Online Registry, Stealing Data That Could Endanger Domestic Violence Victims

Australian authorities have launched an investigation into a serious cyber attack on the New South Wales Online Registry website (ORW), which has resulted in the theft of approximately 9,000 sensitive legal files. The breach, discovered on Tuesday, has prompted immediate action from cybercrime detectives and the Department of Communities and Justice (DCJ).

Among the compromised data are affidavits and apprehended violence orders (AVOs), which are restraining orders designed to protect victims of domestic violence, child abuse, assault, harassment, stalking, and sexual assault. Security experts are particularly concerned about the theft of these documents, as they contain names and addresses of both victims and alleged offenders, potentially putting vulnerable individuals at risk if released publicly.

"I've been advised by the Department of Communities and Justice about a significant cyber breach affecting the NSW Online Registry Website," said Michael Daley, NSW's attorney general, in a press statement. "The NSW government is taking this incident seriously. I am assured that DCJ is working with Cyber Security NSW and the NSW Police to ensure the ongoing integrity of the system."

Law enforcement officials have begun contacting individuals they believe may be affected by the breach. They have also urged anyone concerned about their data being compromised to file a report through ReportCyber, Australia's official cybercrime reporting service.

The incident raises serious concerns about potential extortion, as the stolen AVOs would provide cybercriminals with powerful leverage against victims who may pay to prevent the public release of sensitive information about their cases. The full extent of the data theft is still being determined as the investigation continues.

This breach follows a similar incident in Victoria's court system just a year ago, where a suspected ransomware attack resulted in the theft of various audio-visual files from the network, with compromised data spanning from 2016 to late 2023.

While officials described the ORW as "a secure online platform," the successful exfiltration of thousands of sensitive legal documents raises questions about the effectiveness of cybersecurity measures protecting Australia's judicial information systems.

Nine Newspapers Subscriber Data Exposed Through Third-Party Supplier

A cybersecurity breach has exposed the personal data of thousands of subscribers to Nine newspapers, including the Sydney Morning Herald, The Age and The Australian Financial Review.

Approximately 16,000 print subscribers' names, postal addresses, and email addresses were left exposed online following what the company described as "an unauthorised change" to a third-party supplier that had access to subscriber details. Nine emphasized that payment details and passwords were not affected in the breach.

Nine was first alerted to the data exposure by a security researcher who discovered that subscriber information held by the third-party supplier was not protected according to Nine's internal data protocols. The company stated that there was no breach of its internal technology infrastructure and that the exposed data is no longer visible online.

"While there has been no breach of Nine's internal technology infrastructure, Nine treated this matter seriously and worked with the third party to resolve the issue," a spokesperson for the company said. "The customer personal information that was held by the provider was limited to name, postal address and/or email address."

Nine is contacting all impacted subscribers, though security experts warn that the exposed information could put thousands of users at risk of targeted cyber attacks.

This marks the second major cybersecurity incident reported in Australia within days, following a separate breach last week in which 9,000 sensitive court files were downloaded from the NSW Courts' online registry.

Sydney Tools Leaves ClickHouse Database Exposed, Leaking Millions of Order Records

A significant data breach at Sydney Tools has exposed sensitive information from tens of millions of online orders, including customer names, home addresses, and other personal details.

The professional tools wholesaler and retailer left a ClickHouse database unprotected, leaking data on employees and customers. According to cybersecurity researchers, the exposed database contained over 5,000 entries with information about past and present employees, including names, branches of employment, salaries, and sales targets.

Even more concerning, the leak includes over 34 million online order records containing customer names, email addresses, home addresses, phone numbers, and details about items purchased. Despite attempts to contact the company, researchers report that the exposed database remains accessible, meaning sensitive data continues to leak.

"Information Sydney Tools is leaking can aid cybercriminals in the surprisingly common crime of tool theft, as well as more standard cybercrimes such as identity theft, phishing, or spam campaigns," the researchers noted.

The breach creates multiple security risks. Employees, particularly high earners, are more vulnerable to spear phishing attacks. Customers could be tricked into revealing additional information by cybercriminals who craft highly convincing fraudulent messages referencing specific tools they purchased.

The disparity between Sydney Tools' reported workforce of approximately 1,000 employees and the nearly 5,000 employee records in the database suggests that information about former staff members has also been compromised.

Researchers have contacted Sydney Tools for an official comment and are awaiting a response. Meanwhile, the database remains unsecured, highlighting that DIY expertise should extend beyond physical tools to digital security measures.

Sophisticated Campaign Could Lead to Imprisonment or Worse for Victims

A dangerous network of phishing websites is targeting Russians seeking to join Ukrainian paramilitary groups, potentially leading to severe consequences, including lengthy prison sentences or worse for victims, according to new research released by cybersecurity firm Silent Push.

The investigation uncovered dozens of phishing domains impersonating recruitment websites for anti-Putin organizations, including the "Freedom of Russia Legion," a Ukrainian paramilitary unit made up of Russian citizens opposing the Kremlin regime. These sophisticated phishing sites are nearly identical to legitimate recruitment pages, using interactive Google Forms to collect personal information from potential recruits.

Security researcher Artem Tamoian, who first identified several of these domains, noted significant differences in search results between Google and Russia's Yandex search engine, with the phishing sites often appearing as top results in Russian searches. The fake websites have also been found ranking highly in DuckDuckGo and Bing search results.

"I started looking into those phishing websites because I kept stumbling upon news that someone gets arrested for trying to join the Ukrainian Army or for trying to help them," said Tamoian, a Russian native who left the country in 2019.

What distinguishes these phishing operations from typical scams is the severity of consequences for victims. Russia's Supreme Court designated the Freedom of Russia Legion as a terrorist organization in March 2023, meaning Russians caught communicating with the group could face between 10 and 20 years in prison.

Technical analysis linked some of the phishing domains to Stark Industries Solutions Ltd, a known "bulletproof hosting" network that materialized shortly before Russia's invasion of Ukraine. This hosting provider has previously been tied to infrastructure used for DDoS attacks, malware distribution, and disinformation campaigns associated with Russian intelligence agencies.

Rather than being distributed through traditional phishing emails, these fraudulent websites appear to be promoted primarily through search engine manipulation, creating a dangerous trap for Russians searching for ways to oppose the Putin regime.

"All observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims," Silent Push stated in their report. "Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives."

The ongoing campaign represents a stark reminder that in regions of geopolitical conflict, falling victim to phishing can have consequences far beyond financial loss or data theft – it can put lives at risk.

Troy Hunt's Mailchimp Account Compromised in Phishing Attack

Renowned cybersecurity expert Troy Hunt has fallen victim to a sophisticated phishing attack that compromised his Mailchimp account and led to the unauthorized export of his blog's mailing list of approximately 16,000 subscribers.

In a transparent blog post, Hunt detailed how he received what appeared to be a legitimate email from Mailchimp warning about unusual login activity. While suffering from jet lag in London, he clicked the link to a convincing but fraudulent site at "mailchimp-sso.com" where he entered his credentials and a one-time password. The attack was highly automated, with the hackers immediately exporting his subscriber list before he could take preventative action.

"I'm enormously frustrated with myself for having fallen for this, and I apologise to anyone on that list," Hunt wrote. He noted that despite having identified numerous similar phishing attempts in the past, a combination of fatigue and a well-crafted email that triggered fear without seeming overly urgent led to his momentary lapse in judgment.

The breach exposed subscriber email addresses and additional data Mailchimp automatically collects, including IP addresses and approximate geolocation information. Hunt expressed concern that the export included 7,535 email addresses of people who had previously unsubscribed from his newsletter and questioned why Mailchimp retained this information.

As the founder of "Have I Been Pwned," a service that alerts users when their information appears in data breaches, Hunt promptly added the compromised data to his database and notified affected individuals. He also immediately changed his Mailchimp password and deleted an API key created by the attackers.

Hunt highlighted that the incident reinforces the importance of phishing-resistant authentication methods like passkeys, noting the irony that he had been discussing this very topic with the UK's National Cyber Security Centre just before falling victim to the attack. In response, he has registered "whynopasskeys.com" to build awareness about services that don't support unphishable second factors.

Cloudflare took down the phishing site approximately two hours after Hunt fell victim to it. Hunt is communicating with Mailchimp regarding the incident and has asked them about their roadmap for implementing passkeys and their policy on retaining unsubscribed user data.
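The Mailchimp incident turns on a one-time password being valid wherever it is typed: the look-alike site simply relayed it. The block below is an added illustration (not Hunt's, Mailchimp's or Cloudflare's code) of the origin and RP-ID binding checks a WebAuthn server performs on a passkey assertion, which is what makes a relay from a look-alike domain fail; the origins, RP ID and challenge are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed relying-party identity for this example (not a real service's values).
EXPECTED_ORIGIN = "https://example-mailer.test"
RP_ID = "example-mailer.test"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser produces for an authentication ceremony.
    The browser, not the page, fills in `origin`, so a phishing page cannot forge it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode())

def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Minimal authenticatorData: sha256(rpId) || flags (UP set) || 32-bit sign counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")

def check_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                            expected_challenge: bytes) -> tuple:
    """Server-side checks that make a passkey unphishable: the challenge must be the one
    this server issued, the origin must be this site, and rpIdHash must match this RP ID.
    (The signature over authenticatorData || sha256(clientDataJSON) is verified separately.)"""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

if __name__ == "__main__":
    challenge = b"constructed-server-challenge"
    auth_data = make_authenticator_data(RP_ID)
    print(check_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge))  # genuine
    print(check_assertion_binding(make_client_data("https://example-mailer-sso.test", challenge),
                                  auth_data, challenge))  # relayed from a look-alike domain
```

In practice the browser on the look-alike domain would refuse to use a credential scoped to the real RP ID at all; the server-side origin check is the defence in depth behind that, and it has no equivalent for a typed OTP.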

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
