Major Australian Pension Funds Targeted in Coordinated Cyber Attacks


Credential Stuffing Attack on Australian Pension Funds Exposes 20,000 Accounts, Resulting in AU$500,000 Theft


A coordinated series of credential stuffing attacks last week targeted major pension funds in Australia, compromising thousands of user accounts and resulting in the theft of at least AU$500,000 from four superannuation accounts. Credential stuffing replays username and password pairs leaked in earlier, unrelated breaches against a target's login page, so it succeeds wherever members have reused passwords and the login flow lacks a second factor; the attackers relied on this weakness in the funds' member login protections, leading to a significant breach affecting 20,000 accounts across multiple funds.

According to the Australian Financial Review, the cyberattacks were simultaneously launched against some of the country’s largest superannuation funds. AustralianSuper, Australia’s largest fund managing AU$360 billion in assets, reported that it detected suspicious activity that compromised approximately 600 member accounts, although it indicated there was no financial loss associated with this incident.

In response to the breach, AustralianSuper disabled certain functions within its mobile app and online portal to safeguard member accounts, preventing members from updating bank details or personal information while the investigation continued. The fund reassured members that fluctuations in account balances were likely due to market volatility rather than illicit activity; however, the response did little to assuage the concerns of those affected.

Calls flooded into AustralianSuper’s customer service centers as apprehensive members sought clarification and support regarding the ongoing cybersecurity incident. The fund reported a surge in traffic to its online platforms, which caused intermittent outages, necessitating maintenance efforts to manage the load.

Similarly, Hostplus, another major superannuation fund, acknowledged experiencing hacking attempts that caused no financial loss, crediting its security measures, including multi-factor authentication and continuous system monitoring. However, the surge in member inquiries produced a wave of simultaneous login attempts that strained its digital services.

The Association of Superannuation Funds of Australia confirmed the cyberattacks, noting that they affected various member accounts, and pledged to keep members informed about their account status. National Cybersecurity Coordinator Michelle McGuinness acknowledged the heightened threat landscape, indicating a coordinated effort among government bodies and financial regulators to bolster defenses.

Reports indicate that malicious actors successfully accessed sensitive personal information from about 8,000 members of Rest Super, including names and email addresses. Luckily, no funds were removed from these accounts. The recent breach has drawn sharp criticism toward the AU$4 trillion superannuation sector, underscoring a perceived lack of adequate cybersecurity measures.

Reflecting on the urgency of enhanced protections, Xavier O’Halloran, CEO of Super Consumers Australia, expressed deep concern over the vulnerabilities inherent in the superannuation system. He called for immediate governmental action to extend protections for Australians’ retirement savings against fraudsters and cybercriminals.

This breach exemplifies adversary tactics catalogued in the MITRE ATT&CK framework: initial access through valid accounts obtained by credential stuffing, followed by discovery of account details and personal information once inside. As the superannuation industry works through this breach and toward improved security measures, the incident highlights the pressing need for organizations to fortify their cybersecurity practices in an increasingly perilous environment.
