Toll Group justifies ASD engagement times following ransomware attacks


Toll Group has justified its incident response to two cyber attacks last year, while rebuffing alleged criticism that it acted too slowly in keeping the government informed.

In June, Australian Signals Directorate chief Rachel Noble revealed an unnamed company had been slow to respond to requests during a cyber attack of “national impact”.

Noble told the joint committee on intelligence and security that ASD was only alerted to the incident through media reports and it took two weeks for meaningful engagement to occur.

While the company was not named, the description of it as a “nationally known company” that was reinfected three months later led to widespread speculation that it was Toll Group.

The company was hit by Mailto ransomware in January 2020, which took six weeks to recover from, before suffering a second attack in May 2020 that used the Nefilim malware.

Under questioning from Liberal senator and PJCIS chair James Paterson last month, Qantas, Toll and AGL all denied that they were the company in question.

“Certainly not from the Toll perspective,” Toll Group’s global head of information security Berin Lautenbach said at the time.

But despite that assurance, Paterson later followed up with a question on notice, which led to a response [pdf] published on Monday in which Toll said it had worked with ASD, although potentially not at ASD’s preferred pace.

“We are very grateful for the ASD’s support during the two cyber attacks Toll experienced in 2020,” the company said.

“Toll is not in a position to know which company [ASD] is referring to, and while indeed it may be Toll, we note that the ASD has never raised any formal concerns with our response to date.

“Following further internal discussions, we continue to be of the opinion that Toll acted transparently and collaboratively with the ASD.

“However, we recognise that we may not have responded at the pace the ASD may have expected due to the crises we were experiencing.”

While companies are not currently required to engage with ASD during cyber attacks, that will change if the Security Legislation Amendment (Critical Infrastructure) Bill passes in its current form.

The bill will give the ASD the power to defend the networks and systems of critical infrastructure providers against cyber attacks in exceptional circumstances, as well as introduce new information sharing requirements.

Noble has argued that the unnamed company’s unwillingness to work with ASD is evidence of the need for the laws.

But tech companies are alarmed by the so-called ‘step in’ powers that could see ASD install software; access, add or delete data; and alter how hardware functions.

Amazon Web Services and Google Cloud have, for instance, argued that ASD intervention could make an incident worse for companies with complex systems.

“That’s exactly what we hope their position is – that they don’t need us to help them defend their networks, that they do have that in hand,” Noble said.

“Our operational experience is we would only install software… when [an] entity doesn’t have the capability to provide the technical telemetry or system information that we need to assist them.

“So this sort of idea that ASD runs around and puts software willy-nilly is a bit of a caricature that doesn’t occur.”