A Ransomware Attack on a Small Managed IT Provider Disrupts Government Agencies in New Zealand

Several New Zealand government agencies were impacted by a ransomware attack on a small IT provider that serves dozens of public and private organizations in the country.

According to the Office of the Privacy Commissioner, the attack targeted Mercury IT, a 25-employee firm providing IT infrastructure, telecoms, cybersecurity, tech support, and consultation services, with offices in Wellington and Auckland, NZ. New Zealand’s Ministry of Justice and Health New Zealand (Te Whatu Ora) have confirmed being impacted by the cyber incident.

Ransomware attack on IT provider triggers a compliance investigation

The IT provider reported the ransomware attack on November 30, 2022, and hired an external specialist after detecting unauthorized access to its server environment. New Zealand’s National Cyber Security Centre (NCSC), assisted by CERT NZ, and New Zealand Police also took part in the incident response.

On December 6, 2022, the Office of the Privacy Commissioner disclosed that the incident was a ransomware attack, adding that authorities were working with the IT provider to determine the scope of the attack.

“Urgent work is underway to understand the number of organizations affected, the nature of the information involved, and the extent to which any information has been copied out of the system,” the Privacy Commissioner said.

The agency also disclosed it was planning to launch a “compliance investigation” to allow for the “full use of its information gathering powers,” urging the IT provider’s clients who had “not already been in touch with us to contact the Office of the Privacy Commissioner.”

Meanwhile, the commissioner’s office advised any unauthorized individual receiving the stolen information to report it to New Zealand Police and refrain from sharing it to avoid causing anxiety and distress. The commissioner also reminded organizations they had the responsibility to protect the information they hold under the Privacy Act or face “compliance and enforcement action” and be required to “put things right” for the victims.

The identity of the ransomware gang responsible for the attack remains a secret. Mercury IT has also not disclosed whether the group has made any ransom demands.

Ransomware attack on a New Zealand IT provider impacts health services

The Ministry of Justice said the ransomware attack prevented it from accessing 14,500 coronial files relating to the transportation of deceased individuals and 4,000 post-mortem examinations.

According to Chief Operating Officer Carl Crafar, the Justice Ministry was concerned that threat actors could monitor public commentaries on such incidents.

“We acknowledge that this incident has affected information that is sensitive. We will continue working to understand the extent of the incident,” Crafar said.

The Health Ministry also could not access 8,500 records on bereavement care services and another 5,500 records from a cardiac and inherited disease registry in Auckland, Nelson, Tauranga, Wellington, and Waikato. However, the ministry reported the ransomware attack had not disrupted Te Whatu Ora health services, and no evidence suggested that unauthorized entities had accessed or downloaded the files.

However, Te Whatu Ora disclosed that the ransomware attack had impacted at least six health regulatory authorities that depended on the IT provider’s services. These include the Dietitians Board, the Chiropractic Board, the Podiatrists Board, the New Zealand Psychologists Board, the Physiotherapy Board, and the Optometrists and Dispensing Opticians Board of New Zealand.

The ransomware attack on the small IT provider also impacted the New Zealand National Association of Nurses.

Accuro, a non-profit health insurance provider, was also affected by the ransomware attack. The 34,000-member organization said the ransomware attack disrupted its daily operations, but no evidence suggested that the attackers had accessed any data.

“This attack follows in the footsteps of other high-profile attacks against healthcare organizations, including an attack against French hospital André-Mignot that forced the organization to shut down its phone and computer systems earlier this week,” said Stephan Chenette, Co-Founder and CTO at AttackIQ.

According to Chenette, government agencies were attractive targets for cybercriminals because of their limited cybersecurity resources and the troves of sensitive information they hold.

He advised MSPs, governments, and healthcare organizations to study threat actors’ common tactics, techniques, and procedures (TTPs) and build resilient detection, prevention, and response programs mapped to threat actors’ behaviors.

“Organizations should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to better prepare for the next threat.”