Toll Group justifies ASD engagement times following ransomware attacks

The Toll Group has defended its incident response to two cyber attacks last year, while rejecting alleged criticism that it acted too slowly to keep the government informed.

In June, Australian Signals Directorate Director Rachel Noble revealed that an unidentified company had been slow to respond to requests during a “national impact” cyberattack.

Noble told the joint intelligence and security committee that ASD was only alerted to the incident through media reports and that it took two weeks for any significant engagement to occur.

Although the company was not named, the description that it was a “nationally known company” that was reinfected three months later led to widespread speculation that it was the Toll Group.

The company was attacked by Mailto ransomware in January 2020, from which it took six weeks to recover, before suffering a second attack in May 2020 using Nefilim malware.

When questioned by Liberal Senator and PJCIS chair James Paterson last month, Qantas, Toll and AGL denied they were the company in question.

“Certainly not from Toll’s perspective,” Toll Group global chief information security officer Berin Lautenbach said at the time.

But despite that assurance, Paterson then followed up with a question on notice, leading to an answer [pdf] published on Monday in which Toll said it had worked with ASD, although potentially not at ASD’s preferred pace.

“We are very grateful for ASD’s support during the two cyberattacks that Toll experienced in 2020,” the company said.

“Toll is not in a position to know which company [ASD] is concerned, and while it may indeed be Toll, we note that the ASD has never raised formal concerns with our response to date.

“After further internal discussions, we remain of the opinion that Toll acted in a transparent and collaborative manner with the ASD.

“However, we recognize that we may not have responded at the pace that ASD expected due to the crises we were experiencing.”

While companies are not currently required to engage with ASD during cyberattacks, that will change if the Security Legislation Amendment (Critical Infrastructure) Bill passes in its current form.

The bill will give ASD the power to defend critical infrastructure providers’ networks and systems against cyberattacks in exceptional circumstances, as well as introducing new information sharing requirements.

Noble has argued that the unwillingness of the unnamed company to work with ASD is evidence of the need for the laws.

But tech companies are alarmed by so-called “step-in” powers that could see ASD install software; access, add or delete data; and alter the operation of hardware.

Amazon Web Services and Google Cloud, for example, have argued that ASD’s intervention could make an incident worse for companies with complex systems.

“That is exactly what we hope their position will be: that they don’t need us to help them defend their nets, that they have it in hand,” Noble said.

“Our operating experience is that we would only install software … when [an] entity does not have the ability to provide the technical telemetry or system information that we need to assist them.

“So this kind of idea that ASD runs and places software anyway is a kind of cartoon that doesn’t happen.”
