The Australian Signals Directorate (ASD) and the UK Government Communications Headquarters (GCHQ) were involved in an operation to crack down on stolen credit card numbers.
Contained in an opening statement that was accepted into Hansard rather than read out by newly installed director-general of ASD, Rachel Noble, on Wednesday evening last week, ASD said the operation was undertaken with powers it gained in July 2018 to prevent overseas cybercrime.
"ASD, in collaboration with our UK counterpart GCHQ, identified over 200,000 stolen credit cards globally, including over 11,000 stolen Australian cards. These stolen credit cards represent potential losses of over AU$90 million globally, and over AU$7.5 million domestically," Noble said.
"This case also demonstrates how our intelligence actions offshore, can directly impact online safety and security here at home."
Noble said it was an example of criminals selling credit card details on the dark web.
"That's an example where we have used our powers to look into the dark web to understand the nature of activity by criminals," she said.
"We are working with the private sector -- in this case, Visa and Mastercard -- to start to prevent that criminality by helping them work through the cancellation of those cards and the management of their customers."
In its annual report released in October, GCHQ said it had undertaken Operation Haulster, which "automatically flagged fraudulent intention against more than one million stolen credit cards".
Noble noted that GCHQ has powers to prevent cybercrime onshore, whereas ASD does not. However, an exchange with Senator Jacqui Lambie revealed ASD had used its powers domestically.
"ASD is prohibited via legislation from producing intelligence on Australian persons except in rare circumstances. Have any of those rare circumstances occurred in the last 12 months?" Lambie asked.
"Yes," replied Noble, who added that to give an example would involve classified material.
The opening statement also said Toll Group had called in the Australian Cyber Security Centre (ACSC) following an infestation of Mailto ransomware that saw the logistics giant fall back to manual processes.
"Our assistance has included providing technical experts to identify the nature and extent of the compromise, and provide Toll with tailored mitigation advice," Noble said.
ACSC has used its Cyber Incident Management Arrangements (CIMA), which handles co-ordination between governments in Australia during "national cyber incidents", twice since July 2019, with one instance being when Emotet malware re-emerged.
"The ACSC coordinates CIMA activations through its role on the National Cyber Security Committee," Noble's statement said.
"Partnership with our state and territory counterparts is essential to the successful detection and response to multi-jurisdictional cybersecurity incidents."
"On the 24th of January ... through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue," Noble said.
ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability.
"Given the global nature of the vulnerability which affected companies worldwide, I don't think they would have been the only one," Noble said.
Australia's Parliament downplayed a leaked report saying its cybersecurity was 'at a low level of maturity', claiming it's OK now. But parliaments and politicians are high-value cyber espionage targets.