Defence puts week between Citrix security notice and assessing recruitment network

New timeline means Defence had a month before being told by ASD that it could be vulnerable.


Image: Asha Barbaschow/ZDNet

The Australian Department of Defence has said it began assessing the network of Defence Force Recruiting (DFR) on December 24, a week after Citrix put out a vulnerability notice impacting its Application Delivery Controller (ADC).

The possibility that the vulnerability had been exploited led to the recruiting network being quarantined for ten days in February.

According to a response to a Senate Estimates Question on Notice, Defence said Citrix issued its notice on 17 December 2019, but Defence only became aware of it a week later.

"On 24 December 2019, Defence became aware of the vulnerability through normal monitoring of open source reporting and commenced assessments with the DFR hosting provider to ascertain the relevance of this vulnerability to Defence," Defence said.

"The Australian Cyber Security Centre (ACSC) issued public advice on 25 December 2019 that notified of the vulnerability and mitigation strategies."

Defence said that on December 27 it began monitoring for "external reconnaissance and scanning attempts" against Citrix assets in its environment.

"On 6 January 2020, a Vulnerability Alert was issued to all identified system owners within Defence, and to our Managed Service Providers," it said.

"Between 6 January 2020 and 19 January 2020 Defence continued working with system owners and managed service providers to ensure mitigations were applied."

Defence said that over the next five days, until January 24, Citrix released a number of patches, and these were "appropriately applied" to all ADCs, whether owned by Defence or by its managed service providers.

In another answer, Defence reiterated that no data was taken.

"Extensive forensic analysis conducted by Defence and the Australian Cyber Security Centre (ACSC) has determined from evidence available, no data was taken," it said.

"There is no link between the Defence Force Restricted Network event and the ANU data breach.

"For operational reasons, Defence does not provide attribution of this activity."

The Defence timeline shows the department had a month before the Australian Signals Directorate (ASD) stepped in.

"On 24 January, we then, through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious actor as a result of the Citrix issue," director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates last month.

"We advised them about that directly on 24 January."

As reported by the ABC, the DFRN was offline and quarantined for 10 days from February 2 to February 12. A source told the ABC that the issue was detected before Christmas and crisis meetings were held twice a day over the issue. The database was run by ManpowerGroup, the ABC reported.

Under questioning from ALP Senate leader Penny Wong, Noble said that while Defence was notified of the issue on January 24 and only took down the network in February, she was not concerned by the one-week delay in taking the database offline.

"We see this all the time for organisations, a week or so to understand what's really happened on their network and get to the detail," Noble said.

"I think in this instance, on the second of February, the decision by Defence with its contractor was taken through an abundance of caution."

The ASD said the database was full of personal information such as health information, medical exams, and psychological information.

"This particular network that we are talking about here for the Defence Force recruiting is an external network, not part of the Defence network," Defence CIO Stephen Pearson said.

At the time of the hearing, Pearson was unaware if DXC, ManpowerGroup's service provider, ever applied the patches issued by Citrix.

Defence added in its answer it was also "further developing the sharing of cyberthreat intelligence and capabilities across the Five Eyes partners".
