Staff at the Reserve Bank of Australia (RBA) were targeted by emails linking to a malicious payload in November 2011, a freedom of information request has revealed.
The attack is believed to have been aimed at stealing sensitive information that included Group of 20 negotiations, according to the Guardian.
The RBA has refused to comment on media reports that the virus used in the attack was of Chinese origin.
According to an internal incident report, the targeted emails managed to bypass security controls in place at the time because the malicious content was in the form of an embedded link, not an attachment.
An email titled Strategic Planning FY2012 was sent to several RBA staff up to department heads and was opened by six of them, potentially compromising their workstations.
According to the incident report, the email appeared to come from a senior staff member at the bank and originated from a "possibly legitimate" external account. It also included a legitimate email signature and had a plausible subject title and content.
Read more about targeted attacks
- Study finds spear phishing at heart of most targeted attacks
- Custom, targeted malware attacks demand new malware defense approach
- Beebus virus targets aerospace and defence
- Security Think Tank: Are companies too confident about targeted attacks?
- Phishing attacks cast wider nets in businesses
As soon as analysis revealed that the emails linked to a compressed Zip file with an executable malware application, the PCs of the six staff who opened the application were removed from the network.
The incident report noted that the six workstations affected did not have local administrator rights, so the virus could not spread.
The impact assessment was that “bank assets could have been potentially compromised, leading to service disruption, information loss and reputation."
The RBA asked all its security providers to update its defences, including scanning for hyperlinks in emails and automatically blocking them.
However, the incident report noted: “While users are aware of the need for caution with suspicious attachments, such awareness is unlikely to protect the Bank from credible-looking emails and attachments.”
In addition to the attempted hacking, the RBA incident report contains a wide range of potentially embarrassing incidents, including lost laptops and smartphones, sensitive documents emailed out by mistake and the loss of a personal iPad containing sensitive bank information.