Singapore-based router used in malicious hack attack on Australia e-census, says IBM

IBM Australia and New Zealand Managing Director Kerry Purcell has blamed two domestic Internet providers for the security lapse.
IBM Australia and New Zealand Managing Director Kerry Purcell has blamed two domestic Internet providers for the security lapse. PHOTO: REUTERS

SYDNEY (REUTERS) - International Business Machines Corp (IBM) apologised to Australia on Tuesday (Oct 25) for what the government has described as a "malicious" cyber-attack that shut down a national census, but blamed two domestic Internet providers for the security lapse.

IBM was the lead contractor for the five-yearly Aug 9 household survey by the Australian Bureau of Statistics (ABS) which went offline that day after four distributed denial of service (DDoS) attacks, caused by the website being flooded with clicks.

At a Senate inquiry into the matter, IBM Australia and New Zealand Managing Director Kerry Purcell said that attacks were launched through a router in Singapore, and blamed Australian ISP Vocus Communications Ltd, a sub-contractor of NextGen Networks Pty Ltd, for failing to shut it down.

The Cyber Security Agency of Singapore (CSA) issued a statement on Tuesday rebutting IBM Australia's statement that the attacts originated in Singapore.

The statement said: "We are surprised at media reports on IBM Australia’s assertions that the majority of international traffic which caused the crash of the Australian Bureau of Statistics (ABS) Census website originated from Singapore. 

"For matters of such nature, it is usual practice for national Computer Emergency Readiness Teams (CERTs) to make inquiries and seek assistance from one another. In this instance, our SingCERT was not informed of any such attack by CERT Australia. We were also not approached at any point. As such, it is strange that IBM Australia reached such a conclusion.

"The Cyber Security Agency of Singapore (CSA) has contacted CERT Australia for more information.  According to CERT Australia, some internal ABS infrastructure was hosted in Singapore. There may have been possible  misunderstanding in the news reporting of this issue, which incorrectly attributed the DDoS attack source to Singapore." 

The breach embarrassed a government that has sought to impress voters with its cyber security credentials.

Mr Purcell said he apologised "unreservedly" for the inconvenience and added that he is negotiating a settlement with the government for failing to fulfil the A$10 million (S$10.61 million) contract.

Mr Purcell also said IBM was helping a police investigation, and declined to say who he suspected was behind the attack.

"We had repeated assurances from the ISP that the appropriate protocol was in place," Mr Purcell told the inquiry. "The primary root cause was through a router that was outside Australia."

In a written submission to the inquiry, IBM said its preferred anti-DDoS measure, which it calls "Island Australia", involves "geoblocking" or getting the company's ISPs to shut down offshore traffic coming into the country.

In a written submission to the inquiry, Nextgen said IBM told it about "Island Australia" six days before the census website went live in July, and that IBM declared a test of the strategy four days before the census a success.

It said Nextgen followed IBM's instructions, but noted that IBM rejected Nextgen's offer of additional anti-DDoS detection measures.

Vocus said in a submission that it told Nextgen the week before the census that it "did not provide geoblocking" and that"Vocus was in fact requested to disable its DDoS protection product covering the e-Census IP space".

It did not specify who gave that instruction.