Cybercriminals targeting Australian health sector

Edward Kost
November 27, 2020

There's a disturbing increase in cyber attacks targeting the Australian health sector. This trend was observed by the Australian Cyber Security Centre (ACSC), a government agency tasked with monitoring Australia’s cyber threats.

The ACSC has flagged two threats under high alert: SDBBot Remote Access Tool (RAT) and Cl0p.

The SDBBot is an insidious remote access weapon that grants attackers unmitigated remote control of an infected system. Once installed, the SDBBot will autonomously download additional components to establish remote access. The SDBBot will then move throughout the network of the compromised system and exfiltrate data.

The ACSC has not identified any cyber crime groups linked to these attacks; however, the SDBBot RAT is an attack method almost exclusively used by cyber crime group Hive 0065 (also known as TA505).

According to the ACSC, the SDBBot is a precursor to Cl0p ransomware. Cl0p ransomware is used to target high-profile companies, and its operatives refer to themselves as “Clop.” The ransomware attempts to disable Windows Defender and remove Microsoft Security Essentials to evade detection.

Cyber attackers install the Cl0p ransomware in the final phase of an SDBBot-Cl0p attack. Once enough sensitive data has been breached, it’s encrypted and held hostage. If victims fail to pay the ransom price, the breached data is published on the dark web.

The cybercrime group behind Cl0p ransomware attacks follows through with its threat of publishing breached data if victims don’t pay. On October 3, Cl0p breached German tech company Software AG and demanded a ransom payment of $20 million.

To prove sensitive data was compromised, the cyber crime group published a screenshot displaying Software AG employee emails, financial records, a passport and ID scans.

Evidence of Software AG data breach provided by cyber criminals - source:

Software AG ransom note - source:

The software giant failed to pay and their breached data was published online, as promised.

But the threat of a ransomware attack against the health sector is of much greater concern than one against the software industry. Ransomware attacks completely lock victims out of their internal systems, and in a hospital this could result in the death of patients relying on networked systems.

The ACSC observed that the health industry was the most targeted sector in the 2019-2020 financial year.

Cyber criminals are not just targeting the Australian health industry. On September 27, one of the largest healthcare providers in the United States, Universal Health Services, fell victim to a ransomware attack.

The health sector in Australia, and globally, needs to desperately improve its security posture to protect patients from the pernicious threat of ransomware.
