Arq Group, formerly known as Melbourne IT, has issued a statement regarding speculation it was involved in a state-sponsored hacking attack.
The company issued a filing (pdf) to the Australian Stock Exchange (ASX) on Thursday afternoon, titled "ARQ Group Response to Alleged Hijacking of Domain Names".
In the document company secretary Anne Jordan explained that the statement was a response to the United States Department of Justice last week releasing an indictment as part of an investigation into supposedly-China-sponsored hacking against aerospace companies in 2013.
The indictment said the attack involved “Domain Hijacking, the compromise of domain registrars in which one or more members of the conspiracy redirected a victim company’s domain name at a domain registrar to a malicious IP address in order to facilitate computer intrusions”. The indictment also says that the hackers knew of and used the same techniques applied by the Syrian Electronic Army (SEA) in a 2013 phishing attack.
As it happens, as CRN reported at the time, a 2013 attack by the SEA involved a “compromised … reseller account that had access to the IT systems of Australian registrar, Melbourne IT.”
The indictment does not mention Melbourne IT, instead naming "Company L" as having been used to hijack domain names.
Arq Group said its statement was issued to address speculation that it is Company L.
The company, therefore, said in the statement it "has no knowledge of the events described in the indictment" and "was never contacted by the US Justice Department, or any other agency, regarding the events described in the indictment".
That is not, however an outright denial. CRN can imagine two reasons why Arq has stopped short of a definitive statement.
One is that domain name registrars operate networks of resellers that have the ability to change the IP addresses associated with domains. As our 2013 report mentions a compromised reseller, Arq/Melbourne does not need to deny the attack as the SEA exploit is not alleged to have involved a compromise of its own infrastructure.
The second is that Arq may not have been aware of the unauthorised access at the time of the hack and cannot definitively state knowledge of the incident. Arq Group chief executive Martin Mercer is quoted in the statement expressing confidence in security controls put in place during 2014 and 2015 - after the incident is alleged to have taken place.
Mercer did add that his company regularly worked with third parties to perform testing and assurance activities to review the company’s security posture and access controls, and also follows a schedule of external audit programs.