Citrix bug forced Defence to pull recruitment database offline

Concerns over a critical Citrix vulnerability that first emerged in December forced the Department of Defence to pull its Defence Force Recruiting Network (DFRN) offline for ten days last month.

But the database containing the personal details of recruits, which has since been given a clean bill of health, was only shut down a month after the potential flaw was originally discovered.

This was despite the Australian Cyber Security Centre (ACSC) first issuing general advice about the flaw affecting Citrix Application Delivery Controller and gateway appliances in December.

The ABC on Wednesday revealed the outsourced DFRN system was taken offline and quarantined for ten days in February over fears the database had been compromised.

The database, which is external to the department and operated by ManpowerGroup, contains biographical details on Defence recruits, including some psychological and health information.

Defence chief information officer Stephen Pearson told senate estimates on Wednesday that the decision to pull the network offline was related to the Citrix (Netscaler) vulnerability.

“Yes, that component was a piece of it,” he said.

“The patches were applied by the vendor, but as part of the potential risk mitigation exercises it was taken down to make sure there had been no compromise.”

He also stressed the DFRN was external to Defence’s network.

However, Pearson was unaware of when the patch was applied, which he said was done by ManpowerGroup’s service provider DXC Technology.

“I do not know the date they [DXC] applied their patch,” he said.

Australian Signals Directorate (ASD) director-general Rachel Noble, who appeared at estimates later in the day, said the ACSC had directly advised Defence of the potential flaw on January 24 after a tip off.

“We – through sensitive other sources – had a concern that the Department of Defence and its contractor running the DFRN may have been vulnerable to a malicious actors as a result of the Citrix issues,” she said.

But it wasn't until February 2 that Defence shut down the system and carried out a security assessment as a precaution.

Noble said the ten day delay to pull the system offline was normal for agencies, and would have followed an in-depth assessment.

“It can take, and this is normal and we see this all the time, organisations a week or so to understand what’s really happen on their network and get to the detail,” she said.

“I think in this instance, on the second of February, the decision by Defence with its contractor was taken through an abundance of caution.”

Noble said there was no evidence to suggest data had been compromised, which was also confirmed by numerous other Defence representatives including, secretary Gregory Moriarty.

She did, however, indicate that it was likely that other Australian government agencies had been targeted in the weeks after the vulnerability came to light.

“We saw a huge number of all sorts of actors then try to exploit that vulnerability with a large number of companies and government departments,” Noble said.

Labor senator Penny Wong has asked Defence to detail on notice what action was taken to secure its systems when the vulnerability was first uncovered.

“Given this was known before the advice provided by ACSC, did Defence do anything,” Labor senator Penny Wong asked Moriarty.

“Does Defence have its own processes to deal with this or do they simply rely on ASD to give them advice?”