The New South Wales Rural Fire Service (RFS), one of Australia's largest government emergency agencies, has confirmed a cybersecurity incident affecting its IT systems, and the ransomware group Nova has claimed responsibility. Nova listed the RFS on its data leak site and says it stole 300 GB of data. The agency stressed that emergency response operations were not disrupted, though it acknowledged a data breach is likely. The claim was reported by Comparitech and corroborated by an email from the RFS commissioner obtained by Cyber Daily.
What Happened
The RFS publicly reported a cybersecurity incident impacting its IT systems, and one day later the criminal group Nova took credit on its data leak website. According to the commissioner's email, emergency response capabilities were unaffected, but the agency conceded that a data breach is probable. The RFS has not formally acknowledged Nova's specific claim, and independent verification of the group's assertions remains pending. Many of the files involved appear to be historical, per the agency's early investigation, and the commissioner stated there is no evidence so far that sensitive personal information was accessed.
This marks Nova's second known attack on a government entity. The first was the May 2025 incident at Comune di Pisa in Italy, where the municipality refused to pay a $2 million ransom. For Australia, this is the first confirmed ransomware attack on a government agency in 2026.
What Was Taken
Nova claims to have exfiltrated 300 GB of data from the RFS. The exact contents, sensitivity, and number of affected individuals are not yet known. The agency's preliminary assessment indicates many files are historical and that no sensitive personal information appears to have been accessed. Key unknowns remain: whether a ransom was demanded or paid, the size of any demand, and the precise nature of the compromised data. These details typically surface only as forensic investigation progresses or if Nova publishes samples to pressure the victim.
Why It Matters
Emergency services sit at the intersection of public safety and high-value data, making them attractive targets. Even when operational response is preserved, the reputational and privacy fallout from a breach at a fire and emergency agency can be severe, particularly if volunteer, staff, or community records are exposed. Comparitech researchers have logged 78 confirmed ransomware attacks on government agencies worldwide in 2026 to date, underscoring that public-sector bodies remain firmly in the crosshairs. This incident signals that Australian government entities are not immune and that ransomware-as-a-service operators like Nova are willing to target critical public institutions regardless of mission sensitivity.
The Attack Technique
The initial access vector used against the RFS has not been disclosed. Nova, also known as RALord, emerged at the start of 2025 and runs a ransomware-as-a-service operation: affiliates pay to use Nova's malware and infrastructure to launch attacks and collect ransoms. The group's ransomware both steals files and locks down systems until payment is made, a double-extortion model. Nova has claimed 143 attacks in total, with 12 confirmed by targeted organizations. In 2026, Comparitech has verified four Nova claims, including data breaches at Universitat de Valencia in Spain and website defacements at LTI Services and Larick Towing in the USA and Aspire Hospitals in India.
What Organizations Should Do
- Maintain offline, immutable, and regularly tested backups so encrypted systems can be restored without negotiating with attackers.
- Enforce phishing-resistant multi-factor authentication on all remote access, VPN, and administrative accounts to blunt the common initial-access routes affiliates exploit.
- Segment networks to isolate operational technology and emergency-response systems from general IT, limiting lateral movement and blast radius.
- Patch internet-facing systems and remote-access services promptly, as RaaS affiliates routinely weaponize known vulnerabilities.
- Deploy endpoint detection and response with monitoring for large outbound data transfers, an early indicator of exfiltration before encryption.
- Prepare and rehearse an incident response and breach-notification plan, including legal, communications, and regulatory obligations, before an incident occurs.
Sources: Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech