Australia’s defence was significantly compromised in November 2016 by an incompetent aerospace defence contractor, according to a report released by the Australian Cyber Security Centre.
Mitchell Clarke, a cyber security expert from the Australian Signals Directorate (ASD), told the Australian Information Security Association national conference a few days ago that the breach was significant.
‘The compromise was extensive and extreme.’
The defence contractor, which possessed significant critical defence data, was ‘hacked’ by an as-yet-unknown attacker who stole detailed information, including data on the F35 Joint Strike Fighter project.
The attacker, designated ‘Alf’, was identified by the ASD as an advanced persistent threat (APT) and remained active inside the contractor’s network for ‘an extended period of time’, beginning in July 2016.
The data stolen from the contractor also included information on Australia’s Joint Direct Attack Munition (JDAM) capability and the P8 Poseidon Maritime Patrol project.
The P8 Poseidon project is yet to be completed, with 14 of a planned 15 aircraft still to be delivered. These aircraft, which will replace the Royal Australian Navy’s (RAN) current Orion fleet of maritime patrol aircraft, are expected to have a life span of 30 years. Any sensitive information leaked about their capabilities may significantly compromise Australia’s maritime defence.
The contractor’s network was accessed via a 12-month-old weakness in the company’s helpdesk software, a vulnerability that could have been fixed by applying a simple security patch. The contractor’s IT demands were managed by a single staff member who’d only been in the role for nine months.
The hacker’s efforts eventually gave them the ability to access the emails of the chief engineer, the CFO and a senior contractor.
The hacker was also able to easily penetrate the company’s servers, as the administrator’s passwords were common across the network.
A ZDNet report mentions that some of the network’s passwords were as simple as ‘admin’ and ‘guest’.
Mitchell Clarke, an incident response manager at the ASD, believes that this event represents a ‘learning opportunity’ for the Australian Government.
‘We need to find a way to start to be a little bit more granular in our contracting to mandate what type of security controls are required,’ Clarke told the Australian Information Security Association conference a few days ago.
‘This isn’t uncommon,’ Clarke said