Secret F-35, P-8, C-130 data stolen in Australian defence contractor hack

In November 2016, the Australian Signals Directorate (ASD) was alerted by a “partner organisation” that an attacker had gained access to the network of a 50-person aerospace engineering firm that subcontracts to the Department of Defence.
Restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and “a few Australian naval vessels” was among the sensitive data stolen from a small Australian defence contractor in 2016.
The secret information was restricted under the International Traffic in Arms Regulations (ITAR), the US system designed to control the export of defence- and military-related technologies, according to Mitchell Clarke, an incident response manager at the ASD who worked on the case.
One document was a wireframe diagram of “one of the navy’s new ships”. A viewer could “zoom in down to the captain’s chair and see that it’s, you know, 1 metre away from nav chair”, Clarke said.
The data theft was first reported on Tuesday as part of the 2017 Threat Report from the Australian Cyber Security Centre (ACSC). Little information was given at the time. The victim was described as a “small Australian company with contracting links to national security projects”. The attacker had “sustained access to the network for an extended period of time” and had stolen a “significant amount of data”.
Clarke provided significantly more detail in his presentation to the national conference of the Australian Information Security Association (AISA) in Sydney on Wednesday.
ASD named this advanced persistent threat (APT) actor “APT ALF”, after a character in the long-running Australian TV soap opera Home and Away.
The attacker had in fact been in the network since at least mid-July 2016, with data exfiltration starting around two weeks later. ASD refers to the three months between the attacker gaining access and the ASD becoming aware of it as “Alf’s Mystery Happy Fun Time”.
The attacker would have had little trouble gaining access.
The victim’s network was small. One person managed all IT-related functions, and they’d only been in the role for nine months. High staff turnover was typical.
There was no protective DMZ network, no regular patching regime, and a common Local Administrator account password on all servers. Hosts had many internet-facing services.
Access was initially gained by exploiting a 12-month-old vulnerability in the company’s IT Helpdesk Portal, which was mounting the company’s file server using the Domain Administrator account. Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, and to email and other sensitive information.
“This isn’t uncommon,” Clarke said. “Only about 12 months old, if you look at government, that’s not that out of date, unfortunately.”
The attacker needn’t have bothered with that, however. The ASD’s investigation found that internet-facing services still had their default passwords, admin::admin and guest::guest.
An important aspect of this incident is that a small company, with resources that were clearly inadequate given the sensitivity of the data they held, still managed to obtain and hold ITAR certification.
According to Clarke, an application for ITAR certification is usually only “two or three pages”, and asks only basic questions about organisations’ security posture.
“One of the learning outcomes from this particular case study for at least the Australian government is that we need to find a way to start to be a little bit more granular in our contracting to mandate what type of security controls are required,” Clarke said.
“That’s not for my team to answer, but that’s going to be an outcome of this sort of thing.”
Clarke emphasised the importance of following best practices to secure networks, including the ASD’s Essential Eight strategies to mitigate cybersecurity incidents.