Lockheed Martin F-35B Joint Strike Fighter. (Photo: Derek Finch, via Flickr/CC)
The Australian government has revealed that a hacker last year breached a small, domestic national security contractor and stole data relating to military projects.
The government says it does not know who perpetrated the hack. “We’re not 100 percent sure, and that’s one of the difficulties of this area,” Dan Tehan, the government’s assistant minister for cybersecurity, tells Australia’s ABC. “It could have been a state actor, it could have been cybercriminals, and that’s why it was taken so seriously.”
The government has not said how long hackers had remote access to the contractor’s network, but it says the intrusion has been remediated and additional defenses put in place with the help of the Australian Signals Directorate. The government agency is responsible for foreign signals intelligence collection and also houses the country’s Australian Cyber Security Center.
“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defense Industry Minister Christopher Pyne tells ABC Radio.
‘Extensive and Extreme’ Breach
But Mitchell Clarke, incident response manager at the Australian Signals Directorate, has described the hack as being “extensive and extreme.” He says the stolen data stretched to 30 GB and included information about Australia’s F-35 Joint Strike Fighter program, C-130 transport plane and P-8 Poseidon surveillance aircraft, and “a few” naval vessels.
Clarke described the breach Wednesday at an information security conference in Sydney, saying that only one person managed all IT-related functions at the small business, and that this person had been in the position for only nine months because staff turnover was high, ZDNet reports.
Clarke added that hackers breached the company’s IT help desk portal, which had default credentials – including the username/password combinations “admin/admin” and “guest/guest.” But he said the attackers gained entry by exploiting a 12-month-old vulnerability in the software that the contractor had failed to patch.
“This isn’t uncommon,” Clarke told the audience, ZDNet reported. “Only about 12 months old, if you look at government, that’s not that out of date, unfortunately.”
Hackers’ ‘Mystery Happy Fun Time’
Clarke says the ASD began helping the company respond to the intrusion in December 2016. The government has not revealed how long the hackers had remote access to the contractor’s network, but Clarke revealed that investigators have dubbed that period “Alf’s mystery happy fun time.”
The reference is not to the title of the American sitcom, short for “alien life form,” that launched in the mid-1980s, but rather to a domestic television obsession. “For those visitors overseas to Australia, Alf is Alf Stewart from a horrific Australian soap opera called Home and Away. It’s just a thing we do,” Clarke told the audience, BuzzFeed reports.
4 Essential Information Security Defenses
The location and manner of the intrusion are ironic, given many information security experts’ longstanding recommendation that however organizations approach information security, they should always ensure they comply with the ASD’s top 4 information security mitigation strategies.
First published in 2011, the ASD lists those top 4 mitigation strategies as:
Patching applications and operating systems;
Using the latest versions of applications and operating systems; and
Minimizing administrative privileges.
Path of Least Resistance
The reason so many security experts recommend always ensuring that those four mitigation strategies are in place is that they shut down the leading ways attackers gain unauthorized access to remote networks.
“Even in highly regulated environments, we still find default credentials and a lack of patching being one of the top root causes for system insecurity,” says incident response expert David Stubley, who heads cybersecurity consultancy 7 Elements in Edinburgh, Scotland.
“Threat actors will always use the path of least resistance,” he tells Information Security Media Group. “If you have default credentials, then you are basically rolling out the red carpet and issuing an invitation.”
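The two root causes Clarke and Stubley describe, factory default credentials on an exposed portal and a patch left uninstalled for a year, are both easy to audit for. The following is an added example, not code from the article or from the ASD; the asset inventory, host names, account pairs and dates are constructed for illustration.

```python
"""Audit a service inventory for the two control failures described above:
default credential pairs still present, and a patch level older than 12 months.
All data here is constructed for illustration."""
from datetime import date

# Well-known factory defaults; the article cites admin/admin and guest/guest.
# Extend this set from your own vendors' documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("guest", "guest"), ("root", "root")}

MAX_PATCH_AGE_DAYS = 365          # the entry point was a 12-month-old unpatched flaw
AUDIT_DATE = date(2016, 12, 1)    # constructed reference date for the audit

# Constructed inventory: exposed services, their local accounts, and the release
# date of the newest installed patch.
INVENTORY = [
    {"host": "helpdesk.example.internal", "service": "helpdesk-portal",
     "accounts": [("admin", "admin"), ("guest", "guest"), ("jsmith", "S3cure!pass")],
     "last_patch": date(2015, 11, 1), "internet_facing": True},
    {"host": "wiki.example.internal", "service": "wiki",
     "accounts": [("editor", "Wr1te-only")],
     "last_patch": date(2016, 11, 20), "internet_facing": False},
]

def find_default_credentials(asset):
    """Return the account names on this asset still using a factory default pair."""
    return [user for user, pw in asset["accounts"] if (user, pw) in DEFAULT_CREDENTIALS]

def patch_age_days(asset, today=AUDIT_DATE):
    """Days since the newest installed patch was released."""
    return (today - asset["last_patch"]).days

def audit(inventory, today=AUDIT_DATE):
    """Return one finding per asset that violates either control, most exposed first."""
    findings = []
    for asset in inventory:
        issues = []
        defaults = find_default_credentials(asset)
        if defaults:
            issues.append("default credentials: " + ", ".join(defaults))
        age = patch_age_days(asset, today)
        if age > MAX_PATCH_AGE_DAYS:
            issues.append(f"patch level {age} days old")
        if issues:
            findings.append({"host": asset["host"],
                             "internet_facing": asset["internet_facing"],
                             "issues": issues})
    # Internet-facing assets are the path of least resistance; report them first.
    findings.sort(key=lambda f: not f["internet_facing"])
    return findings

if __name__ == "__main__":
    for f in audit(INVENTORY):
        exposure = "exposed" if f["internet_facing"] else "internal"
        print(f["host"], exposure, "; ".join(f["issues"]))
```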
String of Contractor Breaches
This isn’t the first time that F-35 data has been stolen. In 2014, the FBI blamed Chinese nationals for hacking into networks run by Boeing and other military contractors and stealing plans relating to the C-17 transport and Lockheed Martin’s F-22 and F-35 fighter jets, among other information.
In the case of Boeing, hackers had been accessing its networks for at least a year before the intrusion was detected and blocked, according to court documents.
In 2014, the FBI filed an international arrest warrant for Su Bin, a Canadian businessman who allegedly directed two Chinese accomplices to perpetrate the hacks. In 2016, he was extradited, pleaded guilty to related charges and received a 46-month U.S. prison sentence.
“Su Bin admitted to playing an important role in a conspiracy, originating in China, to illegally access sensitive military data, including data relating to military aircraft that are indispensable in keeping our military personnel safe,” John P. Carlin, then the U.S. assistant attorney general for national security, said at the time.
Breached Contractor Blues
Breached contractors have also allegedly figured into some of the most damaging and embarrassing breaches to have hit the U.S. National Security Agency. In recent years, contractors Harold T. Martin III and Reality Leigh Winner have been arrested and charged with mishandling top-secret information, which may subsequently have gotten into other people’s hands. Edward Snowden was also an NSA contractor when he left the United States in 2013 and began leaking U.S. intelligence establishment secrets.
Stubley suggests that all contractors, and especially those handling national security secrets, be subjected to far more information security scrutiny and regular tests to prove that they have proper information security processes and procedures in place. Especially with contractors, he says, “don’t trust, do verify.”