A mystery hacker who was given the alias of an Australian soap opera character has stolen sensitive information about Australia’s warplanes and navy ships from a Defence subcontractor.
About 30 gigabytes of data was stolen, including information on Australia’s $17 billion Joint Strike Fighter program and the $4 billion P-8 surveillance plane project.
Information about the ageing Collins Class submarines and Australia’s largest warships HMAS Canberra and HMAS Adelaide was also successfully hacked.
Defence sources insist all the compromised material was “low level”, and was already widely shared among defence companies and contractors.
As first reported by ZDNet, the hacker infiltrated the system in July 2016 and authorities were only alerted in November.
The Federal Government said it was a “stretch” to blame it for the incident and defended not yet knowing who stole the information.
Experts at the Australian Signals Directorate (ASD) spy agency codenamed the hacker “Alf” after the Alf Stewart character from the television drama Home and Away.
Government cyber officials started fixing the system in December and referred to the period before they responded as “Alf’s Mystery Happy Fun Time”.
ASD incident response manager Mitchell Clarke told a Sydney conference on Wednesday “the compromise was extensive and extreme”.
“A significant amount of data was stolen from them, and most of the data was defence related,” he told the Australian Information Security Association.
Data on the F-35 Joint Strike Fighter, P-8 Poseidon surveillance aircraft and C-130 transport plane was stolen, along with information on “a few Australian naval vessels”.
“To the point where we found one document … it was like a wire diagram of one of the Navy’s new ships, you could sort of zoom in down to the captain’s chair and see that it’s one metre away from the navigator’s chair,” Mr Clarke said in a recording provided by freelance technology writer Stilgherrian.
“So, very good exfil [exfiltration] from the actor and great job Alf for pulling that out,” he said.
The cyber criminal had access to “pretty much every server” and was reading emails of the chief engineer and a contracting engineer.
‘We had no credentials to show them’
Mr Clarke said the “very small” aerospace engineering firm subcontracts to the Defence Department and had one person managing its IT functions for about 50 staff.
He said attackers exploited a weakness in software that had not been updated for 12 months, but also could have used the username-password combinations “admin admin” and “guest guest” to access the company’s web portal.
When the ASD and another agency arrived at the business, Mr Clarke said: “They didn’t believe who we were because we had no credentials to show them.”
The Government has emphasised that the information was commercially sensitive, but not classified.
“While presenting at a conference in Sydney, an ASD official disclosed information about the theft of data from an Australian company,” a spokesman for the Australian Cyber Security Centre said.
“While the Australian company is a national security-linked contractor and the information disclosed was commercially sensitive, it was unclassified.
“The Government does not intend to discuss further the details of this cyber incident.”
The Government still doesn’t know who ‘Alf’ is
Defence Industry Minister Christopher Pyne said ASD was working on finding out who was behind the hack, but had not been successful, almost a year after authorities were alerted to the incident.
“I’m sure there is work being done on finding out who did it. It could be a number of different actors, it could be a state actor, a non-state actor, it could’ve been someone who was working for another company,” Mr Pyne said.
The Prime Minister’s cyber security adviser Alastair MacGibbon said the data was commercially sensitive, but not classified national security information.
He said the hack demonstrated Australia’s need to increase its digital security.
“It’s a salient lesson for any industry, and of course governments, that we will be subject to attention from both nation states and criminal groups, even if the information that we’re holding, that goes to our homes as well, doesn’t have national security information in it,” Mr MacGibbon told the ABC.
Mr Pyne said the incident was a wake-up call for the 4,000 defence industry businesses in Australia.
“If they want to work with the Government, their cyber security has to be certainly better than this incident that we’ve seen. In some respects, this is a reminder to people about the importance of their cyber security.”
Minister announced breach days ago
The minister responsible for cyber security, Dan Tehan, earlier this week announced the breach, without providing details.
Mr Tehan said it was unclear who launched the incursion, but the Government was not ruling out a foreign government.
“It could have been a state actor, it could have been cyber criminals, and that’s why it was taken so seriously,” he said.
Mr Clarke said his team was getting “busier and busier as time goes on and we have less and less people”.
He said ASD was desperate to employ more staff, and the security clearance level for some roles had been dropped from “top secret” to “protected” to accelerate recruitment.