The Australian defence ministry is trying to downplay the 2016 hacking of a contractor that exposed data about Australia’s Joint Strike Fighter programme.
The aerospace engineering firm was compromised in July 2016, but the Australian Signals Directorate (ASD) only became aware of the breach four months later, reports tech website ZDNet Australia.
The breach exposed about 30GB of technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and some Australian naval vessels.
ASD official Mitchell Clarke described the compromise as “extensive and extreme” in an audio recording of a conference presentation in Sydney, made by a ZDNet journalist and broadcast by ABC Radio.
The hackers used a tool that is widely used by Chinese hacking groups, and had gained access via an internet-facing server, he said.
More specifically, Clarke said initial access was gained by exploiting a 12-month-old vulnerability in the sub-contractor’s IT Helpdesk Portal.
The hacker was then able to capture the administrator credentials and use them to access the domain controller, the remote desktop server, email and other sensitive data.
The sub-contractor also had no protective DMZ [de-militarised zone] network and no regular patching process.
In other parts of the network, the subcontractor also used internet-facing services that still had their default passwords “admin” and “guest”.
Clarke said the “methodical, slow and deliberate” choice of target suggested a nation-state actor could be behind the attack, according to Reuters.
But according to Australian defence industry minister Christopher Pyne, the data was “commercial” not “military”.
The data was not classified, he told ABC Radio, in an attempt to downplay the seriousness of the breach and gloss over the fact that the Australian defence supply chain is far from secure. Pyne also said the hacker is still unknown.
The Australian Cyber Security Centre (ACSC) said the government would not release further details about the cyber attack.
The ACSC said in a report on 9 October 2017 that it responded to 734 cyber attacks on “systems of national interest” for the year ended 30 June, and that defence industry was a major target.
An intrusion from foreign intelligence
In 2016, the agency said it responded to 1,095 cyber attacks over an 18-month period, including an intrusion from a foreign intelligence service on the weather bureau, attributed at the time to China.
Stephen Burke, founder and CEO at training firm Cyber Risk Aware, said the incident is another example of IT admins not carrying out IT security best practices.
“But, more importantly, this is an example of other large firms not carrying out adequate third-party risk assessments.
“Of course, the same rule applies for companies who carry sensitive data because it is not a question of ‘if’ but ‘when’ you will be breached, and I don’t accept making it easy either,” he said.
According to Burke, basic IT controls such as not using the same local admin username and password across all servers, patching vulnerabilities on servers and applications that are found by running regular vulnerability assessments, and monitoring network traffic and key asset process activities would have gone a long way towards preventing this intrusion.
“This is not rocket science, but does require resources. One IT admin who had only been in the job for nine months speaks for itself, and if the large company had carried out a valid third-party risk assessment in the first place, they would not have sent the data at all,” he said.
Paul German, CEO at security firm Certes Networks, said the incident highlights fundamental flaws in current security models.
“This is a classic example of where rigid security, tied into an infrastructure that extends beyond the organisation (the Australian government) has led to weakened cyber security.
“Given that hackers were able to roam the network long enough to siphon off 30GB of sensitive data, it highlights that there is a fundamental element of cyber security missing. Breach detection times are not reducing.
“With breach detection typically taking between 120 and 150 days, organisations need a way to limit the damage in the meantime. Collectively, the industry needs to embrace a new approach to security,” said German.
Adopting a zero trust security model
“We need to decouple security from infrastructure and adopt a zero trust security model: to achieve access, a user needs to both see an application and be permitted to use it,” he said.
“Taking this model and securing it with cryptographic segmentation allows an organisation to embrace zero trust irrespective of infrastructure, of datacentre locations, or new cloud deployments.
“Moreover, with trust built on the users and applications – rather than the infrastructure – it becomes possible for organisations to embrace a security model built on breach containment, rather than prevention and detection alone,” said German. “This means that, in the inevitability of a breach occurring, the data to which hackers can gain access is constrained.
“Security thinking needs to change; organisations need to move away from the concept of owned and unowned networks or infrastructure and consider only users, applications and secure access – and the security industry must facilitate that shift.”