Australian Signals Directorate gives computer hacker codename 'Alf'


Old H&A Fan

Posted

The ASD has codenamed a computer hacker, who was trying to infiltrate government computer systems and steal sensitive data, after the flamin' town hat from Home And Away, because of the characteristics of this hacker's behaviour.

Article follows below:

Hacker codenamed in honour of 'Alf' from Home and Away stole sensitive data about Australian military projects

Commercially sensitive information on the $14 billion Joint Strike Fighter program, Australia's next fleet of spy planes and several of its naval warships has been stolen by hackers who breached a Department of Defence contractor, a government official has revealed.

A manager at the Australian Signals Directorate – the government's main national security cyber spies – told a conference in Sydney on Wednesday that the hackers stole 30 gigabytes of data, including data on the Defence projects.

ASD incident response manager Mitchell Clarke told the Australian Information Security Association conference that the ASD had codenamed the hacker 'Alf' after the Home and Away character played by Ray Meagher.

A spokesperson for the Australian Cyber Security Centre, for which Mr Clarke works, said the data was commercially sensitive but was not classified.

Mr Clarke told the conference that "the compromise was extensive and extreme". Dan Tehan, the Minister Assisting the Prime Minister for Cyber Security, had on Tuesday highlighted the case as a significant breach, though he did not provide details.

Mr Clarke also didn't rule out that a foreign government was behind the incident.

He said the company "had a significant amount of data stolen … and most of that data was defence-related" and that some of it related to the US International Traffic in Arms Regulations, which verifies the security credentials of firms dealing in US military and defence exports.

"That ITAR data included information on the [F-35] Joint Strike Fighters, the C-130, the P-8 Poseidon, the JDAM – that's a smart bomb – and a few Australian naval vessels," Mr Clarke said, according to a copy of the audio provided by freelance technology journalist Stilgherrian, who first reported the story.

"We found one document [that] was like a Y-diagram of one of the Navy's new ships and you could zoom in down the captain's chair and see that it's one metre away from the nav [navigation] chair and that sort of thing."

The P-8 Poseidon is the RAAF's soon-to-arrive fleet of new spy planes.

Mr Clarke described the hack as "a very good exfil [exfiltration] for the actor".

He indicated the hackers could have been a criminal group or state-sponsored hackers. He said they used a hacking tool called China Chopper, which is reportedly widely used by Chinese hackers.

The small aerospace engineering firm of about 50 employees, which had contracts on a number of Defence projects, had just one IT staff member who had been in the job nine months, which Mr Clarke described as "sloppy".

"There's no way this one IT person could have done everything perfectly across the whole domain."

The firm had used default logins and passwords "admin" and "guest".

The hackers had "full and unfettered access" to the system and read emails of the chief engineer, the finance officer and a contracting engineer.

The ASD was tipped about the breach by "a partner organisation" in November last year. The hack occurred in July 2016.

He said that the company didn't believe ASD and national Computer Emergency Response Team investigators when they arrived because they don't carry credentials. The company rang both the ASD and CERT hotlines but both organisations said they were not aware that their representatives were approaching the company.

Mr Clarke also said ASD's incident response team was "getting busier and busier as time goes on and we have less and less people so it's getting difficult for us and we're seeing I guess a really large workload".

Source: Canberra Times/Fairfax Media.

Posted

So they:

  • Compromised a machine used by people who worked in the IT department
  • Connected to the main server, extracted the password file and presumably were able to obtain the passwords
  • Used the originally compromised machine with the passwords to access a public facing web server
  • Used the web server to connect to another machine with the sensitive data
  • Copied the sensitive data onto the web server and presumably downloaded the files straight from the internet

It sounds pretty sophisticated when you look at the diagram above, so it doesn't surprise me that they believe it was state sponsored. However I can't believe a defense company handling highly sensitive data would use logins like "admin" and "guest".

Doesn't really surprise me that they think the Chinese did it, as they were also suspected of sponsoring a hack of a large security company a few years ago. And in that case one of the clients of the security company in question was a large defense/aerospace company. Flamin' galahs.
