As reported by News.com.au, Dan Tehan, the minister in charge of cyber security, said that hackers spent months downloading sensitive information about Australia’s warplanes, navy ships and bomb kits.
(This article by Dario Leone originally appeared on The Aviation Geek Club in 2017.)
Forensic investigations by the Australian Signals Directorate (ASD) found the company was using default passwords on its internet-facing services.
But the hackers gained access by exploiting a vulnerability in the firm’s IT helpdesk portal.
As explained by Mitchell Clarke, ASD incident response manager, hackers targeted a small aerospace engineering company with about 50 employees in July last year. He said the firm was subcontracted four levels down from defence contracts. “The compromise was extensive and extreme,” Mr Clarke told the Australian Information Security Association national conference in audio obtained by a freelance journalist called Stilgherrian.
“It included information on the (F-35) Joint Strike Fighter, C-130 (Hercules aircraft), the P-8 Poseidon (surveillance aircraft), joint direct attack munition (JDAM smart bomb kits) and a few naval vessels.”
According to Clarke, the hacked information on the new Navy ships included a diagram in which you could zoom in down to the captain’s chair and see that it was one metre away from the navigation chair. He also described the security breach as “sloppy admin”: the organisation not only had just one IT person, but that person was also new to the job.
An Australian Cyber Security Centre spokesperson said the information released by the ASD staffer, who actually works for the centre, was commercially sensitive but unclassified. “While the Australian company is a national-security linked contractor and the information disclosed was commercially sensitive, it was unclassified,” they said in a statement. “The government does not intend to discuss further the details of this cyber incident.”