Adelaide defence firm hacked for F-35 data

October 13, 2017

The embarrassing loss of 30 gigabytes of defence data relating to Australia’s air force and navy procurement programmes has highlighted the need for mid-sized Australian firms to improve their computer security. The Adelaide-based aerospace firm was hacked in July 2016, although the Australian Signals Directorate (ASD) was not informed until November of that year. The company, which has 50 employees and was subcontracted four levels down from prime defence contracts, was using default passwords on its web portal and internal systems and had not updated its software for a year.

The breach was initially alluded to in Tuesday’s Australian Cyber Security Centre annual threat report, which revealed that a “small Australian company with contracting links to national security projects” had been penetrated by an attacker who enjoyed “sustained access to the network for an extended period of time” and had stolen a “significant amount of data”. The identity of the hacker, nicknamed ‘Alf’ by government officials after a character on Home and Away, remains undisclosed; however, in an interview with the ABC, Australia’s Defence Procurement Minister Christopher Pyne could not rule out action by a hostile foreign government. While Minister Pyne played down the threat posed to national security, maintaining that the data was commercially sensitive rather than classified, the ASD’s incident response manager Mitchell Clarke admitted the hack had been ‘extensive and extreme’ in his address to the national conference of the Australian Information Security Association in Sydney on Wednesday.

Mr Clarke revealed that the hacker exploited flaws in unpatched software to steal information on Australia’s A$17bn purchase of 72 F-35 Joint Strike Fighters, its C-130 transport and P-8 Poseidon surveillance planes, JDAM smart bombs and a range of naval vessels. While ASD officials strengthened the company’s system in December, officials reportedly referred to the 3 months before their intervention as “Alf’s mystery happy fun time”. Mr Clarke described the security breach as “sloppy admin” and revealed that the organisation had only one IT employee. The firm used the username-password combinations “admin admin” and “guest guest” for access to its web portal, according to ZDNet, which first reported the story, but the culprit used software nicknamed ‘China Chopper’ to infiltrate the firm. This software package is commonly used by Chinese hackers to attack western firms, research bodies and government agencies.

The Adelaide firm’s IT officer had been in the role for only 9 months at the time of the breach, following a high rate of staff turnover. The company lacked a protective DMZ network, had no regular patching regime, and used a common Local Administrator account password on all servers. The attacker exploited a 12-month-old vulnerability in the company’s IT Helpdesk Portal to access the company’s file server and the Domain Administrator account. The hacker soon had access to “pretty much every server”, according to Mr Clarke, and was able to read the email of the firm’s chief engineer and a contracting engineer. Mr Clarke warned that such lax procedures were not “uncommon” and that, by Government standards, software left unpatched for a year would not seem “that out of date, unfortunately.”

Despite the inadequacy of its IT security and the importance of the data it held, the company still managed to obtain and hold ITAR certification. Clarke admitted that the application for ITAR certification is usually only “two or three pages” and asks for only the most basic information regarding a company’s security protocols. Clarke said that “One of the learning outcomes from this particular case study for at least the Australian government is that we need to find a way to start to be a little bit more granular in our contracting to mandate what type of security controls are required.” Clarke emphasised the importance of following best practices to secure company computer networks, including the ASD’s ‘Essential Eight’ cyber protection strategies.

Minister Pyne called the incident a “salutary reminder” about cyber security, while Labor’s Bill Shorten criticised government complacency, but Australia is not the only country to have suffered attacks on F-35 contractors. In 2016, a Chinese citizen, Su Bin, was prosecuted in California for his role in stealing data on the sophisticated attack planes and passing it to the Chinese military. Su Bin pleaded guilty in a Californian court, after fighting extradition from Canada for more than two years, and admitted his connivance with two Chinese military officers to steal secrets from American defence firms.

The Chinese officers sent phishing emails to people at the target companies, posing as work colleagues or industry peers, and lured them to a booby-trapped website they controlled. The site silently installed malware on the victim’s computer, giving the Chinese hackers remote access to company directories containing trade secrets and to other sections of the company’s network. The Chinese officers copied the file directories and sent their details to Su Bin, who told them which files to steal, translated them into Chinese and wrote reports on their contents, which were picked up and delivered in person to state-run Chinese defence firms. Su Bin was motivated by money rather than patriotism, and his emails revealed his haggling for extra funds. His reports claimed the stolen information had made “important contributions to our national defense scientific research development” over the course of a year, while other notes argued that hacked data on America’s F-22 Raptor would let China “rapidly catch up with US levels” and “stand easily on the giant’s shoulders.” Other classified information revealed details of the C-17 cargo plane, which is also flown by Australia.

Su’s indictment revealed that he stole 630,000 files from Boeing’s computer system, some 65 gigabytes of data, beginning in 2010. The Chinese hackers also targeted the Taiwanese military, obtaining “military maneuvers, warfare operation plans, strategic targets and espionage activities”, according to Su’s emails. China still regards Taiwan as part of its territory and has made repeated threats towards it. Emails sent between the Chinese military officers boasted of stealing 20 gigabytes of data from one company’s FTP server, harvesting classified information on drones from the emails of targeted personnel and obtaining the password of the firm’s customer management system. The Chinese hackers used servers in the United States, Korea, Singapore and other countries to mask their own IP address and employed workstations in Hong Kong and Macao to “avoid diplomatic and legal complications.”

While the identity of ‘Alf’ remains a mystery, in public at least, Australia’s defence build-up in the face of increased Chinese military power is clearly of interest to that nation. After decades of copying purchased examples of Soviet fighter jets at a derisory rate of development, China has recently developed its own “fifth-generation” fighters – the Chengdu J-20 and the Shenyang J-31 – with remarkable alacrity. These planes embody the design information stolen from the United States, with documents released in the Snowden leaks revealing that China had stolen data on the F-35’s radar systems, engines and cooling systems. China’s rapid economic growth and unrelenting espionage efforts have enabled a rapid increase in its military sophistication which, allied to growing numerical superiority, is eroding the technical edge enjoyed by allied air and naval forces in the increasingly contested South China Sea.