Mystery hacker steals ‘sensitive’ data on Australian F-35s & newest spy jets
The hacker, nicknamed “Alf” after the ‘Home and Away’ character played by Ray Meagher, breached a defense contractor’s database containing 30GB of files on some of the West’s most secretive and modern military programs, an official of the Australian Signals Directorate (ASD), the government's main cyber intelligence agency, said on Wednesday, the Sydney Morning Herald reports.
The story was initially reported by a freelance journalist nicknamed Stilgherrian and published on the website zdnet.com.
Michael Clarke, an ASD incident response manager, told an information security conference in Sydney the perpetrators hacked into a small aerospace engineering company with about 50 employees, in July 2016.
He said the company “had a significant amount of data stolen … and most of that data was defense-related.” Some of the files related to the US International Traffic in Arms Regulations (ITAR), which control the transfer of military-use technology and verify defense exports.
Describing the breach, the official claimed it was “extensive and extreme,"ABC reports.
That respective ITAR data “included information on the [F-35] Joint Strike Fighters, the C-130, the P-8 Poseidon, the JDAM – that's a smart bomb – and a few Australian naval vessels,” Clarke said, according to a copy of a recording provided by Stilgherrian.
The ASD official noted that they “found one document [that] was like a Y-diagram of one of the Navy's new ships and you could zoom in down the captain's chair and see that it's one meter away from the nav [navigation] chair and that sort of thing.”
Australia is set to receive 72 F-35 fighter jets in the coming years, replacing the ageing F-18 Hornets, according to manufacturer Lockheed Martin. The P-8 Poseidon is the Australian Air Force’s newest surveillance aircraft.
The hackers had “full and unfettered access” to the subcontractor’s systems and infiltrated emails of the chief engineer, the finance officer and a contracting engineer.
The subcontractor reportedly had just one IT specialist who worked there for nine months. It had also used primitive default logins and passwords such as “admin” and “guest.”
The ASD was informed about the data breach by "a partner organization" in November last year.
Christopher Pyne, the defense industry minister, said earlier on Thursday the hack attack was a “salutary reminder” for private businesses to step up their cybersecurity.
Pyne said that while the data was commercially sensitive, it was not classified. “It could be one of a number of different actors, it could be a state actor, a non-state actor, it could have been someone who was working for another company, so I would not want to speculate on that at this stage,” he added, as cited by the Australian.
In the meantime, he tried to downplay the significance of the hack: “I don’t think you can try and sheet the blame for a small enterprise having lax cybersecurity back to the federal government. I mean, that is a stretch.”
“You don’t know that we tendered a major defense contract to a small enterprise with poor cybersecurity protections,” the official said.