Lockheed F-35, P-8 And C-130 Classified Data Stolen During Defense Contractor 'ALF' Hack
Late last year a hack was carried out against what the Australian Signals Directorate (ASD) calls a "partner organization." The unnamed organization told the ASD in November 2016 that it had been hacked and that outside parties had gained access to its network. It is a small firm of about 50 employees that subcontracts to the Department of Defence, providing aerospace engineering support.
The stolen data was protected under the International Traffic in Arms Regulations (ITAR) and included details on the F-35 Lightning II fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and several Australian naval vessels. ITAR is the U.S. regulatory regime that controls the export of defense-related technical data and military technology.
Mitchell Clarke, an ASD incident response manager who worked on the investigation, said one of the stolen items was a wireframe diagram of "one of the navy's new ships." Someone looking at the diagram could, Clarke said, "zoom in down to the captain's chair and see that it's, you know, 1 metre away from nav chair."
The theft of the data in the hack was reported publicly as part of the 2017 Threat Report issued by the Australian Cyber Security Centre (ACSC).
ASD has dubbed the attacker "APT ALF", which sadly isn't named after the cat-eating alien from '80s U.S. TV but after a character in the Australian soap "Home and Away." The investigation found that the attacker was inside the company's network from mid-July 2016 and that data theft began about two weeks after that. The ASD appears to have a sense of humor about the breach, dubbing the three months when the attacker had unfettered and undetected access to the network "Alf's Mystery Happy Fun Time."
The network reportedly had no DMZ, no regular patch schedule, a common local admin password on every server, and hosts running internet-facing services. That combination matters more than any single item: with one local admin password everywhere and no network segmentation, compromising a single exposed host hands the attacker admin access to every other server. Initial access was gained by exploiting a vulnerability in the company's IT helpdesk portal.
Adding insult to injury, the internet-facing services on those hosts still used default credentials such as admin:admin and guest:guest. "One of the learning outcomes from this particular case study for at least the Australian government is that we need to find a way to start to be a little bit more granular in our contracting to mandate what type of security controls are required," Clarke said. Ya think?
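The three control gaps the article lists (default credentials on internet-facing services, one local admin password shared across servers, no patch schedule) are exactly the kind of thing a contractor can audit in an afternoon. The script below is an added example, not code from the ACSC report or the affected company; the host inventory, host names, dates, credentials and the default-credential list are all constructed for illustration, and the "services" are stand-ins that expose only an accept/reject login check, as a real scanner would see.

```python
"""Added example: audit a host inventory for the control gaps described in the
ALF case. Inventory, hosts, dates and credentials are constructed; none of it
comes from the ACSC report or the affected company."""
from collections import defaultdict
from datetime import date
import hashlib

# Credential pairs commonly left unchanged on appliances and web portals
# (constructed short list; a real scanner carries a much longer one).
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"),
                 ("guest", "guest"), ("root", "root")]
MAX_PATCH_AGE_DAYS = 30
AS_OF = date(2016, 11, 1)  # constructed "audit date"


def make_service(name, user, password):
    """Constructed stand-in for a network service: exposes only a login check,
    the way a real default-credential scanner only sees accept or reject."""
    def login(u, p):
        return (u, p) == (user, password)
    return {"name": name, "login": login}


def admin_hash(password):
    """Constructed stand-in for the local admin password hash an inventory
    tool would collect; comparing hashes is enough to detect reuse."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


# Constructed inventory: two internet-facing hosts, two internal ones,
# three of them sharing the same local admin password.
INVENTORY = [
    {"host": "portal01", "internet_facing": True,
     "services": [make_service("helpdesk-web", "admin", "admin")],
     "local_admin": admin_hash("Summer2016!"), "last_patched": date(2016, 1, 10)},
    {"host": "app01", "internet_facing": True,
     "services": [make_service("ftp", "guest", "guest")],
     "local_admin": admin_hash("Summer2016!"), "last_patched": date(2016, 3, 5)},
    {"host": "fileserv01", "internet_facing": False,
     "services": [make_service("smb", "svc_backup", "kN8#v2pQ!mLz")],
     "local_admin": admin_hash("Summer2016!"), "last_patched": date(2016, 10, 20)},
    {"host": "dc01", "internet_facing": False, "services": [],
     "local_admin": admin_hash("Uniq-Dc-2016#"), "last_patched": date(2016, 10, 28)},
]


def audit(inventory, today):
    """Return findings as (kind, host, detail) tuples."""
    findings = []

    # 1. Default credentials: try each pair against every service, as an
    #    external attacker would against the internet-facing ones.
    for h in inventory:
        for svc in h["services"]:
            for user, pw in DEFAULT_CREDS:
                if svc["login"](user, pw):
                    exposure = "internet-facing" if h["internet_facing"] else "internal"
                    findings.append(("default_credentials", h["host"],
                                     f"{svc['name']} accepts {user}:{pw} ({exposure})"))
                    break  # one hit per service is enough

    # 2. Shared local admin password: group hosts by hash. A group that mixes
    #    internet-facing and internal hosts is the lateral-movement path the
    #    article describes (no DMZ, one password everywhere).
    by_hash = defaultdict(list)
    for h in inventory:
        by_hash[h["local_admin"]].append(h)
    for group in by_hash.values():
        if len(group) < 2:
            continue
        names = ",".join(sorted(h["host"] for h in group))
        spans_edge = (any(h["internet_facing"] for h in group)
                      and any(not h["internet_facing"] for h in group))
        detail = f"{len(group)} hosts share one local admin password"
        if spans_edge:
            detail += "; group spans internet-facing and internal hosts"
        findings.append(("shared_local_admin", names, detail))

    # 3. Patch age against a fixed threshold.
    for h in inventory:
        age = (today - h["last_patched"]).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(("unpatched", h["host"], f"{age} days since last patch"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in audit(INVENTORY, AS_OF):
        print(f"{kind:22} {host:28} {detail}")
```

Run against the constructed inventory, the audit reports the two default-credential hits on the internet-facing hosts, one three-host group sharing a local admin password that spans the edge and the internal network, and two hosts unpatched for most of a year. The shared-password check deliberately works on hashes rather than plaintext, which is what a LAPS-style rollout or an inventory agent can actually give you; the point is that the grouping, not the password value, is the finding.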