Australian government officials reported on Wednesday that a hacker stole approximately 30GB of data from a Department of Defense contractor.
According to the Sydney Morning Herald, the compromised data included sensitive information on Australia’s next-generation spy planes, naval warships and its $14 billion Joint Strike Fighter program.
A spokesperson for the Australian Cyber Security Centre (ACSC) said that while the stolen data was commercially sensitive, the information was not classified.
Mitchell Clarke, incident response manager at the foreign intelligence collection agency Australian Signals Directorate (ASD), described the compromise as “extensive and extreme.”
At the Australian Information Security Association (AISA) national conference in Sydney this week, Clarke noted that the stolen information revealed details on the F-25 Joint Strike Fighter, P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft and the Joint Direct Attack Munition (JDAM) smart bomb kit, as well as other naval vessels.
According to a separate report by ZDNet, the ASD was initially alerted back in November 2016 by a “partner organization” that an attacker had gained access to the network of the DoD contractor.
Clarke stated that the attacker had been in the network since mid-July 2016, with data exfiltration starting about two weeks later.
The affected contractor was identified as a 50-person aerospace engineering firm, which had one employee managing all IT-related functions. The employee had been on the job for nine months.
Meanwhile, the attacker is said to have exploited a software vulnerability that went un-patched for 12 months, although the firm’s web portal was also accessible using default logins, such as “admin admin” and “guest guest.”
Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, in addition to email and other sensitive information, reported ZDNet.
“One of the learning outcomes from this particular case study for at least the Australian government is that we need to find a way to start to be a little bit more granular in our contracting to mandate what type of security controls are required,” Clarke said.