US Weapons Data Stolen During Raid of Australian Defense Contractor's Computers (wsj.com)
phalse phace writes: Another day, another report of a major breach of sensitive U.S. military and intelligence data. According to a report by The Wall Street Journal (Warning: source may be paywalled; alternative source), "A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' and exploiting a vulnerability in the company's help-desk portal, the attacker roved the firm's network for four months. The identity and affiliation of the hackers in the Australian attack weren't disclosed, but officials with knowledge of the intrusion said the attack was thought to have originated in China."
The article goes on to state that "Alf obtained around 30 gigabytes of data on Australia's planned purchase of up to 100 F-35 fighters made by Lockheed Martin, as well as information on new warships and Boeing-built P-8 Poseidon maritime-surveillance aircraft, in the July 2016 breach." The stolen data also included details of the C-130 Hercules transport aircraft and guided bombs used by the U.S. and Australian militaries as well as design information "down to the captain's chair" on new warships for Australia's navy.
No problemo (Score:2)
"A cyberattacker nicknamed 'Alf' gained access to an Australian defense contractor's computers and began a four-month raid that snared data on sophisticated U.S. weapons systems. Using the simple combinations of login names and passwords 'admin; admin' and 'guest; guest' "
Wow, much sophistication in the Australian loginname/password scheme,
Re:No problemo (Score:5, Insightful)
That's kind of what happens when the Australian Signals Directorate wants brilliant hackers to work for them, but only offers to pay them entry-level Help Desk wages.
It wasn't the Australian Signals Directorate but some dickhead project sub-contractor. According to someone on TV last night it's a 50 person company and they only have one man doing IT functions, which includes things like fixing printers. I wonder what happens if this person goes on holidays?
While this company deserves to burn in hell, we also need to look at the idiots which gave them the job. Was no due diligence done to see if the sub-contractors were capable, and why did they need this kind of information in the first place? Balls should roll.
Re: (Score:2)
Gov't Decision Maker: "This one's the cheapest, take them."
In the US that's more or less the requirement, after taking things like Equal Opportunity and Small Business into account, provided the bidder claims that they have the basic competence to do the job. Privatization is the way to go! </s>
Summary tells half the story (Score:2)
Re: (Score:2)
No problem, as long as the warship plans don't include any exposed ventilation shafts that are vulnerable to x-wing fighters.
In fact there is nothing to see there (Score:2)
Well what do we have
* the stolen information was commercially sensitive rather than “classified” military information.
* the firm was subcontracted four levels down from defence contracts.
In other words a nonevent not worth discussing, but the catchy title and summary are made up to sell it anyway.
Re: (Score:2)
* the firm was subcontracted four levels down from defence contracts.
It doesn't matter whether it was subcontracted one hundred levels down, ultimately those at the top are responsible for not having proper security in place. Like making sure that sub-contractors check on the security of sub-sub-contractors, and so on.
Re: (Score:3)
Yes as we all know only Australia uses that default username/password combo.
Either that or something easy to remember and guess like waltzingmatilda or the likes. I would think that one could break into most of the infrastructure of .au with that one.
Allowing user set passwords to administration rights that are global and are accessible over the internet to critical data that is not locked down and encrypted is inherently stupid. About as smart as allowing remote admin privilege to a website from the assholes claiming over the phone to be from Microsoft Windows security division.
Re: (Score:2)
Wow, much sophistication in the Australian loginname/password scheme.
The article left out 'mate; mate' and 'That's not a knife;THAT's a knife'
Re: (Score:2)
In case you were curious, this is the cultural reference. [wikipedia.org]
Re: (Score:3)
Pull your head in, mate. Anonymous Drongo thinks there's only ever been one TV character named "Alf".
Re: (Score:2)
I would tend to lean to this Alf https://www.youtube.com/watch?... [youtube.com], heh heh, bloopers so apt. The security breach, even unclassified still really bad. New tender requirements, companies computer network security specifications, staffing, security system in place, parallel networks (internal connections vs external connections) et al. Most places are quite secure because they do not want competitors who are meant to be on their side, stealing proprietary data and also of course publicly humiliating their co
Re: (Score:3)
Source [theage.com.au]
Re: (Score:1)
Re: (Score:2)
Wow, much sophistication in the Australian loginname/password scheme,
I was expecting at least username = fosters, password = xxxx.
Australia's "navy" *rolls eyes* (Score:1)
http://www.navy.gov.au/fleet/ships-boats-craft/current-ships
Re: Australia's "navy" *rolls eyes* (Score:1)
That's ok.
Piles of dead Germans, Japanese, Koreans, Vietnamese (and others) made the same mistake.
They underestimated too.
I doubt the US Navy did much eye rolling when their aircraft carriers got "blasted" out from underneath them during joint exercises.
Same as has always been (Score:1)
Yup (Score:2)
Computers make everyone stupid.
Re:Yup (Score:4, Funny)
sit on their couches in their PJs watching soap operas
Why? Is Pornhub down?
Re: (Score:2)
how - foreign contractors == different standards? (Score:1)
Doesn't the DoD audit and require proof of security protocols when handing over Secret information to both domestic and foreign contractors? How could having passwords of admin/admin and guest/guest miss even the simplest of tests?
Pathetic and ridiculous to even classify stuff if this is how they run the show.
Re: (Score:3)
Having protocols and policies in place is one thing, actually adhering to and enforcing them is quite another...
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
100 F-35? (Score:1)
Re: (Score:1)
No no, it's just doing what it perceives as its duty as the 52nd state of the US. I understand the UK is the 51st.
Re: (Score:1)
I think the original order was 48 aircraft but then we got a national leader who wanted to enact Reagan-era policies of welfare-bashing, gifts to the rich and a big military. So he ordered another 52 aircraft and a maintenance contract. He was demoted from leadership before he could enact other far-right policies but we're still fighting the deluded ideologues he left behind. We still hear him in the background, proclaiming he knows better than his own boss.
Re: (Score:2)
"Australia 'cracked top-secret US jet fighter codes'" http://www.news.com.au/nationa... [news.com.au] (March 17, 2009)
"The Americans kept saying they'd provide the codes, but never did."
The new thinking is to spend big with the USA and everything will be so much better this generation.
Those "sophisticated weapons" are irrelevant (Score:1)
Or fast becoming so. Sure, they still appeal to cave-men that like to kill wholesale and make things go "boom". In the actual conflicts to come, they will just be extremely expensive historic artifacts, nothing else. The age of "big weapons" (with small brains behind them) is coming to an end.
'admin; admin' and 'guest; guest' (Score:4, Funny)
Re:'admin; admin' and 'guest; guest' (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
I switched my SSH port to non standard but always see login attempts... less than before but still, some people do insane port scanning
Re: (Score:2)
less than before but still, some bots do insane port scanning
I took the liberty of fixing that for you. ;-)
Old-fashioned notions of combat. (Score:2)
I believe that these things occur because of an old mentality amongst the military that is still true on a physical battlefield: "the best defence is a strong offence".
The thing is that, in "the cyber", offence and defence are mostly unrelated. Hacking another country does not stop that country from hacking back.
This leads to the ridiculous situation where the NSA leaves the US government vulnerable so that it can hack Russia.
The secure cloud is not (Score:2)
In the old days, penetration exploits like this would be noticed, as large file transfers flooded routers going to unusual IPs, and someone literally would pull the plug on the router or swap in a honeypot.
Nowadays, there is no such oversight, and the weakest point in any system is any weak point, be it someone not following basic security protocols or the NSA and other groups (there are more than you think) leaving exploit holes everywhere, including in your mouse, keyboard, monitors, and so on.
It's like v
ALF is a ref. to ALf Stewart and his rape dungeon (Score:1)
yep.
My guess is this was a "false flag" organised by the DSD to force the government into policy changes to make things more secure. Australian government is full of dinosaurs with little or no knowledge of IT and they really make idiotic decisions (see the recent fuck up of the NBN).
No sensitive data was lost, and they have released A LOT of info about this breach which is unusual.
Therefore.. I call bullshit.
Re: (Score:2)
Every document and file would have had a checksum. The new NSA buddy system and more contractor security than ever would now be in place in 5 eye nations.
Every access down a pipe or tube to any contractor has always been watched. Staff have all their home/work networks watched.
The entry of any intruder would have been detected in real time. The files copied and what was of interest examined.
The code
One would hope (Score:2)
But I'm a realist. I look at the hope hand and see a pile of smelly stuff. I look in the "smart folks" hand and see nothing.
So I am curious (Score:2)
Just how much hacking / stealing / pilfering needs to happen before someone decides the current way of doing business probably isn't the most secure way of doing it ?
Here's a thought:
Quit allowing sensitive / classified data outside of secure networks.
You want access to that data ? Drive your ass into the facility designed to house and secure it. Yes, it's inconvenient. Security usually is.
But it's either that or we may as well just de-classify all of it and mail it to everyone on the planet. Save a lot
Kinda reminds me of when.... (Score:2)
Military and intelligence data stolen .. (Score:1)