Around 30GB of commercially sensitive data has been compromised in a hack on an Australian government contractor, including details about new fighter planes and navy vessels.
The data is not classified, the government said, and it doesn’t know if a state was involved. The hackers’ identity is not known.
“It could be one of a number of different actors,” Defence Industry Minister Christopher Pyne told the Australian Broadcasting Corp on Thursday. “It could be a state actor, [or] a non-state actor. It could be someone who was working for another company.”
The minister also assured the public that the hack was not a risk to national security.
The hack began in July last year, but the Australian Signals Directorate (ASD) was not alerted until November. ASD incident response manager Mitchell Clarke described the hack as “extensive and extreme”.
The hacked Australian Defence subcontractor lost documents on projects including the Joint Strike Fighter (JSF) program and the P-8 Poseidon “submarine killer” plane, as well as detailed designs of Australian Navy ships.
Access was initially gained by exploiting a 12-month-old vulnerability in the company’s IT Helpdesk Portal, which was mounting the company’s file server using the Domain Administrator account. Lateral movement using those same credentials eventually gave the attacker access to the domain controller and the remote desktop server, and to email and other sensitive information.
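The chain described above (a portal holding Domain Administrator credentials, then the same credential reused from host to host) is what a defender would want to spot in logon telemetry. The Python below is an added example, not anything from the article or the contractor: it runs two checks over a constructed set of Windows logon records, flagging privileged accounts that authenticate outside tier-0 hosts and any account that reaches several distinct hosts within a short window. Host names, account names and the Domain Admins membership are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows logon records (Event ID 4624 reduced to the
# fields the checks use). Every host and account name here is made up.
SAMPLE_LOGONS = [  # (timestamp, account, source_host, target_host, logon_type)
    ("2016-07-12T09:00:00", "CORP\\Administrator", "HELPDESK01", "FILESRV01", 3),
    ("2016-07-12T09:05:00", "CORP\\jsmith", "WS042", "FILESRV01", 3),
    ("2016-07-12T22:10:00", "CORP\\Administrator", "HELPDESK01", "FILESRV01", 3),
    ("2016-07-12T22:14:00", "CORP\\Administrator", "HELPDESK01", "DC01", 3),
    ("2016-07-12T22:20:00", "CORP\\Administrator", "HELPDESK01", "RDS01", 10),
    ("2016-07-12T22:31:00", "CORP\\Administrator", "RDS01", "MAIL01", 3),
    ("2016-07-13T08:00:00", "CORP\\da_backup", "DC02", "DC01", 3),
]
TIER0_HOSTS = {"DC01", "DC02"}          # assumed: the only hosts where DA logons are expected
PRIVILEGED = {"CORP\\Administrator", "CORP\\da_backup"}  # assumed Domain Admins members

def _events_by_account(logons):
    """Group records per account, sorted by time, as (time, src, dst, logon_type)."""
    by_acct = defaultdict(list)
    for ts, acct, src, dst, ltype in logons:
        by_acct[acct].append((datetime.fromisoformat(ts), src, dst, ltype))
    for evs in by_acct.values():
        evs.sort()
    return by_acct

def privileged_logons_off_tier0(logons, privileged=PRIVILEGED, tier0=TIER0_HOSTS):
    """Distinct (account, host) pairs where a privileged account logged on outside tier 0.
    A helpdesk portal mounting a file share as Domain Admin shows up here on day one."""
    hits = {(acct, dst) for _, acct, _, dst, _ in logons
            if acct in privileged and dst not in tier0}
    return sorted(hits)

def lateral_movement(logons, window=timedelta(hours=1), min_hosts=3):
    """Accounts that reached >= min_hosts distinct hosts inside any sliding window.
    Returns {account: most distinct hosts seen in one window}."""
    flagged = {}
    for acct, evs in _events_by_account(logons).items():
        best = 0
        for i, (t0, _, _, _) in enumerate(evs):
            hosts = {dst for t, _, dst, _ in evs[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            flagged[acct] = best
    return flagged

if __name__ == "__main__":
    for acct, host in privileged_logons_off_tier0(SAMPLE_LOGONS):
        print(f"privileged logon outside tier 0: {acct} -> {host}")
    for acct, n in lateral_movement(SAMPLE_LOGONS).items():
        print(f"possible lateral movement: {acct} reached {n} hosts within 1h")
```

The first check fires on the very first day of the constructed data, long before any burst of activity; the second would have raised the evening sweep across file server, domain controller, remote desktop and mail hosts.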
Clarke told a Sydney security conference that the government contractor’s software had not been updated for 12 months. The aerospace engineering firm was also using default passwords, he said.
Stephen Burke, founder and CEO at Cyber Risk Aware, commenting on the news, said: “Yet again another example of “IT Admin” not carrying out IT Security best practices but more importantly other large firms not carrying out adequate third-party risk assessments.”
“Of course, the same rule applies for companies who carry sensitive data, it is not a question of “if” but “when” you will be breached but I don’t accept making it easy either.”
“Basic IT controls such as not using the same local admin username and password across all servers, patching vulnerabilities on servers and applications that are found by running regular vulnerability assessments, monitoring network traffic and key asset process activities would have gone a long way in preventing this issue from unfolding the way it did. This is not rocket science but does require resources. One IT admin who had only been in the job 9 months speaks for itself and if the large company had carried out a valid third party risk assessment in the first place they would not have sent the data at all.”
“I don’t think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government. That is a stretch,” Pyne said. “Fortunately, the data that was taken was commercial data, not military data, but it is still very serious and we will get to the bottom of it.”
However, he said “we don’t necessarily let the public know” about the identities of hackers, because of the confidential nature of the environment. The incident, Pyne concluded, was a “salutary reminder” about cyber security.
Indeed, Paul German, CEO at Certes Networks, suggests that the breach shows the mindset of the entire security industry must change.
“Once again, the latest cyber-attack on the Australian defence programme highlights fundamental flaws in current security models.”
“This is a classic example of where rigid security, tied into an infrastructure that extends beyond the organisation – i.e. the Australian government – has led to weakened cyber security.”
“Given that hackers were able to roam the network long enough to siphon off 30GB of sensitive data, it highlights that there is a fundamental element of cyber-security missing. Breach detection times are not reducing and with it taking between 120 and 150 days to identify a threat, organisations need a way to limit the damage in the meantime.”
“Collectively, the industry needs to embrace a new approach to security.”
“We need to decouple security from infrastructure and adopt a ‘zero trust’ security model: to achieve access, a user needs to both see an application and be permitted to use it. Taking this model and securing it with cryptographic segmentation allows an organisation to embrace zero trust irrespective of infrastructure, of data centre locations, new cloud deployments, and / or the desire of workers to hang out in the local coffee shop.”
“Moreover, with trust built on the users and applications – rather than the infrastructure – it becomes possible for organisations to embrace a security model built on breach containment, rather than prevention and detection alone. Which means that, in the inevitability of a breach occurring, the data to which hackers can gain access is constrained.”
“Security thinking needs to change; organisations need to move away from the concept of owned and unowned networks or infrastructure and consider only users, applications and secure access – and the security industry must facilitate that shift.”