An Australian defence contractor lost as much as 30GB worth of data about the country’s F-35 Joint Strike Fighter, P-8 Poseidon aircraft and several naval vessels to a cyber attack last year.
An unidentified attacker exploited an unpatched server at the contractor to steal sensitive data on military programmes worth billions.
The contractor’s IT helpdesk portal was compromised in July last year by the unidentified attacker, who went on to steal 30GB of defence documents. The portal had not been patched for 12 months before the attack took place.
According to the Australian government, the data lost was critical but not classified, and it does not yet know whether the attacker was state-sponsored.
“It could be one of a number of different actors. It could be a state actor, [or] a non-state actor. It could be someone who was working for another company,” Defence Industry Minister Christopher Pyne told the Australian Broadcasting Corp.
Even though the data is not classified, it includes details of Australia’s $18bn Joint Strike Fighter programme, under which the country will equip its Air Force with 72 top-end F-35 strike aircraft in the coming years. It also covers the submarine-hunting P-8 Poseidon aircraft and designs for several planned naval vessels.
‘Yet again another example of “IT Admin” not carrying out IT Security best practices but more importantly other large firms not carrying out adequate third-party risk assessments,’ said Stephen Burke, Founder and CEO at Cyber Risk Aware, commenting on how lax IT security practice exposed Australia’s military secrets and capabilities.
‘Basic IT controls such as not using the same local admin username and password across all servers, patching vulnerabilities on servers and applications that are found by running regular vulnerability assessments, monitoring network traffic and key asset process activities would have gone a long way in preventing this issue from unfolding the way it did,’ he said.
‘This is not rocket science but does require resources. One IT admin who had only been in the job 9 months speaks for itself and if the large company had carried out a valid third-party risk assessment in the first place they would not have sent the data at all,’ he added, arguing that the breach could have been avoided had the firms involved carried out adequate risk assessments.
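Two of the controls named above (patching findings from a regular vulnerability assessment, and not sharing one local administrator credential across servers) can be checked mechanically from data most organisations already hold. The following is an added example, not code from the article or from Cyber Risk Aware: the host inventory, scanner findings, SLA values and the "hash-A"/"hash-B" credential hashes are constructed stand-ins, and the scan export and credential audit that would feed it in practice are assumed. The last function joins the two checks, showing which other servers an attacker on an overdue host could reach with its reused local admin password.

```python
"""Baseline-control audit over constructed inventory data.

Added example; not code from the article or from Cyber Risk Aware.
It checks two controls: open vulnerability-assessment findings past
their remediation SLA, and a local administrator credential reused
across servers (identical password hashes mean identical passwords).
All data below is constructed; hashes are placeholder strings.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    local_admin_hash: str  # hash of the local Administrator password (placeholder)


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str       # scanner's identifier for the missing patch
    severity: str     # "critical", "high", "medium" or "low"
    first_seen: date  # first assessment that reported it


# Remediation deadline in days per severity (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample inventory: three servers share one local admin password.
HOSTS = [
    Host("helpdesk-web", "helpdesk portal", "hash-A"),
    Host("file-srv-01", "file server", "hash-A"),
    Host("cad-srv-01", "engineering", "hash-A"),
    Host("mail-01", "mail", "hash-B"),
]

# Constructed scanner output: the portal finding has been open for a year.
FINDINGS = [
    Finding("helpdesk-web", "helpdesk-app-2016-10", "critical", date(2016, 7, 1)),
    Finding("mail-01", "mail-2017-05", "high", date(2017, 6, 1)),
    Finding("cad-srv-01", "os-2017-06", "medium", date(2017, 6, 15)),
]
TODAY = date(2017, 7, 1)


def overdue_findings(findings, today):
    """(host, plugin, days past SLA) for findings still open past deadline."""
    out = []
    for f in findings:
        age = (today - f.first_seen).days
        limit = SLA_DAYS.get(f.severity, SLA_DAYS["low"])
        if age > limit:
            out.append((f.host, f.plugin, age - limit))
    return sorted(out, key=lambda t: -t[2])


def shared_local_admin(hosts):
    """Hashes used on more than one host -> sorted list of those hosts."""
    by_hash = defaultdict(list)
    for h in hosts:
        by_hash[h.local_admin_hash].append(h.name)
    return {k: sorted(v) for k, v in by_hash.items() if len(v) > 1}


def blast_radius(hosts, findings, today):
    """For each host with an overdue finding, the other hosts an attacker
    could log into with that host's (reused) local admin credential."""
    shared = shared_local_admin(hosts)
    by_name = {h.name: h for h in hosts}
    result = {}
    for host, _, _ in overdue_findings(findings, today):
        peers = shared.get(by_name[host].local_admin_hash, [])
        result[host] = sorted(p for p in peers if p != host)
    return result


if __name__ == "__main__":
    for host, plugin, late in overdue_findings(FINDINGS, TODAY):
        print(f"OVERDUE {host} {plugin} ({late} days past SLA)")
    for digest, names in shared_local_admin(HOSTS).items():
        print(f"SHARED LOCAL ADMIN {digest}: {', '.join(names)}")
    for host, reach in blast_radius(HOSTS, FINDINGS, TODAY).items():
        print(f"REACHABLE FROM {host}: {', '.join(reach) or 'nothing'}")
```

On the constructed data the portal's critical finding is 358 days past its 7-day SLA, and because its local admin hash is shared, compromising it yields two more servers for free; that combination is the scenario the quoted controls are meant to prevent.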
Even in the United States, defence contractors have lost critical military data to hackers because of lax IT security or plain oversight.
A report from Motherboard found that major defence contractors including Lockheed Martin, Boeing, Raytheon and Northrop Grumman do not serve their official websites over HTTPS by default. The site adds that these four contractors received a combined $95bn from the U.S. government last year.
“For companies bidding on major cybersecurity contracts, lack of HTTPS-by-default in 2017 is a bad look. You are better protected from man in the middle attacks when visiting Pornhub than Raytheon or Lockheed,” John Scott-Railton, a senior researcher at the Citizen Lab, told Motherboard.
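"HTTPS by default" is a checkable property: a plain `http://` request for the site's front page should be redirected to an `https://` URL on the same site, and the HTTPS response should carry a Strict-Transport-Security header with a non-zero max-age so a returning browser never retries in clear. The following is an added example, not code from the article or from Motherboard's investigation; the `Observation` record, the verdict names and the `observe()` probe are assumptions of this example. The caveat it encodes is that the redirect itself travels in clear and can be rewritten by an on-path attacker on a first visit, which is why a redirect without HSTS is reported as its own verdict rather than as a pass.

```python
"""Check whether a web origin is HTTPS-by-default.

Added example; not code from the original article or from Motherboard.
Two observable properties make up "HTTPS by default": a plain-HTTP
request for / is redirected to an https:// URL on the same site, and
the HTTPS response carries Strict-Transport-Security (HSTS) with a
non-zero max-age, so a browser that has seen it once never retries
over HTTP. observe() does a live probe; classify() is a pure function
so it can be exercised offline on constructed Observation values.
"""
import http.client
import sys
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Observation:
    """What a client saw: status and Location of http://host/, HSTS of https://host/."""
    http_status: Optional[int]  # None if nothing answered on port 80
    location: Optional[str]
    hsts: Optional[str]


def hsts_max_age(header: Optional[str]) -> int:
    """max-age directive of an HSTS header; 0 if absent or malformed."""
    if not header:
        return 0
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def classify(host: str, obs: Observation) -> str:
    """Verdict for one host. The redirect itself travels in clear: an
    on-path attacker can rewrite the first response (the sslstrip
    technique), which is why HSTS is part of the check."""
    if obs.http_status is None:
        return "http-closed"           # port 80 closed; typed URLs just fail
    if obs.http_status not in REDIRECTS or not obs.location:
        return "http-only"             # page served in clear
    target = urlsplit(obs.location)
    if target.scheme != "https":
        return "http-only"             # redirect, but still to plain HTTP
    dest = target.hostname or ""
    if dest != host and not dest.endswith("." + host):
        return "off-host-redirect"     # e.g. to a third-party host; inspect
    if hsts_max_age(obs.hsts) <= 0:
        return "redirect-no-hsts"      # every fresh visit starts in clear
    return "https-by-default"


def observe(host: str, timeout: float = 5.0) -> Observation:
    """Live probe (needs network): one request on port 80, one on 443."""
    status, location, hsts = None, None, None
    try:
        c = http.client.HTTPConnection(host, 80, timeout=timeout)
        c.request("GET", "/")
        r = c.getresponse()
        status, location = r.status, r.getheader("Location")
        c.close()
    except (OSError, http.client.HTTPException):
        pass
    try:
        c = http.client.HTTPSConnection(host, 443, timeout=timeout)
        c.request("GET", "/")
        hsts = c.getresponse().getheader("Strict-Transport-Security")
        c.close()
    except (OSError, http.client.HTTPException):
        pass
    return Observation(status, location, hsts)


if __name__ == "__main__":
    for h in sys.argv[1:]:
        print(h, classify(h, observe(h)))
```

Run it as `python check_https.py example.com` against any host; a redirect to a subdomain such as `www.` of the same site is accepted, a redirect to an unrelated host is flagged for inspection rather than passed, and an HSTS header with `max-age=0` counts as no HSTS, since that value tells browsers to forget the policy.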