30GB of data stolen from a small Australian military defence contractor, including technical information on jet fighters, transport aircraft and 'smart bomb kits'.
The Australian Cyber Security Centre Threat Report for 2017, on page 27, describes a November 2016 compromise of an Australian company with national security links, which is now believed to refer to the theft of 30GB of data from a small Australian military defence contractor, including technical information on jet fighters, transport aircraft and 'smart bomb kits'.
The Sydney Morning Herald reports that a senior IT technician, a military staffer working in the Middle East, misused his access privileges to get into the email accounts of 10 members of his unit as well as a personal drive, and that he accessed the deployed Defence secret network and the Defence restricted network several times without authority.
The data was reportedly taken from a network that had no regular patching regime and used a single, shared local admin account password on every server.
In a military trial the hacker was convicted of nine acts of unauthorised access and two offences of prejudicial conduct but was acquitted of 14 charges apparently related to whether "network roaming" was explicitly forbidden on the restricted networks that the technician had accessed.
The Herald also reported that as a result of these difficulties regarding the policy documents, the military aborted three other prosecutions for similar alleged misconduct by deployed ADF members. It quoted the Director of Military Prosecutions, Jennifer Woodward, CSC, saying in a report that her office had received an increase in the number of referrals involving misuse of IT systems and was now changing policies to increase convictions. Her report also said a lack of technical IT investigative capability and ambiguous guidelines had inhibited prosecutions.
Mitchell Clarke, the ASD spokesperson who revealed the incident on Tuesday at a Sydney conference, was reported as saying that the hacker did not steal "top secret" data, but that the breach did involve sensitive information not accessible to the public, including confidential information, diagrams and plans about the country's military capabilities.
Bleeping Computer reports Clarke blaming the intrusion on human error, specifically weak credentials such as username and password pairs like "admin" and "guest". It notes that the unnamed defence contractor, which has roughly 50 employees, had apparently hired only one IT staffer to secure its network.
The ACSC report says that analysis of an unnamed incident (presumed to be the same one) confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data. "Analysis showed that the adversary gained access to the victim network by exploiting an internet-facing server, then using administrative credentials to move laterally within the network, where they were able to install multiple webshells – a script that can be uploaded to a webserver to enable remote administration of the machine – throughout the network to gain and maintain further access."
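One way a defender can hunt for the webshell pattern the ACSC describes, as an added example that is not code from the report or from any of the parties named: it parses constructed Apache-style access-log lines (an assumed format, not the contractor's logs) and flags server-side scripts that are outside a deployment baseline yet receive successful POSTs, which is how an uploaded webshell typically shows up in web logs.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed); IIS W3C logs need a different parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp", ".ashx")

def parse_line(line):
    """Return (ip, method, path-without-query, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))

def find_webshell_candidates(log_text, deployed_scripts, min_posts=2):
    """Flag server-side scripts that are not in the deployment baseline and keep
    receiving successful POSTs. Returns {path: {"ips": set_of_sources, "posts": count}}."""
    hits = defaultdict(lambda: {"ips": set(), "posts": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        ip, method, path, status = rec
        if not path.lower().endswith(SCRIPT_EXT) or path in deployed_scripts:
            continue  # static content, or a script the application is known to ship
        if method == "POST" and status == 200:
            hits[path]["ips"].add(ip)
            hits[path]["posts"] += 1
    return {p: v for p, v in hits.items() if v["posts"] >= min_posts}

# Baseline of scripts the application is known to deploy (constructed).
DEPLOYED = {"/index.aspx", "/login.aspx", "/reports/view.aspx"}

# Constructed sample lines, not from the incident: normal traffic plus one
# unplanned script under an upload directory that keeps receiving POSTs.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Nov/2016:02:14:07 +0000] "GET /index.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2016:02:14:20 +0000] "POST /login.aspx HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Nov/2016:02:31:02 +0000] "POST /uploads/img_2016.aspx HTTP/1.1" 200 230 "-" "python-requests/2.9"
198.51.100.4 - - [12/Nov/2016:02:31:05 +0000] "POST /uploads/img_2016.aspx?v=2 HTTP/1.1" 200 1988 "-" "python-requests/2.9"
203.0.113.9 - - [12/Nov/2016:02:40:11 +0000] "POST /reports/view.aspx HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    for path, info in find_webshell_candidates(SAMPLE_LOG, DEPLOYED).items():
        print(f"{path}: {info['posts']} successful POSTs from {sorted(info['ips'])}")
```

The baseline set is the important input: a file-integrity or deployment manifest gives it for real, and anything scriptable that appears outside it deserves a look even before it is POSTed to.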