F-35 fighter jet secrets stolen from Australian defence contractor in ‘extensive’ hack

True identity of hacker codenamed "Alf" currently unclear...


Unknown individuals stole sensitive information pertaining to Australia’s defense programs by hacking a government contractor.

News first broke of the hack on 11 October when the Australian Cyber Security Centre (ACSC) published its 2017 Threat Report. The report doesn’t provide many details on what happened. It lists the event as a case study under the title “Compromise of an Australian company with national security links.”

Here’s what it says:

“In November 2016, the ACSC became aware that a malicious cyber adversary had successfully compromised the network of a small Australian company with contracting links to national security projects. ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data. The adversary remained active on the network at the time.

Analysis showed that the adversary gained access to the victim network by exploiting an internet-facing server, then using administrative credentials to move laterally within the network, where they were able to install multiple webshells – a script that can be uploaded to a webserver to enable remote administration of the machine – throughout the network to gain and maintain further access.”

Case study

Additional details followed on Wednesday when Mitchell Clarke, the Australian Signals Directorate (ASD) incident response manager, told a conference in Sydney that the incident involved a government contractor. As part of the attack, hackers made off with 30 gigabytes of sensitive data pertaining to the Joint Strike Fighter warplane, the P-8 Poseidon surveillance plane, and other Australian defense programs.

Defence Industry Minister Christopher Pyne says he has no idea who perpetrated the breach. As quoted by BBC News:

“It could be one of a number of different actors. It could be a state actor, [or] a non-state actor. It could be someone who was working for another company.”

Those close to the investigation of the hack are saying the unnamed individual, codenamed “Alf” (presumably after a character from the Australian soap opera “Home and Away”), attacked the government contractor in July 2016.

The ASD didn’t learn about the incident until November 2016 when a partner agency notified it, reports Bleeping Computer.

It’s currently not clear what exactly happened in the breach. ZDNet reports that Alf gained access by exploiting a 12-month-old vulnerability in the company’s IT helpdesk. They then could have moved laterally to other parts of the company’s network by brute forcing the weak passwords found to be protecting other systems.
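The lateral movement described above, brute-forcing weak passwords on one internal system after another, is the kind of pattern authentication logs can reveal. As an added illustration (not from the ACSC report or this article), the Python script below scans constructed sample log lines, in an assumed format, for a single source that fails repeatedly against several hosts within a short window and then logs in successfully.

```python
"""Flag brute-force lateral movement in authentication logs.

Constructed sample data (not from the incident). Assumed line format:
<ISO time> <target host> <user> <source ip> <SUCCESS|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-07-12T02:10:01 fileserver01 administrator 10.0.5.23 FAIL
2016-07-12T02:10:03 fileserver01 administrator 10.0.5.23 FAIL
2016-07-12T02:10:05 fileserver01 administrator 10.0.5.23 FAIL
2016-07-12T02:10:09 fileserver01 administrator 10.0.5.23 SUCCESS
2016-07-12T02:11:20 buildsrv02 administrator 10.0.5.23 FAIL
2016-07-12T02:11:22 buildsrv02 administrator 10.0.5.23 FAIL
2016-07-12T02:11:30 buildsrv02 administrator 10.0.5.23 SUCCESS
2016-07-12T02:12:00 hr-db administrator 10.0.5.23 FAIL
2016-07-12T09:00:00 fileserver01 jsmith 10.0.7.8 FAIL
2016-07-12T09:00:20 fileserver01 jsmith 10.0.7.8 SUCCESS
"""


def parse(log):
    """Yield (time, host, user, source, result) tuples from the log text."""
    for line in log.splitlines():
        ts, host, user, src, result = line.split()
        yield datetime.fromisoformat(ts), host, user, src, result


def find_brute_force(log, window=timedelta(minutes=10), min_fails=3, min_hosts=2):
    """Return {source_ip: {...}} for sources with >= min_fails failures across
    >= min_hosts distinct hosts inside one window, plus the hosts they then
    reached successfully in that window. A single user mistyping a password
    on one host (10.0.7.8 above) stays below both thresholds."""
    by_src = defaultdict(list)
    for ts, host, _user, src, result in sorted(parse(log)):
        by_src[src].append((ts, host, result))
    findings = {}
    for src, events in by_src.items():
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            failed_hosts = {h for _, h, r in in_window if r == "FAIL"}
            n_fails = sum(1 for e in in_window if e[2] == "FAIL")
            if n_fails >= min_fails and len(failed_hosts) >= min_hosts:
                ok = {h for _, h, r in in_window if r == "SUCCESS"}
                findings[src] = {"failed_hosts": sorted(failed_hosts),
                                 "succeeded_hosts": sorted(ok)}
                break  # one finding per source is enough to raise an alert
    return findings
```

Run as-is it flags 10.0.5.23 alone; the thresholds are deliberately low for the sample and would be tuned to real log volume.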

At the time of the incident, the defense contractor had hired just one IT staffer to secure its network.


Companies hoping to secure lucrative government contracts had better review their security defenses and make sure they are staying on top of all known software vulnerabilities. Failure to do so could at best lose them valuable business and at worst land them in hot water with the federal government.


2 Responses

  1. Mark Jacobs

    October 16, 2017 at 11:45 am #

    “by exploiting an internet-facing server” Mmmmm, sounds like it wasn’t very secure in the first place!

    • coyote in reply to Mark Jacobs.

      October 18, 2017 at 10:41 pm #

      Funny. That was my thought when I read ‘They then could have moved laterally to other parts of the company’s network by brute forcing the weak passwords found to be protecting other systems.’

      (More like it wasn’t really protecting anything was it?)

      Funny of course means odd here; it’s not at all funny but it’s certainly scary. Yet sadly unsurprising to me. It’s quite typical actually.
