Just over a year ago, I was sitting down to lunch with a client in Wellington. It was a rare, beautiful day with a nice buzz of students and frantic businessmen walking around us. We were about 300 metres away from the Beehive (Executive Wing of the New Zealand Parliament Buildings) and my client leant over to ask, “What do you think is the most likely and unlikely organisation to be hacked or targeted by cyber-terrorism?” After very minor thought, I concluded that anything to do with the Defence Force is not only a huge target for any budding hacker, but surely, it’s also the last place that would allow that to happen, right? Wrong!
As of Tuesday 10th October 2017, an Australian Defence Contractor has had highly commercially sensitive information on the build and design of new fighter jets, navy vessels, and surveillance aircraft stolen.
The Facts as we know them:
Dan Tehan, the minister in charge of cybersecurity, confirmed the hacking had taken place and was targeted towards an unknown contractor.
The hack itself took place over a few months, without any defence or internal networks picking up the attack.
24 hours after the news broke, Australian authorities researched and criticised the defence contractor for “sloppy admin” concluding that in fact, anybody could have penetrated the company’s network and that they were “surprised it hadn’t happened sooner”.
During the investigation of the hack, it was found that hackers had exploited a hole in the IT helpdesk portal where no staff member had updated the 12-month old vulnerability. Literally leaving a door wide open for even the most amateur of hackers to enter.
Furthermore, the Australian Signals Directorate (ASD) found that the contractor had not updated any of its key passwords and entry codes for any internet facing servers in many, many months.
It has recently emerged that the admin password used to enter the company’s web portal was ‘admin’ and the guest password was ‘guest’. An unbelievable fact in terms of the contractor’s field of work.
ASD incident response manager Mitchell Clarke told a conference in Sydney on Wednesday (11th October) the hackers targeted a small “mum and dad type business” — an aerospace engineering company with about 50 employees in July last year. This means the hackers were experienced enough to go through a third party/supply chain of the main contractors first, again exploiting a hole in the continuity of the whole program.
Clarke noted, “It included information on the (F-35) Joint Strike Fighter, C130 (Hercules aircraft), the P-8 Poseidon (surveillance aircraft), joint direct attack munition (JDAM smart bomb kits) and a few naval vessels.”
This particular firm has been confirmed as a fourth level contractor to the main Defence Force. This means the hackers could still get into the main information via a partner of the organisations – four levels down!
Why aren’t we learning?
Less than six months ago, the biggest cyber-attack to ever hit the internet occurred, WannaCry. The simple lesson learned from this should have been to update all networks, computers, and passwords. This can be done in a few hours depending on the size of your organisation.
If we break down the facts of this case, there are some key questions and discussions coming up:
- The Defence Force should have had a plan in place for all associates of their organisation?
- Why did no one check supply chain security, but are still blaming them?
- The usernames and passwords were not adequate. This should have been noticed earlier.
- How does a hack lasting nearly 12 months not get picked up?
- Is the idea of a foreign state hacking a concern?
The answer to that last question is no. In fact, foreign state powers trying to hack each other has happened since the internet was first set live – it’s nothing new. The key question here is more about the order and control of their supply chain in the first place.
What might happen now?
Nothing is likely to happen. Like with most hacks, it’s an opportunity to boast how good you are at it. The most likely scenario now is a ransom put on the return of the information. Or, we may never hear about this again meaning it’s been taken higher.
The ASD, for now, has dubbed the hacker “ALF”, after a character in the TV soap opera Home and Away. At least they’re seeing the humorous side to all this!
Mr Clarke described the security breach as “sloppy admin” during his press conference. Most IT people could spot holes in the system, it’s the higher authorities who should have put checks in there in the first place.
What you need to do, right, now!
If you didn’t already do this in May following the WannaCry cyber-attack, go and ask your IT team when the last time they changed passwords.
You need to then check how up to date your security systems are.
Then most importantly, you need to get in touch with any third parties you’re associated with and your supply chain! As stated by Alastair MacGibbon the Special Adviser on cyber to the Prime Minister, on breakfast news, “this is a supply chain issue, not the Governments fault”. Sorry Alastair, you can’t blame your supply chain, the responsibility for a disruption remains with the company.
If, for example, you were an airline based in Australia, you will have hundreds of supply chain dependencies, even right down to the travel agent. There would be many websites and potential gateways to stay on top of. Starting to work these out and know what is what will maintain your resilience.
Your DRP (Disaster Recovery Plan) and ITDR need to be looked at, right now. Even if you looked at it last week, you need to double check it’s up to date and where it needs to be.
Coincidently, I’m about a day off finishing my article on the Auckland Fuel Crisis follow up. In this, I discuss contractors and how we often look to blame third party when something like this happens. In fact, your stakeholders aren’t going to do that, neither is the media.
We still don’t know officially who these contractors were, but we’re all happily blaming the resilience of the Defence Force here when really, many authorities and people are involved.
I will be following up this story as it progresses as I believe it as being a huge eye opener for Australian and New Zealand organisations.
RiskLogic specialise in modules around Business Continuity for your supply chain. We’ve been doing it for over a decade. As well as this, we have industry leading cybersecurity modules & plans for all types of organisations. Our senior consultants and trainers live and breathe this daily across Australia & New Zealand. If you’re concerned about possible holes in your supply chain or cyber-security, give us a call now, obligation free.
Until then, plan, do, check & act…