The Australian Cyber Security Centre Threat report for 2017 (p27) describes a compromise of an Australian company with national security links In November 2016, which is now believed to refer to the theft of 30GB of data from a small Australian military defence contractor which included technical information on jet fighters, transport aircraft, ‘smart bomb kits.'
The Sydney Morning Herald reports that a senior IT technician – a military staffer working in the Middle East - misused his access privileges to get into the email accounts of 10 members of his unit, as well as a personal drive and he accessed the deployed Defence secret network and the Defence restricted network several times without authority.
The data was reportedly breached on a network with no regular patching regime and a common local admin account password for all servers.
In a military trial the hacker was convicted of nine acts of unauthorised access and two offences of prejudicial conduct but was acquitted of 14 charges apparently related to whether "network roaming" was explicitly forbidden on the restricted networks that the technician had accessed.
The Herald also reported that as a result of these difficulties regarding the policy documents, the military aborted three other prosecutions for similar alleged misconduct by deployed ADF members. It quoted the Director of Military Prosecutions, Jennifer Woodward, CSC, saying in a report that her office had received an increase in the number of referrals involving misuse of IT systems and was now changing policies to increase convictions. Her report also said a lack of technical IT investigative capability and ambiguous guidelines had inhibited prosecutions.
Mitchell Clarke, the ASD spokesperson who revealed the incident on Tuesday at a Sydney conference was reported as saying that the hacker did not steal "top secret" data, but the breach contained sensitive information, not accessible to the public, and containing confidential information, diagrams, and plans about the country's military prowess.
Bleeping Computer reports Clarke blaming the intrusion on human error, with weak passwords being used, such as using usernames and passwords like "admin" and "guest." It notes that the unnamed defence contractor, which has roughly 50 employees, had apparently hired only one IT staffer to secure its network.
In the ACSC report is says analysis of an unnamed incident (presumed the same) confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data. “Analysis showed that the adversary gained access to the victim network by exploiting an internet-facing server, then using administrative credentials to move laterally within the network, where they were able to install multiple webshells – a script that can be uploaded to a webserver to enable remote administration of the machine – throughout the network to gain and maintain further access.”
Stephen Moore, chief security strategist at Exabeam emailed SC Media UK to comment:“A large number of cyber-attacks today exploit well-known vulnerabilities, for which patches usually exist. But while it seems easy to point a finger at those who have unpatched systems, patch management can be a very complex process, not least for a company where just one person manages all IT-related functions. That's why it is important to be able to detect unusual usage of credentials, or in other words, see unusual user behaviour on the network. If an employee begins moving around a network accessing multiple file servers and databases for the first time, and no one else in their department has done so, it can be an indicator of a stolen – but valid – credential. Today, simply ensuring that passwords are complex often doesn't help in stopping credential-based attacks.”
This view was echoed by Thomas Fischer, global security advocate at Digital Guardian who said in an email to SC: "Breaches such as this re-inforce why all companies, no matter how small, need to adopt a “patch early, patch often” mantra. They also need to regularly review system settings and disable unnecessary services that could leave them open to attack. Unfortunately, businesses continue to underestimate the importance of patching. Keeping IT systems constantly updated and free from known vulnerabilities is truly essential. Most companies, at some point, will have their networks' breached. In this case, seemingly with no encryption or access control measures in place, the sensitive defence data was freely accessible. But breaches don't have to result in data theft. Data-centric security technologies can greatly reduce an attacker's ability to successfully exfiltrate data. This is because, even if attackers gain access to sensitive data, they would be prevented from copying, moving or deleting it without approval.”