Australian Defence Contractor Austal suffers data breach
November 3, 2018 |
Austal, one of Australia’s main defence contractors, has suffered a data breach. It notified the Australian Securities Exchange last Thursday night. The notice to the ASX is found here. Unlike US notices, its focus is on being vague on the critical details: on the impact it says little, and on what it is doing in response it says plenty.
The Notice states:
The statement, as anodyne as any I have seen, confirms that the hacker made an extortion attempt. What the notice does not state, but The Australian does, is that the attack took place two weeks ago and involved the loss of up to 100 gigabytes of data. There is another report that the material was accessed over a month ago. The Australian reports that a source has said that Austal’s cyber security was lacking. That is in contrast to the AFR report Cyber security experts fear more attacks on defence contractors, which assumes that the security would have been good and hence that the hackers were very good. That is a dangerous assumption. All too often large, sophisticated companies which generate and handle sensitive commercial information have a poor data security superstructure and even worse data security practices and culture. The health industry is a case in point. Hospitals are prime and all too often easy targets.
The Australian article provides:
Australian shipbuilding firm Austal has been the victim of a major extortion attempt, in which organised cyber criminals operating out of the Middle East threatened to sell reams of data stolen from the company.
The Australian can reveal that Austal, which has contracts with the Navy and Border Force, lost up to 100 gigabytes of data after organised crime figures hit the company two weeks ago.
Defence Department officials are still combing through the information, which is being offered by the extortionists to the highest bidder on the dark web.
It is understood the material includes shipbuilding schematics and administrative data related to company operations, but at this stage there is no indication that sensitive national security information has been lost.
The material was held on an internet-connected network.
A source familiar with the breach said it was helped by Austal’s poor network security.
It is understood the attackers demanded a ransom but Austal refused, prompting the crime figures to try to sell the material on the dark web.
A tiny portion of the data appears to have been published on Twitter and is now being investigated by authorities.
Austal confirmed it had detected and responded to a data breach in which some staff email and mobile phone numbers were accessed.
“There is no evidence to date to suggest that information affecting national security or the commercial operations of the company has been stolen,” Austal said in a statement.
The Australian has been told the breach occurred in mid-October.
Investigations suggested the perpetrators were based in the Middle East, which one national security source said was unusual.
Eastern Europe is the main source for organised cyber criminals and extortionists.
There is no suggestion the breach was state-sponsored.
In a joint statement, the Defence Department, the Department of Home Affairs and the Australian Cyber Security Centre said they were aware of the breach and had referred it for joint investigation by the ACSC and the Australian Federal Police.
“As the investigation continues, the Department of Defence can confirm that no compromise of classified or sensitive information or technology has been identified so far,” the statement said. “Defence and the ACSC have provided cyber security assistance to Austal and are working with Austal to assess and mitigate harm.”
Austal is a prime defence contractor that makes vessels for numerous overseas markets, including the US.
The company said a small number of stakeholders affected by the data theft had been briefed.
The breach is an example of the kind of industrial espionage and extortion that companies are increasingly finding themselves exposed to. However, it is surprising that a company that regularly handles such sensitive national security information was so easily breached.
Australia is on the cusp of a defence industry boom with production of a new fleet of frigates and submarines slated to start in the years ahead and continue for decades to come.
The shipbuilding boom has prompted national security agencies such as ASIO and Defence to commit huge resources to protecting strategically sensitive information.
National security agencies expect areas such as Adelaide’s Osborne shipyards — where most of the construction will occur — to be top espionage targets for foreign spy services, such as Chinese or Russian agencies.
The timing of the notice to the ASX is quite unusual, suspicious even, given the breach was detected two weeks ago. It is more understandable given the report in Australian Shipbuilder Hacked, Refuses to Pay Ransom that a hacker going by the handle the.joker advertised the material for sale the day before Austal’s notice to the ASX. Austal’s hand was forced. It didn’t notify because it was being a good corporate citizen; it notified because it had to.
The article provides:
Australia’s largest defense exporter says it hasn’t responded to an extortion attempt after ship design schematics were stolen by a hacker.
Austal, which is based in Henderson, Western Australia, is one of the country’s largest shipbuilders; it has built vessels for the U.S. Navy.
The company, which is listed on Australia’s ASX stock exchange, announced the breach late Thursday. The announcement came just a day after a security researcher in France posted screenshots on Twitter of the purported stolen data.
Austal says the material is neither sensitive nor classified and that it has taken steps to secure its data systems.
“The data breach has had no impact on Austal’s ongoing operations,” the company says. “Austal’s business in the United States is unaffected by this issue, as the computer systems are not linked.”
A spokesman for Austal contacted on Friday says he couldn’t offer further information on the incident.
The breach exposed ship design drawings that are distributed to customers, fabrication subcontractors and suppliers, Austal says. It also exposed “some staff email addresses and mobile phone numbers.” Those individuals have been informed as well as a “small number” of other stakeholders directly impacted by the breach, the company reports.
Austal has contacted the Australian Cyber Security Center and the Australian Federal Police. The Office of the Australian Information Commissioner, which enforces the country’s data protection regulations “will be involved as required,” Austal says.
The.Joker
A hacker going by the nickname “the.joker” advertised the material for sale on an underground forum earlier this week. Xylitol, a well-known French security researcher, posted screenshots of the.joker’s postings on Oct. 31, a day before Austal’s announcement.
Xylitol also wrote that he asked for samples of the data and received four, with timestamps that ranged from 2006 to 2017.
The.joker claims to have dumped data from Austal’s network PCs about a month prior. The zip file, which consisted of drawings and designs, is 75GB in size, the.joker claims.
Some of the sample images the.joker included in a forum posting were still live on Friday and indicated the material was posted there five days prior.
The material was being offered for 1 bitcoin, or about $6,300. That figure is likely far lower than whatever figure was presented to the company as a ransom.
Don’t Pay Ransoms
Companies are increasingly being subjected to ransoms by hackers after their networks have been breached. Ransoms put companies in tough positions: risk public exposure of potentially embarrassing data, or risk paying a ransom and still face a chance the data could be released anyway.
Security experts and law enforcement generally advise against paying ransoms, even after incidents of file-encrypting malware. But some companies have viewed the situation as either a cost of doing business or a shorter route to recovery.
Late last month in the U.S., the city of West Haven, Connecticut, paid $2,000 to unlock 23 servers that had been infected with ransomware (see: Connecticut City Pays Ransom After Crypto-Locking Attack).
The city’s attorney, Lee Tiernan, was quoted by the Associated Press as saying “research showed it was the best course of action.”
If the city didn’t have a backup file, it may have had little choice. But a compelling counter argument is that paying offers further incentive for criminals to continue with the schemes.
Interestingly, there is no reference in the statement to a notification of the data breach, which involved personal information, to the Information Commissioner. That is both extraordinary and extremely poor practice.
The approach that Austal took highlights the confused, inefficient and secretive approach to dealing with data security. Here Austal refers the breach to the Australian Cyber Security Centre and the Australian Federal Police, never to be heard of again. It appears the Department of Defence, an agency not noted for having good processes or for complying with privacy legislation, is also involved in reviewing the impact of the breach. Unfortunately there are too many acronym-laden agencies doing much the same thing, and generally in the shadows. Announcing that a gaggle of agencies is investigating is a highly effective stratagem to kill off ongoing reportage.
Clearly there needs to be sensitivity, sometimes extreme sensitivity, in what can and can’t be reported; however, that should not prevent action being taken in relation to the breach and a report on that action being published. In the United Kingdom the Information Commissioner would likely investigate and issue a Monetary Penalty Notice. In the United States the Federal Trade Commission would also investigate and produce a report. In those jurisdictions the significant penalties and the reputational damage of open, published and reported action have an impact on the market and the other operators within it.
Only with a proper investigation and a published outcome of that investigation, preferably with some regulatory action, will the industry and the market generally improve their data security. To date the Australian approach has been to throw a proverbial blanket over an incident, deal with it in house and let time do the rest. That is a policy failure.