Australian cyber-security officials have revealed that “commercially sensitive” data about the country’s new fighter jets, navy vessels and surveillance aircraft programs have been stolen from an Australian defense contractor in what they described as an “extensive and extreme” hacking attack.
The Australian Signals Directorate (ASD), an Australian government foreign intelligence collection agency responsible for foreign signals intelligence and information security, has said that 30 gigabytes of “commercially sensitive but not classified” information on the country’s new F-35 Joint Strike Fighter, worth 17 bln Australian dollars ($13 bln), the P-8 Poseidon submarine hunter aircraft, the C130 Hercules transport plane, several Australian naval vessels and joint direct attack munitions (JDAM smart bomb kits) was stolen in a hacking attack on a government contractor.
ASD incident response manager Mitchell Clarke described the attack as “extensive and extreme.”
Addressing the Australian Information Security Association’s national conference in Sydney on Wednesday, he said that the compromised data on the new navy ships included a diagram which could be zoomed in down to the captain’s chair to see that it was one meter away from the navigation chair.
The security official explained that an unidentified hacker had exploited a weakness in software being used by the government contractor, which had not been updated for 12 months. The hacker, he said, was codenamed Alf, after a well-known character, Alf Stewart, from the Australian TV soap opera Home and Away.
In a separate comment on the issue, the country’s Defense Industry Minister Christopher Pyne told the Australian Broadcasting Corp that “it could be one of a number of different actors.”
“It could be a state actor, [or] a non-state actor. It could be someone who was working for another company,” Christopher Pyne told the broadcaster on Thursday.
The Defense Industry Minister, however, insisted that the theft was not a risk to national security, as the data that was taken was commercial, not military.
“But it is still very serious and we will get to the bottom of it,” he stated.
The breach began in July of last year, but the ASD was not alerted until November, so the hacker might have had access to the information for four months. The security officials began repairing the system in December.
According to Mitchell Clarke, the hacked company was rather small and was subcontracted four levels down from the defense contracts.