CANBERRA -- A mystery hacker codenamed after a larrikin Australian soap opera character has been revealed as stealing sensitive, high-level information about a $1.1 trillion defence project created by an alliance including Australia, the U.S, UK and Canada.
The data about Australia's warplanes and navy ships was stolen from an Adelaide Defence subcontractor which had one I.T. specialist and used extremely easy passwords.
Given the name "ATP ALF" -- in reference to a +30 year character from the long-running Australian beachside TV program, "Home and Away" -- the hacker had managed to sit inside the system of the contractor for months before detection in November 2016, and stole information about programs such as the $17 billion F-35 Joint Strike Fighter project, the C-130 Hercules transport plane and the $4 billion P-8 Poseidon maritime surveillance aircraft project.
A state actor has not been ruled out and it has been reported that a hacking tool, known as the Chinese Chopper, was used. The stolen data was not classified military information, but it was described as "commercially sensitive".
The hack was discovered by a major Defence contractor.
A hacker a government agency has named 'Alf' (after the Home and Away character) has stolen sensitive Defence info https://t.co/awUKATLwgV— Bevan Shields (@BevanShields) October 11, 2017
Intelligence agency, the Australian Signals Directorate (ASD) revealed details of the hack, through the technology news website ZDNet, on Wednesday, after it was flagged on Tuesday by the minister for cyber security, Dan Tehan.
According to Mitchell Clarke, an ASD incident response manager, the stolen documents for a Navy ship could let a viewer, "zoom in down to the captain's chair and see that it's, you know, one metre away from nav chair".
The subcontractor was revealed as using software that hadn't been updated for 12 months as well as username-password combinations, "admin-admin" and "guest-guest".
The many months between where the hacker was left to his own devices was referred to 'Alf's Mystery Happy Fun Time'.
Not an SME - a defence supply chain. Vendors are threat vectors. https://t.co/lxCk9WqDe7— Tim Watts MP (@TimWattsMP) October 11, 2017
Defence industry minister Christopher Pyne told the ABC on Thursday he does not know who the hacker is and indicated he would not tell if he knew, "It could be a state actor, a non-state actor. It could somebody working for another company". He described the contractor as a small enterprise and rejected any implication that the Turnbull Government was to blame for the hack.
"I don't think you can try and sheet blame for a small enterprise having lax cyber security back to the Federal Government," he told RN Breakfast. "That is a stretch."
"The contractor could well have been working for a prime (major contractor) which is why we have been saying relentlessly, for certainly since I have been the Minister and since Dan Tehan has been the minister for cyber security, that businesses need to take this very seriously."