In November 2016, tipped off by a ‘partner organisation’ advising that an ‘APT actor’ had gained administration access to a fourth-tier defence contractor, ASD and CERT Australia were rapid to respond and on site the following day. Though on arrival, without official ASD credentials, the ‘customer’, a small aerospace engineering firm, with about 50 employees, called into question the bona fides of these ‘visitors’ from the Federal Government. Even calls to the CERT Australia Hotline did not initially verify the visit. Yet despite this and with the best social engineering techniques at play, they were able to later walk out with hard-drives of historical backups, in order to commence an official forensic investigation.
The investigation revealed the company had been compromised five months earlier, in July 2016, and involved a significant amount of data being stolen, and most was defence related, including data related to the Joint Strike Fighter program and other primary defence hardware.
“The fact you have valuable information, you would have likely been breached either way and let’s focus on treating the problem. Too many organisations seek to apply blame and this isn’t helpful,” said the ASD Incident Response Manager, presenting to a full conference room in Sydney at #AISACON17.
One may beg to differ. Blame could be easily attributed to the Executives who allowed this small self-managed network to be supported by one IT person, and without a security risk assessment, which would have highlighted the vulnerabilities involved with using a common local admin account, no DMZ, no regular patching regime, and with hosted internet facing services…all whilst handling defence data and commercially sensitive information. In this case, because of the defence data, the investigation became a combined ASD and CERT Australia investigation…Click HERE to read full article.