Sloppy password fail exposes military's top secrets
TOP secret technical information about new fighter jets, navy vessels, and surveillance aircraft has been stolen from an Australian defence contractor.
Dan Tehan, the minister in charge of cyber security, on Tuesday confirmed the hacking of an unnamed contractor.
Hackers spent months downloading sensitive information about Australia's warplanes, navy ships and bomb kits.
Australian authorities criticised the defence contractor for "sloppy admin" and it turns out almost anybody could have penetrated the company's network.
Hackers initially gained access by exploiting a 12-month-old vulnerability in the company's IT helpdesk portal but they could have just walked in the front door.
The investigation by the Australian Signals Directorate (ASD) found the company had not changed the default passwords on its internet-facing services.
The admin password for the company's web portal was 'admin' and the guest password was 'guest'.
ASD is not ruling out a foreign state power as being behind the hack.
It dubbed the hacker "ALF", after a character in TV soap opera Home and Away.
Government cyber officials started fixing the system in December last year and referred to the roughly three-month period before that as "Alf's Mystery Happy Fun Time".
ASD incident response manager Mitchell Clarke told a conference in Sydney on Wednesday that in July last year the hackers targeted a small "mum and dad type business", an aerospace engineering company with about 50 employees.
He said the firm was subcontracted four levels down from defence contracts.
"The compromise was extensive and extreme," Mr Clarke told the Australian Information Security Association national conference in audio obtained by a freelance journalist called Stilgherrian.
"It included information on the (F-35) Joint Strike Fighter, C130 (Hercules aircraft), the P-8 Poseidon (surveillance aircraft), joint direct attack munition (JDAM smart bomb kits) and a few naval vessels."
Mr Clarke said the stolen information on the new Navy ships included a diagram detailed enough that you could zoom in to the captain's chair and see that it was one metre away from the navigation chair.
Mr Clarke described the security breach as "sloppy admin". He said the organisation only had one IT person and that person had only been in the job for a short while.
An Australian Cyber Security Centre spokesperson said the information released by the ASD staffer, who works for the centre, was commercially sensitive but unclassified.
"While the Australian company is a national-security linked contractor and the information disclosed was commercially sensitive, it was unclassified," they said in a statement on Wednesday evening.
"The government does not intend to discuss further the details of this cyber incident."
Comment has been sought from Mr Tehan and the Defence department.