Details on the breach

In the breach (involving an Adelaide-based aerospace engineering company) we can speculate that requirements like those found in NIST 800-171 were applicable but clearly not enforced, because some of the breached material concerned the F-35 Joint Strike Fighter, P-8 Poseidon and C-130 transport aircraft (in addition to navy vessels), all of which are manufactured in the United States. In total, about 30GB of data was compromised. But like any good hack, the threat actor has still not been positively identified, despite speculation of regional nation-state involvement.
What went wrong

This breach of sensitive military data at a contractor is particularly frustrating because so many basic cyber security hygiene policies, procedures and indicators were not followed, or were missed entirely. For example:
- The breach began in July 2016, but government officials (the ASD) were not notified until November 2016: a four-month delay before disclosure, which is far too long by any standard.
- The exploit targeted a software application that had not received security updates for a full year. Were no red flags raised by vulnerability or patch management to remediate or mitigate the threat? It sounds like Equifax to me.
- The contractor was also using default passwords on the application! Wait. What? You’re protecting sensitive military secrets and cannot even change the default password on an application that could be leveraged against the crown jewels of your organization? Clearly, hygiene went out the window here too.
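The three failures above (stale patching, default credentials still in place, and slow notification) are all things a routine hygiene audit can surface before an intrusion. The following Python script is an added illustration, not code from the original post or from any organisation involved; the application names, dates, salts, password list and policy thresholds are all constructed for the example. It checks an application inventory for patch age and for administrator credentials that still verify against a list of known vendor defaults (using the application's own verifier rather than any cracking), and measures the gap between intrusion start and authority notification.

```python
from datetime import date
from hashlib import sha256

# Constructed list of common vendor default passwords (illustrative only).
KNOWN_DEFAULT_PASSWORDS = ["admin", "password", "changeme", "guest"]

# Policy thresholds (assumed values, not from the post).
MAX_PATCH_AGE_DAYS = 90      # an app unpatched longer than this is a finding
MAX_NOTIFICATION_DAYS = 30   # notify the relevant authority within this window


def make_stored_hash(password: str, salt: str) -> str:
    """Salted SHA-256 as a stand-in for whatever verifier the application really uses."""
    return sha256((salt + password).encode()).hexdigest()


def verify(stored: dict, candidate: str) -> bool:
    """Check a candidate password against the stored salted hash."""
    return make_stored_hash(candidate, stored["salt"]) == stored["hash"]


def uses_default_credential(stored: dict) -> bool:
    """Run the application's verifier against each known default password."""
    return any(verify(stored, p) for p in KNOWN_DEFAULT_PASSWORDS)


def audit_application(app: dict, today: date) -> list:
    """Return hygiene findings for one application (empty list if clean)."""
    findings = []
    patch_age = (today - app["last_patched"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"unpatched for {patch_age} days")
    if uses_default_credential(app["admin_credential"]):
        findings.append("default credential in use")
    return findings


def audit_inventory(inventory: list, today: date) -> dict:
    """Map application name to findings, for every app with at least one finding."""
    results = {}
    for app in inventory:
        findings = audit_application(app, today)
        if findings:
            results[app["name"]] = findings
    return results


def notification_lag_days(intrusion_began: date, authority_notified: date) -> int:
    """Days between the start of the intrusion and notification of the authority."""
    return (authority_notified - intrusion_began).days


def notification_overdue(intrusion_began: date, authority_notified: date) -> bool:
    return notification_lag_days(intrusion_began, authority_notified) > MAX_NOTIFICATION_DAYS


# Constructed inventory: one stale app with a default admin password, one healthy app.
INVENTORY = [
    {
        "name": "engineering-portal",
        "last_patched": date(2015, 7, 1),
        "admin_credential": {"salt": "s1", "hash": make_stored_hash("admin", "s1")},
    },
    {
        "name": "hr-system",
        "last_patched": date(2016, 6, 20),
        "admin_credential": {"salt": "s2", "hash": make_stored_hash("Tq9!vL2#pWx", "s2")},
    },
]

if __name__ == "__main__":
    audit_date = date(2016, 7, 1)
    for name, findings in audit_inventory(INVENTORY, audit_date).items():
        print(f"{name}: {', '.join(findings)}")
    lag = notification_lag_days(date(2016, 7, 1), date(2016, 11, 1))
    print(f"notification lag: {lag} days, overdue: {lag > MAX_NOTIFICATION_DAYS}")
```

Run against a real inventory, the same two checks would feed a vulnerability-management dashboard and a credential review, so that an application a year behind on patches, or one whose administrator password still verifies as a vendor default, is flagged long before it can be leveraged.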