
Cyber Incident Victim: Australian Signals Directorate

Date: Jul 2016

Location: Australia

Summary

A hacker stole approximately 30GB of sensitive military data from an Australian defense contractor via compromised systems, including technical specifications for fighter jets, naval vessels, aircraft, and guided munitions. The breach, attributed to weak security practices such as default credentials and limited IT staffing, was discovered months later by an external partner organization. Investigators identified a web shell on the contractor's network but could not conclusively determine whether the intrusion involved opportunistic hacking, economic espionage, or state-sponsored activity. The incident exposed non-public but unclassified technical schematics and operational details related to defense capabilities.


Description

In July 2016, a hacker compromised the network of an unnamed Australian Department of Defence contractor, exfiltrating over 30 GB of sensitive military data. The breach remained undetected until November 2016, when a partner organization alerted the Australian Signals Directorate (ASD) to suspicious activity. The stolen information included technical specifications, diagrams, and operational plans related to critical defense assets, such as the F-35 Joint Strike Fighter, Boeing P-8 Poseidon maritime patrol aircraft, Lockheed Martin C-130 transport planes, JDAM guided bombs, and several naval vessels. While ASD confirmed the data was not classified as "top secret," it contained non-public technical details that could compromise Australia's military capabilities if exploited by adversaries. Initial analysis indicated the attacker leveraged weak authentication practices, including default credentials such as "admin" and "guest" on exposed systems. The contractor's limited cybersecurity resources (a single IT staff member managing security for approximately 50 employees) further weakened its security posture.


ASD investigators discovered the China Chopper web shell on the contractor's servers during their forensic examination, though they could not conclusively determine whether it served as the initial intrusion vector. The agency categorized the incident as a significant compromise of sensitive defense-industrial information, attributing the breach primarily to human error and inadequate security protocols. No evidence confirmed the attacker's identity or motives by the time of ASD's public disclosure in October 2017, and inquiries were ongoing into whether "Alf" (the hacker's ASD-assigned codename, inspired by a character from the TV show *Home and Away*) operated as an individual, a corporate espionage actor, or a state-sponsored entity. The breach underscored systemic risks in supply-chain security, particularly among smaller contractors handling sensitive government data. ASD emphasized the operational consequences of the theft but did not disclose specific mitigation measures taken by the contractor or potential downstream impacts on allied military partnerships.
