back to top

A Hacker The Government Nicknamed After Alf From "Home And Away" Stole Confidential Defence Data

The hacker allegedly stole 30GB of commercially sensitive data on Australia's defence jets.

Posted on

Australia's peak cyber security agency named a hacker who stole gigabytes of confidential defence data from a national security contractor "Alf", after the character Alf Stewart in the long-running Australian soap opera Home And Away.

At a cyber security conference in Sydney yesterday Australian Signals Directorate (ASD) incident manager Mitchell Clarke said that ASD was tipped-off in November 2016 that a hacker had infiltrated the network of an engineering sub-contractor for the Defence Department.

As first reported by technology news site ZDNet, Clarke said that the hacker, which the ASD gave the codename "Alf", was able to obtain around 30GB of data, including technical information on the $16 billion F-35 joint strike fighter, as well as other aircraft and naval vessels.

BuzzFeed News has obtained the audio of the Clarke presentation from freelance tech reporter Stilgherrian. In it Clarke said the aerospace engineering contractor in question had around 50 employees and just one IT person, and that a "significant amount of data" was stolen over a period of around three months by the Alf hacker, which the ASD described as "Alf's Mystery Happy Fun Time".

"For those visitors [from] overseas...Alf is Alf Stewart from an horrific Australia soap opera called Home And Away," he said. "It's just a thing we do."

Here’s the timeline and what the network looked like. #AISACON17

When ASD investigated the hack it found a China Chopper remote shell (a backdoor commonly used by Chinese hackers), and Clarke said that ASD found the Alf hacker had been attempting to use this exploit on a number of Australian IT companies.

And this is what the bad guys got away with. #AISACON17

Clarke described the attack as "nation state espionage".

"They were reading the chief engineer's emails, they were reading the finance person's emails, and they were reading a contracting person's emails," he said.

There was about 30GB of data taken, including ITAR (International Traffic in Arms Regulations) data.

"That ITAR data included information on the JSF - the joint strike fighter, the C130, the P-8 Poseidon, the JDAM — that's a smart bomb — and a few Australian naval vessels," he said.

"To the point where we found one document where it was a diagram of one of the navy's new ships, and you could zoom in down to the captain's chair and see it is one metre away from the nav chair," he said.

Even without this exploit, the company still had used the default username and passwords for many of its logins. Clarke said that this would have made it easier for the hacker to access all the sensitive data on the firm's servers, as the firm used common usernames and passwords on every computer.

"We see this all the time," he said. "Government departments are notorious for doing this."

The Australian Defence Department appears to be in a scramble after Clarke's presentation. When BuzzFeed News sought a copy of the presentation from the department, a reply came from a spokesperson for the Australian Cyber Security Centre (ASCS). It stated the data was not classified, but did not respond to our request.

"Today, while presenting at a conference in Sydney, an ASD official (who works for the ACSC) disclosed information about the theft of data from an Australian company," the spokesperson said.

"While the Australian company is a national security-linked contractor and the information disclosed was commercially sensitive, it was unclassified. The government does not intend to discuss further the details of this cyber incident."

When asked about the incident on ABC RN Breakfast this morning, defence industry minister Christopher Pyne stressed that no military secrets were stolen.

"Fortunately the data that has been taken is commercial data, not military data," he said.

"It's not classified information ... I'm sure there is work being done finding out who did it. It could be a state actor, it could be a non-state actor. It could be someone who is working for another company."

Josh Taylor is a news editor for BuzzFeed News and is based in Sydney.

Contact Josh Taylor at josh.taylor@buzzfeed.com.

Got a confidential tip? Submit it here.