[BreachExchange] Shipbuilder Austal was hacked with stolen creds sold on dark web
Destry Winant
destry at riskbasedsecurity.com
Thu Apr 9 10:17:46 EDT 2020
https://www.itnews.com.au/news/shipbuilder-austal-was-hacked-with-stolen-creds-sold-on-dark-web-546165
Provides full post-mortem of late 2018 attack.
Austal, the ASX-listed shipbuilder and defence contractor, was
compromised in late 2018 by an attacker who used login credentials
purchased on a dark web forum, but who then failed to extract much of
value or secure a ransom to have it returned.
CEO David Singleton provided a full post-mortem of the mid-October
2018 breach last week - which he said included a grilling from senior
government ministers - and revealed cyber defences put in place
afterwards had saved the company from credential phishes as recently
as the past fortnight.
Singleton said the company was breached in October 2018 using stolen
credentials sold on the dark web, a place he characterised as a kind
of “parallel universe… where criminals hide and where criminality is
rife”.
“I still don't really know what [the dark web] is,” Singleton told a
recent industry event.
“[But] in this parallel universe, you can buy company addresses, and
you can buy the passwords that go with those addresses, and you can
use those passwords to enter somebody's system. And that's what
happened to us at Austal.
“Somebody bought passwords from the internet.”
It appeared the stolen credentials were also relatively weak, being
either ‘Password123’ or ‘Austal123’.
The attacker used the stolen credentials to gain access to Austal’s
system on a Sunday afternoon, and was then able to move laterally
“quite easily”.
“The criminal walked around the ‘virtual rooms’ in our ‘house’, and
collected things as [they] went,” Singleton said.
While the attacker did collect data from several systems, they
inexplicably passed over the most valuable material.
“In very many ways we're fortunate in that on the wall in our main
living room was a very expensive Rembrandt - [but] what he actually
ended up doing was stealing the TV set, which is highly replaceable
and has less value,” Singleton said.
“So we were fortunate in many ways, but fortunate only by luck.”
Austal also experienced a second piece of “luck”, with the attacker
triggering an alarm as they stockpiled data for exfiltration.
“The way that we found out what was going on was none other than
[they] took information from rooms inside of the ‘house’, loaded them
into a particular memory drive from which they were then extracting
... to the outside, and [they] overloaded the memory drive,” Singleton
said.
“As a result of overloading the memory drive, it set off an alarm late
on a Sunday night, when everybody was away from the office.
“That was the first trigger that we had that something was amiss and going on.”
Incident response and a ransom demand
When Singleton arrived at the office early Monday, incident response
actions by the company’s Information Systems & Technology (IS&T) team
were already underway.
“The first thing we did was to lock the system up,” he said.
“The IT department was able to move really quickly on that. They shut
down all the external ports and made sure that no more information
could move in or out.”
However, that quickly tipped off the company’s thousands of staff, and
eventually suppliers and customers, that something was wrong.
“All of a sudden, hundreds of your employees know that there's
something amiss. They can't get an email out, they can't get an email
back, they can't access anything and there's a demand to understand
what's going on and the urgency of the situation is increasing moment
by moment,” Singleton said.
“After a few hours you start to get suppliers ringing in and other
people ring in, [asking] ‘what's going on, we're not getting any
information out of you, why can't we send you some data?’.
“So things start to move very very rapidly, and you have to be ready for that.”
Early on, Austal called its insurance company, which - “to show you
the urgency of it - sent somebody from the UK immediately” to help mop
up.
“Within four hours of us placing a call to our insurance company, they
had somebody on a flight in London, coming down to Perth, to help us
with the recovery action, and the reason for that is that they knew
better than anybody the lightning speed of what's going on is so
profound that you have to react to it quickly to minimise the damage,”
Singleton said.
The company also called upon the Australian Cyber Security Centre
(ACSC), which helped to “lock the doors, clean the ‘rooms’ and deal
with the after-effects of what had happened.”
Singleton said that a motive for the attack quickly became apparent.
“The hacker made a ransom demand,” he said.
“This was just plain criminality. This was an individual who just
wanted to extort money from the company in order to return data, and
the way [they] did that was [to] send an email to 50 or 60 people in
the organisation saying, ‘You've been hacked. These are the bitcoins I
need for me to return the data that I have stolen’.
“Fortunately for us as I said earlier, we hadn't lost our Rembrandt,
we'd lost our TV set, and we weren't in a mind at all to deal with
extortion.”
The spring clean
With the assistance of the ACSC, Austal embarked on a “spring clean”
of its systems.
“At that point, we had no idea what was going on inside of our
systems,” Singleton said.
“We didn't know whether somebody put a bug in there. We didn't know
whether our data was being eaten away and destroyed quickly. We didn't
know whether somebody had left some backdoors in so they could come
along later on.”
Austal’s systems - and data - were largely cloud-based, and the company
was confident it had backups.
“About a year before we'd moved our data and our systems to the cloud,
so that helped enormously because it made us really confident that we
had backup files going back as far as we needed to go because of the
quality of the services that we could get from there,” Singleton said.
“So we were never in a position where we were worried about losing our
core data, and that was a great relief to me because the idea that you
could lose vast swathes of data because it's been eaten by some
malignant bug would have been a pretty scary idea.
“It was a lesson to me that the move to the cloud for us had been
really important in us being able to stabilise the situation quickly
and be able to move on.”
Tackling password security, lateral movement
Austal has put significant effort into improving password security in
the wake of the breach.
“The thing that caused the problem was passwords, so immediately after
the event - bear in mind now all of our employees knew what had
happened, and they knew it was as a result of passwords - we forced
two password changes,” Singleton said.
“Everybody had to change their passwords twice over a 24-hour period.
And then at the end of that, we ran [code] that allowed us to look
through everybody's passwords in the company.
“There were 40 versions of these two passwords - Password123 and
Austal123 - which taught me something really important in all of this
... that the weak link in any system can often be your people.
“Even after a cyber break, people were using Password123, and
Austal123 as a password, the very passwords that had gotten cyber
criminals into the system in the first place.”
Singleton said Austal had since put in an Australian-developed
software tool that forces users to set more complex passwords and to
change them frequently.
It also turned on multi-factor authentication so it no longer granted
access to systems using a simple username-password combination alone;
and tightened access privileges to a range of internal systems.
“That means that if somebody got through the front door again, their
ability to move around the system and gather more data is now much
more limited than it would have been before,” Singleton said.
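As an added illustration of the two controls described above (a policy that rejects weak passwords, and a sweep that counts how many accounts share "versions" of the same base word), here is a small Python check. It is not Austal's tool and not code from the article; the organisation name, the blocklist, the minimum length and the sample passwords are all constructed for the demonstration.

```python
"""Added example: a password policy check plus an audit that groups weak
passwords by their base word, so that Password123, Password1234! and
P@ssw0rd123 are counted as versions of one password. Not Austal's tool;
all names and sample values below are constructed."""
import re
from collections import Counter

# Hypothetical organisation name, used to catch "CompanyName123"-style passwords.
ORG_NAME = "austal"

# Constructed blocklist of base words that must never be used, whatever digits
# or symbols are appended to them.
BLOCKED_BASES = {"password", "welcome", "letmein", "qwerty"}

MIN_LENGTH = 14  # assumed policy value

# Common letter-for-symbol substitutions, folded back before comparison so
# that "P@ssw0rd" is treated the same as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "l"})


def base_word(password: str) -> str:
    """Reduce a password to the word it is built on: drop the trailing digits
    and symbols people append to satisfy complexity rules, lowercase it, and
    undo simple leet substitutions."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return stripped.lower().translate(_LEET)


def check_password(password: str, org_name: str = ORG_NAME) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = base_word(password)
    if base in BLOCKED_BASES:
        problems.append(f"built on blocked word '{base}'")
    if org_name in password.lower() or org_name in base:
        problems.append("contains the organisation name")
    return problems


def audit(passwords: list[str]) -> Counter:
    """Count rejected passwords by base word, the way the post-breach sweep in
    the article found 40 versions of two passwords."""
    counts: Counter = Counter()
    for pw in passwords:
        if check_password(pw):
            counts[base_word(pw)] += 1
    return counts


# Constructed sample set; these are not real credentials.
SAMPLE_PASSWORDS = [
    "Password123", "Password1234!", "P@ssw0rd123",
    "Austal123", "Austal2018!", "austal123",
    "Welcome1", "correct-horse-battery-staple-9", "Tr0ub4dor&3",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw:32} {'; '.join(verdict)}")
    print("\nrejected passwords by base word:")
    for base, n in audit(SAMPLE_PASSWORDS).most_common():
        print(f"  {base:32} {n}")
```

In a real deployment the audit would run against password hashes rather than plaintext (for example by hashing each blocklisted base with common suffixes and comparing), and the blocklist would be a large breached-password corpus rather than a handful of words; the grouping by base word is what makes the "40 versions of two passwords" figure visible at all.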
Austal then engaged an external pentester to check its defences. The
pentester was unable to gain access from outside, and - when Austal
let them in - was also unable to perform lateral movement.
“The next thing they did was they sent an individual to walk into the
site,” Singleton said.
“He was an expert at this - and managed to gain entry to the site.
“He had a handful of USB drives, and he went around our organisation
and asked people to put a USB drive into their computer to check the
data that was on it. On that USB drive was a piece of malware that he
had specifically put on that showed that he'd been able to do that.
“He then left a USB drive in our IT department, and somebody in the IT
department picked up the USB drive and put it in their computer, and
also transferred the malware onto our system.
“Again, it taught us the importance of not only electronic security,
but also physical security in our environment as well.”
The company’s authentication systems and internal readiness also
received a real-world test within the past fortnight when a phishing
email from a supposed project engineer from Lithuania arrived in
multiple inboxes.
“What happened was ... 40 people in our organisation in the first hour
clicked on a ‘download proposal’ [button in the email],” Singleton
said.
“When you go to that download proposal, it asks you to put in your
email address and your password.
“Believe it or not, after all that had happened to us, five people put
in their email address and password, which would have given them
access to the system. The thing that saved us was the multi-factor
authentication.”
Victim-blaming
Singleton said he had been advised by the then head of the ACSC,
Alastair MacGibbon, that Austal would wind up copping blame for the
incident.
MacGibbon previously expressed similar sentiments on other hacks.
“The head of the ACSC said to me at the beginning of all of this, ‘You
need to remember all the way through this process you are going to go
through that you are the victim, because what will happen is you will
be shamed as a victim, and people will start to point to you as being
the problem’,” he said.
“He described it to me as some of those really unfortunate stories
we've heard in the past of judges who have apportioned some element of
blame to people who've been the victim of crime: ‘Why were you out at
two o'clock in the morning in that particular area of town? You were
asking for it’.”
This would wind up ringing true.
“I got called up by the Australian government to go and explain myself
to ... some very senior ministers ... about how we had managed to be
hacked when we have defence information on our site,” Singleton said.
“You start to create an environment where people forget you were the
victim and start to think you were in some way the perpetrator.”
Singleton said he had decided to go public in a bid to help other
major companies enable simple protections.
“If enough people talk about the pain of this, the difficulty of this,
the cost of cleaning up afterwards, the disruption to your business,
then maybe more people will do some of these simple things that I've
talked about that really can make a fundamental difference,” he said.