Shipbuilder Austal was hacked with stolen creds sold on the dark web

Originally published by Ry Crozier, Apr 8 2020, 7:05 AM

Provides a full post-mortem of the late-2018 attack. It is being reposted because many companies' defences have not improved: a recent market audit by the Australian Signals Directorate indicated that many companies and directors have not improved their cyber architecture and infrastructure.

Austal, the ASX-listed shipbuilder and defence contractor, was compromised in late 2018 by an attacker who used login credentials purchased on a dark web forum, but who then failed to extract much of value or secure a ransom to have it returned.

CEO David Singleton provided a full post-mortem of the mid-October 2018 breach last week – which he said included a grilling from senior government ministers – and revealed cyber defences put in place afterwards had saved the company from credential phishes as recently as the past fortnight.

Singleton said the company was breached in October 2018 using stolen credentials sold on the dark web, a place he characterised as a kind of “parallel universe… where criminals hide and where criminality is rife”.

“I still don’t really know what [the dark web] is,” Singleton told a recent industry event. 

“[But] in this parallel universe, you can buy company addresses, and you can buy the passwords that go with those addresses, and you can use those passwords to enter somebody’s system. And that’s what happened to us at Austal. 

“Somebody bought passwords from the internet.”

It appeared the stolen credentials were also relatively weak, being either ‘Password123’ or ‘Austal123’.

The attacker used the stolen credentials to gain access to Austal’s system on a Sunday afternoon, and was then able to move laterally “quite easily”.

“The criminal walked around the ‘virtual rooms’ in our ‘house’, and collected things as [they] went,” Singleton said.

While the attacker did collect data from several systems, they inexplicably passed over the most valuable material. 

“In very many ways we’re fortunate in that on the wall in our main living room was a very expensive Rembrandt – [but] what he actually ended up doing was stealing the TV set, which is highly replaceable and has less value,” Singleton said.

“So we were fortunate in many ways, but fortunate only by luck.”

Austal also experienced a second piece of “luck”, with the attacker triggering an alarm as they stockpiled data for exfiltration.

“The way that we found out what was going on was none other than [they] took information from rooms inside of the ‘house’, loaded them into a particular memory drive from which they were then extracting … to the outside, and [they] overloaded the memory drive,” Singleton said.

“As a result of overloading the memory drive, it set off an alarm late on a Sunday night, when everybody was away from the office.

“That was the first trigger that we had that something was amiss and going on.”

Incident response and a ransom demand

When Singleton arrived at the office early Monday, incident response actions by the company’s Information Systems & Technology (IS&T) team were already underway.

“The first thing we did was to lock the system up,” he said.

“The IT department was able to move really quickly on that. They shut down all the external ports and made sure that no more information could move in or out.”

However, that quickly tipped off the company’s thousands of staff, and eventually suppliers and customers, that something was wrong.

“All of a sudden, hundreds of your employees know that there’s something amiss. They can’t get an email out, they can’t get an email back, they can’t access anything and there’s a demand to understand what’s going on and the urgency of the situation is increasing moment by moment,” Singleton said.

“After a few hours, you start to get suppliers ringing in and other people ring in, [asking] ‘what’s going on, we’re not getting any information out of you, why can’t we send you some data?’. 

“So things start to move very very rapidly, and you have to be ready for that.”

Early on, Austal called its insurance company, which – “to show you the urgency of it – sent somebody from the UK immediately” to help mop up.

“Within four hours of us placing a call to our insurance company, they had somebody on a flight in London, coming down to Perth, to help us with the recovery action, and the reason for that is that they knew better than anybody the lightning speed of what’s going on is so profound that you have to react to it quickly to minimise the damage,” Singleton said.

The company also called upon the Australian Cyber Security Centre (ACSC), which helped to “lock the doors, clean the ‘rooms’ and deal with the after-effects of what had happened.”

Singleton said that a motive for the attack quickly became apparent.

“The hacker made a ransom demand,” he said.

“This was just plain criminality. This was an individual who just wanted to extort money from the company in order to return data, and the way [they] did that was [to] send an email to 50 or 60 people in the organisation saying, ‘You’ve been hacked. These are the bitcoins I need for me to return the data that I have stolen’.

“Fortunately for us, as I said earlier, we hadn’t lost our Rembrandt, we’d lost our TV set, and we weren’t in a mind at all to deal with extortion.”

The spring clean

With the assistance of the ACSC, Austal embarked on a “spring clean” of its systems.

“At that point, we had no idea what was going on inside of our systems,” Singleton said.

“We didn’t know whether somebody put a bug in there. We didn’t know whether our data was being eaten away and destroyed quickly. We didn’t know whether somebody had left some backdoors in so they could come along later on.”

Austal’s systems – and data – were largely cloud-based, and the company was confident it had backups.

“About a year before we’d moved our data and our systems to the cloud, so that helped enormously because it made us really confident that we had backup files going back as far as we needed to go because of the quality of the services that we could get from there,” Singleton said.

“So we were never in a position where we were worried about losing our core data, and that was a great relief to me because the idea that you could lose vast swathes of data because it’s been eaten by some malignant bug would have been a pretty scary idea.

“It was a lesson to me that the move to the cloud for us had been really important in us being able to stabilise the situation quickly and be able to move on.”

Tackling password security, lateral movement

Austal has put significant effort into improving password security in the wake of the breach.

“The thing that caused the problem was passwords, so immediately after the event – bear in mind now all of our employees knew what had happened, and they knew it was as a result of passwords – we forced two password changes,” Singleton said.

“Everybody had to change their passwords twice over a 24-hour period. And then at the end of that, we ran [code] that allowed us to look through everybody’s passwords in the company.

“There were 40 versions of these two passwords – Password123 and Austal123 – which taught me something really important in all of this … that the weak link in any system can often be your people. 

“Even after a cyber break, people were using Password123, and Austal123 as a password, the very passwords that had gotten cybercriminals into the system in the first place.”

Singleton said Austal had since put in an Australian-developed software tool that forces users to set more complex passwords and to change them frequently.
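The two checks described above, a sweep of the existing credential store for the known-weak passwords and a policy gate on new ones, can be reproduced in a few dozen lines. The following is an added example written for this repost, not Austal's code or the Australian tool the article mentions; the credential store, the PBKDF2 hashing scheme, the per-user salts and the sample users are all constructed for illustration, and only the two password strings and the company name come from the article.

```python
"""Constructed example: audit a salted, hashed credential store for known-weak
passwords, and reject new passwords that fall into the same patterns."""
import hashlib
import hmac
import os
import re

# Work factor for this example only; production stores use a far higher value
# (or a memory-hard scheme), which makes the audit proportionally slower.
ITERATIONS = 10_000

# The two passwords named in the article, plus words that should never appear.
BANNED_BASES = ("Password123", "Austal123")
BANNED_WORDS = ("austal", "password")

# Trailing characters users typically add when told to "change" a banned password.
SUFFIXES = ("", "!", "1", "?")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the real store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(username: str, password: str) -> dict:
    """Constructed credential record: random per-user salt plus hash, no plaintext."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def candidate_variants(bases=BANNED_BASES, suffixes=SUFFIXES) -> list:
    """Casing and suffix variants of each banned base password."""
    out = set()
    for base in bases:
        for cased in (base.lower(), base.capitalize(), base.upper()):
            for suffix in suffixes:
                out.add(cased + suffix)
    return sorted(out)


def audit_store(records, variants=None) -> dict:
    """Return {username: matched_variant} for every record whose stored hash equals
    the hash of a banned variant under that user's own salt. Because each user has
    a distinct salt, every variant must be hashed once per user; that cost is the
    price of a correctly salted store and is why the audit runs offline."""
    variants = variants or candidate_variants()
    hits = {}
    for rec in records:
        for pw in variants:
            if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
                hits[rec["user"]] = pw
                break
    return hits


def policy_check(password: str, min_length: int = 14) -> list:
    """Reasons a proposed new password should be rejected (empty list = accepted)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for word in BANNED_WORDS:
        if word in lowered:
            reasons.append(f"contains banned word '{word}'")
    if lowered.rstrip("!?") in {v.lower() for v in candidate_variants()}:
        reasons.append("matches a known-compromised password")
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        reasons.append("dictionary word followed by digits")
    return reasons


# Constructed sample store; none of these are real accounts.
SAMPLE_RECORDS = [
    make_record("alice", "Password123"),
    make_record("bob", "Austal123!"),
    make_record("carol", "correct horse battery staple"),
    make_record("dave", "austal123"),
]


def run_audit() -> dict:
    """Audit the constructed sample store against the banned-variant list."""
    return audit_store(SAMPLE_RECORDS)


if __name__ == "__main__":
    for user, pw in run_audit().items():
        print(f"{user}: banned password in use ({pw})")
    print(policy_check("Austal123"))
```

Two design points worth noting: the audit compares hashes rather than ever handling plaintext, so it can be run by the same people who already administer the store without widening access to passwords; and the policy gate rejects on substrings and patterns (company name, word-plus-digits) rather than only exact matches, which is what stops "Austal1234" from replacing "Austal123".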

It also turned on multi-factor authentication so it no longer granted access to systems using a simple username-password combination alone; and tightened access privileges to a range of internal systems.

“That means that if somebody got through the front door again, their ability to move around the system and gather more data is now much more limited than it would have been before,” Singleton said.

Austal then engaged an external pentester to check its defences. The pentester was unable to gain access from outside, and – when Austal let them in – was also unable to perform lateral movement.

“The next thing they did was they sent an individual to walk into the site,” Singleton said.

“He was an expert at this – and managed to gain entry to the site.

“He had a handful of USB drives, and he went around our organisation and asked people to put a USB drive into their computer to check the data that was on it. On that USB drive was a piece of malware that he had specifically put on that showed that he’d been able to do that. 

“He then left a USB drive in our IT department, and somebody in the IT department picked up the USB drive and put it in their computer, and also transferred the malware onto our system.

“Again, it taught us the importance of not only electronic security, but also physical security in our environment as well.”

The company’s authentication systems and internal readiness also received a real-world test within the past fortnight when a phishing email from a supposed project engineer from Lithuania arrived in multiple inboxes. 

“What happened was … 40 people in our organisation in the first hour clicked on a ‘download proposal’ [button in the email],” Singleton said. 

“When you go to that download proposal, it asks you to put in your email address and your password. 

“Believe it or not, after all that had happened to us, five people put in their email address and password, which would have given them access to the system. The thing that saved us was the multi-factor authentication.”

Victim-blaming

Singleton said he had been advised by the then head of the ACSC, Alastair MacGibbon, that Austal would wind up copping blame for the incident.

MacGibbon previously expressed similar sentiments on other hacks.

“The head of the ACSC said to me at the beginning of all of this, ‘You need to remember all the way through this process you are going to go through that you are the victim, because what will happen is you will be shamed as a victim, and people will start to point to you as being the problem’,” he said.

“He described it to me as some of those really unfortunate stories we’ve heard in the past of judges who have apportioned some element of blame to people who’ve been the victim of crime: ‘Why were you out at two o’clock in the morning in that particular area of town? You were asking for it’.”

This would wind up ringing true.

“I got called up by the Australian government to go and explain myself to … some very senior ministers … about how we had managed to be hacked when we have defence information on our site,” Singleton said.

“You start to create an environment where people forget you were the victim and start to think you were in some way the perpetrator.”

Singleton said he had decided to go public in a bid to help other major companies enable simple protections.

“If enough people talk about the pain of this, the difficulty of this, the cost of cleaning up afterwards, the disruption to your business, then maybe more people will do some of these simple things that I’ve talked about that really can make a fundamental difference,” he said.