Cyber Adversaries Targeting Defence Contractors
Download CSOC Protect Notice, Cyber Adversaries Targeting Defence Contractors (PDF), August 2012
- Cyber adversaries regularly target Australian Government Department of Defence (Defence) information, both classified and unclassified, in an attempt to gain an economic or strategic advantage.
- Defence contractors need to apply appropriate protection to their networks to ensure that information provided to or developed for Defence is effectively protected.
- The following information aims to assist Defence contractors with appropriately securing Defence information and highlights factors for consideration.
Defence contractors hold valuable Defence information
- State-sponsored actors are the foremost cyber threat to Australia. Such adversaries seek Defence, national security and commercial information to identify vulnerabilities in Australian capability or to further their own economic or strategic advantage.
- Defence contractors, both in Australia and overseas, have reported significant increases in malicious cyber activity against their networks and are priority targets for adversaries.
- Often the value to a cyber adversary of the information contained on a Defence contractor’s network is not immediately evident. Unclassified information can still be sensitive; in particular, wholesale aggregation of unclassified information can present a threat to Australia’s interests.
- Recent examples of cyber adversaries compromising Defence or government contractors include the compromises of:
- a major US information technology contractor Booz Allen Hamilton, which resulted in the release of 90,000 email accounts and, potentially, US military passwords
- HB Gary Federal, which prompted its CEO’s resignation after cyber adversaries compromised gigabytes of internal data, internal emails and websites
- security vendor RSA, which led to subsequent targeting of major US defence contractor Lockheed Martin, responsible for key projects including the F-35 Joint Strike Fighter, L-3 Communications and Northrop Grumman. This incident is reported to have cost RSA US$90 million.
- Cyber intrusion techniques are many and varied. Recurring methods include socially-engineered malicious emails targeting high-ranking members of organisations and their support staff. Adversaries exploit common security vulnerabilities such as unpatched applications or operating systems, the use of similar passwords across systems, or the use of non-work systems for official purposes.
- To protect Defence information and prevent malicious cyber activity, the following strategies should be implemented.
- It is highly recommended that all Defence contractors implement the top four strategies in DSD’s Strategies to Mitigate Targeted Cyber Intrusions.
- application whitelisting.
- patching third party applications
- patching operating systems
- minimising administrative privileges
- When implemented as a package, these strategies have the potential to prevent at least 85% of targeted cyber intrusions. It will also make it significantly more difficult for an adversary to get malicious code to run on your network or continue to run undetected. After implementing the top four strategies, you should also consider implementing the other 31 strategies as required to protect further your network.
- Perform regular vulnerability assessments. Regularly review your network for vulnerabilities, particularly after significant changes, and implement appropriate mitigations where required. Vulnerability assessments can be done in-house by your IT security team or by an independent provider using both automated and manual methods.
- Consider implementing and sustaining an education program for contractors and employees. This will provide your contractors and employees with a better understanding of common Internet and network threats such as socially engineered emails, malicious websites or the danger of poor password policies.
- Report incidents early and often. This includes informing Defence of any network intrusions that could potentially threaten stored data.
- Seeking assistance early can mitigate or prevent a potentially dangerous and embarrassing compromise.
- By immediately informing internal parties (such as an IT security area) and external parties (such as CERT Australia or the Cyber Security Operations Centre (CSOC)), technical and policy assistance can be provided without delay and will contribute to safeguarding Defence information.
- Use available information security resources. Initiatives such as the Defence Industry Security Program (DISP) and organisations such as CERT Australia provide preventative and response advice, while DSD publishes a range of information security products on its public website.
- Defence sponsorship of contractors into the DISP helps to ensure that Defence contractors provide, and are provided with, appropriate security guidance and assurance.
- Defence contractors with membership to the DISP also have access to the electronic Defence Security Manual (eDSM), which details the standards, processes and procedures that direct the application of protective security measures by Defence personnel and external service providers.
- The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian Government systems
- DSD’s Strategies to Mitigate Targeted Cyber Intrusions and other DSD products such as Detecting Socially Engineered Emails, Restricting Administrative Privileges Explained and Application Whitelisting Explained complement the advice in the ISM.
Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.
Australian businesses and other private sector organisations seeking further information should contact CERT Australia.