With financial institutions admitting data breaches, some very serious, others less so, it seems governments are also taking the opportunity to disclose information concerning hacks. This week saw both the Australian Government and the South Korean Government admitting that sensitive information, in South Korea’s case classified information, was stolen. In the Australian hack, a total of 30 GB of sensitive data pertaining to the military and its equipment was stolen. In the South Korean hack, North Korea is accused of stealing approximately 235 GB of data, which included classified plans detailing the response of the South and its allies in case of war with the North.
Hacker dubbed “Alf” steals Australian military information
Australia’s foreign intelligence collection agency, the Australian Signals Directorate (ASD), confirmed earlier this week that a hacker stole over 30 GB of data on the country's military capabilities, including details on fighter jets, military aircraft, and naval ships. The breach of sensitive information began in July 2016, and the ASD was alerted to it in November 2016. The breach occurred at an unnamed Department of Defence contractor, an ASD official told local press yesterday at an industry conference in Sydney.
Mitchell Clarke, an ASD spokesperson, said the hacker did not steal "top secret" data, but the breach did expose sensitive information not accessible to the public, including confidential information, diagrams, and plans about the country's military response capabilities. The stolen data included details on the new F-35 Joint Strike Fighter jet, the Boeing P-8 Poseidon submarine-hunting airplane, Lockheed-Martin C-130 transport aircraft, JDAM guided bombs and data on naval ships that form part of Australia’s navy.
Little information was presented to the public as to how exactly the breach occurred, but human error has been blamed for the attack. It appeared that the company in question relied on weak passwords such as the generic “guest” and “admin” defaults to protect its network. The company employed a single IT professional to secure a network serving over 50 employees, and the use of default passwords has been put down to oversight and human error.
During ASD’s investigation, experts discovered the China Chopper web shell on the company's servers. It is unclear if this was the hacker's entry point. Investigations are still ongoing, and it is still unclear whether the breach was the work of a low-skilled hacker, a case of economic espionage, or the work of a nation-state cyber-intelligence actor. In a display of typical Australian humor, investigators at ASD codenamed the hacker "Alf," after a character in the Australian TV soap opera "Home and Away."
The China Chopper web shell
Security researchers at FireEye have described China Chopper as “The little malware that could.” It is not a piece of malware that comes up often on researchers' radars, and it has earned a reputation as a massively underrated hacking tool. China Chopper is a fairly simple backdoor in terms of components, consisting of a web shell command-and-control (CnC) client binary and a text-based web shell payload (the server component). The text-based payload is so simple and short that an attacker could type it by hand right on the target server; because of its size, it requires no file transfer at all.
Considering the malware’s tiny size, 4 kilobytes in total, it is incredibly capable. The web shell client gives the attacker the ability to spider and to brute-force password guessing against authentication portals. In addition to vulnerability hunting, the web shell has excellent CnC features, and the client and payload together provide file management, database management, and a virtual terminal.
China Chopper is incredibly stealthy, and its stealth is attributed to four factors: its size, its server-side content, its client-side content, and antivirus detection rates. With regard to size, both legitimate and illegitimate software need more code to offer more features, which makes them easier to detect. At only 4 kilobytes on disk, or 73 bytes for the aspx version, China Chopper is small enough to be slipped into a system without detection. Because of these factors, antivirus software struggles to detect the web shell, as the code itself does not read as inherently malicious. Given all of the above, China Chopper deserves more credit than it has received; if the Australian breach is proven to have resulted from this stealthy web shell, it might receive more attention and, as a result, help prevent further data breaches.
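Because the server side of such a web shell is a tiny text file whose only real tell is that it evaluates code taken straight from an HTTP request parameter, a web root sweep for that pattern is a cheap detective control. The following is an added example, not code from the article or from FireEye; the regexes, file extensions and size threshold are assumptions chosen for illustration, and the fixture files are constructed inline (the flagged one is a non-functional fragment that merely mimics the eval-of-request shape).

```python
import os
import re
import tempfile

# Assumed indicator patterns: dynamic code evaluation fed directly from a
# request parameter, for the server languages text-based web shells target.
SHELL_PATTERNS = {
    "aspx_eval_request": re.compile(rb'eval\s*\(\s*Request\.Item\s*\[', re.I),
    "php_eval_request": re.compile(rb'eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[', re.I),
    "jsp_eval_request": re.compile(rb'eval\s*\(\s*request\.getParameter\s*\(', re.I),
}
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php", ".jsp"}
TINY_FILE_BYTES = 1024  # assumed: a real page is rarely this small, a one-liner shell always is


def scan_file(path):
    """Return the names of the indicator patterns found in one file (empty if clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]


def scan_webroot(root):
    """Walk a web root; return {path: {"size": bytes, "tiny": bool, "hits": [...]}}
    for every server-side file that matches at least one indicator."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                size = os.path.getsize(path)
                findings[path] = {"size": size, "tiny": size <= TINY_FILE_BYTES, "hits": hits}
    return findings


def build_sample_webroot():
    """Constructed fixture: one ordinary page and one tiny eval-of-request fragment."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.aspx"), "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %>\n<html><body><h1>Catalogue</h1>\n'
                 b'<% Response.Write(DateTime.Now); %>\n</body></html>\n')
    with open(os.path.join(root, "t.aspx"), "wb") as fh:
        fh.write(b'<% eval(Request.Item["k"]) %>')  # constructed, non-functional fragment
    return root


if __name__ == "__main__":
    for path, info in scan_webroot(build_sample_webroot()).items():
        print(f"{path}: {info['size']} bytes, tiny={info['tiny']}, hits={info['hits']}")
```

In production the sweep would be combined with a baseline of known-good file hashes and modification times, since the size and eval-of-request tells are cheap to evade once an attacker knows they are in use.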
South Korean war plans stolen
Hackers from North Korea are reported to have stolen a large cache of military documents from South Korea, including a plan to assassinate North Korea's leader Kim Jong-un. Rhee Cheol-hee, a South Korean lawmaker, said the information came from his country's defense ministry. The stolen data included not only a planned assassination scenario but also battle plans drawn up between the US and South Korea, plans for the South's Special Forces, and information on significant power plants and military facilities in the South. Rhee further explained that at least 80% of the stolen data still needs to be identified, and it is unclear how far military cooperation between South Korea and its allies has been undermined. The breach came to the attention of authorities in September 2016.
Relations between the North and the South have been far from cordial for generations. This incident is unlikely to improve a situation feared to flare up at the smallest offense or miscalculation, so South Korea blaming the small hermit kingdom will further exacerbate matters, even if the North was responsible. North Korea is known to be behind some of recent history's more infamous hacks, and it is widely believed to have specially trained hackers based overseas, including in China. North Korea has denied any involvement in the latest breach and accuses South Korea of fabricating the claims.
Given the recent war of words between the North and the US, this latest incident will do little to ease tensions. The world may have to hold its breath for a while longer to see if this storm can be safely navigated.