F-35 Joint Strike Fighter Plans Stolen

With financial institutions admitting data breaches, some very serious and others less so, it seems governments are also taking the opportunity to disclose information about hacks. This week both the Australian Government and the South Korean Government admitted that sensitive information, in South Korea’s case classified information, was stolen. In the Australian hack, a total of 30 GB of sensitive data pertaining to the military and its equipment was stolen. In the South Korean hack, North Korea is accused of stealing approximately 235 GB of data, which included classified plans detailing the response of the South and its allies in case of war with the North.

Hacker dubbed “Alf” steals Australian military information

Australia’s foreign intelligence collection agency, the Australian Signals Directorate (ASD), confirmed earlier this week that a hacker stole over 30 GB of data on the country's military capabilities, including details on fighter jets, military aircraft, and naval ships. The breach of sensitive information began in July 2016 and the ASD was alerted to the breach in November 2016. The breach occurred at an unnamed Department of Defence contractor, an ASD official told local press, yesterday, at an industry conference in Sydney.

Mitchell Clarke, an ASD spokesperson, said the hacker did not steal "top secret" data, but the breach did involve sensitive information not accessible to the public, including confidential information, diagrams, and plans about the country's military response capabilities. The stolen data included details on the new F-35 Joint Strike Fighter jet, the Boeing P-8 Poseidon submarine-hunting airplane, Lockheed Martin C-130 transport aircraft, JDAM guided bombs, and data on naval ships which form part of Australia’s navy.


Little information was presented to the public as to how exactly the breach occurred, but human error has been blamed for the attack. It appears that the company in question relied on weak passwords, such as the generic “guest” and “admin” defaults, to protect its network. The company employed a single IT professional to secure a network serving over 50 employees, and the use of default passwords has been put down to oversight and human error.

During ASD’s investigation, experts discovered the China Chopper web shell on the company's servers. It is unclear whether this was the hacker's entry point. Investigations are still ongoing, and it is not yet clear whether the breach was the work of a low-skilled hacker, a case of economic espionage, or a nation-state cyber-intelligence actor. In a display of typical Australian humor, investigators at ASD codenamed the hacker "Alf," after a character in the Australian TV soap opera "Home and Away."

The China Chopper web shell

Security researchers at FireEye have described China Chopper as “The little malware that could.” It is not a piece of malware that comes up often on researchers’ radars, and it has earned a reputation for being a massively underrated hacking tool. China Chopper is a fairly simple backdoor in terms of components, consisting of the web shell command-and-control (CnC) client binary and a text-based web shell payload (the server component). The text-based payload is so simple and short that an attacker could type it by hand directly on the target server; because of its size, no file transfer is required.

Considering the malware’s tiny size, 4 kilobytes in total, it is incredibly capable. The web shell client gives the attacker the ability to spider sites and to brute-force passwords against authentication portals. In addition to vulnerability hunting, the web shell has excellent CnC features and, when the client and payload are combined, is capable of file management, database management, and providing a virtual terminal.

China Chopper is incredibly stealthy, and its stealth is attributed to four factors: its size, its server-side content, its client-side content, and antivirus detection rates. With regard to size, software, legitimate or not, needs more code to offer more features, which makes it easier to detect. With China Chopper being only 4 kilobytes on disk, or 73 bytes for the aspx version, it is small enough to be slipped into a system without detection. As a result of such factors, antivirus software struggles to detect the web shell, since the actual code does not read as inherently malicious. Given all of the above, China Chopper deserves more credit than it has received; if it is proven that the Australian breach was the result of this stealthy web shell, it might receive more attention and, as a result, help prevent further data breaches.
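Because the server component is a few dozen bytes of text that simply evaluates a request parameter, file size is no filter and content inspection is what catches it. As an added defensive example (not code from the article, ASD or FireEye), the scanner below walks a web root and flags script files whose body matches that "eval a request parameter" pattern; the regex names, the 512-byte threshold and the constructed sample files are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Indicators for "eval a request parameter" one-line web shells, China Chopper style.
# These regexes are this example's own assumptions, not vendor signatures.
SHELL_PATTERNS = [
    ("aspx_eval_request", re.compile(rb"eval\s*\(\s*Request\.(?:Item|Form|Params)\s*\[", re.I)),
    ("php_eval_request", re.compile(rb"eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I)),
    ("jscript_unsafe_eval", re.compile(rb"\[[^\]]*\]\s*,\s*[\"']unsafe[\"']\s*\)", re.I)),
]
SMALL_FILE_BYTES = 512  # the server side is tiny (73 bytes for the aspx version), so size is only a hint
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php", ".jsp"}


def classify_content(data: bytes) -> dict:
    """Return which indicators fire for one file body."""
    hits = [name for name, rx in SHELL_PATTERNS if rx.search(data)]
    return {"size": len(data), "small": len(data) <= SMALL_FILE_BYTES,
            "patterns": hits, "suspicious": bool(hits)}


def scan_webroot(root: Path) -> list:
    """Walk a web root and report script files whose content matches a shell indicator."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            verdict = classify_content(path.read_bytes())
            if verdict["suspicious"]:
                findings.append((str(path.relative_to(root)), verdict))
    return findings


def demo() -> list:
    """Constructed web root: one benign page and one tiny indicator fragment hidden in a subfolder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.aspx").write_bytes(b'<%@ Page Language="C#" %><html><body>Hello</body></html>')
        (root / "img").mkdir()
        # constructed sample: the eval-request fragment a scanner must catch despite its size
        (root / "img" / "x.aspx").write_bytes(b'<%eval(Request.Item["p"],"unsafe");%>')
        return scan_webroot(root)


if __name__ == "__main__":
    for name, verdict in demo():
        print(name, verdict)
```

In production the same check belongs in a file-integrity baseline so that a new or changed script under the web root is reviewed rather than only pattern-matched.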

South Korean war plans stolen

Hackers from North Korea are reported to have stolen a large cache of military documents from South Korea, including a plan to assassinate North Korea's leader Kim Jong-un. Rhee Cheol-hee, a South Korean lawmaker, said the information came from his country's defense ministry. Not only was a planned assassination scenario included in the stolen data, but also battle plans drawn up between the US and South Korea. Also included were plans for the South's special forces and information on significant power plants and military facilities in the South. Rhee further explained that at least 80% of the stolen data still needs to be identified, and it is unclear to what extent military cooperation between South Korea and its allies has been undermined. The breach came to the attention of authorities in September 2016.

Relations between the North and the South have been far from cordial for generations, and this incident is unlikely to improve a situation feared to flare up at the smallest offense or miscalculation. South Korea blaming the hermit kingdom will thus further exacerbate matters, even if the North was responsible. North Korea is known to be behind some of recent history's more infamous hacks, and it is widely believed to have specially trained hackers based overseas, including in China. North Korea has denied any involvement in the latest breach and accuses South Korea of fabricating the claims.

Given the recent war of words between the North and the US, this latest incident will do little to ease tensions. The world may have to hold its breath for a while longer to see if this storm can be safely navigated.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
