“There is a lot of work ASIO is doing to harden up right along that supply chain with a number of smaller businesses and some of the bigger ones … to make sure they have in place the protections necessary,” he said.

“There is already a lot that we do online and a lot of work we do with our Five Eyes partners in this regard to either proactively neutralise the threat or deal with it as it becomes evident.”

National security experts said that while Defence had a solid cyber security regime, it was badly exposed by poor practices among many of its small and mid-tier suppliers. These problems were highlighted by Mr Keelty’s review, which took more than a year to complete and led to the establishment of a taskforce responsible for plugging the holes.

The taskforce’s work and the initial review are classified and will not be made public, the Department said in a statement. It added that the taskforce was scheduled to complete its upgrade of cyber defences by the end of this year.

Photo caption: Former AFP chief Mick Keelty.

“The review was wide ranging and designed to ensure Defence security policies, systems and procedures were appropriate for the contemporary security environment,” a Defence spokesman said. “It was not conducted as a result of a specific threat or incident.”

Defence and national security sources said a key recommendation of the Keelty review, being implemented by the taskforce, was forcing suppliers to adopt higher security standards in order to win contracts with the Department.

Adrian Nish, the head of threat intelligence at British defence contractor BAE Systems and the author of a comprehensive report on state-sponsored hacking, said Western defence industry contractors were the original targets of the so-called “Cloud Hopper” attacks, first noticed in 2009.

“Cloud Hopper” refers to the technique used by the Chinese group, known as APT10 or Stone Panda, to “hop” from cloud storage services into the main IT system of a department or company.

Mr Nish said the Cloud Hopper group had broadened its hacking from defence contractors to mining, engineering and professional service companies in more recent years. “It is still active,” he said, noting it was continuing to target outsourced IT services as a way to penetrate the main network of an organisation.

Mike Sentonas, a vice president at cyber security firm CrowdStrike who has linked the Cloud Hopper attacks with China’s Ministry of State Security, said Defence and other government departments had advanced protections in place, so hackers needed to find another entry point. He said hackers focused on third-party suppliers as a way to “exploit the trust between an organisation, or government department and its business and technology providers.”

The MSS has been accused of overseeing a surge in attacks on Australian companies over the past 12 months, in direct violation of a cyber security pact struck only last year between Beijing and Canberra.

The lack of attention to cyber security among government contractors was badly exposed last October when a Polish researcher discovered a cache of data left open in an Amazon cloud storage facility. This included names, login information, phone numbers and credit card details for employees at the Department of Finance, the Australian Electoral Commission and the National Disability Insurance Scheme, along with the corporates AMP and UGL.

Further confidential information around salary, travel and invoices was also left unsecured.

“It wasn’t a hack or something sophisticated,” said the researcher, who discovered the security flaw and goes by the name Wojciech. “It was just one small fault which could lead to havoc in these organisations.”

Wojciech, who identified himself as a so-called “white hat” or ethical hacker, alerted the Australian Signals Directorate (ASD) to the poor security at the time. ASD said it alerted the third-party contractor, which has never been identified, and the problems were fixed. Crucially, however, ASD would not say whether anyone else had accessed the information before Wojciech identified the problem. Speculation around Canberra is that other, more hostile actors accessed the data, which could have been used for inserting malware or gathering human intelligence.