Exclusive: Threat actor alleges treasure trove of sensitive Hunter, Collins class info

The threat actor claimed it had breached the network earlier this year after exploiting a known vulnerability in an older VPN appliance.

“And that’s where the fun began. We didn’t rush. We didn’t smash and grab. We set up tools, moved laterally, dumped hashes, and just… lived there. For five months,” J wrote.

“After 150 days of uninterrupted access, you don’t just steal data; you curate a museum of corporate secrets.”

This long-term access and lateral movement is known as ‘Living-off-the-land’, a set of techniques where threat actors use legitimate, pre-installed system and network tools to engage in cybercriminal activity.

According to the listing, the company has a wealth of files containing personal staff data such as passport scans, client communications & contacts from major defence contractors and agencies, and files pertaining to specific major projects such as BAE Systems’ Hunter Class Frigate Program, the Australian Submarine Corporation’s Collins Class submarines, and Damen Shipbuilders tender responses.

“This isn’t about how ‘elite’ we are. The bar was non-existent,” J added.

VIEW ALL

“This is a masterclass in supply chain risk. IKAD isn’t building the submarine, but they’re building the pumps for it. They are a certified, trusted link in a chain that leads directly to national security hardware.”

In response to Cyber Daily’s request for comment, IKAD said it was aware of the incident, and could confirm that some non-sensitive data relating to contracts and internal information had been exfiltrated.

“IKAD Engineering is currently investigating a cyber incident involving unauthorised access to a portion of our internal IT systems by an external third party,” the company’s CEO, Gerard Dyson, said.

“Following a detailed investigation into the incident with the assistance of cyber security experts, we have determined that some non-sensitive project information relating to our contracts as well as some internal HR information has been impacted.

“As soon as we discovered the incident, we worked to ensure that individuals, partners, and clients were notified and we are committed to providing them with guidance and support.”

The company also said that the hackers engaged in a brutal harassment campaign against staff to increase pressure.

“The individual or individuals responsible have engaged in aggressive tactics to apply pressure on our business, including the harassment of individuals,” the statement continued.

IKAD says it has engaged third-party cyber professionals, relevant government agencies and law enforcement as part of its response.

“With the support of external experts, we are conducting an urgent review of the data to determine if any customers or individuals who have not previously received a notification from us are impacted. If so, we will notify those customers and individuals accordingly,” Dyson added.

“We understand this news may cause concern and IKAD is investigating this development as part of its ongoing response.

“We have also been working closely with law enforcement in response to this incident and have notified the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), Western Australia Police Force, Australian Federal Police (AFP), the Office of the Australian Information Commissioner (OAIC) and Defence Industry Security Program (DISP).

“We would like to assure our partners, clients and staff that we have secured our systems and put additional security measures in place to prevent reoccurrence. We are also working with experts from across the cyber security industry and have sophisticated monitoring in place to detect any further developments.”

J Group is a relatively fresh ransomware operation that first appeared in February 2025. So far, the group has listed 41 victims, but not much is known about the operation as of yet.

One of the group’s first victims was Ausfec Limited, which trades as The Distributors.

Ausfec was listed on the J Group dark web leak site on 22 February 2025; however, the page shows no information other than that the group claimed to have exfiltrated 204 gigabytes of data.

The brands it distributes include Red Bull, Smith’s, Whittaker’s, and Bayer, while its customers include FoodWorks, IGA, Caltex, and 7-Eleven.

The file listing suggests that 4,782 directories were accessed, totalling more than 120,000 files. The data largely appears to be distribution agreements and invoices relating to The Distributors’ clients and customers, product allocations, and banking documents.

The Distributors did not respond to Cyber Daily’s request for comment.

The Royal Australian Navy’s Hunter class frigates are currently being built by BAE Systems Australia under a AU$45 billion contract at their digital naval shipbuilding facility at Osborne in South Australia.

The fleet of six ships are expected to begin delivery from 2030 and have been designed to be the world’s most lethal anti-submarine warfare ships at a time when more than 50 per cent of the world’s submarines will be operating in the Indo-Pacific.

Meanwhile, Australia’s troubled Collins class submarine fleet will continue to serve as a strategic force multiplier long after their expected service life, well into the 2030s, following the arrival of the first of Australia’s conventionally-armed, nuclear-powered submarines beginning in 2032.

Responding to questions, a spokesperson for the Australian Submarine Corporation (ASC) - which is responsible for the build and complex suite of throughlife upgrades for the Collins class - a spokesperson for the company said, "IKAD Engineering is not a supplier to ASC and has never been provided with any technical or sensitive data from us."