Hack Attack Breaches Australian Parliament Network


No Signs of Data Theft; Password Resets Ordered

(euroinfosec) • February 8, 2019

Hackers have breached the Australian Parliament's network, although investigators say they have found no evidence that attackers stole any data.

But the presiding officers of Parliament, in Canberra, said all users have been ordered to reset their passwords as a precaution.

"Following a security incident on the parliamentary computing network, a number of measures have been implemented to protect the network and its users," Tony Smith, speaker of the lower House of Representatives, and Scott Ryan, president of the upper house, the Senate, said in a joint statement issued on Friday.

"All users have been required to change their passwords," they said. "This has occurred overnight and this morning."

Parliament's network includes legislators' email archives, The New York Times reported.

The country's signals intelligence agency, the Australian Signals Directorate, as well as the Department of Parliamentary Services are probing the intrusion, according to Australian media reports.

Lawmakers Caution: Don't Rush Attribution

Smith and Ryan cautioned that it's too soon to try and attribute the attack (see Stop the Presses: Don't Rush Tribune Ransomware Attribution).

"Accurate attribution of a cyber incident takes time and investigations are being undertaken in conjunction with the relevant security agencies," Smith and Ryan said. "We are not in a position to provide further information publicly at this stage. Updates will be provided to members and senators and the media as required."

The head of the Australian Cyber Security Center, Alastair MacGibbon, declined to speculate about the identity of the attacker.

"My primary concern is making sure we get that offender out and we keep the offender out," he told Australian Associated Press.

Addressing reporters on Friday, Prime Minister Scott Morrison likewise declined to speculate about the identity of the attacker, and he reiterated that the attack appeared to be limited to targeting Parliament's network.

"I should stress that there is no suggestion that government departments or agencies have been the target of any such incursion," Morrison said, Associated Press reported.

Nevertheless, multiple Australian media reports have offered unsubstantiated speculation as to the identity of the attacker, based on the current geopolitical environment. Notably, Australia has banned China's Huawei and ZTE, and fell out with Moscow over the investigation into Malaysia Airlines Flight MH17, which was shot down by a Russian anti-aircraft missile in July 2014.

Some experts quoted in media reports have also suggested that only a nation-state could guess parliamentarians' passwords. But previous incidents have proven otherwise.

Legislators Routinely Targeted

Indeed, hack attacks that target legislators and their staff are common.

In December 2018, Politico reported that the email accounts of four senior aides within the National Republican Congressional Committee were compromised for several months.

In late 2017, the Scottish Parliament, known as Holyrood, alerted 129 Members of the Scottish Parliament, or MSPs, as well as staff, that their email accounts were being targeted in unauthorized login attempts. Holyrood says the attack was not successful (see: Scottish Parliament Repels Brute-Force Email Hackers).

The same was not true in mid-2017, however, when an attacker appeared to have breached 90 email accounts used by British Members of Parliament, as well as staff and civil servants. In response, IT teams disabled remote access to the accounts. An investigation by Parliament blamed users' poor password choices for the breaches (see: Parliament's Email Practices Probed by Privacy Watchdog).

'Rattling Door Handles'

Alan Woodward, a professor of computer science at the University of Surrey, has described these types of email account-targeting attacks as "rattling door handles to see if any are open."

As with the U.K. Parliament breach, weak passwords chosen for email accounts and cloud services were also cited as the method used by an attacker to gather personal information on German politicians and celebrities, which was leaked throughout December 2018.

Following the episode, as some media outlets suggested the leaks might be the work of a nation state, German ministers pointedly declined to speculate about the attacker's potential identity. Shortly thereafter, a 20-year-old suspect, a German citizen, was arrested and police said he confessed to the crimes (see: German Police Identify Suspect Behind Massive Data Leak).

"Bad passwords were one of the reasons he had it so easy," Minister of the Interior Horst Seehofer said.

Beyond better password hygiene, Woodward says an excellent defense against these types of attacks is to use two-factor or multifactor authentication. While it won't provide bulletproof security, it would easily repel the types of low-tech attacks - including brute-force password guessing and spear-phishing - that continue to be leveled at so many legislative bodies (see: Nation-State Spear Phishing Attacks Remain Alive and Well).

It's not clear how many legislators follow recommendations to always use multifactor authentication to protect their email and online accounts.