March 1, 2019

Iranian hackers behind Australian cyberattack linked to UK Parliament attack

By Ellen Daniel

Last month, the Australian Government said it believed a cyberattack targeting its parliamentary computer network to be the work of a “sophisticated nation-state actor”. The country’s parliament and its three biggest political parties were the victims of the “unprecedented” attack, but new research by cybersecurity company Resecurity suggests that the scale of the cyberattack is far greater than first thought.

The Los Angeles-based firm has investigated the attack and connected it to Iranian cyber espionage group Iridium, which targets sensitive government, diplomatic and military resources of other countries. Resecurity believes that the Australian cyberattack is connected to an attack on the UK Parliament that occurred in 2017.

In June 2017, the UK Government reported unauthorised attempts to access the accounts of parliamentary network users, in which fewer than 1% of the 9,000 accounts on the parliamentary network were compromised. Some records were stolen as a result.

This attack was originally thought to be of Russian origin, with The Guardian reporting that “Moscow is deemed the most likely culprit”, but it has not been officially attributed to any actor.

However, according to Resecurity, the same group is responsible for the Australian cyberattack. Based on its investigation, the company believes that the two attacks are both part of a multi-year “state-encouraged” or “state-sponsored” campaign by Iridium.

The nature of the attacks indicates that Iridium is acting on behalf of “a unit of an intelligence agency that focuses on acquiring information from politicians and political parties in other countries”, particularly in Australia, New Zealand, Canada, the UK and the US.

According to Resecurity, Iridium recruits young technical specialists for cyber-offensive operations and espionage, as well as foreign actors from Lebanon, Syria and Palestine and individuals on the dark web.

Although the country’s authorities have not publicly attributed the Australian cyberattack to Iran, The Wall Street Journal has linked it to the Iranian group.

The firm believes that the two connected episodes are part of a campaign by Iridium targeting members of the political elite to gain strategic intelligence and “monitor ongoing political processes” (notably, the UK Parliament attack is believed to have taken place in the run-up to the 2017 general election).

Resecurity believes that the same group also compromised a database belonging to the UK Liberal Democratic Party in 2018 that was then put up for sale on the dark web.

Linking the Australian cyberattack to the UK Parliament attack

The two attacks are believed to be linked because of the similarities between them. In both cases, attackers used a method called “password spraying”, in which a few commonly used passwords are tried against a large number of accounts, keeping the number of attempts per account low enough to avoid lockouts.

Attackers used this technique to successfully compromise an email account and then exported the Global Address List (GAL) using an available API and the PowerShell scripting language. The information stored in the GAL was then used by the attackers to gain detailed information about the organisation's user accounts.
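The pattern described above, many accounts with one or two failures each from a single source, is what a defender can look for in authentication logs. The following detector is an added example, not code from the article or from Resecurity; it assumes a constructed, simplified log format (`timestamp src=… user=… result=…`) and flags a source that fails against many distinct accounts within a window while keeping per-account attempts low, then lists which accounts that source later logged into successfully.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): one source sprays six accounts
# and gets into one; another hammers a single account (brute force, not spraying).
SAMPLE_LOG = """\
2019-02-08T09:00:01Z src=198.51.100.7 user=alice result=FAIL
2019-02-08T09:00:03Z src=198.51.100.7 user=bob result=FAIL
2019-02-08T09:00:05Z src=198.51.100.7 user=carol result=FAIL
2019-02-08T09:00:07Z src=198.51.100.7 user=dave result=FAIL
2019-02-08T09:00:09Z src=198.51.100.7 user=erin result=FAIL
2019-02-08T09:00:11Z src=198.51.100.7 user=frank result=SUCCESS
2019-02-08T09:01:00Z src=203.0.113.9 user=alice result=FAIL
2019-02-08T09:01:01Z src=203.0.113.9 user=alice result=FAIL
2019-02-08T09:01:02Z src=203.0.113.9 user=alice result=FAIL
2019-02-08T09:01:03Z src=203.0.113.9 user=alice result=FAIL
2019-02-08T09:01:04Z src=203.0.113.9 user=alice result=FAIL
2019-02-08T09:05:00Z src=192.0.2.44 user=grace result=FAIL
"""

def parse_line(line):
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """Return {src: sorted targeted users} for sources whose failures inside
    `window` cover >= min_accounts distinct users with <= max_per_account each."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):          # sliding window per source
            per_user = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_from_sprayers(log_text, hits):
    """Accounts that logged in successfully from a flagged source: the mailboxes to
    investigate first (e.g. for a subsequent address-list export)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted({e["user"] for e in events if e["src"] in hits and e["result"] == "SUCCESS"})
```

The single-account source is deliberately not flagged: with five failures on one user it is brute force, and a lockout policy already covers it, whereas spraying slips under per-account thresholds and is only visible when failures are grouped by source.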

Resecurity also noted that the “tools, techniques and procedures associated with these attack patterns are almost identical to those of the Mabna Hackers and other actors having close ties with the Iranian Revolutionary Guard Corps.”

The company said that it has provided Australian and UK authorities with detailed research supporting this.

The fact that the group is conducting effective multi-national cyberattacks suggests it runs a sophisticated operation, increasingly targeting political figures in specific countries of interest with the intent of acquiring sensitive information and influencing political processes.

Last month, Joseph Carson, chief security scientist & advisory CISO at Thycotic told Verdict that this is a sign of things to come, with cyberattacks of this nature predicted to escalate:

“Cyberattacks are going to continue: both loud cyberattacks that bring down services and disrupt society and stealth cyberattacks that remain hidden, lurking within the networks stealing sensitive information or waiting for the right moment to bring down the network.”
