Labour cyberattack: Was a nation state behind the incident?

By Lucy Ingham

Who is behind the Labour cyberattack that saw the UK’s second biggest party hit by a distributed denial of service (DDoS) attack that briefly slowed down campaigning efforts?

That’s the question now being asked, and according to experts, the answer may be hard to ascertain.

“Attributing a cyberattack is never easy to get right, and rarely does the technical evidence for assigning responsibility to a nation-state get presented publicly,” said Dean Ferrando, Systems Engineer Manager – EMEA, at Tripwire.

Despite the challenge, it is a question that the UK’s National Cyber Security Centre will be seeking to answer, particularly if the answer is another nation state.

Attacks by or on behalf of nation states are becoming increasingly common, providing a cheaper and less escalatory alternative to traditional warfare. Countries attack others for a host of reasons, but political gain is extremely common.

“We are beginning to see cyberattacks and politics becoming intertwined. Anytime one nation blames another for a cyberattack, political motivations have to be considered as well as what evidence has been presented,” said Ferrando.

Was a nation state the source of the Labour cyberattack?

With the attack posing a threat to the UK’s democratic process, there is a serious need to determine its origin.

“Politically motivated cyberattacks are nothing new, but the fact that they are now more targeted and advanced than ever, presents a growing danger to democracy,” said Mike Fenton, CEO of Redscan.

“The pressure is on the intelligence services to identify where this attack came from, which may be easier said than done.”

If the attacker is a nation state threat actor, pinpointing blame is expected to be very difficult.

“While details around the attack remain scant, it is difficult to speculate on who the perpetrators might be. Nation state attackers are particularly good at covering their tracks so any forensic investigation is unlikely to be straightforward,” said Fenton.

“In terms of how to catch the culprits, it’s almost impossible, the whole point is that the attack is distributed, so working out who is controlling them all is very difficult,” added Kieran Roberts, head of penetration testing at Bulletproof.

However, given the current political climate, a nation state actor is not beyond the realm of possibility.

“Whilst attacks have been reported during previous general elections, for example government systems being compromised during the 2015 Election (with some politicians and security services later blaming Russia), a deliberately disruptive attack against a specific party is unusual,” said Dan Pitman, principal security architect at Alert Logic.

“At the moment we don’t have a lot of info, but certainly interesting timing given the Government’s refusal to release their report into nation state interference in the Brexit referendum and the last general election,” added Roberts.

“The motivations for nation-state attackers are very different from the majority of cybercriminals who are financially motivated,” said Ferrando.

“Nation state attackers are often better resourced, more patient, and more interested in causing material harm to life and safety than their criminal counterparts, which is why it is interesting to see such a brute force attack directed to the Labour party.”

Alternative culprits behind the Labour cyberattack

While a nation state is possible, the method of attack makes other possibilities just as likely. However, security experts do not believe that it is likely to have come from another political party.

“In the run up to a general election, political parties become an even bigger target than usual. Attacks may not necessarily come from within the opposition, but more likely from someone trying to either raise awareness, or simply make noise,” said Jake Moore, Cybersecurity Specialist at ESET.

Notably, the use of a DDoS attack means that it could have been achieved with very little skill and expense.

“DDoS alone is not necessarily a sophisticated attack; it could literally be driven by a single individual with a botnet,” said Roberts.

“There is no information on who the culprits might be right now, but a DDoS attack is not complex to arrange but takes resources to set up from scratch,” agreed Pitman.

“It’s entirely plausible that someone without any hacking experience paid for the DDoS attack on the ‘dark web’ from what is known as a ‘booter’ – a paid-for service where a hacking group will lease out their existing botnet to perform the attack.

“The barriers to entry for a DDoS attacker have been significantly lowered, offering users the option to anonymously attack any target, for a nominal fee.”

A smokescreen for something bigger?

While the cyberattack may simply be the effort of an individual with a grudge against the Labour Party, it is also possible that it is a smokescreen for something far more sophisticated – which would increase the chances of the perpetrators being backed by a nation state.

“The issue with DDoS is the pure volume of traffic which can also be used as a smokescreen, that’s not to say that this is the case here though,” said Roberts.

“In some cases, DDoS attacks can be a distraction from an attacker’s attempt to steal data,” added Robert Ramsden Board, VP of EMEA at Securonix.

“Labour has stated that no data has been stolen in this attack, however, any organisations that are victims of a cyberattack should do their due diligence and check all systems for malicious activity or data loss.”

More attacks to come

While experts are left scratching their heads about who is behind the Labour cyberattack, many have warned that there are very likely to be other attacks targeting political parties in the run up to the general election – and parties should ensure their security is prepared.

“Large scale cyberattacks against political organisations are a growing concern for political parties. As attackers become more sophisticated and persistent in their methods, governments and political organisations need to invest in robust security systems to avoid operational disruptions or data loss,” said Ramsden Board.

“The failure of the attack against the Labour Party headquarters should act as a reminder to political organisations of the enormous benefits of having cybersecurity protections in place.”
