Compromised Website Led to Australia Parliament Hack
Senate Leader Describes Watering-Hole Attack
The Australian Parliament’s computer network was compromised in January after politicians browsed a legitimate website that was compromised.
Sen. Scott Ryan, president of the Senate, revealed the style of attack, which hadn’t been discussed before, on Thursday during a hearing of the Finance and Public Administration Legislation Committee. A transcript of the hearing is posted on Parliament’s website.
“While I do not propose to discuss operational security matters in detail, I can state that a small number of users visited a legitimate external website that had been compromised,” Ryan says. “This caused malware to be injected into the Parliamentary Computing Network.”
In February, Prime Minister Scott Morrison said a “sophisticated state actor,” widely speculated to be China, was likely behind a breach of Parliament’s network (see: Hack Attack Breaches Australian Parliament Network).
In September, Reuters reported that Australia’s intelligence agencies concluded that China was behind the attack against Parliament, along with attacks against three political parties ahead of May’s general election. The Australian Signals Intelligence Organization concluded that China’s Ministry of State Security was involved.
The conclusion was recommended to be kept secret to avoid disrupting trade relations with China, Reuters reported. China disputed the finding.
What Ryan describes is often referred to as a “watering hole” attack. Rather than targeting victims directly, attackers compromise a legitimate website their intended victims are likely to visit and use it as a delivery mechanism for malware.
Drive-by attacks, which can result in a computer being infected by malware simply by visiting a website, tend to be rarer these days as browsers have become more resilient. It’s possible that some lawmakers visited the website and downloaded a document, which then infected their computers.
The attack was discovered on Jan. 31. Eight days later, the intruders were removed from the system, Ryan says. The Australian Signals Directorate, under supervision from the Department of Parliamentary Services, conducted the technical investigation.
At the time, the government said no data was compromised in the attack, but its evaluation came just after it had booted the attackers. Ryan now says that the intrusion resulted in the breach of a “small amount of non-sensitive data.”
“While we cannot precisely guarantee that no other data was removed, extensive investigation has provided no evidence of this,” Ryan says. “The small amount of non-sensitive data refers to DPS corporate data and data related to a small number of parliamentarians.”
Australia’s Parliamentary Computer Network also includes archives of lawmakers’ emails.
On Feb. 8, the Parliament initiated a system-wide password reset. Ryan says that he called two senators before a statement was issued, and those two were also contacted by DPS.
It wasn’t clear why Ryan contacted two senators. “We really can’t go into, in a public forum, more details of the stages of what happened or explanation for various reasons,” Ryan says.
The ABC reported on Friday that there was another malware attack directed at Parliament around two weeks ago. The attack, which was stopped, involved the Emotet malware (see: Researchers: Emotet Botnet Is Active Again).
Foreign Interference Guidance
Australia has suffered several intrusions into government systems that bore hallmarks setting them apart from the work of bog-standard hackers or cybercriminals, including a very large one in June.
In that month, Australian National University discovered an attack that stole 19 years’ worth of student and staff data. The university, based in the capital, Canberra, does national security research and runs the National Security College, a specialist graduate school operated in cooperation with the government (see: Australian National University: 19 Years of Data Copied).
The stolen data included names, addresses, birth dates, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details, passport details and student academic records. The data hasn’t surfaced publicly.
The government has sought to increase awareness of cyber incidents. On Thursday, the ministers for Home Affairs and Education announced new guidelines for preventing foreign interference at the country’s universities.
The Home Affairs minister, Peter Dutton, says that ASIO considers foreign interference against universities and researchers to be at an “unprecedented level.”
The guidelines have a cybersecurity component, including recommending universities develop cybersecurity strategies, share intelligence and perform threat modelling.