News broke over the weekend that email accounts belonging to MPs and peers had been ‘hacked’ by way of a brute-force cyber attack. There has been no official confirmation of the extent of any breach or attempted breach, but The Guardian reports that up to 90 accounts were compromised.
How did it happen?
Reports say that a brute-force password attack was used, in which an attacker repeatedly tries different passwords against different usernames in the hope of finding a match. Such attacks typically work through lists of common and previously leaked passwords before falling back to exhaustive combinations, so common or weak passwords are 'cracked' quickly. When the same few passwords are tried against many accounts rather than many passwords against one, the technique is usually called password spraying; it keeps the number of failures per account low, which is how it slips past controls that only count failures per account.
A Parliamentary spokesperson reportedly said, "Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised, as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service".
This comment suggests that the Parliamentary email systems did not technically enforce a strict password policy. Instead, users appear to have been expected to choose strong passwords under a "soft" policy, which left it to each user whether or not to comply.
What action was taken?
Reports indicate that remote access to all email accounts was disabled for two days, with access possible only from within official buildings. This was a containment step taken by the Parliamentary IT team to prevent further unauthorised access, not a result of the attack itself. More than 10,000 people in Westminster were urged to change their passwords.
Who is responsible?
Nobody can say for sure – some reports point to the Russian Government, while others point to a hacking group called ‘Lazarus’ which is thought to be tied to the North Korean government. MP Jacob Rees-Mogg told the Financial Times that “cyber attacks have been a growing challenge for the government in recent times, with more of them coming from state operators”.
It can be difficult to identify those responsible for any cyber attack, as MP Henry Smith tweeted on Saturday, "We're under cyber attack from Kim Jong Un, Putin or a kid in his mom's basement or something...".
What happens next?
It depends on the intention of the attack. If accounts were breached, sensitive data in them could be used maliciously, or the harvested passwords could be released; since many users reuse the same password on multiple systems, that would put the information on those other systems at risk as well. A compromised mailbox could also be the opening move of a more advanced or targeted attack, for example by sending convincing phishing emails from a trusted address. Right now, we have no way of knowing.
What can be done to prevent attacks like this?
There are several security controls which can be put in place to prevent brute-force attacks on email accounts.
- Enforce a strong password policy technically - reject weak or previously breached passwords at the point they are set, rather than leaving compliance to the user
- Use two-factor authentication - this combines something a user knows (like a password) with something a user has (like a mobile phone that receives a one-time code, or better an authenticator app or hardware token, since SMS codes can be intercepted or redirected) or something a user is (like their fingerprint)
- Lock accounts after multiple failed login attempts - either for a set period or until the user contacts the security team to reset their password. Bear in mind that an attacker who tries only one or two passwords per account never trips a per-account lockout, so failures should also be counted per source address, and lockouts should be sized so an attacker cannot lock legitimate users out at will
- Use 'bot' login prevention methods for webmail - this includes things like 'Captcha', where users are required to copy out characters seen in a skewed image to prevent automated systems from trying to log in. This only protects the web login page; mail protocols such as IMAP, POP and ActiveSync have no Captcha and need rate limiting of their own
- Prevent access from unauthorised devices - this could include requiring authorisation from an IT security team before email can be set up on a non-work device
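As an added example that is not part of the original article, the Python sketch below puts the brute-force mechanics described earlier and three of the controls in this list into working code: a hard password policy checked when a password is set, a per-account lockout, a per-source throttle, and a simple detector for the spraying pattern that per-account lockout alone never sees. The account names, passwords, IP addresses and thresholds are all constructed for illustration and say nothing about the Parliamentary systems.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed, deliberately tiny deny-list; a real deployment checks against large breached-password sets.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1", "summer2017"}


def password_allowed(password):
    """Hard password policy: minimum length and not on the common-password list."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def _digest(password):
    # Illustration only: a production system stores a slow, salted hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).digest()


DUMMY_DIGEST = _digest("no-such-account")  # compared for unknown users so timing does not leak valid names


class LoginGuard:
    """Password policy, per-account lockout, per-source throttling and spray detection in one place."""

    def __init__(self, max_failures=5, lockout_seconds=900, ip_limit=25, window=60, clock=time.monotonic):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.ip_limit, self.window, self.clock = ip_limit, window, clock
        self.accounts = {}                    # user -> password digest
        self.failures = defaultdict(list)     # user -> timestamps of recent failures
        self.locked_until = {}                # user -> time the lockout expires
        self.ip_events = defaultdict(list)    # source ip -> (timestamp, user) for each failure

    def set_password(self, user, password, enforce=True):
        if enforce and not password_allowed(password):
            raise ValueError("password does not meet policy")
        self.accounts[user] = _digest(password)

    def _recent(self, stamps, now):
        return [s for s in stamps if now - s <= self.window]

    def attempt(self, user, password, ip):
        """Returns one of: ok, denied, locked, throttled."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"                   # even a correct guess is refused while locked
        if len(self._recent([t for t, _ in self.ip_events[ip]], now)) >= self.ip_limit:
            return "throttled"                # this source has failed too often, whatever the account
        stored = self.accounts.get(user, DUMMY_DIGEST)
        if hmac.compare_digest(stored, _digest(password)) and user in self.accounts:
            self.failures[user].clear()
            return "ok"
        self.failures[user] = self._recent(self.failures[user], now) + [now]
        self.ip_events[ip].append((now, user))
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "denied"

    def spraying_sources(self, min_accounts=10):
        """Sources whose recent failures span many distinct accounts: one failure per account
        never reaches max_failures, so only this cross-account view reveals a spray."""
        now = self.clock()
        hits = {}
        for ip, events in self.ip_events.items():
            users = {u for t, u in events if now - t <= self.window}
            if len(users) >= min_accounts:
                hits[ip] = len(users)
        return hits


def _populate(guard, n_accounts=40):
    """Constructed tenant: policy-compliant accounts plus two legacy weak passwords."""
    for i in range(n_accounts):
        guard.set_password(f"user{i:02d}", f"Correct-Horse-{i:02d}-Battery")
    # Two accounts whose weak passwords slipped through an earlier "soft" policy.
    guard.set_password("user03", "Summer2017", enforce=False)
    guard.set_password("user17", "Password1", enforce=False)


def simulate_spray(ip_limit=25, n_accounts=40):
    """One source sprays three common passwords across every account, half a second apart."""
    clock = [0.0]                             # fake clock keeps the run deterministic
    guard = LoginGuard(ip_limit=ip_limit, clock=lambda: clock[0])
    _populate(guard, n_accounts)
    outcomes, compromised = defaultdict(int), []
    for guess in ("Password1", "Summer2017", "Welcome1"):
        for i in range(n_accounts):
            clock[0] += 0.5
            result = guard.attempt(f"user{i:02d}", guess, "198.51.100.7")
            outcomes[result] += 1
            if result == "ok":
                compromised.append(f"user{i:02d}")
    return {"outcomes": dict(outcomes), "compromised": compromised,
            "spray": guard.spraying_sources(min_accounts=10)}


def simulate_single_target():
    """One source hammers one weak account; the lockout lands before the correct guess arrives."""
    clock = [0.0]
    guard = LoginGuard(clock=lambda: clock[0])
    _populate(guard)
    results = []
    for guess in ("password", "123456", "qwerty", "letmein", "welcome1", "Summer2017", "Password1"):
        clock[0] += 0.5
        results.append(guard.attempt("user03", guess, "203.0.113.9"))
    return results


if __name__ == "__main__":
    print(simulate_spray())                   # throttle on: one weak account falls before the source limit bites
    print(simulate_spray(ip_limit=10**9))     # throttle off: both weak accounts fall, no lockout ever triggers
    print(simulate_single_target())           # 4 denials, then locked for every later guess, correct or not
```

Running the module prints the three simulations. With the per-source throttle on, the spray compromises only the first weak account it reaches before the source limit kicks in; with the throttle effectively disabled, both weak accounts fall and no per-account lockout ever fires, because each account sees at most three failures. The single-target run shows the opposite case, where the lockout lands on the fifth failure and the correct password on the sixth attempt is refused. An attacker who rotates source addresses weakens the per-IP limit, which is why the spray detector and the password policy matter as much as the lockout.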
We do not know which of these controls the Parliamentary Digital Service had in place. The news is a good wake-up call for other organisations that have not yet implemented them. Yes, they add friction: users have to remember a stronger password or find their phone for the two-factor code before they can log in. But weigh that delay against the cost of falling victim to a cyber attack. What's more important?
# # #
Find out about how our digital forensic services can help protect your organisation, or if you are considering building up your own digital forensic capabilities in house then learn about our range of expert-led digital forensic training courses.