Resecurity researcher Jean-Jacques Gonçalves told iTWire that the company had been monitoring the Iranian group, which was backed by an organisation known as the Mabna Institute, said to be allied with Iran's Revolutionary Guard, for some time.
Asked about Resecurity's claims, the ASD responded with a statement from the Australian Cyber Security Centre which did not address the question, but merely repeated the same message it had provided when asked to comment on the initial claims made by Resecurity a couple of days ago.
"Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity," the ACSC spokesperson said. "It would be too early to speculate on the specific offender – our immediate focus has been on securing the networks, protecting victims and conducting ongoing investigations.
"The public can rest assured that our security and intelligence agencies have identified the malicious activity and are responding appropriately."
Gonçalves said the company had obtained a database of 7354 records — a global address list or the internal email address book for a complete domain — which had phone numbers and email addresses for Australian MPs and parliamentary staffers as a result of its monitoring of the Iranian actor. Also included were contact details for staff and ministerial advisers of most parties.
He said this had been obtained by the hackers after they had compromised several email accounts on the Parliament network.
Resecurity chief Charles Yoo had provided some details about the company's claim to The Wall Street Journal on Thursday; Gonçalves provided much more detail to iTWire.
He said the attack was one of an ongoing series against Five Eyes countries — the US, the UK, Canada, Australia and New Zealand — and the ASD had also been informed by Resecurity about earlier attacks by the same actor.
The reason, according to him, was Australia's support for Israel, and the trigger was the 70th anniversary of ties between Australia and Israel, which was marked on 20 February. An additional factor, he said, was Australia's support for the US backing out of the Iranian nuclear deal.
"We have notified ASD with an alert about compromised Australian Government resources during the Christmas 2018 period. After that, we have sent them additional information about the Parliament attack," Gonçalves said.
He claimed that the same Iranian actor had attacked an Australian e-government resource in the ACT and a government resource in Victoria as well before the Parliament attack.
As to the attack itself, Gonçalves said the threat actors had attempted to connect to the Parliament network over a VPN using externally facing gateways. There was an attempt made thereafter to deliver a malicious payload.
He said this would account for the fact that the ASD "started to distribute AV-like tools for memory and disk scanning by signatures; it may also explain that Parliament endpoints were not properly protected, or government security agencies have a lack of visibility into their security. The initial email required to perform targeted spear phishing with [a] malicious payload [did so] with maximum accuracy".
Gonçalves said the hackers had used a tool known as lazycat to erase logs and used a local privilege escalation to gain administrative privileges on the server. The method used, known as Hot Potato, was made public in 2016 and is claimed to work on Windows 7, 8, 10, Server 2008, and Server 2012.
The tools used by the attackers were all for Windows environments. "Some of the tools analysed by us allowed [the hackers] to execute commands using scripting scenarios like JScript and VBScript, actively used by threat actors in PowerShell malware," Gonçalves said.
"We may make an assumption that there were several campaigns executed by different actors, but at the moment we don’t see any significant sophistication attributable to Chinese state actors. [We] see the continuation of the same APT campaign started before the end of 2018 and targeting Australian Government resources."
Gonçalves said Resecurity would issue a formal report in the days ahead about its findings.