Sunday, 24 February 2019 04:43

Sec firm claims ASD agrees with Iran hack findings

The security outfit Resecurity, which claimed the infiltration of the Australian Parliament was the work of an actor backed by Iran, says the Australian Signals Directorate has confirmed this attribution.

Resecurity researcher Jean-Jacques Gonçalves told iTWire that the company had for some time been monitoring the Iranian group, which was backed by an organisation known as the Mabna Institute, said to be allied with Iran's Revolutionary Guard.

Asked about Resecurity's claims, the ASD responded with a statement from the Australian Cyber Security Centre which did not address the question, but merely repeated the same message it had provided when asked to comment on the initial claims made by Resecurity a couple of days ago.

"Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity," the ACSC spokesperson said. "It would be too early to speculate on the specific offender – our immediate focus has been on securing the networks, protecting victims and conducting ongoing investigations.

"Proper and accurate attribution of a cyber incident takes time and any attribution would be done in a measured fashion.

"The public can rest assured that our security and intelligence agencies have identified the malicious activity and are responding appropriately."

Gonçalves said that, as a result of its monitoring of the Iranian actor, the company had obtained a database of 7354 records — a global address list, or the internal email address book for a complete domain — containing phone numbers and email addresses for Australian MPs and parliamentary staffers. Also included were contact details for staff and ministerial advisers of most parties.

He said this had been obtained by the hackers after they had compromised several email accounts on the Parliament network.

Resecurity chief Charles Yoo had provided some details about the company's claim to The Wall Street Journal on Thursday; Gonçalves provided much more detail to iTWire.

He said the attack was one of an ongoing series against Five Eyes countries — the US, the UK, Canada, Australia and New Zealand — and the ASD had also been informed by Resecurity about earlier attacks by the same actor.

The reason, according to him, was Australia's support for Israel, and the trigger was the 70th anniversary of ties between Australia and Israel, which was marked on 20 February. An additional factor, he said, was Australia's support for the US backing out of the Iranian nuclear deal.

"We have notified ASD with an alert about compromised Australian Government resources during the Christmas 2018 period. After that, we have sent them additional information about the Parliament attack," Gonçalves said.

He claimed that the same Iranian actor had also attacked an Australian e-government resource in the ACT and a government resource in Victoria before the Parliament attack.

As to the attack itself, Gonçalves said the threat actors had attempted to connect to the Parliament network over a VPN using externally facing gateways. There was an attempt made thereafter to deliver a malicious payload.

He said this would account for the fact that the ASD "started to distribute AV-like tools for memory and disk scanning by signatures; it may also explain that Parliament endpoints were not properly protected, or government security agencies have a lack of visibility into their security. The initial email required to perform targeted spear phishing with [a] malicious payload [did so] with maximum accuracy".

Gonçalves said the hackers had used a tool known as lazycat to erase logs and used a local privilege escalation to gain administrative privileges on the server. The method used, known as Hot Potato, was made public in 2016 and is claimed to work on Windows 7, 8, 10, Server 2008, and Server 2012.
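The log erasure and local privilege escalation described above are exactly the kind of post-compromise activity a defender wants to catch as it happens. As an added example (not code from the article, from Resecurity or from the ASD), the following Python scans a list of Windows event records for the signs of a log being cleared: the event Windows itself writes when a log is cleared (EventID 1102 for the Security log, 104 for the System or Application log) and process-creation records (EventID 4688, available when command-line auditing is enabled) whose command line invokes `wevtutil cl` or the `Clear-EventLog` cmdlet. The record layout (dicts with `EventID`, `Channel`, `CommandLine` and similar fields) and the sample events are constructed assumptions, not data from the incident.

```python
"""Flag Windows event-log clearing in a batch of event records.

The record layout and SAMPLE_EVENTS below are constructed for illustration;
adapt the field names to whatever your log shipper emits.
"""
import re
from typing import Iterable, Optional

# Events Windows writes when a log is cleared: 1102 goes to the Security log,
# 104 goes to the System log when System or Application is cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Built-in ways of clearing a log, matched against the command line carried by
# process-creation (4688) records when command-line auditing is switched on.
CLEAR_CMD_PATTERNS = [
    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE),
    re.compile(r"\bClear-EventLog\b", re.IGNORECASE),
]


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the record indicates log clearing, else None."""
    try:
        eid = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return None
    if eid in LOG_CLEARED_EVENT_IDS:
        return f"log cleared ({event.get('Channel')}, EventID {eid})"
    if eid == 4688:
        cmd = event.get("CommandLine", "") or ""
        for pat in CLEAR_CMD_PATTERNS:
            if pat.search(cmd):
                return f"log-clearing command: {cmd}"
    return None


def find_log_clearing(events: Iterable[dict]) -> list:
    """Collect every record that looks like log clearing, with who/where/when."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({
                "time": ev.get("TimeCreated"),
                "host": ev.get("Computer"),
                "user": ev.get("SubjectUserName"),
                "reason": reason,
            })
    return hits


# Constructed sample records: two benign, four indicating log clearing.
SAMPLE_EVENTS = [
    {"TimeCreated": "2019-02-01T09:00:00Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 4624, "SubjectUserName": "alice"},
    {"TimeCreated": "2019-02-01T09:00:05Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 4688, "SubjectUserName": "SYSTEM",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"TimeCreated": "2019-02-01T09:01:10Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 4688, "SubjectUserName": "alice",
     "CommandLine": "wevtutil.exe cl Security"},
    {"TimeCreated": "2019-02-01T09:01:11Z", "Computer": "WS01", "Channel": "Security",
     "EventID": "1102", "SubjectUserName": "alice"},
    {"TimeCreated": "2019-02-01T09:01:20Z", "Computer": "WS01", "Channel": "System",
     "EventID": 104, "SubjectUserName": "alice"},
    {"TimeCreated": "2019-02-01T09:02:00Z", "Computer": "WS01", "Channel": "Security",
     "EventID": 4688, "SubjectUserName": "alice",
     "CommandLine": "powershell.exe -NoProfile -Command Clear-EventLog -LogName Application"},
]


if __name__ == "__main__":
    for hit in find_log_clearing(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']} {hit['user']}: {hit['reason']}")
```

Forwarding logs off-host as they are written is what makes this check worth having: a 1102 or 104 record that reaches the collector survives even when the local log it describes no longer exists.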

The tools used by the attackers were all for Windows environments. "Some of the tools analysed by us allowed [the hackers] to execute commands using scripting scenarios like JScript and VBScript, actively used by threat actors in PowerShell malware," Gonçalves said.

"We may make an assumption that there were several campaigns executed by different actors, but at the moment we don’t see any significant sophistication attributable to Chinese state actors. [We] see the continuation of the same APT campaign started before the end of 2018 and targeting Australian Government resources."

Gonçalves said Resecurity would issue a formal report in the days ahead about its findings.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.