Sunday, 24 February 2019 04:43

Sec firm claims ASD agrees with Iran hack findings

By Sam Varghese
Image: Pixabay

The security outfit Resecurity, which claimed the infiltration of the Australian Parliament was the work of an actor backed by Iran, says the Australian Signals Directorate has confirmed this attribution.

Resecurity researcher Jean-Jacques Gonçalves told iTWire that the company had been monitoring the Iranian group for some time. The group, he said, is backed by an organisation known as the Mabna Institute, which is said to be allied with Iran's Revolutionary Guard.

Asked about Resecurity's claims, the ASD responded with a statement from the Australian Cyber Security Centre which did not address the question, but merely repeated the message it had provided when asked to comment on Resecurity's initial claims a couple of days ago.

"Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity," the ACSC spokesperson said. "It would be too early to speculate on the specific offender – our immediate focus has been on securing the networks, protecting victims and conducting ongoing investigations.

"Proper and accurate attribution of a cyber incident takes time and any attribution would be done in a measured fashion.

"The public can rest assured that our security and intelligence agencies have identified the malicious activity and are responding appropriately."

Gonçalves said that, as a result of its monitoring of the Iranian actor, the company had obtained a database of 7354 records — a global address list, or the internal email address book for a complete domain — containing phone numbers and email addresses for Australian MPs and parliamentary staffers. Also included were contact details for staff and ministerial advisers of most parties.

He said this had been obtained by the hackers after they had compromised several email accounts on the Parliament network.

Resecurity chief Charles Yoo had provided some details about the company's claim to The Wall Street Journal on Thursday; Gonçalves provided much more detail to iTWire.

He said the attack was one of an ongoing series against Five Eyes countries — the US, the UK, Canada, Australia and New Zealand — and that the ASD had also been informed by Resecurity about earlier attacks by the same actor.

The reason, according to him, was Australia's support for Israel and the trigger was the 70th anniversary of ties between Australia and Israel which was marked on 20 February. An additional factor, he said, was Australia's support for the US backing out of the Iranian nuclear deal.

"We have notified ASD with an alert about compromised Australian Government resources during the Christmas 2018 period. After that, we have sent them additional information about the Parliament attack," Gonçalves said.

He claimed that the same Iranian actor had attacked an Australian e-government resource in the ACT and a government resource in Victoria as well before the Parliament attack.

As to the attack itself, Gonçalves said the threat actors had attempted to connect to the Parliament network over a VPN using externally facing gateways. Thereafter, an attempt was made to deliver a malicious payload.

He said this would account for the fact that the ASD "started to distribute AV-like tools for memory and disk scanning by signatures; it may also explain that Parliament endpoints were not properly protected, or government security agencies have a lack of visibility into their security. The initial email required to perform targeted spear phishing with [a] malicious payload [did so] with maximum accuracy".

Gonçalves said the hackers had used a tool known as lazycat to erase logs, and had used a local privilege escalation to gain administrative privileges on the server. The method used, known as Hot Potato, was made public in 2016 and is claimed to work on Windows 7, 8 and 10, and on Windows Server 2008 and Server 2012.

The tools used by the attackers were all for Windows environments. "Some of the tools analysed by us allowed [the hackers] to execute commands using scripting scenarios like Jscript and VBscript, actively used by threat actors in Powershell malware," Gonçalves said.

"We may make an assumption that there were several campaigns executed by different actors, but at the moment we don’t see any significant sophistication attributable to Chinese state actors. [We] see the continuation of the same APT campaign started before the end of 2018 and targeting Australian Government resources."

Gonçalves said Resecurity would issue a formal report in the days ahead about its findings.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
