Security Market Segment LS
Sunday, 24 February 2019 04:43

Sec firm claims ASD agrees with Iran hack findings


The security outfit Resecurity, which claimed the infiltration of the Australian Parliament was the work of an actor backed by Iran, says the Australian Signals Directorate has confirmed this attribution.

Resecurity researcher Jean-Jacques Gonçalves told iTWire that the company had for some time been monitoring the Iranian group, which was backed by an organisation known as the Mabna Institute, said to be allied with Iran's Revolutionary Guard.

Asked about Resecurity's claims, the ASD responded with a statement from the Australian Cyber Security Centre which did not address the question, but merely repeated the message it had provided when asked to comment on the initial claims made by Resecurity a couple of days earlier.

"Our cyber experts believe that a sophisticated state actor is responsible for this malicious activity," the ACSC spokesperson said. "It would be too early to speculate on the specific offender – our immediate focus has been on securing the networks, protecting victims and conducting ongoing investigations.

"Proper and accurate attribution of a cyber incident takes time and any attribution would be done in a measured fashion.

"The public can rest assured that our security and intelligence agencies have identified the malicious activity and are responding appropriately."

Gonçalves said that, as a result of its monitoring of the Iranian actor, the company had obtained a database of 7354 records — a global address list, or the internal email address book for a complete domain — containing phone numbers and email addresses for Australian MPs and parliamentary staffers. Also included were contact details for staff and ministerial advisers of most parties.

He said this had been obtained by the hackers after they had compromised several email accounts on the Parliament network.

Resecurity chief Charles Yoo had provided some details about the company's claim to The Wall Street Journal on Thursday; Gonçalves provided much more detail to iTWire.

He said the attack was one of an ongoing series against Five Eyes countries — the US, the UK, Canada, Australia and New Zealand — and that the ASD had also been informed by Resecurity about earlier attacks by the same actor.

The reason, according to him, was Australia's support for Israel, and the trigger was the 70th anniversary of ties between Australia and Israel, which was marked on 20 February. An additional factor, he said, was Australia's support for the US backing out of the Iranian nuclear deal.

"We have notified ASD with an alert about compromised Australian Government resources during the Christmas 2018 period. After that, we have sent them additional information about the Parliament attack," Gonçalves said.

He claimed that the same Iranian actor had also attacked an Australian e-government resource in the ACT and a government resource in Victoria before the Parliament attack.

As to the attack itself, Gonçalves said the threat actors had attempted to connect to the Parliament network over a VPN using externally facing gateways. An attempt was then made to deliver a malicious payload.

He said this would account for the fact that the ASD "started to distribute AV-like tools for memory and disk scanning by signatures; it may also explain that Parliament endpoints were not properly protected, or government security agencies have a lack of visibility into their security. The initial email required to perform targeted spear phishing with [a] malicious payload [did so] with maximum accuracy".

Gonçalves said the hackers had used a tool known as lazycat to erase logs and used a local privilege escalation to gain administrative privileges on the server. The method used, known as Hot Potato, was made public in 2016 and is claimed to work on Windows 7, 8, 10, Server 2008, and Server 2012.

The tools used by the attackers were all for Windows environments. "Some of the tools analysed by us allowed [the hackers] to execute commands using scripting scenarios like JScript and VBScript, actively used by threat actors in PowerShell malware," Gonçalves said.

"We may make an assumption that there were several campaigns executed by different actors, but at the moment we don’t see any significant sophistication attributable to Chinese state actors. [We] see the continuation of the same APT campaign started before the end of 2018 and targeting Australian Government resources."

Gonçalves said Resecurity would issue a formal report in the days ahead about its findings.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
