The Australian government recently announced that a cyberattack had targeted its Parliamentary computer network. The attack was blamed on an unnamed “sophisticated nation-state actor” and, according to local news sources, Australian members of Parliament had been told to reset their passwords as a precaution.
For Australia, this is the second incident involving Parliament, and it is a sign that cyberespionage activity targeting politicians and electoral processes is growing globally. Here we provide greater context for these events and share insights from several meaningful episodes that we recently reported to the Australian Cyber Security Centre (ACSC), the Australian Signals Directorate (ASD), the Australian Electoral Commission (AEC) and other partners.
Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States).
It is particularly focused on political leaders, political parties and government officials, from whom IRIDIUM may acquire strategic intelligence about international affairs, including sensitive information about trade, military and diplomatic relations with the Middle East (Israel, in particular).
The most significant spike in activity associated with this global campaign occurred right after the new anti-Iranian sanctions were approved. Australia is one of the strategic players in the Iranian nuclear deal, wielding significant influence in the APAC region and maintaining a positive relationship with Israel. The attack against the Australian Parliament happened right before an event marking 70 years of friendship between Israel and Australia and just before the May 2019 elections.
IRIDIUM acts on behalf of a unit of an intelligence agency focused on foreign politicians. The group recruits young technical specialists for cyber-offensive operations and espionage. It also recruits foreign actors from Lebanon, Syria, Palestine and other countries, as well as financially motivated individuals encountered on the dark web. It uses all of these resources to conduct CNA/CNE (computer network attack / computer network exploitation) campaigns, which makes attribution very fuzzy and forensically complicated.
On December 23, 2018, at 11:02:49 a.m. AEDT, Resecurity notified ASD that two Australian government resources had been compromised as a result of a targeted cyberespionage campaign by IRIDIUM. Since that date, we have observed persistent network activity as the actor probes different Australian government resources.
Further research into the attack indicates that the campaign unfolded in stages. Based on acquired IOCs, the tradecraft used in the attack was prepared between January 7 and January 17, 2019, and was oriented toward Windows-based server-side environments (Stage 1). The attack continued in February 2019 (Stage 2), leveraging targeted email compromise and the dump of a Global Address List (GAL).
Two explanations are possible:
– Stage 1 and Stage 2 might have been conducted sequentially by different actors. However, the very tight timing between these stages suggests extremely close collaboration between those actors during the campaign.
– Stage 1 and Stage 2 might have been conducted by the same actor using different techniques: malicious code distribution, and targeted e-mail compromise via “password spraying” for further network intrusion.
Through long-term monitoring of this actor’s activity, which had identified a file repository used in its operations, Resecurity was able to acquire the stolen GAL file from the February intrusion. It stands as evidence of a successful email compromise: a threat actor needs to have taken over at least one account on the Parliament mail server to dump this information, since the GAL is only exposed to authenticated users. Once access has been gained and the network intrusion is under way, IRIDIUM uses its own custom tradecraft as well as web shells and back-connect backdoors that are available on the dark web and from public sources. The use of publicly available tools may confuse attribution for anyone with insufficient familiarity with the actor.
From the GAL file (excerpt reproduced as an image in the original post):
Interestingly, after one of the past attacks against an Australian defense contractor, a spokesperson for the Iranian Embassy in Canberra would not deny the possibility of involvement by Iranian actors. “It may be someone within Iran, but it was not our government,” the spokesman told Reuters. That breach was detected in mid-October 2018 — right around the time that Prime Minister Scott Morrison announced that Australia would be reviewing its support for the Iran nuclear deal.
The details of the incident involving the Australian Parliament are especially important because of another incident, which took place in the U.K. in June 2017 and was conducted by the same actor. In the 2017 U.K. attack, the email accounts of 90 Parliament members were compromised after a “sustained and determined cyberattack.” Because of the sensitivity of the specifics of cyberespionage cases, U.K. authorities have not disclosed any additional information about that attack, although the House of Commons press office later published a brief public announcement. The attack has not been officially attributed to any particular nation-state actor.
Updated statement regarding cyber incident pic.twitter.com/c7JMvBWUgk — Commons Press Office (@HoCPress) June 25, 2017
Resecurity’s investigation into this attack, which involved the acquisition of intelligence from proprietary sources, may shed light on the situation. The threat actors in this instance compromised several Parliamentary e-mail accounts over the course of several attack iterations, eventually stealing approximately 10,204 records. These records contained details about U.K. Parliament members, various Committee members, and security and IT engineering staff members, including phone numbers, the date of their last login, and other valuable metadata.
According to our analysis, one of the most recent indicators of malicious activity by IRIDIUM occurred on June 7, 2017, at 9:01 AM (PST), one full day before the United Kingdom’s general election on June 8. This illustrates the group’s persistence and the level of effort it invests in monitoring ongoing political processes.
In the attacks on both the U.K. and Australian Parliaments, which were definitely not random and involved specifically selected targets, IRIDIUM used aggressive brute-force and “password spraying” attacks (a handful of common passwords tried against many accounts, which keeps each account under lockout thresholds) through uncommon authentication interfaces that typically have limited logging, in addition to malware distribution.
In each case, after successfully compromising an email account, the actors dumped a GAL file using an available API and PowerShell. The information stored in the GAL provides the attackers with detailed information about the politicians’ user accounts, which can then be used for both cyber and operational reconnaissance. It also helps the actors plan further CNA/CNE activity that is more likely to be effective.
The attack vector IRIDIUM often uses next is the probing of externally facing applications and network services, with a focus on SSO and VPN gateways (specifically those from Citrix), for network intrusion. The tactics, techniques and procedures (TTPs) associated with these attack patterns are almost identical to those of the Mabna Hackers and other actors with close ties to the Iranian Revolutionary Guard Corps (IRGC). Information about these TTPs has been published in a joint alert by the DHS and the FBI.
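The spraying-then-GAL-dump pattern described above is detectable in authentication logs because it has a distinctive shape: one source, many distinct usernames, one or two failures each, and then a success. The following is an added detection example, not Resecurity’s tooling and not derived from the incident data. It assumes a simplified log format (timestamp, source IP, user, interface, result) and runs over constructed sample lines using RFC 5737 test addresses and an example domain; it separates password spraying from classic brute force by comparing the number of distinct failing users in a sliding window against the maximum failures per user, and flags any account that logged in successfully from a spraying or brute-forcing source as likely compromised.

```python
"""Classify authentication sources as password spraying, brute force or normal.

Added example (not Resecurity's tooling, not incident data). Assumed log format:
    <ISO-8601 UTC timestamp> <source_ip> <user> <interface> <FAIL|SUCCESS>
Spraying: many distinct users, few failures each, from one source.
Brute force: many failures against one user from one source.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (RFC 5737 test addresses, example domain).
SAMPLE_LOG = """\
2019-02-01T03:00:01Z 203.0.113.7 alice@parl.example ews FAIL
2019-02-01T03:00:03Z 203.0.113.7 bob@parl.example ews FAIL
2019-02-01T03:00:05Z 203.0.113.7 carol@parl.example ews FAIL
2019-02-01T03:00:07Z 203.0.113.7 dan@parl.example ews FAIL
2019-02-01T03:00:09Z 203.0.113.7 erin@parl.example ews FAIL
2019-02-01T03:00:11Z 203.0.113.7 frank@parl.example ews FAIL
2019-02-01T03:00:13Z 203.0.113.7 grace@parl.example ews FAIL
2019-02-01T03:00:15Z 203.0.113.7 heidi@parl.example ews FAIL
2019-02-01T03:00:17Z 203.0.113.7 ivan@parl.example ews FAIL
2019-02-01T03:00:19Z 203.0.113.7 judy@parl.example ews FAIL
2019-02-01T03:00:21Z 203.0.113.7 mallory@parl.example ews SUCCESS
2019-02-01T03:00:23Z 203.0.113.7 niaj@parl.example ews FAIL
2019-02-01T03:00:25Z 203.0.113.7 olivia@parl.example ews FAIL
2019-02-01T03:10:00Z 198.51.100.9 carol@parl.example owa FAIL
2019-02-01T03:10:02Z 198.51.100.9 carol@parl.example owa FAIL
2019-02-01T03:10:04Z 198.51.100.9 carol@parl.example owa FAIL
2019-02-01T03:10:06Z 198.51.100.9 carol@parl.example owa FAIL
2019-02-01T03:10:08Z 198.51.100.9 carol@parl.example owa FAIL
2019-02-01T03:10:10Z 198.51.100.9 carol@parl.example owa FAIL
2019-02-01T04:00:00Z 192.0.2.5 alice@parl.example owa FAIL
2019-02-01T04:00:09Z 192.0.2.5 alice@parl.example owa SUCCESS
"""


def parse(log):
    """Parse log text into (timestamp, ip, user, interface, result) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, iface, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, iface, result))
    return sorted(events)


def max_distinct_users_in_window(failures, window):
    """Largest count of distinct failing users inside any sliding time window.
    failures: list of (timestamp, user) sorted by timestamp."""
    counts = defaultdict(int)
    best = start = 0
    for ts, user in failures:
        counts[user] += 1
        while ts - failures[start][0] > window:  # drop events that fell out of the window
            old = failures[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def classify(events, window=timedelta(minutes=30), spray_users=10,
             spray_max_per_user=3, brute_attempts=5):
    """Return a per-source report: verdict, counts, interfaces touched, suspect logins."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        failures = [(ts, user) for ts, _, user, _, result in evs if result == "FAIL"]
        per_user = defaultdict(int)
        for _, user in failures:
            per_user[user] += 1
        max_per_user = max(per_user.values(), default=0)
        distinct = max_distinct_users_in_window(failures, window)
        if distinct >= spray_users and max_per_user <= spray_max_per_user:
            verdict = "password_spray"
        elif max_per_user >= brute_attempts:
            verdict = "brute_force"
        else:
            verdict = "normal"
        successes = sorted({user for _, _, user, _, result in evs if result == "SUCCESS"})
        report[ip] = {
            "verdict": verdict,
            "distinct_failed_users": distinct,
            "max_failures_per_user": max_per_user,
            "interfaces": sorted({iface for _, _, _, iface, _ in evs}),
            "successes": successes,
            # A login that succeeded from a spraying or brute-forcing source is suspect:
            # that account is the foothold from which a GAL dump would follow.
            "likely_compromised": successes if verdict != "normal" else [],
        }
    return report


if __name__ == "__main__":
    for ip, info in classify(parse(SAMPLE_LOG)).items():
        print(ip, info["verdict"], info["interfaces"], info["likely_compromised"])
```

The thresholds (10 distinct users in 30 minutes, at most 3 failures per user for a spray, 5 failures against one user for brute force) are illustrative and should be tuned to the environment; the “interfaces” field is there because, as the text notes, spraying tends to arrive through less-watched endpoints, so a verdict on an interface nobody expected to see authentication traffic on deserves priority.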
In December 2018, prior to the attack on the Australian Parliament, another meaningful and previously undisclosed cybersecurity incident was taking place on the other side of the globe. A database belonging to the Liberal Democratic Party of London was compromised.
Shortly thereafter, a posting appeared on the dark web offering the stolen information for sale. The offer appeared in a closed (private) section of the Kickass Forum, an underground Tor community created for the monetization of stolen data.
Resecurity brought this information to the National Cyber Security Centre (NCSC UK), part of GCHQ, and supplied additional information regarding other U.K. government resources compromised by the same actors in the same timeframe. Samples of the stolen data were shown as images in the original post.
A credible threat actor known as The Dark Overlord [TDO] expressed strong interest in purchasing the database. TDO is known to represent a group of threat actors and has previously conducted a significant number of cyberattacks on media, insurance, defense, healthcare and law firms for profit and extortion. TDO used the dark web to monetize stolen data and was constantly looking for new members in the form of vetted cybercriminals and black hats. TDO had claimed responsibility for the 2017 hack of HBO and the subsequent leak of stolen intellectual property. However, U.S. authorities ultimately attributed that hack to Behzad Mesri, an Iranian citizen with close ties to the IRGC.
An individual thought to be associated with TDO, Nathan Wyatt, had previously been accused of illegally accessing the iCloud account of Pippa Middleton, the younger sister of Catherine, Duchess of Cambridge, a member of the British royal family. Based on information available to Resecurity, Wyatt appears to have been acting as a broker on behalf of another actor, who had tasked him with monetizing the stolen information. Interestingly, some members of IRIDIUM also work for profit “on the side” from time to time, selling some of the stolen data, likely without coordinating such actions with their “curators.”
It is worth noting that very near the time this report was published — and after the incident had been disclosed — the administrators of the Kickass Forum took down the resource with the following statement:
< KICK-ASS IS GONE > KA run now years under our control and the LE is for sure searching us …
We have been thinking about stopping with KA for some time now the last downtime we work to secure the forum more after the TDO public NEWS but 100% Opsec is not possible
And now it became quieter in the forum
and the fun after years disappeared too…
We had many years of fun and also luck to be still online
But we think the time to move forward is now
Maybe we start something new in the future
Big thanks to all Members for your time / effort / support …
(we are not seized by law enforcement no worry is only time to move on)
Thanks & Greets
NSA & KA STAFF * KA *
On February 13, 2019, the U.S. Department of Justice (DOJ) charged former U.S. counterintelligence agent Monica Elfriede Witt with espionage on behalf of Iran. Alongside her, it charged four Iranians, Behzad Mesri, Mojtaba Masoumpour, Hossein Parvar and Mohamad Paryar, with allegedly using information she had provided to further a variety of cyberespionage campaigns and other malicious activity.
Nearly a year earlier, in March 2018, a group known as the Mabna Hackers (associated with the Mabna Institute, itself an organization associated with the Iranian Revolutionary Guard Corps) was alleged to have attacked 320 universities in 22 countries, including many in the U.S., the U.K. and Australia. The U.K. supported the U.S. indictments of the Iranian hacker group and assessed with high confidence that the group is almost certainly responsible for a multiyear Computer Network Exploitation (CNE) campaign. One of its frequently used attack vectors, an email compromise followed by a GAL dump, was also used against ADFS-enabled environments. According to Resecurity, in the wake of the legal actions by U.S. and U.K. authorities, this group has been significantly “reshaped.” None of the group’s members have been arrested, and it has continued its cyber-offensive operations.
U.S. authorities named Mesri as the attacker who hacked HBO, stole unreleased episodes of Game of Thrones and other intellectual property, and demanded millions in Bitcoin as ransom. Notably, TDO was also known for large-scale extortion campaigns. The fact that both TDO and Behzad Mesri have claimed responsibility for the HBO attack suggests a significant connection between them. This would also explain why TDO was interested in purchasing the database stolen from the Liberal Democratic Party of London: this type of information is not typically traded in traditional cybercriminal communities, and is valuable primarily to state actors, given foreign intelligence services’ interest in gathering information about politicians in countries of interest.
– Cyberespionage activity has increased significantly, and we anticipate that it will continue to grow. The described incidents involving the U.K. and Australian Parliaments may be characterized as two connected episodes of “state-encouraged” or “state-sponsored” cyberespionage taking place around the same political events.
– State actors are actively engaging with threat actors both on the dark web and in other countries, including Syria, Lebanon and Palestine. The goal of these arrangements is to conduct joint cyber-offensive operations that minimize responsibility for the malicious activity and blur attribution.
– The state actor IRIDIUM is responsible for cyberattacks on the Parliaments of the U.K. (2017) and Australia (2019) and is targeting members of the political elite to gain strategic intelligence. The choice of such high-value targets is consistent with direct tasking by a foreign intelligence agency.
– The multi-stage cyberattacks conducted by IRIDIUM are effective, as demonstrated by the group’s well-organized reconnaissance tradecraft.
– Political elites are becoming one of the major high-value targets. State actors are targeting political leaders in countries of interest with the intent to acquire strategic intelligence and to influence elections and political processes.