Poor Password Security Blamed Following Compromise of Up to 90 Accounts
Members of Parliament in Britain, as well as staff and civil servants, have had their remote email access suspended after technology teams detected signs that someone was attempting to hack into a large number of their email accounts.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
Parliament officials say that the “sustained” effort by remote attackers appears to have resulted in a breach of up to 90 accounts. Initial reports have suggested attackers were attempting to brute-force guess weak passwords.
Parliament first confirmed the attack on Saturday, and said that all remote access to email – outside of the Westminster estate, where Parliament meets – had been temporarily disabled. Thanks to incident response efforts over the weekend, however, officials say parliamentary business is continuing as scheduled on Monday.
“Parliament’s first priority has been to protect the parliamentary network and systems from the sustained and determined cyberattack to ensure that the business of the Houses can continue,” according to a statement issued by Parliament. “This has been achieved and both Houses will meet as planned today.”
Related investigations remain ongoing, led by the National Cyber Security Center – Britain’s national incident response and computer emergency response team, which is part of intelligence agency GCHQ – and assisted by the National Crime Agency. Officials have suggested that full, remote access to email should resume shortly.
Weak Passwords Blamed
Officials have said fewer than 90 accounts appear to have been affected, and blamed the compromised accounts on users who made poor password choices (see Why Are We *Still* So Stupid About Passwords?).
“Investigations are ongoing, but it has become clear that significantly fewer than 1 percent of the 9,000 accounts on the parliamentary network have been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service,” according to the statement. “As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way.”
The statement adds: “Parliament is now putting in place plans to resume its wider IT services.”
Only email addresses hosted on the “parliament.uk” domain were affected, a spokesman tells Information Security Media Group. That means that the attack did not affect accounts hosted on the gov.uk domain, which ministers – all of whom are MPs – are instructed to use for any confidential work or communications.
Even so, the parliament.uk email addresses are used by all MPs and peers – referring to members of the House of Lords. As a result, private communications with constituents could have been compromised.
The parliament.uk domain emails – together with file sharing and storage – appear to be running on Microsoft Office 365, following Parliament’s 2014 migration to the cloud service.
Officials at the House of Commons and the House of Lords declined to comment on whether the email services are still running on Office 365, whether two-factor authentication is made available to secure users’ access to their accounts, whether the use of TFA is mandatory, or what type of data may have been compromised in the attack.
“It would be inappropriate to comment on the other questions while investigations are ongoing,” a spokesman tells ISMG.
Attack Detected Saturday
News of the hack first came to light Saturday via a tweet from Chris Rennard, a Liberal Democrat peer, who warned that he should be texted – not emailed – with any urgent communications.
Other lawmakers, including Tory MP Henry Smith, quickly followed suit.
Sorry no parliamentary email access today – we’re under cyber attack from Kim Jong Un, Putin or a kid in his mom’s basement or something…
— Henry Smith MP (@HenrySmithUK) June 24, 2017
The attack was confirmed by Parliament later on Saturday. Multiple media outlets have quoted unnamed sources in the British intelligence sphere suggesting that the attack must have been sponsored by a nation state.
“It was a brute-force attack. It appears to have been state-sponsored,” one source tells the Guardian.
The same source, however, adds a massive caveat: “The nature of cyberattacks means it is notoriously difficult to attribute an incident to a specific actor.”
Indeed, no such evidence as to the identity of the attacker has come to light. Incident response experts say that identifying the individual behind an online attack – if they can ever be identified – requires much more than technical indicators such as IP addresses, which can be spoofed, but also human intelligence.
Liam Fox, a Tory MP who serves as Britain’s international trade secretary, said it’s no surprise that attackers might be trying to harvest lawmakers’ email access credentials.
“We know that there are regular attacks by hackers attempting to get passwords,” Fox said in an interview with the BBC. “We have seen reports in the last few days of even Cabinet ministers’ passwords being for sale online. We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails.”
Security experts say the attacks are a reminder to practice essential email-related information security defenses, such as using two-factor authentication. Indeed, if parliamentarians had used TFA, then brute-force attacks attempting to guess their username and password would have been impossible.
Cryptography expert Matthew D. Green, an assistant professor in the Johns Hopkins University computer science department, says via Twitter that one of the takeaways from the Parliament email attack is to ensure that every user employs two-factor authentication. He also adds that email should not be used for any sensitive communications. Instead, he recommends using messaging applications and servers that employ end-to-end encryption (see Crypto in Europe: Battle Lines Drawn).