Monday, November 20, 2017
Since my last post in October, there has been no confirmation of which group was behind the cyber-attack on Westminster, or of the Iranian government's role in sponsoring or tasking the attackers (as noted in that post, The Times newspaper reported that the Iranian state was likely behind the attack). Since then, Israeli General Nadav Padan, in charge of Israel's network security, has spoken out about the growing number of attacks orchestrated by Iranian state-sponsored hackers against Israel. General Padan, who is Head of the IDF C4I Cyber Defense Directorate, told the Reuters Cyber Security Summit that Iran is now responsible for many of the thousands of attacks carried out on Israel each day. The controversial nature of Israeli foreign policy continues to provoke acts of retribution from hostile states in the region, and Iranian cyber-attacks will, at least to some extent, reflect long-standing resentment over the Stuxnet attack, rumored to have been carried out jointly by Israel and the US and uncovered in 2010. This is surely evidence that Iran is continuing to wage war in the cyber domain.
General Nadav Padan
Iran has featured heavily in the news of late. John Kerry, the former US Secretary of State, recently rebuffed Donald Trump's claims that Iran is violating the Joint Comprehensive Plan of Action (JCPOA), arguing that there is 'no scientific basis' and 'no evidence' for them, and that retaining the Iran nuclear deal is key to preventing a nuclear arms race in the Middle East. Whilst there may be no evidence that Iran is defying the terms of the nuclear deal, the USA remains at the center of Iranian cyber-attacks (see my earlier article: Iranian Hacking Threat to US if Nuclear Deal Collapses). However, the attack on the UK Parliament reported last month demonstrates that Iranian hostility is not confined to the US and Israel; the governments of other Western states are also being targeted.
In the meantime, the people of Iran continue to suffer 'collateral damage', losing out from US government restrictions that prevent Iranians from hosting apps on the Apple and Google app stores. Iranians had previously been able to access and download Apple and Google software (communications technology was exempt from the Iran embargo), and activists are putting pressure on the Office of Foreign Assets Control (OFAC) to return to the Obama administration's policy.
Sunday, October 15, 2017
UK Parliament Hacked By Iran
The United Kingdom (UK) Parliament appears to have been hacked by Iran. The cyber-attack on 23 June 2017 was a brute-force (password-guessing) attack against some 9,000 email accounts, including that of the UK Prime Minister, Theresa May; in total between 30 and 90 members of Parliament were affected.
The Times, which broke the story, said that it was Iran's first significant act of cyber-warfare against the UK, that it underlines Iran's emergence as one of the world's biggest cyber powers, and that Iran is highly capable of such attacks.
The timing of the disclosure is interesting, coming after US President Donald Trump signalled his intent to withdraw from the JCPOA (Joint Comprehensive Plan of Action) with Iran, which could lead to sanctions against Iran being re-instated. The UK, France and Germany do not agree with the USA on the matter. Without complete agreement, Iran may not suffer any new sanctions, as it appears that Iran has not violated the terms of the deal.
Iranian regime attack or amateur hackers?
The attack, which was originally suspected of coming from Russia, may have been carried out by amateur hackers. At the time of the attack in June, it was said that the attackers could only break into the email accounts of members of Parliament (MPs) that had simple, easily guessed passwords. As a security response at the time, MPs were unable to access their accounts and had to communicate using SMS text messages instead. It now seems, however, that the regime may after all have been behind the attack.
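A brute-force attack of the kind described above leaves a distinctive pattern in mail-server authentication logs: either many failed guesses against one account, or one or two guesses each against thousands of accounts (a "password spray"), with a success wherever a password was weak enough to be guessed. The script below is an added illustration of how a defender would pick both patterns out of auth logs and list the accounts that were actually compromised; it is not code from this post, the log format is an assumed syslog-like layout, the sample lines are constructed, and the thresholds (5 distinct accounts or 5 failures within 10 minutes) are assumptions to tune for a real environment.

```python
"""Flag brute-force and password-spray logins in mail-server auth logs.

Added illustration, not code from the original post. The log format is an
assumed syslog-like layout; the sample data and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Parliament data). Three sources:
#  198.51.100.9  - a legitimate user mistyping once, then logging in
#  203.0.113.7   - a "spray": one or two guesses each against many accounts
#  192.0.2.5     - a classic brute force: repeated guesses against one account
SAMPLE_LOG = """\
2017-06-23T21:00:01 FAIL user=alice@parl.example ip=198.51.100.9
2017-06-23T21:00:09 OK   user=alice@parl.example ip=198.51.100.9
2017-06-23T21:05:00 FAIL user=alice@parl.example ip=203.0.113.7
2017-06-23T21:05:01 FAIL user=bob@parl.example ip=203.0.113.7
2017-06-23T21:05:02 FAIL user=carol@parl.example ip=203.0.113.7
2017-06-23T21:05:03 FAIL user=dave@parl.example ip=203.0.113.7
2017-06-23T21:05:04 OK   user=dave@parl.example ip=203.0.113.7
2017-06-23T21:05:05 FAIL user=eve@parl.example ip=203.0.113.7
2017-06-23T21:05:06 FAIL user=frank@parl.example ip=203.0.113.7
2017-06-23T21:05:07 OK   user=frank@parl.example ip=203.0.113.7
2017-06-23T21:30:00 FAIL user=carol@parl.example ip=192.0.2.5
2017-06-23T21:30:10 FAIL user=carol@parl.example ip=192.0.2.5
2017-06-23T21:30:20 FAIL user=carol@parl.example ip=192.0.2.5
2017-06-23T21:30:30 FAIL user=carol@parl.example ip=192.0.2.5
2017-06-23T21:30:40 FAIL user=carol@parl.example ip=192.0.2.5
2017-06-23T21:30:50 FAIL user=carol@parl.example ip=192.0.2.5
2017-06-23T21:31:00 OK   user=carol@parl.example ip=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse(log_text):
    """Turn log lines into time-ordered event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "OK",
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=5):
    """Return (sprayers, brute_forcers, compromised).

    sprayers:      IPs that failed against >= spray_users distinct accounts in a window
    brute_forcers: (ip, user) pairs with >= brute_fails failures in a window
    compromised:   accounts that had a successful login from a flagged IP
    """
    fails_by_ip = defaultdict(list)      # ip -> [(ts, user)] in time order
    fails_by_pair = defaultdict(list)    # (ip, user) -> [ts] in time order
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
            fails_by_pair[(e["ip"], e["user"])].append(e["ts"])

    sprayers = set()
    for ip, fails in fails_by_ip.items():
        for i, (t0, _) in enumerate(fails):          # sliding window from each failure
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= spray_users:
                sprayers.add(ip)
                break

    brute = set()
    for (ip, user), times in fails_by_pair.items():
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= brute_fails:
                brute.add((ip, user))
                break

    attacker_ips = sprayers | {ip for ip, _ in brute}
    compromised = sorted({e["user"] for e in events if e["ok"] and e["ip"] in attacker_ips})
    return sorted(sprayers), sorted(brute), compromised


if __name__ == "__main__":
    sprayers, brute, compromised = detect(parse(SAMPLE_LOG))
    print("spraying IPs:      ", sprayers)
    print("brute-forced pairs:", brute)
    print("compromised users: ", compromised)
```

Note that alice's own mistyped password from her usual address is not flagged, while the three accounts that accepted a guess from an attacking source are: those are exactly the "simple, easy to hack passwords" the June reports described, and they are the accounts to lock and reset first.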
Reasons for the attack
The reasons for the attack are unknown (or at least the British intelligence services are not saying), but could include:
- Exploratory activity: Iran may have been looking for UK data that it could use as leverage to extract concessions from the UK, or that could compromise UK interests
- Iran may have been looking for a trade advantage
- More worryingly, the IRGC (Iranian Revolutionary Guard Corps) may be seeking to undermine Iran's nuclear non-proliferation deal in order to get it scrapped; Iran could then restart its nuclear weapons research.
The IRGC is at odds with President Hassan Rouhani, whom it sees as too pro-Western, while the regime's religious leader, Ayatollah Khamenei, is linked with the IRGC. There is thus an ongoing rift between the religious and political leadership of Iran, partly due to Rouhani slashing the IRGC's budget to restrict its economic activities.
An uncertain future
In my previous article I suggested that Iran might increase cyber-attacks against the USA if the US walked away from the JCPOA. Now that President Trump appears to be doing just that, even though Germany, the UK and France do not agree, we may see an escalation of Iranian cyber-warfare against the West.
Labels: Ayatollah Khamenei, British Intelligence, email, hacked, hackers, Hassan Rouhani, iran, IRGC, JCPOA, nuclear, Parliament, prime minister, russia, sanctions, Theresa May, UK, US President
Friday, May 30, 2014
NEWSCASTER: Iran Attacks Social Media
The Iranian state has targeted the public and private sector in the US, Israel, the UK and beyond using social media.
Iranian hackers used more than ten fake identities on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber-espionage campaign. At least 2,000 people were caught in the snare and connected to the false identities.
The campaign has been operating undetected since 2011 and targets senior American military and diplomatic personnel, congressional staff, Washington DC journalists, US think tanks, defense contractors in the US and Israel, and other vocal supporters of Israel, in order to covertly obtain log-in credentials to the victims' email systems. Additional victims were targeted in the UK as well as Saudi Arabia and Iraq.
The targeting, operational schedule and infrastructure used in this campaign are consistent with Iranian origins.
The fake identities claim to work in journalism, government and defense contracting. The accounts are elaborate and build credibility using, among other tactics, a fictitious journalism website, newsonair.org, that copies news content from other media outlets.
These credible-looking identities then connected with, linked to, followed and friended target victims in order to gain access to information on their location, activities and relationships from status updates and other commonly shared content.
These identities then targeted the victims' accounts with spear-phishing messages. Links that appeared legitimate asked recipients to log in to fake pages that captured their credentials. It is not clear at this time how many credentials the attack has captured so far.
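The credential-capture step above relies on links that look legitimate but lead somewhere else. The script below is an added illustration, not code from this post or from the NEWSCASTER report, of the checks a mail gateway or an analyst triaging a suspicious message can run over the links in an HTML email: display text naming one host while the href points to another, a trusted login hostname buried inside an unrelated domain, punycode hosts, raw IP addresses, and a log-in or password prompt pointing anywhere other than the organisation's real login pages. The TRUSTED hosts, the sample message and the heuristics are all assumptions constructed for the example.

```python
"""Triage links in an HTML email for credential-phishing tells.

Added illustration, not code from the original post. TRUSTED lists the
hosts assumed to be the organisation's real login pages; everything else
(sample message, heuristics) is constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"mail.example.gov", "login.example.gov"}   # assumed real login hosts
CRED_WORDS = re.compile(r"\b(log ?in|sign ?in|password|verify|reset)\b", re.I)
HOST_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed sample message: one genuine link, three phishing links, one benign link.
SAMPLE_EMAIL = """\
<html><body>
<p>Your mailbox is almost full. Please review the options below.</p>
<p><a href="https://login.example.gov/">https://login.example.gov/</a></p>
<p><a href="https://login.example.gov.secure-reset.example/">login.example.gov</a></p>
<p><a href="http://203.0.113.9/owa/">Sign in to your mailbox</a></p>
<p><a href="https://xn--lgin-xyz.example/reset">Reset password</a></p>
<p><a href="https://news.example/story/42">Read more</a></p>
</body></html>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyze(html):
    """Return a list of {href, text, reasons} dicts, one per suspicious link."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append("non-web scheme")          # javascript:, data:, relative, ...
        elif host not in TRUSTED:
            shown = HOST_IN_TEXT.search(text)         # a hostname written in the link text
            if shown and registrable(shown.group(0)) != registrable(host):
                reasons.append(f"text shows {shown.group(0)} but link goes to {host}")
            for t in sorted(TRUSTED):                 # trusted name used as a decoy prefix
                if t in host and registrable(t) != registrable(host):
                    reasons.append(f"trusted name {t} embedded in {host}")
            if any(label.startswith("xn--") for label in host.split(".")):
                reasons.append("punycode/IDN host")
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                reasons.append("raw IP address host")
            if CRED_WORDS.search(text):
                reasons.append("credential prompt pointing at untrusted host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The genuine login link and the ordinary "Read more" link produce no findings; the three decoys are each caught by more than one rule, which matters because a real campaign will evade any single heuristic (the registrable-domain check, for instance, is deliberately crude and should use a public-suffix list in production).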
This campaign is additionally linked to malware. While the malware is not very sophisticated, it includes capability that can be used for data exfiltration.
- Social media offers a powerful and hidden route to target key government and industry leadership from an external base, possibly outside existing security measures.
- Given the targeting associated with this campaign, it is possible that Iranian hackers used the access gained through these activities to support the development of weapon systems, to reveal the disposition of the US military or the US alliance with Israel, or to gain an advantage in negotiations between Iran and the US. Furthermore, any access or knowledge gained could be used as reconnaissance-for-attack before disruptive or destructive activities.
- These adversaries are getting better at finding and exploiting opportunities to carry out cyber espionage, even without sophisticated capability. NEWSCASTER's success is largely due to patience, brazenness and innovative use of multiple social media platforms. The NEWSCASTER network appears to target mainly senior military personnel and policymakers, companies associated with defense technology, and the US-Israel lobby, but there are also victims in the financial and energy sectors and elsewhere, and only a part of the accounts connected to this network has been seen. Organizations involved in critical infrastructure, or holding information that may be of strategic or tactical interest to a nation-state adversary, should be concerned about a threat such as this.
Labels: exfiltration, iran, iranian state, Iraq, Israel, malware, NEWSCASTER, newsonair.org, Saudi Arabia, social media, spear-phishing, UK, US