Last month, the Australian Government said it believed a cyberattack targeting its parliamentary computer network to be the work of a “sophisticated nation-state actor”. The country’s parliament and its three biggest political parties were the victims of the “unprecedented” attack, but new research by cybersecurity company Resecurity suggests that the scale of the cyberattack is far greater than first thought.

The Los Angeles-based firm has investigated the attack and connected it to Iranian cyber espionage group Iridium, which targets sensitive government, diplomatic and military resources of other countries. Resecurity believes that the Australian cyberattack is connected to an attack on the UK Parliament that occurred in 2017.

In June 2017, the UK Government reported unauthorised attempts to access accounts of parliamentary network users, in which fewer than 1% of the 9,000 accounts on the parliamentary network were compromised. Some records were stolen as a result.

This attack was originally thought to be of Russian origin, with The Guardian reporting that “Moscow is deemed the most likely culprit”, but it has not been officially attributed to any actor.

However, according to Resecurity, the same group is responsible for the Australian cyberattack. Based on its investigation, the company believes that the two attacks are both part of a multi-year “state-encouraged” or “state-sponsored” campaign by Iridium.

The nature of the attacks indicates that Iridium is acting on behalf of “a unit of an intelligence agency that focuses on acquiring information from politicians and political parties in other countries”, particularly in Australia, New Zealand, Canada, the UK and the US.


According to Resecurity, Iridium recruits young technical specialists for cyber-offensive operations and espionage, as well as foreign actors from Lebanon, Syria and Palestine and individuals on the dark web.

Although the country’s authorities have not publicly attributed the Australian cyberattack to Iran, The Wall Street Journal has linked it to the Iranian group.

The firm believes that the two connected episodes are part of a campaign by Iridium targeting members of the political elite to gain strategic intelligence and “monitor ongoing political processes” (notably, the UK Parliament attack is believed to have taken place in the run-up to the 2017 general election).

Resecurity believes that the same group also compromised a database belonging to the UK Liberal Democratic Party in 2018 that was then put up for sale on the dark web.

Linking the Australian cyberattack to the UK Parliament attack

The reason the two attacks are believed to be linked is the similarities between them. In both cases, attackers used a method called “password spraying”, in which login attempts are made against a large number of accounts using a few commonly used passwords.

Attackers used this technique to successfully compromise an email account and then dumped the Global Address List (GAL) using an available API and the PowerShell scripting language. The information stored in the GAL was then used by the attackers to gain detailed information about the user accounts.
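As an added illustration of the defender's side of the password-spraying and account-compromise sequence described above (example code written for this page, not from the article or Resecurity): a small detector over constructed authentication log lines that flags a source failing against many distinct accounts with only a few tries each, and lists any account that source then logged into. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "timestamp source_ip user result").
# 203.0.113.7 tries one password across six accounts and gets into one;
# 198.51.100.9 retries a single account, which is not a spray.
SAMPLE_LOG = """\
2019-01-01T09:00:01 203.0.113.7 alice FAIL
2019-01-01T09:00:03 203.0.113.7 bob FAIL
2019-01-01T09:00:05 203.0.113.7 carol FAIL
2019-01-01T09:00:07 203.0.113.7 dave FAIL
2019-01-01T09:00:09 203.0.113.7 erin FAIL
2019-01-01T09:00:11 203.0.113.7 frank SUCCESS
2019-01-01T09:00:15 198.51.100.9 alice FAIL
2019-01-01T09:00:20 198.51.100.9 alice FAIL
2019-01-01T09:00:25 198.51.100.9 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: finding} for sources whose failures in a fixed window
    (starting at that source's first event) hit at least min_users distinct
    accounts with no more than max_per_user failures each. A brute force
    against one account has many failures per user; a spray has many users
    with one or two failures each. Any SUCCESS from a flagged source in the
    same window is reported as a likely compromised account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = evs[0][0]
        in_win = [e for e in evs if e[0] - start <= window]
        fails = defaultdict(int)
        for _, _, user, result in in_win:
            if result == "FAIL":
                fails[user] += 1
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            succeeded = sorted({u for _, _, u, r in in_win if r == "SUCCESS"})
            findings[ip] = {"sprayed_accounts": len(fails), "compromised": succeeded}
    return findings
```

Running `detect_spray(parse_log(SAMPLE_LOG))` flags only 203.0.113.7, with five sprayed accounts and `frank` as the account it subsequently logged into.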

Resecurity also noted that the “tools, techniques and procedures associated with these attack patterns are almost identical to those of the Mabna Hackers and other actors having close ties with the Iranian Revolutionary Guard Corps.”

The company said that it has provided Australian and UK authorities with detailed research supporting this.

The fact that the group is conducting effective multinational cyberattacks suggests it has a sophisticated operation increasingly targeting political figures in specific countries of interest, with the intent of acquiring sensitive information and influencing political processes.

Last month, Joseph Carson, chief security scientist & advisory CISO at Thycotic, told Verdict that this is a sign of things to come, with cyberattacks of this nature predicted to escalate:

“Cyberattacks are going to continue: both loud cyberattacks that bring down services and disrupt society and stealth cyberattacks that remain hidden, lurking within the networks stealing sensitive information or waiting for the right moment to bring down the network.”