Parliament House hack report reveals poor password practices

It took eight days to flush February's cyber attackers from Australia's parliamentary network. A procedure to authenticate staff asking to reset their boss' passwords only came another week later.
Written by Stilgherrian, Contributor

Interesting facts are starting to emerge concerning the hack of the Australian Parliament network and political party networks revealed in February 2019. Amusing facts, even.

It took eight days to remove the bad guys from the parliamentary network, according to evidence given to the Senate Finance and Public Administration last Thursday.

The Department of Parliamentary Services (DPS) became aware of the breach on January 31, and called in the Australian Signals Directorate (ASD) for help. The attackers were removed on February 8.

What happened in the intervening eight days?

"At this point I have to say that, given this forum, I am unable to go into any further detail," said the President of the Senate, Senator Scott Ryan.

Ryan tabled a report on the incident. The report itself has not yet been published, but his verbal evidence reveals disturbing gaps in DPS defences and procedures.

"While I do not propose to discuss operational security matters in detail, I can state that a small number of users visited a legitimate external website that had been compromised," Ryan said.

"This caused malware to be injected into the Parliamentary Computing Network."

Classic spearphishing.

Ryan said he released this information as a "salient warning" for users to be "cautious and vigilant when clicking on any documents, attachments or links that are outside of our environment".

While two affected senators had been contacted by phone, the rest of the "several thousand people who access the network" were sent a notice to reset their passwords -- via the very network that they'd just been locked out of.

As Senator Kimberley Kitching quite rightly noted: "If the department knew that the system was down, why send out an email to a system that wasn't accessible? That's a little problematic."

"No, we were fully aware," said Ryan.

"That would not make sense," said Kitching.

"It was done in full consultation with the Speaker [of the House of Representatives] and myself," Ryan said. "There was no other alternative given the advice that we received required the wholesale network password reset."

Extra tech support staff had to be brought in to handle the calls.

"We really can't go into, in a public forum, more details of the stages of what happened or explanation for various reasons," Ryan said.

Kitching then noted: "At the time there was a suggestion made to DPS that DPS might acquire our mobile numbers and contact people that way."

Ryan's response: "There has been work with whips, I think, looking into that. That's currently, at least in my experience, still under discussion with whips."

That's right, nine months after the breach there doesn't seem to be a list of all users' phone numbers. That makes this next revelation even more worrying. Or amusing, depending on your personal philosophy.

Ryan also noted that "our computer asks us to change our password for good security reasons quite often", despite that now being contrary to best practice.

One of the documents tabled was a form titled "Authority to reset parliamentarians' passwords", a form not issued until February 15, a full fortnight after the breach was discovered.

"From memory, the purpose of that authorisation was to enable parliamentarians to provide formal authority for passwords to be changed on parliamentarians' behalf by their staff," said DPS secretary Robert Stefanic.

"In the past, there had been ad hoc approaches by email and phone. This was an attempt to formalise that process."

In other words, staff could call or email to reset a parliamentarian's password, and be told that password. Obviously anyone pretending to be staff could do the same.

"The exact process we use to verify the identity I will take on notice and provide more information on," said Ian McKenzie, the DPS chief information security officer.

In general terms, there are a "number of ways that security is verified", he said.

"If we see a phone call come from that office, for example, then it verifies at least that that is the extension and the call is coming from the verified senator or member's office -- and the same with electorate offices."

DPS had reassured us in March that the attack was detected early, although it admitted that it still had work to do on fighting external threats. On Thursday's evidence that would certainly seem to be the case.

Your writer is looking forward to reading the full incident report, but fears it won't be anywhere near as transparent as the report issued by Australian National University.

The Parliament House attacker or attackers have never been named, although the working consensus among cyberpundits is that it was China.
