Global Weekly Executive Summary, 20 OCT 2017

By MDL on October 20, 2017

British Intelligence Suspects Iran in Parliament Email Attacks

British intelligence now suspects that Iran was the source of the June 2017 brute force attacks against 9,000 UK Parliament email accounts.

Key Details:

On 23 June of 2017, 9,000 UK parliamentary email accounts were targeted in a 12-hour long brute force attack that included 200,000 attempts to access accounts. (BBC)
The accounts of Prime Minister Theresa May and other senior ministers were among those targeted. (Guardian)
Up to 90 Members of Parliament (MP) accounts were compromised because of weak password use. (Times)(Guardian)
UK government officials say that although fewer that 1% of the email accounts were compromised, they assume that some sensitive materials were accessed. (Times)
Prime Minister May’s emails were considered safe because she uses the more secure account associated with her role as Prime Minister rather than her parliamentary account. (Times)
Iran, or groups working in the interests of the Iranian government, have been suspected in major cyber attacks in the past, but they have not been known to target the UK in the past.

Supporting Details:

Previously, the attacks were suspected to be state-sponsored, with Russia or North Korea considered to be the possible perpetrators because those countries were believed to be behind previous cyber incidents in the UK. (BBC, Guardian)
Articles in The Times and The Guardian revived the story of the June 2017 attack this week, citing “an unpublished assessment by British intelligence” that attributed the attacks to Iran. (Guardian) The Times described “a secret intelligence assessment” as the source for this new attribution.
The creator and source of the “unpublished assessment by British intelligence” is not named, but the document was reported on by The Times was independently verified by The Guardian. (SC)
The UK National Cyber Security Centre (NCSC) spokesperson declined to confirm or comment on the report “while inquiries are ongoing.” (Guardian)

Significance:

This seems to be Iran’s first “significant cyber-attack on a British target” (SC), This may signal Iran’s desire to be considered a leading global “cyberpower.” (Times)
Iran is believed to be behind the destructive Shamoon attacks targeting Saudi Aramco and other energy companies in Saudi Arabia. Other cyber campaigns attributed to Iran include the 2016-2017 “Mia Ash” espionage campaign thought to have been used to compromise the Deloitte accounting firm, the 2011-2013 DDOS attacks on 46 American banks and financial institutions and an attempt at shutting down a New York dam (Reuters) (Hill), and GPS disruption/spoofing of ships in the Persian Gulf. (Times)
The 2015 “The DOD Cyber Strategy” document states, “While Iran and North Korea have less developed cyber capabilities, they have displayed an overt level of hostile intent towards the United States and U.S. interests in cyberspace.” (DOD pdf)
This news comes at a time of increased tension between Iran, The UK, and the United States. President Trump has considered withdrawing from the 2015 Iran nuclear deal while the UK, France, and Germany have reaffirmed support of the deal. (BBC)
The Times raised a possible theory, “Some experts believe it is possible that elements of Iran’s Islamic Revolutionary Guard Corps are using cyber-attacks to undermine the deal because they want the country to resume its weapons programme.” (Times)

Sources: