Australia Parliamentary Hack: China or Iran?

Less than a month ago, Australian National Cyber Security Adviser Alastair MacGibbon signed a Memorandum of Understanding (MoU) on cyber cooperation with the Israel National Cyber Directorate (INCD) in Tel Aviv, building on a previous MoU with Israel on cybersecurity signed by former Prime Minister Malcolm Turnbull in 2017. This was perfect timing, as Prime Minister Scott Morrison announced this week that a “sophisticated state actor” had hacked Australia’s parliamentary networks and all major political parties in a cybercoup mere months before federal elections. While Israel was bizarrely mooted as a potential culprit in certain reports, nearly all coverage and commentary obliquely or explicitly blamed China, given its history of aggressive cyberattacks against Australia and interest in Australian politics. Of course, China continues its consistent policy of denial. There was one country, however, that was missing from speculation in the news: Iran.

To their credit, Peter Jennings of the Australian Strategic Policy Institute and The Australian’s Greg Sheridan, among others, at least mentioned Iran in their respective commentaries before downplaying the likelihood. Given the particulars of this case, it is natural that China should be the country under suspicion – but it’s a mistake to rule out all speculation about Iranian responsibility based on either capability or intent.

As we’ve covered in depth in previous articles, Iran is quite a sophisticated actor in cyberspace in its own right, and has specifically targeted Australia in the past, including most recently a hack of Navy shipbuilder Austal. What’s more, there are indications of cooperation between Chinese and Iranian intelligence, according to U.S. intelligence officials, with some suggesting a countervailing alliance in cyberspace made up of Russia, China and Iran opposing the “Five Eyes” – the intelligence alliance of the US, UK, Canada, Australia and New Zealand.

More importantly, on February 21, US cybersecurity firm Resecurity claimed that the hack of the Australian parliamentary system was in fact consistent with those conducted by Iran, specifically the Mabna Institute, as part of a global campaign against Five Eyes, and it was suggested that they’d simply tried to make it look as if China had carried it out. The Mabna Institute, a front for Iran’s Islamic Revolutionary Guard Corps (IRGC), has previously been implicated in a massive hack of dozens of Australian universities, and it was cited specifically by former Prime Minister Malcolm Turnbull when he established the new national cyber security centre in 2018. Some Australian sources involved in the investigation, however, have dismissed Resecurity’s analysis regarding Mabna and say China remains the primary suspect, although Resecurity now says that the Australian Signals Directorate has confirmed its attribution of the attack to Iran.

Attribution is notoriously difficult to assign when it comes to sophisticated cyberattacks, and in this case even more so than usual, as a rapid reaction was required to neutralise the hackers, resulting in the loss of forensic evidence. The hackers may even still be embedded in the system. All we know publicly is that the attack was apparently unique, “a ‘first-seen’ in terms of the tools and tradecraft used,” a source told The Australian. Five Eyes, as well as other Western intelligence sources, all told The Australian Financial Review that they’d never seen the likes of it, either. While these claims make the Mabna Institute – a known quantity – a less likely suspect, it’s still clear that Australia is going to need to pursue all available avenues to upgrade its capacities in order to counteract the malicious cyber-activities of this coalition of hostile and sophisticated state actors.

The MoU with Israel, a global leader in cyber-security, must be looking like a very good move in Canberra right now.