Iran infiltrates UK institutions in state spying attack

News by SC Staff

News has surfaced today of an attack in late December 2018 on key elements of UK infrastructure, including the Post Office, local government networks and banks, by what is believed to be Iranian hackers.


Both public and private sector entities were hit, including the Post Office and local government networks, which were hit in coordinated attacks on 23 December, plus government officials and banks in the wider - believed ongoing - campaign.

Broadcaster Sky News reports that it has seen 10,204 data records that were stolen from the parliament global address lists during an earlier Iranian attack and that once again personal details of thousands of employees were stolen, in this case from the Post Office, including the email address and mobile phone number of the Post Office chief executive Paula Vennells - along with the mobile phone numbers of at least 10 peers and MPs. According to Sky, the National Cyber Security Centre confirmed it was "aware of a cyber-incident affecting some UK organisations in late 2018" and that it was "working with victims and advising on mitigation measures".

Lewis Henderson, vice-president of threat intelligence at cyber-security company Glasswall, who was part of the investigation and quoted in the initial Sky report, contacted SC Media UK to suggest that the undermining of trust was a key issue. He said: "As we've seen, you can do anything... influence elections, in particular. You can start to impersonate people within that government as well and be utterly convincing.

"The levels of trust that the global address list puts in place is completely eroded once you've lost that information, once it's out there in the hands of the attackers.

"We know that they could be impersonating members of our own government and starting to alter and disrupt communications."

David Atkinson, CEO of Senseon and ex cyber operative, describes the report as a sobering story which demonstrates how wide the scope is when we talk about nation state cyber attacks. "The temptation is to think of one government’s agency fighting another. However, as this story demonstrates, the reality is that the battlefield extends beyond that to businesses, public services and other organisations. In this case the Post Office, local government and banks are the victims that were caught in the crossfire.

"This attack also shows that we need to change awareness of what constitutes critical infrastructure. Again, we are not just talking about the energy sector, communications, and industrial organisations. Threat actors will also target the economy and if a large scale attack is launched against the UK’s banks, you can bet the situation will quickly become critical. The government has a responsibility to ensure a good standard of security and defence across all major organisations to safeguard the UK."

Andy Barratt, UK managing director of cyber-security consultancy Coalfire, agreed, commenting: "Iran’s effort to steal sensitive data from UK public sector organisations is another example of a surge in nation-state backed cyber-espionage in recent years. Even a cursory look at the cyber-strategies of countries around the world – both in Asia and the West – shows that there is massive investment in offensive digital capabilities.

"It’s interesting that Iran is seeking to extract data, rather than bring down core infrastructure like other nation-state attacks have done – North Korea’s WannaCry hack, for example, brought parts of the NHS to a standstill. It’s possible that Iran is being careful, given the West’s penchant for military activity in the Middle East. But it’s also possible that this was an intelligence gathering exercise to collect the data needed for more targeted espionage in the future.

"Public sector employees are a good target for accessing data if the end goal is to access government infrastructure. The attack costs are relatively low and a huge database of potential targets can be built up quickly."

Darren Anstee, CTO and SBO International, at Netscout, emailed SC Media UK to note how cyber-space has become the new frontier for nation state attacks, with assaults against the International Affairs sector increasing nearly 200 percent in the past year.

Anstee comments: "Political disruption provides a fertile ground for cyber-attacks against government, non-government and international organisations, meaning it’s hardly surprising malicious actors in Iran have mounted an attack against the UK.

"Cyber-space has become the new frontier and this assault marks the latest in a worrying line of nation state attacks by malicious cyber actors. Our analysis of global threats shows that Distributed Denial of Service attacks against the International Affairs sector - which includes the United Nations, the International Monetary Fund, and foreign consulates and embassies - increased by nearly 200 percent between H2 2017 and H2 2018.

"Furthermore, attacks against market research and polling organisations also increased in the past year, signifying a concerted effort by nation state hackers to undermine democracy from all angles. These attacks reflect an ongoing campaign of advanced persistent threats that emanate from nation state groups, governments and nefarious threat actors.

"Attacks by Iran can be effective, as groups in the country are known to be employing new techniques, as well as combining custom-made tools with commodity crimeware to extend their reach and impact. As a result, it is critical that governments and organisations make themselves aware of these new methods to disrupt and interfere with domestic and international affairs. It is also essential that governments and businesses collaborate closely to neutralise threats and prevent attacks on national institutions."

Echoing the theme of the wider issue of international government driven hacking, Dr Simon Wiseman, CTO of cyber-security firm Deep Secure, emailed SC Media UK to discuss the issue of state cyber-attacks, noting: "In addition to news of the cyber campaign from Iran, the UK and its western allies recently accused the Chinese government of carrying out an extensive campaign of cyberwarfare, with spies working at General Electric in the US caught using steganography to steal industrial secrets. State-sponsored cyber-warfare and cyber-espionage is only set to increase, with vast amounts now being spent by all countries – including the UK – into offensive as well as defensive cyber capabilities."

While Russian, Chinese and even North Korean state attackers are relatively common in the UK, Iran is often perceived as primarily concerned with regional power plays against Saudi Arabia and Israel. However, its operations have included the aforesaid parliament attack, and nine key leaders and affiliates of an Iranian hacking group called The Mabna Institute were indicted by the FBI in February 2018.

As expected, there is no official statement as to whether the UK would take retaliatory measures, though in the light of statements last year about developing offensive capabilities to deter exactly such attacks, it would be more of a surprise if such action were not being taken.
