No one is safe: how to protect yourself against cyber attacks


As the dust settles on yet another cyber attack, Les Bell from the Optus Macquarie University Cyber Security Hub and adjunct lecturer in cryptography and information security shares his analysis and tips on how we can best protect our digital identities.

On 24 June, news broke of a sustained attack on the UK’s parliamentary email system. Details are sketchy, as they always are with disclosures of security breaches – the victims don’t want to reveal particulars before they have had a chance to fix any vulnerabilities.

On the basis of publicly available information, a confident attribution will have to wait on an analysis of the tactics, techniques and procedures (TTPs) used by the attackers, such as any malware they have installed into compromised systems, or the internet addresses of command-and-control servers or phishing sites used in the attack. Analysts will also examine the timing of events and the time stamps on malware files – these often align with business hours in the time zone where the hackers are based, although both the activity pattern and a compile time stamp can be deliberately altered, so they are supporting evidence rather than proof.
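The time-zone analysis described above, as an added example that is not part of the original article: the script takes a set of event times in UTC (here a constructed sample, invented for the illustration rather than taken from any real malware), shifts them into each candidate UTC offset, and scores each offset by the fraction of events that fall in a Monday-to-Friday working day. The working-day window of 09:00 to 18:00 is an assumption; real analysts also check for lunch breaks and national holidays, and treat the result as a hint to be corroborated by other evidence.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: event times in UTC, as they might be read from the
# compile-time field of malware samples or from C2 server logs. Not real data;
# chosen here to cluster around a working day three hours ahead of UTC.
SAMPLE_TIMESTAMPS_UTC = [
    "2017-06-12T06:05:00", "2017-06-12T07:30:00", "2017-06-12T09:40:00",
    "2017-06-12T14:45:00", "2017-06-13T06:20:00", "2017-06-13T11:10:00",
    "2017-06-14T14:30:00", "2017-06-14T08:30:00", "2017-06-15T10:05:00",
    "2017-06-15T12:30:00", "2017-06-16T06:45:00", "2017-06-16T13:15:00",
    "2017-06-17T08:00:00",  # a Saturday: counts against every candidate offset
]


def business_hours_score(timestamps_utc, utc_offset_hours, start_hour=9, end_hour=18):
    """Fraction of events that land Monday-Friday between start_hour and
    end_hour once the clock is shifted to the candidate UTC offset.
    The 09:00-18:00 working day is an assumption of this example."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps_utc:
        local = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(timestamps_utc)


def rank_utc_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Candidate offsets, best fit first. Ties are broken towards UTC so the
    caller sees a flat result when the data does not discriminate."""
    scored = [(off, business_hours_score(timestamps_utc, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


if __name__ == "__main__":
    for offset, score in rank_utc_offsets(SAMPLE_TIMESTAMPS_UTC)[:5]:
        print(f"UTC{offset:+d}: {score:.2f} of events in working hours")
```

A single clear peak (here UTC+3) is only interesting when the sample is large and spans several weeks; with a handful of time stamps, several adjacent offsets will score almost equally and nothing should be read into the ranking.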

However, hacking groups associated with Russia, such as FANCY BEAR (APT* 28) and COZY BEAR (APT 29), have previously shown strong interest in politicians’ emails. The public statements and privately expressed views of politicians are not always perfectly aligned, and emails might reveal juicy material which can be released to embarrass or compromise (Russian term: kompromat) either individuals or parties. These two groups are believed to be behind the breach of the US Democratic National Committee (DNC) and the subsequent release of emails in an attempt to embarrass the Clinton campaign and to set Sanders’ supporters against Clinton.

In the case of the UK parliamentary email system, the attack has been described as ‘brute force’, in which the attacker simply uses a program to repeatedly attempt to log on, cycling through a long list of likely passwords (strictly, a dictionary attack, or ‘password spraying’ when the same few passwords are tried against many accounts). This is different from FANCY BEAR and COZY BEAR’s previous attacks, which have mainly relied upon phishing, in which the victim is lured to a fake webmail site which is then used to capture his or her credentials. In the brute force attack, it seems many Members of Parliament had chosen weak and easily guessed passwords which were quickly compromised, leading to the entire email system being shut down.
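How an attack like this shows up in the authentication logs, and how to flag it, as an added example that is not taken from the article or from any parliamentary system: the script parses constructed webmail log lines (the line format, the account names and the RFC 5737 documentation addresses are all invented for the illustration), finds each source address’s densest burst of failed logins inside a sliding ten-minute window, labels the burst a brute force against one account or a spray across many, and reports any targeted account that then logged in successfully from the same source, which is the sign that a guess worked. The thresholds are assumptions to be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of webmail authentication log lines (not real data).
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-06-23T21:50:00Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:03Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:05Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:08Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:10Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:13Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:15Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:17Z auth=FAIL user=a.member src=203.0.113.7
2017-06-23T22:14:20Z auth=OK user=a.member src=203.0.113.7
2017-06-23T22:15:00Z auth=FAIL user=b.member src=198.51.100.9
2017-06-23T22:15:30Z auth=FAIL user=c.member src=198.51.100.9
2017-06-23T22:16:00Z auth=FAIL user=d.member src=198.51.100.9
2017-06-23T22:16:30Z auth=FAIL user=e.member src=198.51.100.9
2017-06-23T22:17:00Z auth=FAIL user=f.member src=198.51.100.9
2017-06-23T22:17:30Z auth=FAIL user=g.member src=198.51.100.9
2017-06-23T22:18:00Z auth=FAIL user=h.member src=192.0.2.44
2017-06-23T22:18:07Z auth=FAIL user=h.member src=192.0.2.44
2017-06-23T22:18:15Z auth=OK user=h.member src=192.0.2.44
"""

# Assumed log format for this example; adapt the pattern to the real mail server.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def detect_login_attacks(events, window=timedelta(minutes=10), max_failures=5, spray_accounts=3):
    """One alert per source whose densest burst of failures inside `window`
    exceeds max_failures. A burst spread over >= spray_accounts distinct
    accounts is labelled a password spray rather than a brute force."""
    events = sorted(events)
    failures = defaultdict(list)   # src -> [(ts, user), ...] in time order
    successes = defaultdict(list)  # src -> [(ts, user), ...] in time order
    for ts, result, user, src in events:
        (failures if result == "FAIL" else successes)[src].append((ts, user))

    alerts = []
    for src, fails in failures.items():
        # Sliding window: for each failure as the window end, count the
        # failures no older than `window`, and keep the densest window seen.
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        count, start, end = best
        if count <= max_failures:
            continue  # a couple of typos from a legitimate user is not an attack
        accounts = {user for _, user in fails[start:end + 1]}
        last_fail = fails[end][0]
        # A success for a targeted account after the burst means a guess worked.
        compromised = sorted({user for ts, user in successes.get(src, [])
                              if user in accounts and ts >= last_fail})
        alerts.append({
            "src": src,
            "kind": "password_spray" if len(accounts) >= spray_accounts else "brute_force",
            "failures": count,
            "accounts": sorted(accounts),
            "compromised": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_login_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

The failure at 21:50 from the first source is outside the window and is correctly left out of its count; a real deployment would also rate-limit or lock the source at the point of detection rather than only report it afterwards, and would alert on the successful login from a never-before-seen address even when no failures preceded it.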

In France, Emmanuel Macron’s election campaign staff expected that their emails would be targeted, so they deliberately created some fake emails. Then, when the stolen emails were released to WikiLeaks, they could point to the fakes and ask which of the others were also faked, and by whom.

However, at this stage, it would be premature to rule out other countries – many countries have offensive cyberwarfare capabilities (for example, China’s PLA Unit 61398 and Israel’s Unit 8200).

It would also be unwise to assume that these state-sponsored actors are only interested in high-profile targets like governments, political parties and defence institutions. North Korea’s Unit 180 is believed to be behind the recent WannaCrypt (WannaCry) ransomware outbreak, using code adapted from the NSA’s EternalBlue exploit recently leaked by the Shadow Brokers group. And just recently, yet another piece of ransomware, called GoldenEye or Petya, has been spreading rapidly – once again propagating with EternalBlue, but this time, having started in Ukraine, it is suspected to be of Russian origin.

No matter who is behind this, and no matter whether you are a direct target or just collateral damage, the defensive techniques are the same:

  1. Implement two-factor authentication, using security keys like the YubiKey or authenticator apps on phones – for example, Google Authenticator. This is particularly important for email accounts, since ‘password forgotten’ procedures typically work by sending a link to your email account, and if the attackers have access to it, they can reset passwords on other accounts. With two-factor authentication enabled, they might be able to get your password, but they don’t have the other factor.
  2. Security education and awareness: not clicking on links in emails and not opening email attachments.
  3. Filtering of emails on the corporate mail gateway or firewall. For small and medium businesses, use Google G Suite or Microsoft Office 365; they’re much better at detecting attacks than most companies can manage with their own resources.
  4. Ensure you have a good backup regimen. That means any backup should be offline – unplugged and disconnected, where the ransomware cannot get to it. Many cloud storage services (for example Google Drive) just look like another drive to ransomware, so it will encrypt what it sees there. And take care with automated backups – you don’t want the encrypted files to be backed up, thereby over-writing the good backup copies.

*Advanced Persistent Threat. The different APTs are numbered by the various private security companies as they are discovered. APT 1, for example, is a Chinese PLA unit (Unit 61398) in Shanghai.
