Australia’s parliamentary network was targeted with an “unsophisticated brute-force” attack over a 24-hour period in late March.
A brute-force attack uses trial-and-error to guess login info by throwing a number of combinations at a system.
President of the Senate Scott Ryan told senate estimates on Monday that the brute-force attack did not breach parliament’s defences, but did lead to mobile devices being locked down between March 27 and April 5.
“On March 26, the Department of Parliamentary Services (DPS) was the subject of malicious cyber activity,” Ryan said.
“A malicious actor sought to access the DPS network accounts through MobileIron [managed] devices using unsophisticated brute force tradecraft.
“The malicious activity lasted just under 24 hours. It was unsuccessful and DPS networks were not compromised.”
Ryan said that in response to the attack, “appropriate network controls were implemented, which ensured that … accounts were locked down, preventing compromise.”
“Those controls were successful in blocking the malicious actor, but also impacted legitimate users’ ability to access DPS networks for several days while even more rigorous IT security arrangements were implemented,” Ryan said.
The new arrangements included the fast-tracking of a new mobile device management (MDM) system, which had been planned but not yet implemented at the time.
“This migration had been planned well before the incident but it was to be implemented over a three month period,” Ryan said, adding the migration went through in just three days instead.
“Fourteen (14) technical staff across different IT disciplines worked over the Easter long weekend to ensure the remaining migration to provide support to parliamentarians and other users that needed assistance.”
Ryan added that DPS “has been and will remain an attractive target for malicious cyber activity which is increasing in frequency and sophistication.”
Report builder breaks
Senate estimates also heard that a Microsoft Office upgrade by DPS had unintentionally isolated a key reporting system used by parliamentary committees, with insufficient “preparatory work” blamed for the incompatibility.
Ryan told estimates that he had “personally pressed” the department (DPS) on the issue “on a number of occasions”.
“It is being prioritised and it is being given the highest priority,” Ryan said of his discussions with the department.
Clerk of the Senate Richard Pye said that the “committee report builder program is not compatible with the new suite of Microsoft Office products” in use at parliament.
He said that while the Office upgrade had been fast-tracked by a number of months, it was no excuse for the incompatibility issue arising.
“My view is that insufficient work was done to identify the interdependencies between our system which we’d been using for many years now, and the intended upgrade to the parliamentary computing network, so not enough preparatory work was being done anyway,” Pye said.
“The fact that suddenly we had to switch over, over the course of just a couple of weeks in around October last year, has really exacerbated, I think, the difficulty that our staff have using our systems.”
Pye said that a “workaround” had been reached whereby the report builder is now available for use via a “virtual desktop”.
“That allows access to the locations which allow the committee report builder to compile all of the information it needs to compile, but that sits aside from the usual desktop environment that people are using, so you’re logging in and out of different systems,” Pye said.
“It’s a little bit frustrating because the whole point of the new Microsoft suite that has been adopted throughout the building is to enable people to share information and collaborate more easily, and we’ve had an experience over the last six months where the reverse has been the case.”
The committee report builder tool is in-house developed; while Pye said it had “come to the end of its usable life … I think the assumption was that it could be more easily ported over to the network than has proved to be the case.”
Pye said that based on current guidance from DPS, he was unsure when a permanent fix would be possible.
“How long it’s going to take to build a satisfactory replacement is going to depend on some work that’s being done at the moment to try to identify whether we need to start from scratch or whether we can build on top of the system that we are used to using,” Pye said.
“The work they’re doing at the moment will identify how long the project will have to be to remediate.”
Ryan indicated the remediation had been complicated by the brute-force attack and fast-tracked MDM system replacement, which saw DPS IT resources temporarily redeployed.