Remote access to the accounts of parliamentary network users was suspended on Saturday 24 June after unauthorised access attempts were detected.
This meant MPs and other staff were unable to access their accounts remotely, but IT services within the parliament building continued to functional normally.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Parliament said in a statement on Sunday that the parliamentary network and systems had been protected from the attack to ensure the Houses’ business could continue.
Although investigations are ongoing, the statement said that “significantly fewer” than 90 of the 9,000 accounts on the parliamentary network had been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.
“As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way,” the statement said, adding that Parliament was putting plans in place to resume its wider IT services.
In an email to parliamentary network account holders late on Friday, Rob Greig, director of the Parliamentary Digital Service, said unusual activity and evidence of an attempted cyber attack had been discovered earlier in the day.
“Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in attempt to identify weak passwords,” he said. “These attempts were specifically trying to gain access to users emails.”
Although the Parliamentary Digital Service was able to detect the unusual activity indicating that an attempted cyber attack was under way and took swift action to limit the potential impact by temporarily shutting down remote access to the network, it is unclear why password guidance was not enforced properly.
The statement issued by Parliament appears to blame to account holders for not following official password guidelines, but uncovers that fact that there is no mechanism for enforcing password policy.
UK security services believe the attack is more likely to be state-sponsored than carried out by group of hackers, according to The Guardian, which cited an unnamed security source as saying it was a brute force attack that appeared to be state-sponsored.
The incident comes just days after it emerged that the passwords and email addresses of MPs, parliamentary staff, diplomats and senior police officers had been sold, bartered and then made available for free on Russian-speaking hacking forums.
The Guardian reported that the Russian government was the top suspect in the parliamentary attack, but the paper’s source also said it was “notoriously difficult” to attribute an incident to a specific actor, and security commentators have said it is too early to say who was responsible.
“Such an attack is very simple and cheap to organise, and virtually any teenager could be behind it,” said Ilia Kolochenko, CEO of web security company High-Tech Bridge.
“I would abstain from blaming any state-sponsored hacking groups because with such an unacceptably low level of security, they have likely already been reading all emails for many years without leaving a trace.”
Kolochenko said this incident highlighted once again that cyber security fundamentals were being ignored even by the governments of leading countries.
“Today, two-factor authentication, advanced IP filtering and anomalies detection systems are a must-have for critical systems accessible from the internet,” he said.
“Strict password policies and regular audits for weak and non-compliant passwords are also vital for corporate security. However, apparently, none of these simple but efficient security controls were properly implemented.”
Anurag Kahol, CTO at security firm Bitglass, said the apparent failure to implement the correct controls effectively had resulted in a denial of service attack because legitimate users were locked out for most of the weekend.
“Strong authentication policies, including multi-factor authentication, combined with user behaviour analytics not only within applications, but across applications, could have prevented the need to block users from being able to access work applications,” he said. “This holds especially true for cloud-based applications which, by definition, are available from any device, anywhere.”