Cyber security experts took more than a week to eject the state-sponsored attacker from Parliament’s computing network after it was compromised by malware earlier this year, Senate President Scott Ryan has revealed.
In answers to questions on notice to budget estimates hearings released on Thursday, Ryan said the malware infection occurred when a small number of the network’s 4000 users visited an unnamed website that itself had been compromised.
“A small number of users visited a website that was outside of parliamentary management and that website had been compromised causing malware to be injected into the parliamentary computing network,” he said.
Ryan said the cyber attack, which has since been labelled “Australia’s first national cyber crisis” by the Australian Signals Directorate (ASD), took a total of nine days before the infiltration was stamped out after it was first discovered on 31 January.
This was more than a full week before the Department of Parliamentary Services (DPS) reset all network, users, administrator and system level passwords in a bid to protect parliamentarians and their staff, as well as staff from the department.
“DPS became aware of the incident on the 31 January 2019. DPS and the ASD acted immediately to monitor and plan effective remediation,” he said.
“Removal of the attacker occurred on the 8 February.”
While ASD had previously confirmed a limited amount of data deemed non-sensitive was stolen by the attacker, new details on the type of data taken has now been disclosed.
“The small amount of non-sensitive data refers to DPS corporate data and data related to a small number of parliamentarians,” Ryan said.
He said that any impact on the email accounts of parliamentarians either had or would be discussed with those parliamentarians directly.
“Two Senators were contacted. I will not address matters related to members of the House of Representatives; they should be addressed to the Speaker,” Ryan said.
The new information is likely to be the some of the only details released about the attack, with the federal government unlikely to release even a redacted version of the final report.
This is at odds with other organisations like the Australian National University, which was praised for its transparency over its recent cyber attack.
A state-sponsored actor is still widely believed to have been responsible for the attack, which was also later found to have extended to the networks of the Liberal, Labor and National Parties, though the federal government is yet to make any attribution claims.
Reuters reported in September that multiple sources had claimed ASD had concluded the attack was conducted by China.
Centre Alliance senator Rex Patrick, who submitted the questions, said the sparse details were no substitute for a declassified version of the report, and that without it, MPs, Senators and the Australian public would remain in the dark.
Ryan also confirmed on Thursday that there was no evidence of “insider involvement or assistance in the compromise”.