Hackers who breached Australia’s parliamentary networks earlier this year tricked users into installing malware that brought the network to its knees.
Senate President, Scott Ryan, described to a parliamentary committee on Thursday night what appears to be a watering hole attack that caused the major breach.
"A small number of users visited a legitimate external website that had been compromised," Ryan said.
"This caused malware to be injected into the parliamentary computing network.
"I reveal this information as a salient warning to all users of the parliamentary network that they must be cautious and vigilant when clicking on any documents, attachments or links that are outside of our environment.”
A watering hole attack focuses on compromising legitimate websites that are popular with people who use the targeted system.
The attackers then infect the sites with malware and wait for their unsuspecting victims to act as they normally would.
A similar threat vector was used in a covert surveillance operation targeting iPhone users.
After discovering the breach in late January, security agents kept an eye on the hack for eight days before shutting the network down.
According to Ryan, “a small amount of non-sensitive data” was accessed.
"While I can't precisely guarantee that no other data was removed, extensive investigation has provided no evidence of this," he said but was limited in what he told the committee.
Chinese state actors were widely credited for the parliamentary breach in January, but Centre Alliance Senator, Rex Patric, said he thought there should be more transparency about who intelligence agencies blamed for cyber incidents.
“The problem is we do not know how long this foreign intelligence services was monitoring or indeed looking inside the parliamentary system prior to the 31st of January,” he said.
“It’s an open secret that the Australian Signals Directorate identified the Chinese Ministry of State Security as the foreign intelligence agency responsible.
“In my view there should be transparency about who they think did this.”
The ABC reported that parliamentary systems were attacked again in October when the Emotet trojan was found on the network.
In this instance it was swiftly dealt with, but not before users were temporarily banned from using personal email services on the network.
Shadow Assistant Minister for Cybersecurity, Tim Watts, said not enough importance is placed on the optional cyber hygiene courses offered for parliamentarians and staff.
"It's a common practice in the corporate sector these courses are mandatory – that's not the approach the parliament has taken," he said.
"We need to significantly increase the sense of urgency among MP's and staff about cyber hygiene and how to protect themselves.
“I think the political class in Australia needs to get the wake up call that they are targets.”