The WhatsApp accounts of a federal MP and three of their staffers were hacked in a cyberattack that was likely committed by a foreign state actor.
It was revealed at a Senate Estimates hearing on Monday morning that a federal parliamentarian and three of their staff had their WhatsApp accounts hijacked earlier this year following a “targeted phishing” attack.
The breach led to the WhatsApp web version being blocked in Parliament for almost a week as cyber experts scrambled to determine the extent of the compromise.
The WhatsApp accounts were personal ones but were logged in on both personal devices and devices managed by the Department of Parliamentary Services.
The breach occurred on 6 March this year, a Department of Parliamentary Services (DPS) official told the Estimates hearing.
“The specific reports came from one parliamentarian and three staffers, and the accounts were all compromised in the same manner,” the DPS official said.
“The objective, of course, was to take over the accounts, which in this scenario is what did occur.”
DPS staff worked with the impacted parliamentarian and staffers, and contacted the Australian Signals Directorate (ASD) following the incident.
On 9 March, a temporary block was placed on the web version of WhatsApp on the DPS IT network.
“That was largely because these are personal WhatsApp accounts that we don’t control or manage, and we didn’t at that stage know the extent to which communications happen between Parliamentarian officers,” the official said.
“The flow then is that an individual is masquerading as a trusted source – if yourself for example was messaging another senator, if your account was compromised it would come from you as a trusted source.”
The WhatsApp block was lifted the following Sunday.
A social campaign
The breach involved a phishing campaign, with the attackers requesting that a legitimate WhatsApp verification code be sent to the victim, then asking the victim for that code.
If the victim passes on the code, the attacker is then able to log into their account and link it to their device, meaning they “essentially become that person, from a communications perspective”, the Estimates hearing was told.
The DPS official said that current evidence suggested that a “foreign state actor” was behind the cyberattack.
“There’s lots of public reporting of state-sponsored WhatsApp phishing campaigns targeting government officials,” they said.
“Multiple governments worldwide have issued warnings on this type of attack.
“This is targeting our Parliamentarians but is a genuine global issue.”
A worldwide problem
Late last year, United Kingdom parliamentary authorities issued a warning that Russia-based actors were targeting the WhatsApp and Signal accounts of politicians.
The warnings detail tactics similar to those that appear to have been used in the Australian attack, with messages purporting to be from WhatsApp’s support team asking for an access code.
The US Federal Bureau of Investigation (FBI) earlier this year also warned that Russian hackers were targeting the WhatsApp accounts of politicians, military personnel, officials and journalists, and that this campaign had already compromised thousands of accounts.
Germany and the Netherlands have also issued similar public statements.
The DPS official urged Australian politicians to implement basic cybersecurity mitigation strategies and consider what sort of information they are sharing on messaging apps like WhatsApp.
“I think irrespective of platforms, parliamentarians will be high-value targets for this type of group,” he said.
“What I would say is that there are some good practices and best practice guidance for all of those platforms.
“Some platforms are more secure than others, but WhatsApp still has a place for the breadth of use.
“My guidance would be really around making the account as secure as pragmatically possible, and being mindful about which platforms parliamentarians and their staff use for particularly sensitive communications.”