The news this morning that Australian government employees and one Victorian MP are among those whose details were posted by a group calling itself the Islamic State Hacking Division is a security concern, but it is unlikely the information was obtained by hacking the government agencies themselves.
Earlier in the week, the group boasted on a now-suspended Twitter account that it had a trove of US government emails. The account linked to an unrelated website, running a compromised version of WordPress, that contained a table of around 1500 mostly US government-related email addresses, passwords and phone numbers.
“Know that we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah [caliphate], who soon with the permission of Allah will strike at your necks in your own lands!” the site states.
The vast majority of the hacked email addresses are associated with the US state department, the US army, the Center for Disease Control and a number of other agencies with .gov addresses, but the Islamic State (also called ISIS, ISIL or Daesh) hacking fishnet appears to have also caught a bunch of unrelated email addresses, including Gmail addresses and seven or eight Australian government email addresses.
The addresses are associated with NSW Department of Health employees, Department of Defence employees, an Australian National Audit Office employee, and a member of Victorian Parliament.
The phone numbers associated with the Australians on the list appear to be legitimate, but several of the other numbers on the list are not in the correct format for a phone number (containing random letters in place of numbers). The Register pointed out that some of the numbers are disconnected and appear to be out of date, and the formatting suggests that the table was copied over to the site from an Excel spreadsheet.
The phone number associated with the Victorian MP is also one publicly available in association with his website, so it is entirely possible the list was generated by scraping various sites for government-associated email information.
The passwords posted on the site are incredibly weak, with several just being “password” or a plain-text word like “porridge”. This is not the sort of password Defence or government personnel would likely use for their government accounts. Even so, Crikey understands Defence personnel would not be able to access their accounts using such passwords remotely, with multiple stages of identity authentication required before they can access their government accounts.
The group claims it was inside government computers and systems, but the far more likely explanation is that the hackers obtained the details from a compromised online forum, or by trawling a number of different sites for .gov or other government-related email addresses. Several passwords being simply “procurement” suggests the origin could be a procurement-related website.
The group has also posted just three credit card details and a Facebook conversation allegedly between US forces discussing military operations.
The headlines associated with the release of the data, which promote it as a hack of government agencies without actually examining the origin of the obtained data and whether or not it is actually what the group claims it to be, serve Islamic State’s propaganda purposes. They also serve as a way for the government to promote its need to crack down on the online activity of those associated with the group, with the chair of the Joint Committee on Intelligence and Security, Dan Tehan, telling Sky News this morning that the online fight was important, alongside the push to begin fighting the organisation in Syria.
Speaking at the Australian Crime Commission this morning, Prime Minister Tony Abbott declined to give his view on the hack, stating he would be briefed on the topic later today, but he said Islamic State should not be underestimated.
“We should not underestimate this organisation, this death cult,” Abbott said.
The Department of Defence would not confirm the accuracy of the data when contacted by Crikey today, but said it was investigating the matter. A spokesperson said in a statement:
“As a matter of long-standing practice the Australian Government does not comment on specific security or intelligence matters. However, we are aware of media reporting on claims that a group calling itself the Islamic State Hacking Division has hacked the personal information of Australian citizens, including some ADF personnel.
“While we are not aware of any specific threats, the Government takes these claims very seriously. The safety of members of the Australian community is the main priority of the Australian Government.
“The Australian public can rest assured that all relevant law enforcement and security agencies are looking into these claims and are in contact with their relevant state and international partners.”