UK Politician's Email Hacked by Suspected Russian Threat Actors

A British Member of Parliament (MP) has revealed his personal email account was hacked by suspected Russian threat actors.

Stewart McDonald from the Scottish National Party (SNP) highlighted the spearphishing incident in a tweet published on February 8.

It read: “Over the past couple of weeks I have been dealing with a sophisticated and targeted spear phishing hack of my personal email account, and the personal email account belonging to one of my staff. These hacks are a criminal offence.”

McDonald, formerly the SNP’s defense spokesperson, continued: “Although attempts to hack my parliamentary account are continuous - as is the case for all MPs - these have not been successful. I want to assure constituents that their information is secure. My private account is not used for constituency or parliamentary business.”

He added that he has worked with Parliament’s security team and the National Cyber Security Centre (NCSC) to ensure that all his inboxes are secure. In addition, McDonald confirmed he is no longer actively using the compromised private account.

However, he acknowledged that “some of the stolen information may appear online.”

Speaking to the BBC, McDonald said that in January 2023 he received a message that came from the real email address of a member of his staff.

The message said there was a password-protected document attached containing an update on the military situation in Ukraine. McDonald said this wasn’t unusual given his previous position as SNP defense spokesperson and because he had taken an active interest in Ukraine for a number of years, even receiving the order of merit from the Ukrainian government.

After clicking on the document, the MP was directed to the login page for the email account he was using. However, when he typed in his password, it brought up a blank page.

A few days later, the member of staff who had purportedly sent the message told McDonald that he was locked out of his personal email because of suspicious activity. The MP then asked about the email that he received, to which the staff member replied that they didn’t send it.

McDonald was advised to report this suspicious activity to the NCSC, which worked with the parliamentary security team to examine the email and attachment. They suspect a Russian state-backed group was behind the attack.

McDonald told the BBC: “I can expect them to manipulate and fake some of that content and I want to get out ahead of that to ensure any disinformation attack against me is discredited before it's even published.”

In the Twitter thread, McDonald said he wanted to raise awareness around phishing threats, noting: “As was the case here, these attempts are highly sophisticated and deeply convincing. Having spoken with others who this has also happened to - most of whom have a heightened sense of cyber security and good practice - it's easy to see how anyone can fall victim.”

The lawmaker’s experience mirrors an advisory issued by the NCSC in January 2023 about spearphishing attacks by Russian and Iranian threat actors targeting specific sectors and individuals in the world of politics, including politicians, journalists and activists.

This advisory warned that Russia-based threat actor SEABORGIUM and Iran-based group TA453 were launching highly targeted and convincing phishing attacks to steal login credentials in order to access and steal sensitive emails and documents.

Commenting on the story, Javvad Malik, lead security awareness advocate at KnowBe4, said: "When we see nation state attacks, or those by organized cyber-criminals, the most popular way of attack is through social engineering - of which phishing is the preferred method.  

"This appears to be a targeted attack, where the attackers researched and sent an email which they knew had a high likelihood of fooling the victim." 
