China, not Iran, still the main suspect in hacking of Australia's political parties, say sources
Top-level sources with detailed knowledge of the cyber attack on Australia's political parties and Parliament have dismissed a report that Iran and not China was behind the hacking of Australia's main political parties.
Citing the US cyber research company Resecurity, The Wall Street Journal reported the attack was likely carried out by Iran's Mabna Institute Hackers.
Rescurity President Charles Yoo said the pattern of the attack fitted with those previously carried out by the Mabna hackers and believed that the blame most in Australia had laid on the Chinese was a false flag.
He provided a database of 7354 records containing phone contacts and emails for Australian MPs and parliamentary staffers.
But Australian sources with detailed knowledge of the hacking, but who are not allowed to speak on the record about the information to which they are privy, said the Mabna link was an unlikely theory and that China remained the suspect.
They said that the sophistication of the attack meant only two countries were capable of conducting it, and that Iran was not on the list.
Australia has so far not attributed the attack, which came three months before the election due in May, but said a "sophisticated state actor" was responsible. Prime Minister Scott Morrison told Parliament on Monday "there is no evidence of any electoral interference".
The hack on the Liberal, National and Labor parties was detected by the Australian Cyber Security Centre during the course of their investigation into a prior hack on the Australian parliamentary system.
Alastair MacGibbon, the national cybersecurity adviser, said on Monday that the government had not learned the identity of the hacker before it acted to block the activity.
That defensive action, he said, "also does other unpleasant things, like remove some of the forensic evidence we're interested in".
A government cybersecurity expert said one difficulty in identifying the perpetrators was that the hackers used tools that had not previously been seen.