MSPs targeted in brute force attack on Scottish Parliament

Attack on Scottish Parliament comes after MPs at Westminster were targeted in June in a similar fashion

Scottish MSPs have been targeted in a brute force attack by hackers trying to steal their email credentials in a cyber attack that comes just weeks after MPs in Westminster were targeted in a similar fashion.

However, officials at Holyrood claim that no accounts were compromised, although they have warned MSPs to update and strengthen passwords.

"The parliament's monitoring systems have identified that we are currently the subject of a brute force cyber-attack from external sources," Sir Paul Grice, chief executive of the Scottish Parliament, warned in an internal bulletin to MSPs and staff.

He continued: "This attack appears to be targeting parliamentary IT accounts in a similar way to that which affected the Westminster parliament in June. Symptoms of the attack include account lockouts or failed log-ins.

"The parliament's robust cybersecurity measures identified this attack at an early stage and the additional security measures which we have in readiness for such situations have already been invoked. Our IT systems remain fully operational."

Intriguingly, perhaps, he claimed that IT staff at the Scottish Parliament had analysed passwords used and found that too many were ‘simple' and easy to crack in a brute force attack. "The number of simple passwords identified is too high for us to contact each individual personally," he said.

The attacks on Westminster MPs' email accounts in June, meanwhile, has been blamed on hackers linked with the Russian government. Up to 90 email accounts are said to have been compromised in that series of attacks, in which MPs were locked out of their accounts as a precaution in response.

A security source at the time told The Guardian: "It was a brute force attack. It appears to have been state-sponsored… [But] the nature of cyber-attacks means it is notoriously difficult to attribute an incident to a specific actor."

"A brute force attack is a tale as old as time and relies on one of the weakest areas of security - passwords," said Dr Jamie Graves, CEO at security firm ZoneFox, told Computing.

Graves continued: "That the Scottish Parliament's security measures were able to keep systems operational is a case in point of how important it is to be in a position to rapidly identify attacks and stop them in their tracks.

"The hackers may have been thwarted this time, but there's nothing to say they won't be back. That the IT department will force a change on weak passwords is a good, proactive measure.

"However, this isn't a failsafe... unquestionably all staff will heed Sir Paul Grice's request to remain vigilant. A united, digitally alert team is one of the greatest tools organisations can deploy in their fight against hackers."