Stewart McDonald tells the BBC his emails have been stolen by a group linked to Russian intelligence.
Image source, UK ParliamentAn MP has told the BBC his emails have been stolen and he fears they will be made public.
The SNP’s Stewart McDonald said the hack took place in January and he wanted to pre-empt any publication sharing them.
The group responsible are believed to be linked to Russia’s spy services.
The UK’s cyber-defence agency has warned about targeted attacks on politicians in recent weeks.
On 13 January Mr McDonald was walking down the street when he received a notification on his phone.
There was a new message in the MP’s private email account.
He glanced at it – it was from a member of his staff.
There was nothing suspicious about it and it came from the staff member’s real email account.
The message said there was a password protected document attached which had a military update on Ukraine.
This made sense as the MP for Glasgow South had taken a close interest in Ukraine for a number of years, receiving the order of merit from the Ukrainian government.
He had also been the defence spokesperson for the SNP until last year.
Mr McDonald clicked on the document.
It brought up a login page for the email account he was using. He put in his password.
Strangely, it then brought up a blank page.
Perhaps it was not loading properly on his phone, he thought?
He would ask the staff member to resend it next time they spoke.
What he did not know yet was that a hacking group believed to be linked to Russia’s intelligence services was now inside his account – a group which has on other occasions published emails belonging to public figures.
A few days later, the member of staff mentioned to the MP that he had been locked out of his personal email account because of suspicious activity and was having problems trying to prove his identity and get back in.
“I meant to ask you about that email you sent. I couldn’t open the attachment,” Mr McDonald recalls saying to him.
“I didn’t send any email,” the member of staff replied.
Alarm bells were now ringing for the MP.
The advice was to contact the National Cyber Security Centre (NCSC), an arm of the UK’s intelligence agency, GCHQ.
Working with the parliamentary security team, they asked for the email and attachment to be sent so they could examine it.
The NCSC was already preparing to issue an advisory about a hacking group, known as Seaborgium saying it was responsible for a highly targeted campaign against individuals including politicians, activists and journalists.
That advisory tallies closely with what Mr McDonald experienced – the compromise of individuals, like his staff member, so they can in turn be used to send emails to the primary target.
These are highly targeted and sophisticated attacks against a small number of people rather than the broad-bush sending of malicious emails that are usually seen.
Sources say the advisory was long-planned and confirm the same group is believed to be behind the hack of Mr McDonald’s account.
The British government has not formally accused the Russian state of being behind the group or the hacks but within the wider cyber-security community the group has been identified as linked to Russia’s intelligence services.
The same group is said to have published hacked emails and documents by other individuals, including the former head of MI6 Sir Richard Dearlove, as well as journalist Paul Mason.
Mr McDonald says he has decided to go public to warn others of the risks and limit the potential damage as he waits to see what the hackers do with the stolen material.
“If it is indeed a malicious state-backed group, then, in line with what I’ve seen elsewhere, I expect them to dump some of the information online.
“And I can expect them to manipulate and fake some of that content and I want to get out ahead of that to ensure any disinformation attack against me is discredited before it’s even published,” he told the BBC.
“An incident has been reported to us and we are providing the individual with support,” a spokesperson for the NCSC told the BBC.
“The NCSC regularly provides security briefings and guidance to parliamentarians to help them defend against the latest cyber threats. This includes expert advice for MPs and their staff available on the NCSC website.”
Mr McDonald continues to be unsure what – if anything – will be done with the stolen material. Even though he was aware of the risks before the incident he has since then taken additional steps to secure his accounts.
“It can catch people even those who are alive to these threats,” he said.