A coordinated cyberattack that successfully compromised WhatsApp accounts linked to one unnamed Australian parliamentarian and three parliamentary staff members was orchestrated by a foreign state actor, top parliamentary technology officials have confirmed during a recent Senate estimates hearing.
Department of Parliamentary Services (DPS) Chief Information Officer Mike Webb told the committee on Monday that the breach, which unfolded on March 6, was part of a deliberate, targeted phishing operation focused specifically on Australian parliamentary personnel. All four compromised accounts — connected to both personal devices and devices managed by the DPS — were hijacked using identical tactics, according to Webb’s testimony.
In response to the confirmed breach, DPS implemented a temporary block on WhatsApp Web starting March 9, a measure made necessary because most of the compromised accounts were personal profiles that the department does not administer or monitor. The temporary restriction was lifted the following Sunday once initial security assessments were completed, Webb added.
When questioned about the attribution of the attack, Webb confirmed that available intelligence points to a foreign state actor as the perpetrator. He noted that state-sponsored phishing campaigns targeting government officials via WhatsApp have been widely documented in public reporting, with multiple governments across the globe — including Germany, the Netherlands, and the United States — having already issued formal warnings about this exact style of cyber threat. “This is targeting our parliamentarians, but this is a genuine, global issue,” Webb told the hearing.
At the time the temporary block was put in place, cybersecurity officials had not yet mapped the full scope of sensitive communications that may have been exposed via the compromised personal accounts. Webb outlined the common tactic used in the phishing scheme: attackers masquerade as a trusted contact — such as a fellow senator — to trick targets into granting access to their accounts.
The hearing also shed light on the broader scope of persistent cyber threats facing the Australian parliament. DPS Deputy Secretary and Chief Operating Officer Nicola Hinder told the committee that between late March and the time of the hearing, security systems had detected 46 instances of malware, blocked more than 20,000 separate phishing attempts, and responded to 1,458 distinct cyber alerts — most of which were attempts to disrupt or breach parliamentary websites.
Hinder noted that the volume of cyber threats against the Australian parliament fluctuates over time, with periods of heightened activity followed by lulls when global attention shifts to other priorities. Webb added that parliamentarians will always remain high-value targets for cyberattacks regardless of the communication platform they use. The hearing also confirmed that while intelligence attributes this recent hack to a foreign state actor, pinpointing the exact group or responsible nation remains extremely challenging, described by officials as near impossible.