British police are investigating attempts to ensnare Members of Parliament, advisers and other political insiders via spear-phishing messages as part of an apparent honeytrap sexting scam.
"Officers from the Met's Parliamentary and Diplomatic Protection Command are carrying out an investigation following reports that a number of unsolicited messages were sent to MPs over recent months," the Metropolitan Police said in a statement.
The attacks are a reminder that adversaries don't need to use technologically sophisticated tactics to compromise targets and that despite holding an office, lawmakers are just as susceptible as the rest of society to many forms of social engineering.
"They had compromising things on me," William Wragg, a Conservative MP who last week admitted to giving contact details for fellow lawmakers to someone he met on the dating site Grindr, told The Times of London.
Wragg said he was pressured into divulging colleagues' details. "They wouldn't leave me alone. They would ask for people," he said. "I gave them some numbers, not all of them. I told him to stop. He's manipulated me and now I've hurt other people."
Multiple MPs have now come forward to say they were first approached via unsolicited messages sent via such services as WhatsApp, from individuals who demanded they share contact details for colleagues.
The campaign may have been underway for more than a year. One unnamed, former government special adviser told The Guardian they'd received a message on Jan. 23, 2023, from a woman claiming to have met them in a bar at a Conservative Party conference. After the adviser said they didn't remember the person, the adviser received unsolicited, explicit images.
Conservative MP Luke Evans said he was a recent target. "A month ago I was a victim of cyberflashing and malicious communications and blew the whistle by reporting it to the police and the parliamentary authorities as soon as this happened," he said in a video message posted to Facebook on Friday.
"Ten days later I got another set of messages," he said. "This time, however, I was sat with my team in the constituency office, so we were able to record the conversation and catch photos and videos of the messages coming through including another explicit female image."
It appears that the campaign targeted at least one senior minister, multiple political journalists or broadcasters, and MPs and staff tied to the governing Conservative Party and the opposition Labour Party, Politico reported.
Political pundits have hypothesized that the attacks could be the work of either a rival nation-state or political insiders. The attacks came to light not long after the U.K. National Cyber Security Center warned all high-risk individuals, as well as anyone involved in a political organization or organization coordinating elections, to beware of a rise in attempts to target them, including via their personal accounts or family.
Cybersecurity expert Alan Woodward told The Guardian that if a nation-state was involved, he'd have expected to see attackers using a channel more akin to LinkedIn and attempting to cultivate "a professional relationship" that could deliver intellectual property or secrets over the long term.
"I think the Chinese already have MPs' telephone numbers. They don't need someone on Grindr," said Woodward, who's a professor of computer science at England's University of Surrey.
One challenge for Parliament - or any other organization or individual - is that social engineering attacks and the use of deception remain relatively difficult to detect, said Ciaran Martin, a professor of practice at Oxford University who served as the NCSC's first CEO.
Especially compared to hack attacks or online disruption, "we're much less experienced in detecting this sort of thing," Martin told London's Times Radio. "It relies essentially on people feeling tired, lonely, vulnerable, needy, whatever it is" and an attacker targeting that to foster some degree of trust with their target.
Like most humans, "politicians are, as we've seen, vulnerable to it," said Martin. Senior ministers may be in charge of massive government agencies and have numerous staff, but many of Parliament's 650 MPs have relatively few staff and will handle at least some of their own communication needs, he said.
Given that such attacks - technically speaking - remain relatively simple to execute yet too often effective, Martin said one of the best defenses is for everyone to remain cautious and skeptical and to always pay attention when communications tools issue a warning that a message comes from an unknown contact.
"Look, if you think you don't know who somebody is, you probably don't know them, and it is better - if it's an unknown number - no matter how convincing it is, just to ignore it," he said. "Follow the advice of your phone. If it's in your junk folder, leave it there."