Although the investigation is at an early stage and the identity of those responsible may prove impossible to establish with absolute certainty, Moscow is deemed the most likely culprit.
The disclosure follows the release of the first details of the “sustained” cyber-attack that began on Friday. Fewer than 90 email accounts belonging to parliamentarians are believed to have been hacked, a parliamentary spokesman said.
Amid fears that the breach could lead to blackmail attempts, officials were forced to lock MPs out of their own email accounts as they scrambled to minimise the damage from the incident.
The network affected is used by every MP including Theresa May, the prime minister, and her cabinet ministers for dealing with constituents.
The British security services believe that responsibility for the attack is more likely to lie with another state rather than a small group of individual hackers.
The number of states who might mount such an attack on the UK is limited, and, in addition to Russia, includes North Korea, China and Iran.
A security source said: “It was a brute force attack. It appears to have been state-sponsored.”
“The nature of cyber-attacks means it is notoriously difficult to attribute an incident to a specific actor.”
MPs contacted by the Guardian said the immediate suspicion had fallen upon foreign governments such as Russia and North Korea, both of which have been accused of being behind hacking attempts in the UK before.
In May, Russia was linked to the hacking of France’s computer systems during the presidential campaign, taking data from Emmanuel Macron’s campaign and leaking it to the public.
US officials have previously said they were seeking to share their experience of the 2016 presidential election, where US intelligence agencies concluded that Russia hacked and leaked Democratic party communications and disseminated fake news with the aim of getting Donald Trump elected.
The attack on the Houses of Parliament sought to gain access to accounts protected by weak passwords.
The estate’s digital services team said they had made changes to accounts to block out the hackers, and that the changes could mean staff were unable to access their emails.
A parliamentary spokesman said those whose emails were compromised had used weak passwords despite advice to the contrary. “Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised, as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.
“As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way,” he said.
It comes just over a month after 48 of England’s NHS trusts were hit by a cyber-attack.
Britain’s National Cyber Security Centre (NCSC) is understood to have played a leading role in investigating the WannaCry malware that affected the NHS and other organisations in May and concluded that a North Korean hacking team had been responsible.
An NCSC spokesperson said: “The NCSC is aware of the incident and is working around the clock with the UK parliamentary digital security team to understand what has happened and advise on the necessary mitigating actions.”
The NCSC, which started its operations in October last year, is the public face of the UK’s secret surveillance agency, GCHQ, which works closely with the US National Security Agency. Both are engaged in hacking targets in Russia, China, North Korea and elsewhere around the world.
Conservative MP Andrew Bridgen said such an attack “absolutely” could leave some people open to blackmail. “Constituents want to know the information they send to us is completely secure,” he said.
Liam Fox, the international trade secretary, connected the news to reports that cabinet ministers’ passwords were for sale online. “We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails,” he said. “And it’s a warning to everybody, whether they are in parliament or elsewhere, that they need to do everything possible to maintain their own cybersecurity.”
An email sent to all those affected, seen by the Guardian, said: “Earlier this morning, we discovered unusual activity and evidence of an attempted cyber-attack on our computer network. Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.
“These attempts specifically were trying to gain access to our emails. We have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining access; however, our investigation continues.”
The changes are believed to have stopped MPs and their offices from accessing emails on mobile phones and tablets outside Westminster. “Access to systems from the Westminster estate has not been affected,” the email said, before adding that further disruption was likely.
The latest attack was publicly revealed by Liberal Democrat peer Lord Rennard on Twitter as he asked his followers to send any “urgent messages” to him by text.
Angela Rayner, Labour’s shadow education secretary, also tweeted: “If you try and contact me by my parliamentary email address then l will not be able to respond currently, this is due to a cyber-attack.”
Henry Smith, the Tory MP, said: “Sorry no parliamentary email access today – we’re under cyber-attack from Kim Jong Un, Putin or a kid in his mom’s basement or something.”
The government’s National Security Strategy said in 2015 that the threat from cyber-attacks from both organised crime and foreign intelligence agencies was one of the “most significant risks to UK interests”.
The National Crime Agency said it was working with the NCSC but the centre was “leading the operational response”.
Author: Ewen MacAskill and Rajeev Syal