McCully email thief could be Kiwi

Emails sent to the personal accounts of Foreign Affairs Minister Murray McCully appear to have been stolen and leaked from within New Zealand - possibly by a disaffected staff member.

"Yuri Petrov," who leaked messages to The Dominion Post this week, insisted yesterday that he was emailing from "south of Moscow", but an expert who analysed his messages said he was certain they were sent from a New Zealand computer.

Last week Mr McCully admitted his email had been hacked between last April and June. He said at the time that most of the messages that could have been hacked were just media clippings or "office administration stuff".

But "Yuri Petrov" contacted The Dominion Post after publishing online what appeared to be messages sent to Mr McCully by members of his staff.

The messages included advice on spending in the Pacific region and about Sharon Armstrong, a New Zealander arrested for alleged drug trafficking in Argentina.

Claiming to be a Russian hacker, "Yuri" said that Defence Force information in the emails about flight times could be sold.

But computer forensics expert Daniel Ayers said an analysis of the dateline on his messages strongly suggested they were being sent from a New Zealand computer.

"It is absolutely certain that their computer is in the New Zealand time zone," Mr Ayers said. "I would be pretty confident that Russian hackers wouldn't be setting their computer to a New Zealand time zone. It's not impossible, but why would they?"

Among the email messages published is one reportedly sent by National MP and former diplomat John Hayes, on April 20 last year.

Mr Hayes refused to comment on the email, which, among other things referred to the cost of IT services at the ministry.

On the same day that email was sent to Mr McCully, a long list of MPs' email addresses was published on the same site where the emails themselves were published this week.

MFAT chief executive John Allen is expected to brief staff today on a massive restructuring plan that could see up to 300 jobs cut.

Mr Ayers said the published messages showed Mr McCully had used multiple personal accounts to receive messages, including a "Blackberry.net" address that was likely to have received messages via an overseas server.

"It's actually worse than has been reported, because at least if the minister's correspondence is going to a Telecom Xtra system, at least that's in New Zealand," Mr Ayers said. "The fact that the minister would be doing that at all is of concern ... It's sending all of our information overseas."

Mr McCully's office said it could not confirm the authenticity of the alleged emails and "would not comment on stolen material".

The Government Communications and Security Bureau, which investigated the hacking incident, said questions should be referred to the office of Prime Minister John Key, which said it could not respond to questions until tomorrow.

However, the bureau information security manual says automatic forwarding of emails "can pose a serious risk to the unauthorised disclosure of classified information"."For example, a system user could set up a server-side rule to automatically forward all emails received on a classified internet-connected system to their personal email account outside work. Unfortunately for the agency this would also result in all classified emails being forwarded to their personal email account as well."

An MFAT spokesman said Mr McCully's office was not part of their email system and officials did not correspond directly with ministers.

"The minister's office is required to exercise judgment calls as to how information is communicated to the minister."

The Dominion Post