Government officials have issued an unprecedented
warning to businesses to protect their computer systems from
hacking attacks by foreign intelligence agencies.
The warning, from the UK's National Infrastructure Security
Co-ordination Centre (NISCC), may sound like the stuff of James
Bond, but it has serious implications for the way organisations
think about security.
As the organisation responsible for advising government
departments and the UK's key industries on information security,
the NISCC has generally assumed a low public profile. But the
organisation's director, Roger Cumming, has now spoken out about
the risks.
He said he believed that firms were defending themselves from
attacks from organised criminal hackers, but they were overlooking
potentially more serious attacks from overseas governments.
The NISCC first issued a notice in June 2005, warning that UK
businesses and government departments were being targeted by
Trojans tailor-made to steal confidential information.
"People assumed the warning was crime-related: it was not. We do
not think the origin of these attacks is from organised crime," he
said in an interview with Computer Weekly.
The NISCC has traced the source of the attacks to the Far East.
It has declined to give further details, but others point the
finger at governments in China, Korea and the former Soviet
states.
The centre has held private meetings with business groups,
where officials have warned that defending against attacks from
well-resourced government agencies requires a different risk
management approach from that used against hacking attacks by
organised criminal groups.
"One of the biggest lessons is that it is very important to
focus on the threat sponsor as well as the actor," said Cumming.
"It is important to think who might want access to
information."
The NISCC believes that foreign intelligence agencies are
investing significant resources in identifying key individuals in
organisations that have access to company secrets.
Their motive is economic espionage, often with the intention of
giving companies in their own countries an unfair advantage during
negotiations.
Companies with significant intellectual property, or firms
involved in major contract negotiations or takeover battles are
prime targets.
The attackers send credible-looking e-mails to the targeted
employee, perhaps purporting to come from their boss or a work
colleague. The e-mail downloads Trojan software which gives the
attackers access to the machine. The attackers make use of exploits
for unpublished vulnerabilities, known as zero-day attacks, which
are capable of evading anti-virus and anti-spyware systems.
Another trick is for agents to send the targets an infected
CD-ROM or to leave an infected memory stick by the target's car in
a company car park. In many cases, the victim will plug it into
their computer.
"Social engineering used to be good. Now it is very good," said
Cumming. "They will infiltrate a corporate network and launch an
attack by encouraging targeted individuals to open an attachment
they think comes from a trusted source."
The NISCC is advising businesses to take the threat from foreign
intelligence services into account in their risk management
strategies. This means identifying which information in the
organisation is most at risk and ensuring it is protected.
"Understanding what is important in your organisation is
critical. Remember, these are not random attacks. They are going
after information that is important to them. If you have
information that is at the heart of your business, there is a good
possibility there is someone else who thinks they will benefit by
obtaining it," said Cumming.
Companies can use a range of technical measures to protect their
critical information. One approach is to seed critical servers with
dummy content that will immediately sound the alarm if
accessed.
Linking the computer audit trail with the physical audit trail -
showing who is in the building and accessing which terminal - is
one way of identifying the presence of attackers. Monitoring
internet traffic out of the organisation is also important.
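The two detection measures described above, planted dummy content that raises an alarm when read and cross-checking the computer audit trail against the physical one, can be illustrated with a small log-correlation script. The following is an added example written for this article, not code from the NISCC or Computer Weekly; the log formats, user names, workstation names and the planted file name are all constructed for the illustration.

```python
"""
Correlate workstation logins with building badge records, and flag any
read of a planted dummy document. Added example; all log formats, user
names and file names below are constructed, not taken from any real system.
"""
from datetime import datetime

# Constructed physical audit trail: badge-reader entries and exits.
BADGE_LOG = """\
2006-03-01 08:02 IN  alice
2006-03-01 08:10 IN  bob
2006-03-01 12:30 OUT bob
2006-03-01 17:45 OUT alice
"""

# Constructed computer audit trail: interactive logins to workstations.
LOGIN_LOG = """\
2006-03-01 08:05 LOGIN alice ws-12
2006-03-01 08:15 LOGIN bob   ws-07
2006-03-01 14:20 LOGIN bob   ws-07
2006-03-01 22:10 LOGIN alice ws-12
"""

# Constructed file-server log. 'bid_strategy_FINAL.doc' is the dummy
# document seeded on the server; no legitimate work should ever read it.
FILE_LOG = """\
2006-03-01 09:00 READ alice /projects/tender/meeting_notes.doc
2006-03-01 14:25 READ bob   /projects/tender/bid_strategy_FINAL.doc
"""

HONEYTOKENS = {"/projects/tender/bid_strategy_FINAL.doc"}


def _ts(date, time):
    """Parse the 'YYYY-MM-DD HH:MM' stamp used by all three constructed logs."""
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")


def parse_badge(text):
    """Return {user: [(timestamp, 'IN' | 'OUT'), ...]} sorted by time."""
    events = {}
    for line in text.splitlines():
        date, time, direction, user = line.split()
        events.setdefault(user, []).append((_ts(date, time), direction))
    for user_events in events.values():
        user_events.sort()
    return events


def present(badge_events, user, when):
    """True if the user's most recent badge event before `when` was an entry."""
    state = None
    for ts, direction in badge_events.get(user, []):
        if ts > when:
            break
        state = direction
    return state == "IN"


def unexplained_logins(badge_text, login_text):
    """Logins at a time when the badge system says the user was not in the building."""
    badge = parse_badge(badge_text)
    alerts = []
    for line in login_text.splitlines():
        date, time, _, user, host = line.split()
        when = _ts(date, time)
        if not present(badge, user, when):
            alerts.append((user, host, when))
    return alerts


def honeytoken_hits(file_text, honeytokens=HONEYTOKENS):
    """Every read of a planted dummy file is an alert, whoever performed it."""
    hits = []
    for line in file_text.splitlines():
        date, time, _, user, path = line.split()
        if path in honeytokens:
            hits.append((user, path, _ts(date, time)))
    return hits


if __name__ == "__main__":
    for user, host, when in unexplained_logins(BADGE_LOG, LOGIN_LOG):
        print(f"ALERT {when:%H:%M} login by {user} on {host}, but {user} is not badged in")
    for user, path, when in honeytoken_hits(FILE_LOG):
        print(f"ALERT {when:%H:%M} dummy document {path} read by {user}")
```

On the constructed data the script raises three alerts: bob's 14:20 login and alice's 22:10 login both fall after their badge-out, and bob's account then reads the planted document. Neither check needs to know how the account was compromised; a stolen credential used from outside the building, or a Trojan acting under a legitimate user's session, produces the same mismatch between who is physically present and who is logged in.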
But Allan Paller, director of research at US security training
and advisory body the Sans Institute, said there was no substitute
for educating staff about the risks posed by Trojans.
Paller advised companies to carry out mock phishing attacks
against their own employees to alert staff to the dangers.
The NISCC, meanwhile, is encouraging businesses to share
information more widely on the threats they are facing, and is
offering guarantees of confidentiality to businesses that report
attacks on their systems.
"We need the NISCC and industry to catch up regularly. That
means working together more as a community. Our focus has been on
the critical national infrastructure, but the threat goes wider
than that," said Cumming.
"There are organisations out there where attacks have been
successful, or could be successful, that could have an impact on
the UK's economic wellbeing. The more information we share, the
more we shine a light on these activities," he said.
Ultimately, said Cumming, the NISCC wants to make it clear to
foreign governments that if they attack the UK they will pay a high
price.
The NISCC is promising to rapidly alert businesses and other
governments to the technical countermeasures that will render the
attack useless anywhere else.
Original NISCC advice note:
www.niscc.gov.uk/niscc/docs/ttea.pdf
Report an attack:
www.niscc.gov.uk/niscc/reportIncident-en.html
Cyber wars: US government in the front line
Although little has been made public in the UK, it has emerged
that foreign intelligence agencies are systematically attacking US
government and military computer networks.
- Chinese intelligence agencies downloaded between 10Tbytes and
20Tbytes of data from US government military networks, prompting
General William Lord to warn, "There is a nation-state threat from
the Chinese."
- Investigators discovered the US Department of Commerce computer
systems were "riddled" with Trojans delivered from Chinese
servers.
- Hackers in Guangdong in China launched a large-scale attack
against the US Department of Defence, contractors and US allies.
The attacks came from 20 workstations operating around the
clock.
- Chinese hackers downloaded a huge collection of files,
including mission planning systems from army helicopters and flight
planning software used by the US army and air force.
Source: Sans Institute
www.sans.org
Comment on this article:
computer.weekly@rbi.co.uk