Act on foreign spy risk, firms urged

Foreign governments attempting to gain inside information pose a real threat to UK businesses, and a different risk management approach must be adopted

Government officials have issued an unprecedented warning to businesses to protect their computer systems from hacking attacks by foreign intelligence agencies.

The warning, from the UK's National Infrastructure Security Co-ordination Centre (NISCC), may sound like the stuff of James Bond, but it has serious implications for the way organisations think about security.

As the organisation responsible for advising government departments and the UK's key industries on information security, the NISCC has generally assumed a low public profile. But the organisation's director, Roger Cumming, has now spoken out about the risks.

He said he believed that firms were defending themselves from attacks from organised criminal hackers, but they were overlooking potentially more serious attacks from overseas governments.

The NISCC first issued a notice in June 2005, warning that UK businesses and government departments were being targeted by Trojans tailor-made to steal confidential information.

"People assumed the warning was crime-related: it was not. We do not think the origin of these attacks is from organised crime," he said in an interview with Computer Weekly.

The NISCC has traced the source of the attacks to the Far East. It has declined to give further details, but others point the finger at governments in China, Korea and the former Soviet states.

The centre has held private meetings with business groups, where officials have warned that defending against attacks from well-resourced government agencies requires a different risk management approach from the one used against hacking attacks by organised criminal groups.

"One of the biggest lessons is that it is very important to focus on the threat sponsor as well as the actor," said Cumming. "It is important to think who might want access to information."

The NISCC believes that foreign intelligence agencies are investing significant resources in identifying key individuals in organisations that have access to company secrets.

Their motive is economic espionage, often with the intention of giving companies in their own countries an unfair advantage during negotiations.

Companies with significant intellectual property, or firms involved in major contract negotiations or takeover battles are prime targets.

The attackers send credible-looking e-mails to the targeted employee, perhaps purporting to come from their boss or a work colleague. The attachment or link in the e-mail installs Trojan software which gives the attackers access to the machine. The attackers exploit unpublished vulnerabilities (so-called zero-days), for which no patch or signature yet exists, so the Trojans can evade anti-virus and anti-spyware systems.

Another trick is for agents to send the target an infected CD-ROM, or to leave an infected memory stick by the target's car in the company car park. In many cases, the victim will plug it into their computer.

"Social engineering used to be good. Now it is very good," said Cumming. "They will infiltrate a corporate network and launch an attack by encouraging targeted individuals to open an attachment they think comes from a trusted source."

The NISCC is advising businesses to take the threat from foreign intelligence services into account in their risk management strategies. This means identifying which information in the organisation is most at risk and ensuring it is protected.

"Understanding what is important in your organisation is critical. Remember, these are not random attacks. They are going after information that is important to them. If you have information that is at the heart of your business, there is a good possibility there is someone else who thinks they will benefit by obtaining it," said Cumming.

Companies can use a range of technical measures to protect their critical information. One approach is to seed critical servers with dummy documents (decoys, sometimes called honeytokens) that no legitimate process should ever touch, so that any access to them immediately sounds the alarm.

Linking the computer audit trail with the physical audit trail - showing who is in the building and which terminal they are using - is one way of identifying the presence of attackers: a logon at a desk by a user whom the badge system says is not on site stands out. Monitoring internet traffic leaving the organisation is also important, since stolen data has to be sent out somewhere.
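The two detections described in the preceding paragraphs, decoy documents on a critical server and correlation of badge records with workstation logons, as an added illustration that is not NISCC or Computer Weekly material. The log formats, file paths, user names and timestamps are all constructed for the example and would have to be mapped onto an organisation's own file-audit, domain logon and badge-system exports.

```python
"""Added example (not NISCC or Computer Weekly code) of two detections the
article describes, run over constructed log lines:

1. Canary documents: dummy files seeded on a critical server that no
   legitimate job should ever open, so any read is an alert.
2. Physical/logical correlation: an interactive logon at an office terminal
   by a user whose badge has not entered the building (or has already left).

All formats, paths and names below are invented for the example.
"""
from dataclasses import dataclass
from datetime import datetime

# Dummy documents with attractive names seeded on the file server (constructed).
CANARY_PATHS = {
    "/srv/deals/project-falcon/board-pack-final.docx",
    "/srv/legal/merger-terms-draft3.xlsx",
}

# Constructed file-access audit: time|user|workstation|action|path
FILE_AUDIT = """
2005-11-14T09:02:11|jsmith|WS-0412|READ|/srv/deals/public/brochure.pdf
2005-11-14T09:05:40|amartin|WS-0377|READ|/srv/deals/project-falcon/board-pack-final.docx
2005-11-14T21:47:03|jsmith|WS-0412|READ|/srv/legal/merger-terms-draft3.xlsx
"""

# Constructed badge-system export: time|user|event
BADGE_LOG = """
2005-11-14T08:30:00|jsmith|BADGE_IN
2005-11-14T08:45:12|amartin|BADGE_IN
2005-11-14T17:58:30|jsmith|BADGE_OUT
2005-11-14T18:10:05|amartin|BADGE_OUT
"""

# Constructed interactive-logon export: time|user|workstation|event
LOGON_LOG = """
2005-11-14T08:41:03|jsmith|WS-0412|LOGON
2005-11-14T08:50:22|amartin|WS-0377|LOGON
2005-11-14T21:45:10|jsmith|WS-0412|LOGON
"""


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    reason: str


def parse(log: str):
    """Split pipe-delimited lines; blank lines are skipped."""
    return [line.split("|") for line in log.strip().splitlines() if line.strip()]


def canary_alerts(file_audit: str, canary_paths: set) -> list:
    """Any access to a seeded document is an alert, whichever account did it."""
    alerts = []
    for ts, user, host, action, path in parse(file_audit):
        if path in canary_paths:
            alerts.append(Alert(datetime.fromisoformat(ts), user,
                                f"canary document {path} {action.lower()} from {host}"))
    return alerts


def presence_intervals(badge_log: str) -> dict:
    """user -> list of [badge_in, badge_out-or-None] visits, in log order."""
    intervals = {}
    for ts, user, event in parse(badge_log):
        t = datetime.fromisoformat(ts)
        if event == "BADGE_IN":
            intervals.setdefault(user, []).append([t, None])
        elif event == "BADGE_OUT":
            open_visits = [v for v in intervals.get(user, []) if v[1] is None]
            if open_visits:
                open_visits[-1][1] = t  # close the most recent open visit
    return intervals


def present_at(badge_log: str, user: str, iso_ts: str) -> bool:
    """True if the badge system shows the user inside the building at iso_ts."""
    t = datetime.fromisoformat(iso_ts)
    for start, end in presence_intervals(badge_log).get(user, []):
        if start <= t and (end is None or t <= end):
            return True
    return False


def logon_alerts(logon_log: str, badge_log: str) -> list:
    """Interactive logon at a terminal while the badge system says the user is
    not on site: tailgating, a borrowed card, or someone else using the
    user's credentials."""
    alerts = []
    for ts, user, terminal, event in parse(logon_log):
        if event == "LOGON" and not present_at(badge_log, user, ts):
            alerts.append(Alert(datetime.fromisoformat(ts), user,
                                f"interactive logon at {terminal} with no matching badge-in"))
    return alerts


def run() -> list:
    """All alerts from the constructed logs, oldest first."""
    alerts = canary_alerts(FILE_AUDIT, CANARY_PATHS) + logon_alerts(LOGON_LOG, BADGE_LOG)
    return sorted(alerts, key=lambda a: a.when)


if __name__ == "__main__":
    for a in run():
        print(f"{a.when:%Y-%m-%d %H:%M:%S}  {a.user:<8}  {a.reason}")
```

On the constructed data the script raises three alerts: a daytime read of a decoy by amartin's account, and a logon and decoy read under jsmith's account at 21:45 and 21:47, nearly four hours after jsmith badged out. Neither rule on its own proves a compromise, but the pair together is exactly the kind of targeted, after-hours access to the most sensitive material that the article says these attackers are after, and it is found without any signature for the Trojan involved.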

But Alan Paller, director of research at US security training and advisory body the SANS Institute, said there was no substitute for educating staff about the risks posed by Trojans.

Paller advised companies to carry out mock phishing attacks against their own employees to alert staff to the dangers.

The NISCC, meanwhile, is encouraging businesses to share information more widely on the threats they are facing, and is offering guarantees of confidentiality to businesses that report attacks on their systems.

"We need the NISCC and industry to catch up regularly. That means working together more as a community. Our focus has been on the critical national infrastructure, but the threat goes wider than that," said Cumming.

"There are organisations out there where attacks have been successful, or could be successful, that could have an impact on the UK's economic wellbeing. The more information we share, the more we shine a light on these activities," he said.

Ultimately, said Cumming, the NISCC wants to make it clear to foreign governments that if they attack the UK they will pay a high price.

The NISCC is promising to alert businesses and other governments rapidly to the technical countermeasures for any attack it detects, so that a technique used once against a UK target is rendered useless anywhere else.


Cyber wars: US government in the front line

Although little has been made public in the UK, it has emerged that foreign intelligence agencies are systematically attacking US government and military computer networks.

  • Chinese intelligence agencies downloaded between 10 and 20 terabytes of data from US government military networks, prompting General William Lord to warn, "There is a nation-state threat from the Chinese."
  • Investigators discovered the US Department of Commerce computer systems were "riddled" with Trojans delivered from Chinese servers.
  • Hackers in Guangdong in China launched a large-scale attack against the US Department of Defence, contractors and US allies. The attacks came from 20 workstations operating around the clock.
  • Chinese hackers downloaded a huge collection of files, including mission planning systems for army helicopters and flight planning software used by the US army and air force.

Source: SANS Institute
