Cyber-espionage: a real and present threat

A cyber spy ring targeting government and business computers containing sensitive information in over 100 countries grabbed the headlines this week

A cyber spy ring targeting government and business computers containing sensitive information in over 100 countries grabbed the headlines this week, but the latest attacks are nothing new or unusual, say investigators.

UK businesses are still shocked when they discover they have been infiltrated by cyber-espionage operations, but experts warn that this sort of infiltration happens all the time.

The headline-grabbing spy operation, dubbed Ghostnet, is detailed in a report published this week by Canada's Information Warfare Monitor (IWM) research group. The report should be a wake-up call to all organisations that underestimate the threat.

"Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, which matters most," IWM says.

The reality is that most organisations are susceptible to having commercially sensitive information stolen, says Ian McGurk, associate director for information security at consultancy Control Risks.

Jonathan Evans, the MI5 director general, warned UK businesses of the threat of state-sponsored cyber attacks in 2007, but most organisations do not take the warning seriously, he says.

How to mitigate the threat of cyber spies
  • Make users aware that threats exist
  • Educate users about risky behaviour
  • Limit user privileges to job roles
  • Do not give open machines admin rights
  • Audit and log network activity
  • Identify and protect high-value information
  • Do not rely on signature-based anti-virus software
  • Use behaviour-based malware detection

Daily attacks

"We are seeing these cases on a daily basis. The [cyber-espionage] operations are real, they are well organised, and they are targeting data in organisations that continue to rely on outdated technology for protection," says Yuval Ben-Itzhak, chief technology officer at security firm Finjan.

According to Ben-Itzhak, signature-based malware detection systems are useless against the trojans cyber spies are using, because these are unknown to the security community and have no registered signature.

Businesses have no defences against social malware attacks like those used by the GhostNet operators. Well-designed e-mail lures combined with malware are devastatingly effective, says Ross Anderson, a professor at Cambridge University.

"If your business has sensitive information that might be a target of capable motivated opponents, then your current information security will probably not be good enough in the future," he says.

IT departments should tackle the problem by beefing up system security and staff awareness around the organisation's most important information, says McGurk.

"Cyber-espionage is highly targeted, so protection should be greatest around information that has the highest value to outsiders," he says.

Enhance your protection

Organisations should identify high-value assets and information, and concentrate on putting enhanced protection around these and associated processes.

Information relating to mergers and acquisitions or anything else likely to affect share prices, and information about new products such as designs and planned launches, are prime targets.

"Anyone working with this type of information should be made aware of the threat of cyber espionage and how they could be targeted by social engineering attacks," says McGurk.

In the face of unknown trojans that may go undetected for months, McGurk advocates a layered defence strategy, including auditing and logging systems to track all network activities.
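The sidebar's advice to audit and log network activity and to use behaviour-based rather than signature-based detection, and McGurk's point that unknown trojans can sit undetected for months, can be illustrated with a small beacon detector run over proxy logs. This is an added example, not code from the article or from any of the firms quoted. The log field layout, the hostnames, the source addresses and the toy hash list are all constructed assumptions for the example.

```python
"""Behaviour-based beacon detection over proxy logs.

A trojan with no known signature still has to call home, and scheduled
call-homes produce connections at suspiciously regular intervals. The log
lines below are constructed; the field layout (epoch seconds, source IP,
destination host, bytes) is an assumption, not any real proxy format."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: workstation 10.0.0.7 contacts the same external
# host every ~600 s with near-identical sizes; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.7 update-check.example.invalid 512
1700000043 10.0.0.9 news.example.invalid 18233
1700000600 10.0.0.7 update-check.example.invalid 510
1700000911 10.0.0.9 mail.example.invalid 2048
1700001201 10.0.0.7 update-check.example.invalid 514
1700001350 10.0.0.9 news.example.invalid 9120
1700001799 10.0.0.7 update-check.example.invalid 511
1700002402 10.0.0.7 update-check.example.invalid 513
1700002431 10.0.0.9 news.example.invalid 22011
1700003001 10.0.0.7 update-check.example.invalid 512
"""

# Toy signature list (placeholder hash). A freshly built trojan is not in it,
# which is exactly why a signature-only layer misses it.
KNOWN_BAD_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}


def signature_match(sample_hash):
    """Signature layer: true only if the sample's hash is already known."""
    return sample_hash in KNOWN_BAD_HASHES


def parse_log(text):
    """Return a list of (ts, src, dst, nbytes) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def find_beacons(records, min_connections=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection intervals are unusually regular.

    jitter = population std-dev of the gaps / mean gap. Human browsing gives
    a large jitter; a timer-driven call-home gives a small one. Pairs with
    too few connections are ignored so a single visit is never flagged.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            beacons[pair] = {
                "count": len(times),
                "mean_interval": avg,
                "jitter": round(jitter, 3),
            }
    return beacons


if __name__ == "__main__":
    # The signature layer passes the unknown sample; the behaviour layer flags it.
    print("signature hit for unknown sample:", signature_match("0" * 32))
    for pair, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print("possible beacon:", pair, info)
```

The threshold values (five connections, 10% jitter) are starting points, not tuned figures; on a real network the check would be run over the central proxy or firewall logs the sidebar says to keep, and hits reviewed against known software that legitimately polls on a timer.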

"If you have the right defences and levels of awareness and training in place, you can make it difficult to the point where cyber spies give up," he says.

Chinese connection

GhostNet has been linked with locations in China, raising suspicions of state-sponsored espionage.

Chinese hackers are thought to target western networks continually, and are known to have attacked UK government department computers in 2007.

But researchers say it is wrong to attribute all Chinese malware to deliberate information gathering by the state, and Chinese authorities have denied any involvement.

The operation infiltrated over 1,000 computers using spyware installed invisibly as users clicked on attachments or links in well-crafted or hijacked e-mails.
