Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security IT

UK Critical Structures Targeted by Trojan Attacks 102

ElGanzoLoco writes "The UK's National Infrastructure Security Coordination Centre is reporting that key british infrastructures (government, telecom, transports, banks among others) are under attack by specific, targeted e-mail trojans. According to their report (PDF), 'the emails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient. In fact they are "spoofed", making them appear to originate from trusted contacts, news agencies or Government departments.'. The attackers are apparently trying to gather sensitive or secret data. While the NISCC has not been able to precisely trace the attacks' origins, most IPs seem to trace back to Far-East Asia."
This discussion has been archived. No new comments can be posted.

UK Critical Structures Targeted by Trojan Attacks

Comments Filter:
  • lol? (Score:3, Interesting)

    by Anonymous Coward on Friday June 17, 2005 @07:56AM (#12840542)
    If this is a sustained attack:
    1) block these emails
    2) educate staff to be aware of this atleast in the short-term
    3) hold educated staff atleast partly responsible for any infections that result from this attack
    4) we need to vote in a government that actually knows how to use a computer
    • You know. I must have been spoofed about a hundred times from people wanting my bank account information. Unfortunately, the emails weren't from the right bank. Also, after a while I got curious and clicked on the spoofing links. The website was dead. If all spoofers are the same then I'd suggest that people should seriously think about firing those idiots in the UK. Also, where is the antivirus software???
      • Re:lol? (Score:4, Interesting)

        by BiggyP ( 466507 ) <philhNO@SPAMtheopencd.org> on Friday June 17, 2005 @08:21AM (#12840715) Homepage Journal
        It could be that a lot of these links, the ones that appear dead, do so only because the spoofing vulnerability in use doesn't work in the browser you're using.

        Imagine if the UK government stopped wasting vast amounts of money licensing windows for their end users and switched to something a little less bug ridden.
        • It could be that a lot of these links, the ones that appear dead, do so only because the spoofing vulnerability in use doesn't work in the browser you're using. You mean Internet Explorer????? They actually fixed the phishing problem????? Nah.. More than likely the website was shut down.
      • A reply to both parent and grand parent.

        If this is a sustained attack: 1) block these emails

        That's why they put out this warning so those responsible can do this

        2) educate staff to be aware of this atleast in the short-term

        That's why they put out this warning so those responsible can do this

        3) hold educated staff atleast partly responsible for any infections that result from this attack

        We do.

        4) we need to vote in a government that actually knows how to use a computer

        No arguments here.

      • 1. antivirus software works by looking for signatures, modify the virus and you can change the signature. if the virus writer has up-to-date sigs, they can test the modifications to see if they have made the virus undetectable.
        2. by targeting the virus to a limited range of targets, it's more difficult for the antivirus to find the new signatures for the virus
        3. users in a protected enrivonment have a false sense of security making successful attacks more likely.
        4. if the website is dead either law-enforcem
    • Re:lol? (Score:2, Funny)

      by Bob3141592 ( 225638 )
      At least we can be confident that the highly trained, tech savy American Homeland Security systems will be perfectly secure.
    • I get emails from ebay.com, but they're sent from hackers who want my ebay information. If I was to block the email, I wouldn't get anything else further from ebay when they sent legitamate emails.

      If I wasn't moral, I'd have been doing this crap since the early 90s. Luckily, so few people do it, that the FEDS could generally bust people by simply walking into the trap, then tracing the information.

      The problem comes when the attack is from oversea. The feds want to bust them, but they people they wa
      • I get emails from ebay.com, but they're sent from hackers who want my ebay information. If I was to block the email, I wouldn't get anything else further from ebay when they sent legitamate emails.

        Block the IP from hitting up your SMTP servers, not the specific email address. These are not hackers, these are scammers. Scammers (and anybody else) are able to send you an email with a link that says "ebay.com" but in html says "231.12.255.255/fakeebay.cgi". They depend on uneducated people believing that
    • 4) we need to vote in a government that actually knows how to use a computer
      And the Tories can? Besides most of the staff are non-politicals, changing governments won't change that.
  • success through spam-jacking, comes the hit U.K. blockbuster 'Concerted Distributed National Espionage'. Let's get Nick Cage to play Tony Blair.
  • Far East Asia? (Score:4, Interesting)

    by EQ ( 28372 ) on Friday June 17, 2005 @07:57AM (#12840554) Homepage Journal
    Perhaps the fabled North Korean Super Hackers at work?

    Although why woudl they want anything to do with the UK? Isnt it the USA thats their bete noir?
  • Political Spin? (Score:5, Insightful)

    by Kinky Bass Junk ( 880011 ) on Friday June 17, 2005 @07:59AM (#12840570)
    While the NISCC has not been able to precisely trace the attacks' origins, most IPs seem to trace back to Far-East Asia.

    There's no doubt that these attacks will create a political spin, which could be their target in the first place. We all know there are many tensions between western and easter countries, particularly North Korea & China, and U.K. & U.S.A. This also goes hand-in-hand with previous stories saying there are highly skilled cracker armies in North Korea. I would say without a doubt that these are politically motivated.
    • Yes, but Tony B-Liar will have a MUCH tougher time trying to convince the rest of parliament and the UK Public to go after NKorea, or China just because of a few trojan emails.

      The british public will blame the government for the lack of security than blame N.Korea, et al for this.

      Mind you, this may be good for Linux Adoption!
      • Right, but even if the public doesn't condone going after North Korea, they might condone more funding or even powerful legislation that allows law enforcement more powers.
  • Just like spam (Score:2, Informative)

    by Anonymous Coward

    like most spam seems to originate in China but in reality its American spam gangs [spamhaus.org] sending spam via China
    iam sure this is no different

    • Re: (Score:3, Funny)

      Comment removed based on user account deletion
      • Re:Just like spam (Score:4, Informative)

        by 1u3hr ( 530656 ) on Friday June 17, 2005 @09:03AM (#12841088)
        I would be very interested to know how they find ways to hop the Great Firewall of China twice...

        China doesn't really care about through traffic, but about what their citizens are reading and writing. The "firewall" is just a wordplay, not a useful metaphor for how China manages its part of the net.

  • "Secret" data? (Score:5, Informative)

    by ssimpson ( 133662 ) <slashdot@samsimps o n . c om> on Friday June 17, 2005 @08:04AM (#12840591) Homepage

    According to UK Government operational and configuration guidelines for classified system (primarily JSP440), any system containing CONFIDENTIAL or data with high protective marking just won't be connected to the internet so therefore won't get the mails and therefore won't be able to leak to the internet?

    So how the hell would these PC leak SECRET data at all?

    • So how the hell would these PC leak SECRET data at all?

      IANA, but in my understanding if a PC is compromised by a trojan, there is a lot it can do. Now confidential data may only be held on secure systems, but what happens when Joe from upstairs needs a copy of this, and for ease of work Jim (with a compromised machine) emails it to him, after getting it manualy? A combination of social engineering and use of compromised machines could get you a plethora of sensitive information.
      • The program then needs to magically send data back out from the classified network to the internet, somehow. These networks (certainly all networks containing SECRET data and above) are physically disconnected from other networks and the internet, so I don't understand how this would occur....

        • What I meant was users with physical access to the disconnected networks pass on the information to co-workers through the internet-connected network. It's quite likely, really.
          • Sorry, are you saying 1) someone gets and e-mail, transfers it to the SECRET network and then someone runs a trojan or 2) that the unclassified network will contain SECRET data copied either accidentally or maliciously by users

            If 1) then my comment stands - the data has no way to get out from the air-gapped SECRET network

            If 2), then this would be surprising. Most government employees that have sufficient clearance and have been granted access to SECRET material on a need to know basis are pretty well i

            • I meant #2

              If 2), then this would be surprising. Most government employees that have sufficient clearance and have been granted access to SECRET material on a need to know basis are pretty well informed about the required Operating Procedures

              I was assuming (yes, i know, assumptions...) that users are still going to converse, possibly about the sensitive data, and as such may leak through these trojans monitoring emails.

              I think that makes sense.
              • Based upon work at a few highly secure sites, I am very confident that "business systems" networks don't knowingly contain protectively marked data, but I can imagine it happens accidentally from time to time. But in terabyte after terabyte of data on a non-classified network, it's going to be unlikely that a trojan just so happens to leak the protectively marked material.

                I really had a lot of respect at how seriously DV people (the top clearance in UK) took protection of classified material. Even secre

            • Most government employees that have sufficient clearance and have been granted access to SECRET material on a need to know basis are pretty well informed about the required Operating Procedures
              All it takes is one who thinks the rules don't matter or that he is above them. The USA had a CIA deputy director who took a laptop home with classified data and put it on the Internet [fas.org]
          • What I meant was users with physical access to the disconnected networks pass on the information to co-workers through the internet-connected network. It's quite likely, really

            If they want to keep there job they won't do this, there are more secure ways that aren't much slower to get data to collegues. Also if someone wants data from the systems they need to supply a production request approved by the environment owner an approved e-mail request won't do.

      • Trojans can do a fair bit of damage , but i don't yet think they have one which can print out a robot to go and swap the network cables around to put it on the internet... which raises the question of how it would get on a secure computer in the first place unless James Bond has gone rouge
      • Re:"Secret" data? (Score:2, Interesting)

        by kc0re ( 739168 )
        No, what's he's saying is.. SECRET and CONFIDENTIAL machines are connected to a "net" but not /the/ net. See there are other "nets" that never ever touch the internet. So his question is, how did information on a totally seperate net get onto the internet... The answer to that question is thumbdrives, floppies, or god forbit, a SECRET machine plugged into the Internet.
        • On sites with this level of security, thumbdrives, floppies etc are prohibited items. All staff that access SECRET material will be DV cleared and acutely aware that breaching Operating Procedures will result in instant dismisal and possible prosecution under the OSA.

          Seriously, in normal business having lapse security is usual. In facilities that contain SECRET or greater material, the IT & business staff are generally anal about securing data and IT systems. USB ports disabled or removed, all hard

          • Of course, as we all know from the reports of the mess at Los Alamos National Laboratories, it's very possible for a lab culture to be extremely casual about frequently breaching the mandated air gap. Just because the regulations exist doesn't mean that they're even remotely followed.
    • So how the hell would these PC leak SECRET data at all

      By way of the user behind it

      Who needs access to the actual data files when you can trick the person behind the machine into giving the data (be it the files, be it just some quotes/numbers, be it whatever) to you ?

      That's how the vast majority of these things work after all.
    • Re:"Secret" data? (Score:3, Interesting)

      by Jon Chatow ( 25684 ) *
      All government departments now live on email - email over the Internet, that is - including with non-governmental parties and non-secure systems, all the time. The idea that they could function without being connected to the Internet, but simply some private internet, is unworkable.

      Nor, for that matter, could they do what bits of the Armed Forces do - all emails to the outside world go to a special room where trained security operatives read the outbound email on one screen (a computer on the white netwo

    • I didn't find in the actual report PDF [niscc.gov.uk] where they used the word secret or confidential as in government classified SECRET or CONFIDENTIAL, so the implication is the government data was as the report said sensitive or as it implied a business secret.
      Also it may be that somebody wants to turn an employee so putting him in financial difficulty or learning an embarassing personal secret can have great rewards.

    • The Critical National Infrastructure is private infrastructures such as Water Boards/Eletricity, Electricity, banks etc, it doesnt carry anything approaching a secret classification.

      The CNI is completely different from the GSI (government secure intranet) which links low level government departments and
      and public authorities, police, hospitals, etc.

      Those are also completely different and unconnected with the GDN (Government data network) which links confidential but lowish security government departments.
    • Yeah, yeah, you're very clever.

      Commercial organisations have plenty of small-ess secret data that others would be interested to see. Same goes for government. (Consider a typical leak of info on, say, transport dept plans for road charging (random example) to the press.

      Disclaimer: I work for Messagelabs; read the Register story to see the connection.

  • by NigelJohnstone ( 242811 ) on Friday June 17, 2005 @08:06AM (#12840613)
    Seems to be a lot coming from one IP address.

    ----------------------
    "Rejected mail, The original message was received at Fri, 17 Jun 2005 08:05:12 +0800 from uniontrib.com [121.206.16.100]."
    Actually its a trojan (a.COM) in a zip file.
    Comes from 222.136.55.64 = China
    -----------------------

    "RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS"
    Another from 222.136.55.64 ....

    I think they're just paranoid, we have nothing to do with security or government, yet we get these trojans all the time too.

    • This is not about the stuff your spam filters or anti-virus software detect. Read the NISCC advisory. Lond doc short: they're hand-optimised apps, each used for a specific, targetted organisation. Signature-based virus scanners won't detect these (which is why Dr Evil is producing them and only usnig them for a small number of targets before moving on to the next one.)

      Disclaimer: I work for Messagelabs (hint: we have our own in-house scanning technologies that work differently to typical a/v, and... well,

      • http://www.niscc.gov.uk/niscc/docs/ttea.pdf [niscc.gov.uk]

        That NISCC advisory exactly describes exactly what I'm seeing. Even down to the 'newspaper article' reference, e.g. the one I shows as an example was from uniontrib.com = San Diego Union Tribune.

        I don't see the difference, what they describe is exactly what is normal for this sort of attack, custom backdoor variants, social engineering, website or attachment delivery, sender spoofed, IP address typically Asian.

        What exactly is this 'critical infrastructure' that
        • Add 221.227.27.154 to the list.

        • The copy of the NISCC report I have says on P3 (para 5):

          Trojan capabilities suggest that the covert gathering and transmission of otherwise privileged information is a principal goal. The attacks normally focus on individuals who have jobs working with commercially or economically sensitive data.

          It's clear that 'critical infrastructure' in this context doesn't just mean nuclear power-stations or the electricity grid any more. Of course such SCADA systems, and the NSA systems and the classified milit

          • Surely critical infrastructure is stuff thats critical! i.e. Indispensable.

            So intangible things, economic confidence etc. aren't critical because you can live without them. (and given the state of the US$ you ARE living without economic confidence right now!).

            Knock a bank off the Internet, what happens? Nothing, Citibank website was down recently, I used the telephone banking instead!

            "The business model, and hence attack strategy, adopted by the present attackers is significantly differnt,"

            Except it is
            • Surely critical infrastructure is stuff thats critical! i.e. Indispensable.

              So intangible things, economic confidence etc. aren't critical because you can live without them. (and given the state of the US$ you ARE living without economic confidence right now!).

              The threat to economic confidence is a lot more significant than "a recession". Personally I've lived through 3 recessions in the UK in my lifetime, none were much fun and all of them killed people. Even if we were talking about the ability to

              • "The threat to economic confidence is a lot more significant than "a recession"."

                So you're suggesting you can have a recession *AND* have economic confidence at the same time? If thats so why aren't people investing during a recession? You write as though they're unlinked.

                "Personally I've lived through 3 recessions in the UK in my lifetime, none were much fun and all of them killed people."

                And I've seen people kill themselves over a tax bill.

                I believe lack of economic confidence is a tiny thing, and *te
                • So you're suggesting you can have a recession *AND* have economic confidence at the same time? If thats so why aren't people investing during a recession?

                  I'm talking about a much more profound loss of confidence in the economic systems than the temporary belief that one's better off sticking money on deposit or into bonds than into equities for a few years (ie a recession.) If people weren't investing during a recession there would be no employment and hence no economy. (If I pay you to sweep the st

  • by lxdbxr ( 655786 ) * on Friday June 17, 2005 @08:07AM (#12840622) Homepage
    On the Radio 4 "Today" program this morning they covered this story, the correspondent basically said that NISCC knows where the attacks are coming from (& I would be surprised if they didn't, NISCC are pretty competent people), but did not spell it out in the report to avoid diplomatic complications. The Radio 4 guy reckoned that these specific, targeted attacks (mostly against gov.uk) were coming from China and Russia, though whether private or state actors he didn't say.

    No mention of North Korean superhackers, I was a little disappointed :-)

  • A number of open source3 and bespoke trojans, altered to avoid antivirus
    detection, have been used. The wide variety and constant evolution of
    the trojans used appears to be an attacker strategy to identify the conditions
    needed to successfully penetrate a network.
    Sounds like the regular spam and virus crap I get.

    Maybe the "far eastern" enemies think I'm part of the British government?
    Investigate anomalous slow-running machines, looking for unknown processes or unexpected Internet connections, as this may be an indication of malicious programs operating in the background. User reports of such behaviour should be encouraged and fully investigated.
    Oh yeah. That's going to be GREAT!

    No more of those "reboot and see if it fixes the problem" comments. Now it has to be "fully investigated".
    Implement spam filtering to guard against infrastructures commonly used by the attackers. Anti-spam measures such as greylisting/blacklisting of dial-ups, open proxies and open relays, in addition to more sophisticated methods (e.g. Bayesian filtering) can be effective protective measures.
    But I already do that.

    Wow, my email system is more "secure" than the British governments! Who would have guessed!
  • There's no way this could work without shear stupidity - are they using Outlook? is it running scripts? are they opening executable attachments? For fucks sake, why is my tax money being wasted when it clearly needs to be spent, today, on some 30 minute training, to educate government computer users on some very simple and very effective ways of defeating this sort of crap. This country used to be run like clockwork, its going down the drain.
    • There's always the possibility that someone other than the intended recipient reads the mail, such as a temp, who hasn't been trained against espionage. Most of these attempts fail but occassionally they do work! The more you try the better chance you have of succeeding.
    • Government agencies in the United States are Microsoft Lapdogs.

      And yes, they use Outlook. Until Mozilla Lightning comes out there won't really be any viable options.

      But what really has to happen is for a drop-in replacement for MS Exchange with it's calendaring, groups, etc.

      From what I recall, the Mozilla folks are working on that but it's a project thats 5 years down the pike.
  • SANS Community (Score:4, Informative)

    by kc0re ( 739168 ) on Friday June 17, 2005 @08:21AM (#12840712) Journal
    The SANS [sans.org] community broke this news yesterday on the DShield listserv... Check out Incidents.org [incidents.org] for the current news concerning it. As well as the ongoing investigation.
  • by Claws Of Doom ( 721684 ) on Friday June 17, 2005 @08:22AM (#12840720)
    I question the tone of the headline and the content. The implication is that British sites are being targetted exclusively. Being a British Government publication, this would have been their remit. I think that if the net was thrown wider you'd see that this is a general problem for the internet as a whole, and also for personal as well as business and Government computers. The article is correct in so far as it goes, but is far to narrow its view to be newsworthy. It would have been far more interesting if they'd found that other territories weren't being targetted. My suspicion is that there isn't any targetting - only carpet bombing.
    • perhaps specific targets are targeted initialy, then a carpet-bombing to cover their tracks? or even more likely since everybody is being carpet-bombed, a specialized attack might just fly under the radar.
  • by digitaldc ( 879047 ) on Friday June 17, 2005 @08:23AM (#12840728)
    The obvious solution to this problem is to recruit Austin Powers and have him go back in time to around 1995 to Microsoft Headquarters and take over their security services department. Then by sheer mojo, he will re-engineer the software to prevent these types of intrusions. Problem solved, the Queen is saved!
  • From the article: Implement operating system and software updates to patch the vulnerabilities exploited by these trojans. As Microsoft Office vulnerabilities have been particularly exploited, advice contained in all Microsoft security bulletins should be followed. These can be found at: Microsoft Security Bulletin Search http://www.microsoft.com/technet/security/current . aspx [microsoft.com]

    Maybe I am missing something, but why do the Brit spooks perform classified work and put secret documents on Windows machines? If

  • The real issue is that they are describing massive targetted attacks, which is why it's not regular spam/worm/trojan stuff. Supposedly the targets are government and financial sector businesses.
  • by Anonymous Coward
    ... I've got a pretty good idea what these "convincing emails from government officials" look like.

    GOOD DAY

    MY NAME IS PRINCE NARIB ABDULLAH HERZEGOVINA OOGA-BOOGA. I RUN AN OIL COMPANY IN NIGERIA. I AM CONTACTING YOU BECAUSE I NEED YOUR HELP.

    I HAVE $20,000,000 WHICH I NEED TO GET OUT OF NIGERIA AND INTO THE UK. I WANT TO USE YOUR BANK ACCOUNT IN ORDER TO DO THIS.

    I HAVE GIVEN THIS MUCH THOUGHT AND I AM PREPARED TO OFFER YOU 20% ($4,000,000) FOR THIS SERVICE.

    PLEASE CONTACT ME AT YOUR EARLIEST CONVENIEN
  • just the same trojans that everyone gets. ;)
  • by snortCrush69 ( 885031 ) on Friday June 17, 2005 @09:28AM (#12841366)
    Once again charisma and believabilty > Technology. So many Network Admins become enamored with firewalls, IDS, and other kinds of tech savvy protection, that they usually will hold the door open for social engineers. Until employees and users are better educated and social engineering becomes part of the corporate threat model, we're going to see these types of attacks continue to grow in number
    • I think you see the condundrum for what it is...

      We now have a system where it doesn't take a big investment to make a perfect impression. Just about anybody with any machine can easily produce web content that is at least equal to, and in many cases, far superior to what corporate entities can do ( as corporate entities are likely to use canned authoring solutions that are a thinly veiled coercion to force the public to use an OS which is compatible with them. ) Exact replicas of corporate logos are mad

  • Any other admins see an increase in virus' and spoofed or phishing emails this week?
  • Most "Far East" countries have all kinds of selfserving laws that let them execute and imprison people who interfere with the government policies. We've heard for years that Western governments opening trade with countries like China, Vietnam, Cambodia, Korea and their neighbors will give us more leverage to influence their policies. Usually about human rights, labor, and military agression. Well, those countries abuse their populations with those tyrannies to keep their production costs low, which has scor
  • The US has begun a targeted campaign against the british government in an attempt to uncover the person who released the so-called "Downing Street Memos" www.afterdowningstreet.org
  • For some reason, the British Government has been a great supporter of Microsoft. The results are predictable.
  • I know a fellow who has over the past 3 years analyzed several viruses created by the Chinese government and inserted into fake Falun-Gong websites, to install keyloggers into the computers of Falun-Gong practitioners overseas. So I know the Chinese government is using electronic warfare aggressively. As to whether China would go after the UK that way, I don't know.

To be is to program.

Working...