Slashdot Mirror
UK Critical Structures Targeted by Trojan Attacks
ElGanzoLoco writes "The UK's National Infrastructure Security Coordination Centre is reporting that key british infrastructures (government, telecom, transports, banks among others) are under attack by specific, targeted e-mail trojans. According to their report (PDF), 'the emails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient. In fact they are "spoofed", making them appear to originate from trusted contacts, news agencies or Government departments.'. The attackers are apparently trying to gather sensitive or secret data. While the NISCC has not been able to precisely trace the attacks' origins, most IPs seem to trace back to Far-East Asia."
If this is a sustained attack:
1) block these emails
2) educate staff to be aware of this atleast in the short-term
3) hold educated staff atleast partly responsible for any infections that result from this attack
4) we need to vote in a government that actually knows how to use a computer
success through spam-jacking, comes the hit U.K. blockbuster 'Concerted Distributed National Espionage'. Let's get Nick Cage to play Tony Blair.
Perhaps the fabled North Korean Super Hackers at work?
Although why woudl they want anything to do with the UK? Isnt it the USA thats their bete noir?
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
Well since only old people target UK critical structures I'd say a good bet would be Korea
While the NISCC has not been able to precisely trace the attacks' origins, most IPs seem to trace back to Far-East Asia.
There's no doubt that these attacks will create a political spin, which could be their target in the first place. We all know there are many tensions between western and easter countries, particularly North Korea & China, and U.K. & U.S.A. This also goes hand-in-hand with previous stories saying there are highly skilled cracker armies in North Korea. I would say without a doubt that these are politically motivated.
Anonymous Coward
like most spam seems to originate in China but in reality its American spam gangs sending spam via China
iam sure this is no different
According to UK Government operational and configuration guidelines for classified system (primarily JSP440), any system containing CONFIDENTIAL or data with high protective marking just won't be connected to the internet so therefore won't get the mails and therefore won't be able to leak to the internet?
So how the hell would these PC leak SECRET data at all?
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Seems to be a lot coming from one IP address.
....
----------------------
"Rejected mail, The original message was received at Fri, 17 Jun 2005 08:05:12 +0800 from uniontrib.com [121.206.16.100]."
Actually its a trojan (a.COM) in a zip file.
Comes from 222.136.55.64 = China
-----------------------
"RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS"
Another from 222.136.55.64
I think they're just paranoid, we have nothing to do with security or government, yet we get these trojans all the time too.
No mention of North Korean superhackers, I was a little disappointed :-)
-- Nothing unusual happened today
Maybe the "far eastern" enemies think I'm part of the British government?Oh yeah. That's going to be GREAT!
No more of those "reboot and see if it fixes the problem" comments. Now it has to be "fully investigated".But I already do that.
Wow, my email system is more "secure" than the British governments! Who would have guessed!
I've got some balls alright, I simply tabbed once to often.
We have seen major phishing attemps on the big US corporations for a while now, and people have been faking mails from ebay and the banks and everywhere else.
Only now that UK organisations are targeted do they start moaning.
There should be a concerted effort to stamp out this kind of shit targeting whichever organisation WORLDWIDE, not just a namby pamby "oh look our companies is getting done over".
Organisations and ISPs should supply enough information about online fraud to everyone who needs it, and shouldnt wait until they get hit.
liqbase
By way of the user behind it
Who needs access to the actual data files when you can trick the person behind the machine into giving the data (be it the files, be it just some quotes/numbers, be it whatever) to you ?
That's how the vast majority of these things work after all.
The SANS community broke this news yesterday on the DShield listserv... Check out Incidents.org for the current news concerning it. As well as the ongoing investigation.
I question the tone of the headline and the content. The implication is that British sites are being targetted exclusively. Being a British Government publication, this would have been their remit. I think that if the net was thrown wider you'd see that this is a general problem for the internet as a whole, and also for personal as well as business and Government computers. The article is correct in so far as it goes, but is far to narrow its view to be newsworthy. It would have been far more interesting if they'd found that other territories weren't being targetted. My suspicion is that there isn't any targetting - only carpet bombing.
The obvious solution to this problem is to recruit Austin Powers and have him go back in time to around 1995 to Microsoft Headquarters and take over their security services department. Then by sheer mojo, he will re-engineer the software to prevent these types of intrusions. Problem solved, the Queen is saved!
He who knows best knows how little he knows. - Thomas Jefferson
Maybe I am missing something, but why do the Brit spooks perform classified work and put secret documents on Windows machines? If all they want is to provide a click-and-drool interface to their secretaries, the Mac is perfect, not to mention open-source OSes.
So why are the British taxpayers allowing them to weaken national security and waste their money, just to enrich a non-UK software company? Isn't it betrayal?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
There's always the possibility that someone other than the intended recipient reads the mail, such as a temp, who hasn't been trained against espionage. Most of these attempts fail but occassionally they do work! The more you try the better chance you have of succeeding.
The real issue is that they are describing massive targetted attacks, which is why it's not regular spam/worm/trojan stuff. Supposedly the targets are government and financial sector businesses.
... I've got a pretty good idea what these "convincing emails from government officials" look like.
GOOD DAY
MY NAME IS PRINCE NARIB ABDULLAH HERZEGOVINA OOGA-BOOGA. I RUN AN OIL COMPANY IN NIGERIA. I AM CONTACTING YOU BECAUSE I NEED YOUR HELP.
I HAVE $20,000,000 WHICH I NEED TO GET OUT OF NIGERIA AND INTO THE UK. I WANT TO USE YOUR BANK ACCOUNT IN ORDER TO DO THIS.
I HAVE GIVEN THIS MUCH THOUGHT AND I AM PREPARED TO OFFER YOU 20% ($4,000,000) FOR THIS SERVICE.
PLEASE CONTACT ME AT YOUR EARLIEST CONVENIENCE SO WE CAN DISCUSS THIS!!!oneoneoneOMGWTFBBQ!!
Yes and this is why privatisation of the government is a stupid idea. Why should greedy idiots get public funds so they can cut corners and turn a profit, when the whole point of the government is to organise and run the bloody country themselves - that's what we pay them for, or at least that's what we should be paying them for.
Yes I know how capitalism works, I just think the government is generally an exception.
This comment does not represent the views or opinions of the user.
We have seen major phishing attemps on the big US corporations for a while now, and people have been faking mails from ebay and the banks and everywhere else.
Only now that UK organisations are targeted do they start moaning.
There should be a concerted effort to stamp out this kind of shit targeting whichever organisation WORLDWIDE, not just a namby pamby "oh look our companies is getting done over". Organisations and ISPs should supply enough information about online fraud to everyone who needs it, and shouldnt wait until they get hit.
Umm these sort of attacks have been known about for a long time this is information about a specific problem its called a warning it alows others to be aware that there is a new round of attacks going on and to be prepared if these e-mails come there way, that way less damage is done.
Do you think it's better that no one knows about this latest round of attacks or should we twiddle our thumbs saying "everyone else should know about this we have no responsibility to help"?
Saying Apple is better than MS is like saying Botulism is better than rabies.
First of all phishing is an attack against account holders of "Major US Corporations" not against those organizations. Vulnerability to targeted attacks using modified Trojans, while not new, is the weak underbelly of corporate security. No amount of security awareness training is going to stop somone from opening an email apparently from their boss that says: "Here is your performance appraisal, open immediately". There was a concerted (unreported in the media) attack against 5 big banks in New York a year ago. Customized viruses were used. It took major pressure to get the AV vendors to add sigs for these "non-wild" viruses. more at http://www.threatchaos.com/
just the same trojans that everyone gets. ;)
I get emails from ebay.com, but they're sent from hackers who want my ebay information. If I was to block the email, I wouldn't get anything else further from ebay when they sent legitamate emails.
If I wasn't moral, I'd have been doing this crap since the early 90s. Luckily, so few people do it, that the FEDS could generally bust people by simply walking into the trap, then tracing the information.
The problem comes when the attack is from oversea. The feds want to bust them, but they people they want to bust are foreign hackers, hired by the government. When someone is doing some sort of trivial hate crime at you, you can't do anything but say,"please stop it." Its like little kids on the playground that get poked by someone else. Its not worthy of a punch in return, but its still annoying.
God spoke to me.
Government agencies in the United States are Microsoft Lapdogs.
And yes, they use Outlook. Until Mozilla Lightning comes out there won't really be any viable options.
But what really has to happen is for a drop-in replacement for MS Exchange with it's calendaring, groups, etc.
From what I recall, the Mozilla folks are working on that but it's a project thats 5 years down the pike.
Once again charisma and believabilty > Technology. So many Network Admins become enamored with firewalls, IDS, and other kinds of tech savvy protection, that they usually will hold the door open for social engineers. Until employees and users are better educated and social engineering becomes part of the corporate threat model, we're going to see these types of attacks continue to grow in number
Any other admins see an increase in virus' and spoofed or phishing emails this week?
Get up!
The Critical National Infrastructure is private infrastructures such as Water Boards/Eletricity, Electricity, banks etc, it doesnt carry anything approaching a secret classification.
The CNI is completely different from the GSI (government secure intranet) which links low level government departments and
and public authorities, police, hospitals, etc.
Those are also completely different and unconnected with the GDN (Government data network) which links confidential but lowish security government departments.
The GDN has a secure overlay which allows for more secure traffic using dedicated cryptographic and scrambling technologies.
These are all complete unconnected with military and intelligency data networks.
Most "Far East" countries have all kinds of selfserving laws that let them execute and imprison people who interfere with the government policies. We've heard for years that Western governments opening trade with countries like China, Vietnam, Cambodia, Korea and their neighbors will give us more leverage to influence their policies. Usually about human rights, labor, and military agression. Well, those countries abuse their populations with those tyrannies to keep their production costs low, which has scored them huge trade surpluses with us. It's time to use that "influence" we've supposedly developed to get them to rein in the "criminals" they're allowing to attack us. Or it's time to cut off our markets, because that political/economic experiment has failed, miserably.
--
make install -not war
The US has begun a targeted campaign against the british government in an attempt to uncover the person who released the so-called "Downing Street Memos" www.afterdowningstreet.org
Right, but even if the public doesn't condone going after North Korea, they might condone more funding or even powerful legislation that allows law enforcement more powers.
For some reason, the British Government has been a great supporter of Microsoft. The results are predictable.
Have you got your LWN subscription yet?
I know a fellow who has over the past 3 years analyzed several viruses created by the Chinese government and inserted into fake Falun-Gong websites, to install keyloggers into the computers of Falun-Gong practitioners overseas. So I know the Chinese government is using electronic warfare aggressively. As to whether China would go after the UK that way, I don't know.
If you'd been targetted by these attacks, you wouldn't know about it because your anti-virus software would not detect it. You seem to have read the fsckin article but not understood a word of it. Go back and read it again.
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
http://www.niscc.gov.uk/niscc/docs/ttea.pdf
That NISCC advisory exactly describes exactly what I'm seeing. Even down to the 'newspaper article' reference, e.g. the one I shows as an example was from uniontrib.com = San Diego Union Tribune.
I don't see the difference, what they describe is exactly what is normal for this sort of attack, custom backdoor variants, social engineering, website or attachment delivery, sender spoofed, IP address typically Asian.
What exactly is this 'critical infrastructure' thats connected to the NET and why exactly is it connected to the NET when these sorts of things are so common?
Add 221.227.27.154 to the list.
Surely critical infrastructure is stuff thats critical! i.e. Indispensable.
So intangible things, economic confidence etc. aren't critical because you can live without them. (and given the state of the US$ you ARE living without economic confidence right now!).
Knock a bank off the Internet, what happens? Nothing, Citibank website was down recently, I used the telephone banking instead!
"The business model, and hence attack strategy, adopted by the present attackers is significantly differnt,"
Except it isn't, nothing NISCC describes is anyway different from a normal trojan attack. Everything from the social engineering to the customized variants of backdoors, to the delivery via attachment or website, *everything* is exactly as it is normally with these attacks.
You say they are targetting critical infrastructure, no they're not, I'm seeing it right across all my non-critical websites!
" if you're in the UK and you recklon you see this stuff perhaps you should get in touch with the NISCC"
Why? They sound like clueless newbies!