Slashdot Mirror


UK Critical Structures Targeted by Trojan Attacks

ElGanzoLoco writes "The UK's National Infrastructure Security Coordination Centre is reporting that key British infrastructures (government, telecom, transports, banks among others) are under attack by specific, targeted e-mail trojans. According to their report (PDF), 'the emails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient. In fact they are "spoofed", making them appear to originate from trusted contacts, news agencies or Government departments.' The attackers are apparently trying to gather sensitive or secret data. While the NISCC has not been able to precisely trace the attacks' origins, most IPs seem to trace back to Far-East Asia."

22 of 102 comments

  1. lol? by Anonymous Coward · · Score: 3, Interesting

    If this is a sustained attack:
    1) block these emails
    2) educate staff to be aware of this at least in the short-term
    3) hold educated staff at least partly responsible for any infections that result from this attack
    4) we need to vote in a government that actually knows how to use a computer

    1. Re:lol? by BiggyP · · Score: 3, Interesting

      It could be that a lot of these links, the ones that appear dead, do so only because the spoofing vulnerability in use doesn't work in the browser you're using.

      Imagine if the UK government stopped wasting vast amounts of money licensing windows for their end users and switched to something a little less bug ridden.

    2. Re:lol? by Bob3141592 · · Score: 2, Funny

      At least we can be confident that the highly trained, tech savvy American Homeland Security systems will be perfectly secure.

      --
      In theory, there's no difference between theory and practice. In practice, there is.
  2. Far East Asia? by EQ · · Score: 3, Interesting

    Perhaps the fabled North Korean Super Hackers at work?

    Although why would they want anything to do with the UK? Isn't it the USA that's their bête noire?

    --
    Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
    1. Re:Far East Asia? by koi88 · · Score: 5, Funny

      Although why would they want anything to do with the UK? Isn't it the USA that's their bête noire?

      Maybe they're after James Bond...

      --
      I don't need a signature.
  3. Political Spin? by Kinky+Bass+Junk · · Score: 5, Insightful

    While the NISCC has not been able to precisely trace the attacks' origins, most IPs seem to trace back to Far-East Asia.

    There's no doubt that these attacks will create a political spin, which could be their target in the first place. We all know there are many tensions between western and eastern countries, particularly North Korea & China, and U.K. & U.S.A. This also goes hand-in-hand with previous stories saying there are highly skilled cracker armies in North Korea. I would say without a doubt that these are politically motivated.

    --
    Anonymous Coward
  4. Just like spam by Anonymous Coward · · Score: 2, Informative

    Like most spam seems to originate in China but in reality it's American spam gangs sending spam via China. I am sure this is no different.

    1. Re:Just like spam by scsirob · · Score: 2, Funny

      I would be very interested to know how they find ways to hop the Great Firewall of China twice...

      --
      To Terminate, or not to Terminate, that's the question - SCSIROB
    2. Re:Just like spam by 1u3hr · · Score: 3, Informative

      I would be very interested to know how they find ways to hop the Great Firewall of China twice...

      China doesn't really care about through traffic, but about what their citizens are reading and writing. The "firewall" is just a wordplay, not a useful metaphor for how China manages its part of the net.

  5. "Secret" data? by ssimpson · · Score: 4, Informative

    According to UK Government operational and configuration guidelines for classified systems (primarily JSP440), any system containing CONFIDENTIAL data or data with a higher protective marking just won't be connected to the internet, so therefore won't get the mails and therefore won't be able to leak to the internet?

    So how the hell would these PCs leak SECRET data at all?

    --
    "Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
    1. Re:"Secret" data? by Kinky+Bass+Junk · · Score: 2, Interesting

      So how the hell would these PCs leak SECRET data at all?

      IANA, but in my understanding if a PC is compromised by a trojan, there is a lot it can do. Now confidential data may only be held on secure systems, but what happens when Joe from upstairs needs a copy of this, and for ease of work Jim (with a compromised machine) emails it to him, after getting it manually? A combination of social engineering and use of compromised machines could get you a plethora of sensitive information.

      --
      Anonymous Coward
    2. Re:"Secret" data? by kc0re · · Score: 2, Interesting

      No, what he's saying is.. SECRET and CONFIDENTIAL machines are connected to a "net" but not /the/ net. See there are other "nets" that never ever touch the internet. So his question is, how did information on a totally separate net get onto the internet... The answer to that question is thumbdrives, floppies, or god forbid, a SECRET machine plugged into the Internet.

    3. Re:"Secret" data? by Jon+Chatow · · Score: 2, Interesting

      All government departments now live on email - email over the Internet, that is - including with non-governmental parties and non-secure systems, all the time. The idea that they could function without being connected to the Internet, but simply some private internet, is unworkable.

      Nor, for that matter, could they do what bits of the Armed Forces do - all emails to the outside world go to a special room where trained security operatives read the outbound email on one screen (a computer on the white network) and type it into another machine (on the black network), checking for release of documents. This is because "Here is today's draft of the Green Paper - any further comments", with a 500-page confidential document attached, is not something that can be readily re-typed. For "confidential"-tagged (and even sometimes "secret"-tagged) such situations, think of the CSRs (comprehensive spending reviews), where the Treasury gets terribly uppity about security.

      --
      James F.
  6. There's a lot coming from 222.136.55.64 by NigelJohnstone · · Score: 4, Informative

    Seems to be a lot coming from one IP address.

    ----------------------
    "Rejected mail, The original message was received at Fri, 17 Jun 2005 08:05:12 +0800 from uniontrib.com [121.206.16.100]."
    Actually it's a trojan (a.COM) in a zip file.
    Comes from 222.136.55.64 = China
    -----------------------

    "RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS"
    Another from 222.136.55.64 ....

    I think they're just paranoid, we have nothing to do with security or government, yet we get these trojans all the time too.

  7. China and Russia according to Radio 4 by lxdbxr · · Score: 4, Interesting

    On the Radio 4 "Today" programme this morning they covered this story. The correspondent basically said that NISCC knows where the attacks are coming from (& I would be surprised if they didn't, NISCC are pretty competent people), but did not spell it out in the report to avoid diplomatic complications. The Radio 4 guy reckoned that these specific, targeted attacks (mostly against gov.uk) were coming from China and Russia, though whether private or state actors he didn't say.

    No mention of North Korean superhackers, I was a little disappointed :-)

    --
    -- Nothing unusual happened today
  8. British government hit by spam! Declares emergency by khasim · · Score: 4, Insightful

    A number of open source and bespoke trojans, altered to avoid antivirus detection, have been used. The wide variety and constant evolution of the trojans used appears to be an attacker strategy to identify the conditions needed to successfully penetrate a network.

    Sounds like the regular spam and virus crap I get.

    Maybe the "far eastern" enemies think I'm part of the British government?

    Investigate anomalous slow-running machines, looking for unknown processes or unexpected Internet connections, as this may be an indication of malicious programs operating in the background. User reports of such behaviour should be encouraged and fully investigated.

    Oh yeah. That's going to be GREAT!

    No more of those "reboot and see if it fixes the problem" comments. Now it has to be "fully investigated".

    Implement spam filtering to guard against infrastructures commonly used by the attackers. Anti-spam measures such as greylisting/blacklisting of dial-ups, open proxies and open relays, in addition to more sophisticated methods (e.g. Bayesian filtering) can be effective protective measures.

    But I already do that.

    Wow, my email system is more "secure" than the British government's! Who would have guessed!
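    As an added example (not from the thread or the NISCC report), the two mail-gateway checks that comment 6's bounce samples and the filtering advice quoted in comment 8 point at: flag a message whose Received: chain passes through a blocklisted source IP, and flag a zip attachment that carries an executable member. The host name, IPs, subject line and "a.COM" member name are the ones quoted in the thread; the message itself is constructed for the test, and mx.example.invalid is a placeholder.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Relay IP named in the thread; a real gateway would load its own blocklist.
BLOCKLISTED_IPS = {"222.136.55.64"}
# Extensions Windows runs directly when the user double-clicks the file.
EXEC_EXT = (".com", ".exe", ".scr", ".pif", ".bat")

def executables_in_zip(data: bytes) -> list[str]:
    """Names of zip members with an executable extension (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []

def triage(raw: bytes) -> list[str]:
    """Reasons to quarantine a raw RFC 822 message; an empty list means no hit."""
    msg = email.message_from_bytes(raw)
    reasons = []
    # Each Received: header reads "from <claimed host> [<ip>] by ..."; the bracketed
    # IP is what the receiving MTA actually saw, the host name is only what was claimed.
    for hdr in msg.get_all("Received", []):
        ip = hdr.split("[", 1)[1].split("]", 1)[0] if "[" in hdr else ""
        if ip in BLOCKLISTED_IPS:
            reasons.append(f"relayed via blocklisted IP {ip}")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".zip"):
            hits = executables_in_zip(part.get_payload(decode=True) or b"")
            if hits:
                reasons.append(f"zip attachment contains executable {hits}")
    return reasons

def build_sample(src_ip: str, member: str) -> bytes:
    """Constructed test message (not a real capture) with a one-file zip attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a program")
    m = EmailMessage()
    m["From"] = "postmaster@uniontrib.com"  # spoofed bounce sender, as in comment 6
    m["Subject"] = "RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS"
    m["Received"] = f"from uniontrib.com [{src_ip}] by mx.example.invalid; Fri, 17 Jun 2005 08:05:12 +0800"
    m.set_content("The original message was rejected; see the attached transcript.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="transcript.zip")
    return bytes(m)
```

    Calling `triage(build_sample("222.136.55.64", "a.COM"))` returns both reasons, while a bounce from an unlisted IP with only a text file in the zip returns an empty list.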
  9. SANS Community by kc0re · · Score: 4, Informative

    The SANS community broke this news yesterday on the DShield listserv... Check out Incidents.org for the current news concerning it, as well as the ongoing investigation.

  10. British or Global problem? by Claws+Of+Doom · · Score: 3, Insightful

    I question the tone of the headline and the content. The implication is that British sites are being targeted exclusively. Being a British Government publication, this would have been their remit. I think that if the net was thrown wider you'd see that this is a general problem for the internet as a whole, and also for personal as well as business and Government computers. The article is correct in so far as it goes, but is far too narrow in its view to be newsworthy. It would have been far more interesting if they'd found that other territories weren't being targeted. My suspicion is that there isn't any targeting - only carpet bombing.

  11. Send in Austin Powers, he knows Trojans by digitaldc · · Score: 5, Funny

    The obvious solution to this problem is to recruit Austin Powers and have him go back in time to around 1995 to Microsoft Headquarters and take over their security services department. Then by sheer mojo, he will re-engineer the software to prevent these types of intrusions. Problem solved, the Queen is saved!

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  12. Re:Shocking by goatan · · Score: 2, Interesting

    I've got some balls alright, I simply tabbed once too often.

    We have seen major phishing attempts on the big US corporations for a while now, and people have been faking mails from ebay and the banks and everywhere else.

    Only now that UK organisations are targeted do they start moaning.

    There should be a concerted effort to stamp out this kind of shit targeting whichever organisation WORLDWIDE, not just a namby pamby "oh look our companies are getting done over". Organisations and ISPs should supply enough information about online fraud to everyone who needs it, and shouldn't wait until they get hit.

    Umm, these sorts of attacks have been known about for a long time. This is information about a specific problem; it's called a warning. It allows others to be aware that there is a new round of attacks going on and to be prepared if these e-mails come their way, so that less damage is done.

    Do you think it's better that no one knows about this latest round of attacks or should we twiddle our thumbs saying "everyone else should know about this we have no responsibility to help"?

    --
    Saying Apple is better than MS is like saying Botulism is better than rabies.

  13. Re:Shocking by krowten21 · · Score: 2, Insightful

    First of all, phishing is an attack against account holders of "Major US Corporations", not against those organizations. Vulnerability to targeted attacks using modified Trojans, while not new, is the weak underbelly of corporate security. No amount of security awareness training is going to stop someone from opening an email apparently from their boss that says: "Here is your performance appraisal, open immediately". There was a concerted (unreported in the media) attack against 5 big banks in New York a year ago. Customized viruses were used. It took major pressure to get the AV vendors to add sigs for these "non-wild" viruses. More at http://www.threatchaos.com/

  14. Ahh Social Engineering by snortCrush69 · · Score: 3, Insightful

    Once again charisma and believability > Technology. So many Network Admins become enamored with firewalls, IDS, and other kinds of tech savvy protection that they usually will hold the door open for social engineers. Until employees and users are better educated and social engineering becomes part of the corporate threat model, we're going to see these types of attacks continue to grow in number.