Trying to make some sense of the announcement (PDF) last week by Britain’s secretive National Infrastructure Security Coordination Centre (NISCC) that
Parts of the UK’s Critical National Infrastructure (CNI) are being targeted by an ongoing series of email-borne electronic attacks. While the majority of the observed attacks have been against central Government, other UK organisations, companies and individuals are also at risk.
The press release makes several points:
- Not new, just newly publicised: These attacks have been underway “for a significant period of time” (grammar not being the NISCC’s strong point, apparently);
- Not vanilla phishing: These attacks are separate from industrial espionage and phishing attacks: “the attackers are specifically targeting governmental and commercial organisations”;
- The bad guys are in Asia: The attacks seem to be coming from “the Far East”;
- After information: In the NISCC’s words, “the covert gathering and transmitting of otherwise privileged information is a principal goal. The attacks normally focus on individuals who have jobs working with commercially or economically sensitive data.”
- They’re not script kiddies: The attackers are sophisticated and focused, using email lists to target people with similar interests, and are able to use newly available files as part of social engineering tricks to entice recipients to open the embedded trojans.
But we’re still a bit in the dark about much of this. Who, for example, is behind it? Quite a few experts have been wheeled out to point out who the culprits may be:
“To have achieved what this gang are doing then it either has to be state-sponsored or the highest level of organised crime,” said Dr Andrew Blyth, head of Glamorgan University’s Computer Forensics Department, who has worked with the UK’s law enforcement agencies to develop technology to combat high-tech crime.
But not everyone thinks this is some massive government-level conspiracy:
Sophos security consultant Carole Theriault didn’t confirm the NISCC’s suspicion that the attack was an organized effort. “From the Trojans themselves there’s nothing to suggest that they’re any part of a real campaign,” she told Information Week. “It’s possible that what the NISCC is seeing is just a lot of Trojans that hit agencies in a lot of different ways.”
This is significant, since Theriault and Sophos were brought in to help NISCC analyse the attacks, so they have more knowledge than most and would, one might expect, fall in behind the NISCC view of things. Sophos acknowledges the problem has been getting worse — it says it “has seen a threefold increase in the number of keylogging Trojans alone in the last year” — but suggests that the malicious code is not so much espionage as pure financial theft: “Malicious code is increasingly being written not just to cause a nuisance, but to steal money – whether targeting individual users of online banking or massive global corporations and government institutions,” the press release quotes Theriault.
Interestingly, my colleagues at the WSJ have taken a thorough look at the report and its broader implications. In a piece that appears in Monday’s WSJ (not yet available online), Cassell Bryan-Low quotes authorities as saying
The problem appears to be more widespread than the U.K. government initially indicated. The attacks started at least two years ago and have targeted institutions in the U.S., Canada and Australia, among dozens of other countries, authorities say.
It also quotes an unidentified law enforcement official who points the finger in a way no other story seems to actually do:
U.S. institutions have suffered similar attacks for at least a couple of years, and investigators suspect that the hacking is coming mostly from computers in China, according to a law-enforcement official. Hundreds of U.S. institutions have been targeted, this official said. Many of the targets are involved in technology research and development but also include financial institutions, he said. Government agencies and suppliers, such as defense contractors, were also targeted, he added.
Of course, just because the computers are in China doesn’t mean that the Chinese government, or even groups in China, are behind the attack, since China’s vast network of unsecured computers is one of the biggest conduits for spam and other sleazeware. But it doesn’t take a genius to draw the conclusion that if the attacks are sourced from the ‘Far East’, then China stands out among the possible culprits. So why has the NISCC chosen to release this warning now? And what happens next?