Feds' next challenge: targeted data attacks

'With the developments we've seen in spyware, it's not surprising we're seeing these attacks now.'

'Cyber security Industry alliance's Paul Kurtz

J. Adam Fenster

Federal agencies are facing a new set of low-level but targeted Trojan horse software cyberattacks aimed at obtaining specific information from PCs.

These malicious e-mail messages contain stealth programs that direct infected computers to transmit sensitive and confidential information elsewhere.

U.S.-CERT officials would not comment on the new rash of attacks, but private-sector security experts confirmed an increase in targeted Trojan horse activity aimed at federal departments.

Roger Thompson, director of malicious content research for Computer Associates International Inc., said 'it would be na've' to think government systems aren't being targeted.

'We have entirely too much evidence to believe it's circumstantial,' he said. 'I've been told by people that I know, believe and trust that it's happening.'

According to a report published by SecurityFocus.com, a Web site dedicated to cybersecurity issues and owned by IT security vendor Symantec Corp. of Cupertino, Calif., similar attacks have been detected during the past year targeting agencies in other countries in addition to the United States.

'These electronic attacks have been under way for a significant period of time, with a recent increase in sophistication,' the National Infrastructure Security Co-ordination Centre (NISCC), the U.K. equivalent of U.S.-CERT) said in a warning issued last month of attacks on British government and corporate systems. 'The attackers' aim ap- pears to be covert gathering and transmitting of commercially or economically valuable information.'

Agencies in Australia and Canada also issued alerts to government agencies and companies that are part of those nations' critical infrastructure.

One U.S.-CERT official, speaking on condition of anonymity, said 'the NISCC bulletin was good security hygiene.'

'The fact that we're starting to see tailored attacks targeting government information systems that may seek to extract or alter information really should not surprise anybody,' said Paul Kurtz, executive director of the Cyber Security Industry Alliance, based in Arlington, Va. 'Particularly with the developments we've seen in spyware, it's not surprising we're seeing these attacks now.'

Alan Paller, director of research for the SANS Institute in Bethesda, Md., said the government's silence on the issue is not surprising under the circumstances.

'This administration doesn't want to admit the problem [of cyberthreats] is much worse than they thought it was,' Paller said.

Bob Dix, former staff director of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, said the attacks 'are just another manifestation of the lack of investment' in security measures.

'For years the focus has been, for federal agencies particularly, around features and functionality rather than security,' Dix, now a vice president of Citadel Security Software Inc. of Dallas, said. Agencies have focused on such things as patch management instead of a comprehensive strategy for vulnerability management and remediation.

'This is just the latest call to arms for folks,' he said.

Executives with other major computer security companies confirmed the attacks have been under way for some time.

'What we're all seeing, starting last year and coming into this year, is a changing profile of attacks,' said Vincent Weafer, senior director with Symantec. 'What we saw [were] unremarkable Trojans, things you'd see regularly coming into us. What is different is, they're creating thousands of these variants [and] they're using spamware to target specific entities.'
Kurtz believes cyberattacks can be categorized into three waves:
  • Those that go after sensitive personal information

  • Those that are closely related to the first, but go after proprietary information, such as economic or government intelligence on plans, programs and other actions

  • Those that target control systems such as infrastructure for power grids.

'We need to anticipate' the third wave, Kurtz said.
To read the NISCC report, go to www.gcn.com and enter 441 in the GCN.com/search box.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above