Intellectual property is now a prime target for cyber attacks
07 November 2011
On the eve of a major international conference on cyber security last week in London, the California-based IT security specialist Symantec announced the results of its 2011 Critical Infrastructure Protection (CIP) Survey - and it didn't make for comfortable reading. Critical infrastructure providers come from industries of such importance that if their cyber networks were successfully attacked and disabled, it would likely pose a threat to national security.
The key finding published in the 2011 report is a significant drop in awareness and engagement on a global basis, as measured by the CIP Participation Index. Compared with 2010, companies surveyed this year show a CIP Participation Index of 82 percent in government protection programmes, down 18 points from last year. Symantec's Global Intelligence Network director, Dean Turner, described the findings of the latest survey as "somewhat alarming", given recent attacks like 'Nitro' and 'Duqu' that have targeted critical infrastructure providers.
"Limitations on manpower and resources, as mentioned by respondents, help explain why critical infrastructure providers have had to prioritise and focus their efforts on more day-to-day cyber threats," says Mr Turner. "However, we think that targeted attacks against critical infrastructure providers in the form of Stuxnet, Nitro and Duqu will continue. Businesses and governments around the world should be very aggressive in their efforts to promote and co-ordinate protection of critical industry cyber networks. These latest attacks are likely just the beginning of more targeted attacks directed at critical infrastructure."
A number of chemical and defence sector companies were targeted with the 'Nitro' malware between April and September this year, as part of a co-ordinated campaign by an unknown group. Some of these targets were household names, involved in research and development of chemicals and advanced materials. According to Symantec’s recent report on the issue, the majority of infected machines were located in the US (27 per cent), Bangladesh (20 per cent) and the UK (14 per cent).
Symantec says the attackers’ modus operandi was first to identify desired targets and then send an email specifically to them. Each organisation typically only saw a handful of employees at the receiving end of these emails. However, in one organisation almost 500 recipients received a mail, while in two other organisations, more than 100 were selected. While the attackers used different pretexts when sending these malicious emails, two methodologies stood out.
First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update. The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email.
In both cases, says Symantec, the executable file was a self-extracting executable containing 'PoisonIvy', a common backdoor Trojan developed by a Chinese hacker. When the recipient attempted to open the attachment, they would inadvertently execute the file, causing PoisonIvy to be installed. The attackers were then able to instruct the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes.
Typically, the primary goal of the hackers is to obtain domain administrator credentials and/or gain access to a system storing intellectual property. Symantec says that once the attackers have identified the desired intellectual property, they copy the content to archives on internal systems they use as internal staging servers, then upload it to a remote site outside of the compromised organisation, thus completing the attack.
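The two lure formats described above (an executable named and iconed like a text file, and a password-protected archive holding an executable) can both be caught at the mail gateway without opening anything: compare the file's content with its name, and read archive member names and the per-member encryption flag from the ZIP headers. The triage check below is an added example, not Symantec's code or anything from the report; the extension lists and the tag names are assumptions, and the sample archives are constructed inline for testing.

```python
import io
import os
import zipfile
# Assumed lists: names a lure might use to look harmless, and extensions Windows executes.
DOCUMENT_LIKE = {".txt", ".doc", ".pdf", ".rtf", ".xls"}
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def is_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header, whatever the file is named."""
    return data[:2] == b"MZ"

def inspect_zip(data: bytes) -> set:
    """Read member names and the per-member 'encrypted' flag without extracting anything."""
    tags = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if os.path.splitext(info.filename)[1].lower() in EXECUTABLE:
                    tags.add("archive_contains_executable")
                    if info.flag_bits & 0x01:  # bit 0 of the general-purpose flag = encrypted
                        tags.add("password_protected_archive_with_executable")
    except zipfile.BadZipFile:
        tags.add("archive_malformed")
    return tags

def triage_attachment(filename: str, data: bytes) -> set:
    """Return tags describing why an attachment resembles the lures described above."""
    tags = set()
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if is_pe(data) and ext not in EXECUTABLE:
        tags.add("disguised_executable")  # content is a program, name says document
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_LIKE and ext in EXECUTABLE:
        tags.add("double_extension")  # e.g. minutes.txt.exe
    if data[:4] == b"PK\x03\x04":
        tags |= inspect_zip(data)
    return tags

def make_sample_zip(member: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted ZIPs, so the 'encrypted' bit
    is set by hand in both headers; the payload stays in clear, which a header check ignores."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:  # flag word is at +6 in the local header, +8 in the central directory
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)
```

A gateway would quarantine on any non-empty tag set; the check deliberately never extracts or runs the attachment, so it is safe to apply to every inbound message.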
In summary, Symantec says these attacks are primarily targeting private industry in search of key intellectual property for competitive advantage, military institutions, and governmental organisations - often in search of documents related to current political events and human rights organisations. The attack campaign focused on the chemical sector set out to obtain sensitive documents such as proprietary designs, formulas, and manufacturing processes.
Fracking and earthquakes
In a recent leader, I reported (perhaps a little cynically) that fracking had been blamed for a series of small earthquakes in the North West of England earlier this year; even the British Geological Survey was unwilling to rule out the possibility of a connection altogether.
Well, Cuadrilla Resources, the British company exploring for natural shale gas in the Bowland Basin in Lancashire, last week released the findings of a report it commissioned in consultation with DECC following this unusual seismic activity. In it, researchers conclude that it is “highly probable” that the hydraulic fracturing (fracking) of Cuadrilla’s Preese Hall-1 well did trigger a number of minor seismic events. However, none of these, including one in April of 2.3 and one in May of 1.5 on the Richter scale, had any structural impact on the surface above.
Cuadrilla says the seismic events were due to an unusual combination of geology at the well site, coupled with the pressure exerted by water injection as part of operations. This combination of geological factors was extremely rare, the company claims, and would be unlikely to occur together again at future well sites. However, if these factors were to combine again in the future, local geology limits seismic events to around magnitude 3 on the Richter scale as a “worst-case scenario”.
Cuadrilla chief executive, Mark Miller says his company unequivocally accepts the findings of the report, and that it is ready to put in place an early detection system (as proposed by the report) so that it can provide additional confidence and security to the local community. The company says it is currently working towards implementing the report’s recommendations so that it can safely resume its operations.
The report, entitled Geo-mechanical Study of Bowland Shale Seismicity, is the most comprehensive scientific study ever undertaken on the geology of the Bowland Basin. Cuadrilla says it intends to seek a peer review and has committed to publishing that review in due course.