The European Network and Information Security Agency (ENISA) issued the so-called Flash Note in the wake of “recent major cyber-attacks”, calling for Europe’s businesses and governments to take urgent action to combat emerging cyber-attack trends.
The report cites three clear attacks against EU government and "critical infrastructure" targets in the first three months of this year.
In the last days of February, the so-called ‘MiniDuke’ cyber attack was discovered by cyber-analysts Kaspersky and Crysys. It affected “users in governmental organisations across the EU,” according to ENISA.
The news came only weeks after US cyber security firm, Mandiant, published a report detailing a range of cyber espionage involving the theft of terabytes of data from hundreds of organisations, including operators in the EU’s critical sectors.
Hunt for ‘Red October’ continues
“Another cyber espionage attack, known as Red October, was discovered in January of this year and is said to have been targeting governmental and diplomatic organisations across the globe for several years,” the report said.
ENISA is calling for Europe’s businesses and government organisations to take urgent action to combat these emerging attack trends.
All the attacks follow a common pattern, ENISA claims. Attackers send apparently genuine emails, which are “spear-phishing” attempts. Such emails contain links to an internet page containing malware, or maliciously prepared attachments.
The malware then exploits software vulnerabilities in the host computer system to propagate and infect other parts of the network.
In the case of Miniduke a flaw in Adobe’s Acrobat reader, commonly known under its "PDF" file name, allowed the attackers to gain sufficient control over the target to start gathering intelligence, ENISA claims.
“Often the attacker uses the intelligence gathered to attack other victims or other machines in the same organisation (this is sometimes called ‘lateral movement’),” the report said.
The report gives specific warnings on email, claiming the now ubiquitous communications are insecure. Since most email systems do not provide any kind of authentication, the security agency said: “It is very hard for users to understand where the message originates from and whether or not the sender is a trusted party.”
Investigate new models for email
This makes it very easy for attackers to send fake messages or to pretend they are someone else, according to ENISA.
As a short-term remedy the agency recommended that “organisations in critical sectors should mitigate by using encryption solutions and/or sender authentication frameworks to avoid becoming an easy target of spear-phishing.”
More alarmingly, in the long term, ENISA recommends that “industry, government and businesses should investigate alternative communication channels [to email] which better protect users from spoofing or phishing.”
The security agency also drew attention to the ‘trade-offs’ computer systems operators must make between software features and software security.
“The more features and interoperability features software has, the more difficult it is to ensure that the software is free of vulnerabilities,” the warning note says, adding that governments and businesses should “proactively reduce the attack surface by reducing the complexity of software installed on user devices”, and also reduce the permissions of users to access corporate and government digital networks.
Do not point the finger at specific attackers
The ENISA report is cautious about attributing attacks to specific groups or countries.
“Cyber attackers operate across borders and attackers can easily operate across continents. It should be stressed that attribution of cyber-attacks is in general difficult,” the report claimed, reflecting the EU’s unwillingness to pin the blame on a specific country.
Last August, in the wake of other cyber attacks, a source with knowledge of Europe’s security agenda said on condition of anonymity: “There is a reluctance [in Brussels] to point the finger at China.”
“It is also possible that the source of the attacks could be different countries. For example it is possible that agents could be operating through hijacked IP addresses in China and using these stolen IP addresses as the basis of another attack, to confuse targets as to the true identity of the hackers,” the source said.
ENISA concluded its alert by endorsing the importance of the EU’s recently published European Cyber Security Strategy, which “provides a roadmap for enhancing prevention against cyber-attacks and failures while setting important cornerstones.”