European governments and businesses should investigate alternative communication channels to e-mail in the longer term after a string of alarming attacks, the EU’s cyber security agency warned today (13 March) in a special alert.
The European Network and Information Security Agency (ENISA) issued the so-called Flash Note in the wake of “recent major cyber-attacks”, calling for Europe’s businesses and governments to take urgent action to combat emerging cyber-attack trends.
The report cites three clear attacks against EU government and "critical infrastructure" targets in the first three months of this year.
In the last days of February, the so-called ‘MiniDuke’ cyber attack was discovered by cyber-analysts Kaspersky and CrySyS. It affected “users in governmental organisations across the EU,” according to ENISA.
The news came only weeks after US cyber security firm Mandiant published a report detailing a range of cyber espionage involving the theft of terabytes of data from hundreds of organisations, including operators in the EU’s critical sectors.
Hunt for ‘Red October’ continues
“Another cyber espionage attack, known as Red October, was discovered in January of this year and is said to have been targeting governmental and diplomatic organisations across the globe for several years,” the report said.
ENISA is calling for Europe’s businesses and government organisations to take urgent action to combat these emerging attack trends.
All the attacks follow a common pattern, ENISA claims. Attackers send apparently genuine emails that are in fact “spear-phishing” attempts. Such emails contain links to an internet page containing malware, or maliciously prepared attachments.
The malware then exploits software vulnerabilities in the host computer system to propagate and infect other parts of the network.
In the case of MiniDuke, a flaw in Adobe’s Acrobat Reader, commonly known by its "PDF" file format, allowed the attackers to gain sufficient control over the target to start gathering intelligence, ENISA claims.
“Often the attacker uses the intelligence gathered to attack other victims or other machines in the same organisation (this is sometimes called ‘lateral movement’),” the report said.
The report gives specific warnings on email, claiming that this now ubiquitous form of communication is insecure. Since most email systems do not provide any kind of authentication, the security agency said: “It is very hard for users to understand where the message originates from and whether or not the sender is a trusted party.”
Investigate new models for email
This makes it very easy for attackers to send fake messages or to pretend they are someone else, according to ENISA.
As a short-term remedy the agency recommended that “organisations in critical sectors should mitigate by using encryption solutions and/or sender authentication frameworks to avoid becoming an easy target of spear-phishing.”
More alarmingly, in the long term, ENISA recommends that “industry, government and businesses should investigate alternative communication channels [to email] which better protect users from spoofing or phishing.”
The security agency also drew attention to the ‘trade-offs’ computer systems operators must make between software features and software security.
“The more features and interoperability features software has, the more difficult it is to ensure that the software is free of vulnerabilities,” the warning note says, adding that governments and businesses should “proactively reduce the attack surface by reducing the complexity of software installed on user devices”, and also reduce the permissions of users to access corporate and government digital networks.
Do not point the finger at specific attackers
The ENISA report is cautious about attributing attacks to specific groups or countries.
“Cyber attackers operate across borders and attackers can easily operate across continents. It should be stressed that attribution of cyber-attacks is in general difficult,” the report claimed, reflecting the EU’s unwillingness to pin the blame on a specific country.
Last August, in the wake of other cyber attacks, a source with knowledge of Europe’s security agenda said on condition of anonymity: “There is a reluctance [in Brussels] to point the finger at China.”
“It is also possible that the source of the attacks could be different countries. For example it is possible that agents could be operating through hijacked IP addresses in China and using these stolen IP addresses as the basis of another attack, to confuse targets as to the true identity of the hackers,” the source said.
ENISA concluded its alert by endorsing the importance of the EU’s recently published European Cyber Security Strategy, which “provides a roadmap for enhancing prevention against cyber-attacks and failures while setting important cornerstones.”
Commenting on the latest wave of cyber attacks, ENISA’s executive director, Professor Udo Helmbrecht, said: “Well known cyber-attack methods, such as spear-phishing, are still very effective. However, much can be done to counter these attacks - by making users aware of traps, and by ensuring that better security measures are in place.
“In cyberspace, it is difficult to be sure where attacks originate, so the focus should be on preventing and mitigating attacks, regardless of where the attackers are based.”
"As communications infrastructure and systems become more complicated and ICT products integrate more hardware, software, and service applications, the global supply chain necessitates ICT products being designed, manufactured, and assembled in different countries or regions," according to Wout van Wijk, EU public affairs manager with tech company Huawei.
"As a result, it is very difficult to locate and trace the source of threats when cyber security issues arise. In light of this global supply chain, international cooperation across the board is needed. A fair and open discussion will ultimately lead to a better understanding of this global challenge, which will allow us to better harness our own skills, our data and our systems to act against these threats. I therefore hope the European Union intensifies its efforts to engage with governments, users and industry players worldwide, in an open debate," van Wijk concluded.
Most cybersecurity incidents are often not reported or detected even though they can affect millions of citizens and businesses, according to the European Network and Information Security Agency (ENISA). Cyber attacks can lead to losses of millions of euros or even bankruptcy.
According to figures from the office of Internal Affairs Commissioner Cecilia Malmström, 95% of companies are "aware" of cyber attacks made on their business. 76% of SMEs faced breaches in 2012.
- 2013: EU Council and Parliament to consider Commission's proposed cybersecurity strategy
- European Network and Information Security Agency (ENISA): Flash Note: Cyber-attacks – a new edge for old weapons (13 March 2013)
- European Commission: EU Cybersecurity Strategy
- European Commission: Press release: EU Cybersecurity plan to protect open internet and online freedom and opportunity (7 Feb. 2013)