The European Commission has disabled all remote
email access following a serious and targeted attack days before a
summit to discuss Libya.
A large-scale malware-driven attack on the
European Commission and its foreign ministry, the European External Action
Service, was discovered on March 22. Employees have been asked to change
their passwords, and all remote access to email and the internal intranet
has been revoked, the commission said.
"We're often hit by cyber-attacks, but this is a big one," an EC source told BBC News.
The Security Directorate, the EC’s security team,
was investigating the breach, according to Antony Gravili,
inter-institutional relations spokesman for the Commission. The team
will also be focusing on how to avoid similar attacks in the future.
The EEAS will be using its intelligence capabilities to minimize the
effects of the breach, as well.
Gravili blamed the breach on malware and not on a
direct assault to steal documents. “In reality it’s very difficult to
draw the line between those two eventualities,” countered Rik Ferguson,
director of security research and communication at Trend Micro, in a blog post. “Malware is simply one of the tools in the criminal and international espionage bag of tricks,” he said.
The EC still did not know how long the attack had
been ongoing or the type of malware used, Gravili said. He also
declined to reveal whether hackers had launched the attack via email or
whether any data had been compromised.
The breach was discovered just days before the
summit that opened March 24 to discuss the Libyan crisis, European debt
and nuclear power. However, Gravili downplayed the timing of the
attacks. “I have no information at all linking the attack to the
summit, we don't only suffer attacks at these times,” he said.
The breach is similar to the sophisticated hack
that stole G20 documents from the French Ministry of Finance earlier
this year. In that attack, more than 150 computers were compromised and
the attackers were after files on the G20 summit held in Paris in
February. The attackers were professional, determined and persistent,
and had launched “the first attack of this size and scale against the
French state,” Patrick Pailloux, director general of the French
National Agency for IT Security, said at the time.
Gravili said no evidence had been found yet to
link these two incidents. While Gravili refused to speculate on the
attackers’ origin, a different EU source suggested to EUObserver that China may be among the suspects.
Also earlier this month, nearly 40 government and
commercial Web sites in South Korea were hit by a massive
malware-driven denial-of-service attack. The attack affected the
president’s office, the Foreign Ministry, National Intelligence Service
and sites belonging to the United States military in Korea.
The malware, NetBot, infected computers and then
configured them as zombies that joined the large-scale
denial-of-service attacks, according to Ron Meyran, director of
security products at Radware.
Along with launching a DDoS attack, the malware
also destroyed the master boot records of the infected zombies,
according to an analysis of the attack by Georg Wicherski, a security researcher at McAfee.
Ferguson called the attacks on government
organizations the “new reality” and said that cyber-espionage is easier to
initiate and carries less risk than traditional espionage.
It is also much more difficult to spot, he said.