A U.K. critical infrastructure monitoring group is warning public and private sector organizations about a wave of electronic attacks that have compromised critical networks in Britain with Trojan horse programs in recent months.
The National Infrastructure Security Co-ordination Center, or NISCC, said on Thursday that it detected a series of e-mail attacks targeting U.K. companies and government agencies with Trojan programs that gather and transmit information to IP addresses in the Far East. Organizations that are part of the U.K. Critical National Infrastructure were advised to step up user education and detection measures to spot the Trojan programs, NISCC officials said.
The group acknowledged that most of the attacks were on U.K. government institutions, but did not say whether any information was stolen. Private companies and even individuals may also have been targeted, NISCC officials said.
“By providing information, practical help and advice, NISCC is working to enable organisations to take the steps needed to protect themselves and their data as best they can,” the U.K. Home Office said in an e-mail statement.
The NISCC discovered 17 Trojan or remote monitoring programs within the last one or two months, according to Stuart Taylor, manager of Sophos plc. in the United Kingdom, which analyzed the programs for NISCC.
The files submitted to Sophos included multiple variants of the Riler, Nethief and Dloader Trojans, which give remote users unauthorized access to compromised computers and allow them to open files and transmit them to remote servers.
Around two thirds of the programs submitted by NISCC to Sophos were known Trojan programs. Others were previously undetected variants of known Trojan families, Taylor said.
The programs were sent as attachments to e-mail messages that used so-called “social engineering” techniques such as faked sender addresses to trick the recipient into opening the attachment that installed the Trojan. In one case, the malicious program might also have been installed without user interaction using a software vulnerability in Microsoft Corp.s Windows DCOM (Distributed Component Object Model) RPC (Remote Procedure Call), he said.
While Trojans are a common malicious payload on the Internet, there is evidence that the reported attacks were targeted, NISCC officials said.
In some cases, the e-mail messages carrying the Trojan horse programs contained information about the job or interests of individuals at the victim organizations who handle commercially or economically sensitive data. For example, the messages were spoofed to appear to come from trusted contacts, news agencies or government agencies, to entice the recipients into opening the malicious attachment, according to NISCC.
A machine or machines in Asia was set up to receive stolen information. However, those machines may have only been the first stop for any stolen data, and are not proof that groups or governments in that part of the world are responsible for the Trojan attacks, Taylor said.
NISCC advised organizations that might be affected by the attack to harden their defenses against Trojan attacks by updating anti-virus definitions, applying software patches to vulnerable operating systems and educating users not to open suspicious attachments.
In May, the Israeli newspaper Haaretz published news of a massive industrial espionage ring that used custom-designed Trojans to steal trade secrets and other sensitive information from leading companies.
The two cases illustrate the growing threat to enterprises from Trojans, said Carole Theriault, security consultant at Sophos.
Sophos researchers identify around 15 new Trojans a day that require immediate definition updates for Sophos products. That is three times the volume of Trojan horse programs researchers were seeing last year at this time, she said.
It is possible that the agencies and companies affected were already using desktop or gateway anti-virus products, and that the Trojan variants eluded detection, Taylor said.
“We see so many of them, some will get through,” Taylor said. “You just have to use good common sense when dealing with this problem. Its an unavoidable part of doing business.”´
