An unprecedented cyberattack on the Canadian government also targeted Defence Research and Development Canada, making it the third key department compromised by hackers, CBC News has learned.
The attack, apparently from China, also gave foreign hackers access to highly classified federal information and also forced the Finance Department and Treasury Board—the federal government’s two main economic nerve centres—off the internet.
Highly placed sources tell CBC News the cyberattacks were traced back to computer servers in China.
They caution, however, that there is no way of knowing whether the hackers are Chinese, or some other nationality routing their cybercrimes through China to cover their tracks.
While there is no definitive proof, of course, that China was behind these attacks, there is a lot of circumstantial evidence that points in that direction. China (allegedly) has a long history of engaging in espionage activities in order to gain access to information. In the United States, this is sometimes referred to as cyber warfare, but I think that cyber espionage is a better choice of terms. The stealing of state secrets is a diplomatic pastime. While the tools have evolved, the goals of the game have not.
The article continues:
Here’s how it worked:
Sources say hackers using servers in China gained control of a number of Canadian government computers belonging to top federal officials. The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.
At the same time, the hackers sent other staff seemingly innocuous memos as attachments. The moment an attachment was opened by a recipient, a viral program was unleashed on the network. The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.
One source involved in the investigation said spear-phishing is deadly in its simplicity: “There is nothing particularly innovative about it. It’s just that it is dreadfully effective.”
This is eerily similar to the Google attacks that occurred last year, when a top-ranking Google employee in China was sent a spear-phishing message over IM and clicked the link, which gave the attackers access to Google’s internal network. From there, several bits of code were stolen. The opening description is a little vague, however. How did the hackers using servers in China gain control of a number of Canadian government computers belonging to top federal officials? Chances are they used the same technique as before: they sent phishing messages to these federal officials and tricked them into opening an email (or IM message), after which their machines became infected with a piece of malware. Either that, or (more likely) they sent them messages purportedly from the IT department urging them to log in and reset or verify their credentials. Once they had those logins, they could send mass distributions to the internal staff at the government carrying more malicious pieces of malware. Since the mail came from someone they trust, and was sent internally, anti-virus scanners could be more readily bypassed. Thus, I see the timeline more like the following:
The article then says the following:
“There are access controls that need to be fixed; there are a whole series of minimum security issues that are not being dealt with. There are vulnerabilities. Government needs to fix them.” Three years later, Fraser checked again and found not much had changed. “It is important that these things be dealt with and be fixed—the government is vulnerable to attacks.”
Evidently, it still is.
This statement isn’t entirely fair. The reality is that any organization could be vulnerable to this type of attack. The weakest link in the above is not the technological infrastructure but the human component. So how could the Canadian government reduce their vulnerability footprint? Well, a lot of people pay a lot of money for this, but I’ll give them some free advice (note: if there is anyone from the Canadian IT department reading this, I’d be willing to allow you to make a donation to the Terry Zink Retirement Fund in exchange for this simple advice):
So, there are some suggestions for organizations to implement to reduce their vulnerability. The last one certainly isn’t easy, but I would think you’d get big bang for the buck there.
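The spear-phishing pattern the article describes (an executive's own mailbox used to ask technical staff for passwords, plus a malicious attachment) can be triaged at the mail gateway. The following is an added example, not code from this post or from any government system; the executive directory, the trusted relay address (a TEST-NET IP) and the sample messages are all constructed for illustration:

```python
import re
from dataclasses import dataclass, field

# Constructed directory of executives and the department's own mail relay (TEST-NET address);
# a real deployment would pull these from the directory service and the MTA configuration.
EXECUTIVES = {"deputy.minister@example.gc.ca"}
TRUSTED_RELAYS = {"203.0.113.10"}
CREDENTIAL_WORDS = r"(password|credentials?|log ?in)"
ACTION_WORDS = r"(send|reply|verify|reset|confirm)"
CREDENTIAL_REQUEST = re.compile(
    rf"\b{CREDENTIAL_WORDS}\b.*\b{ACTION_WORDS}\b|\b{ACTION_WORDS}\b.*\b{CREDENTIAL_WORDS}\b", re.I)
RISKY_ATTACHMENT = re.compile(r"\.(exe|scr|js|vbs|docm|xlsm)$", re.I)

@dataclass
class Message:
    sender: str                 # address the message claims to be from
    relay_ip: str               # host that handed the message to our MX
    spf_result: str             # "pass" / "fail" / "none" as recorded by the receiving MTA
    body: str
    attachments: list = field(default_factory=list)

def triage(msg: Message) -> list:
    """Return the spear-phishing indicators raised by one message, in a fixed order."""
    flags = []
    is_exec = msg.sender.lower() in EXECUTIVES
    # An executive's address arriving from outside the trusted relays, or failing SPF, is spoofed.
    if is_exec and (msg.relay_ip not in TRUSTED_RELAYS or msg.spf_result != "pass"):
        flags.append("spoofed-executive-path")
    if CREDENTIAL_REQUEST.search(msg.body):
        flags.append("credential-request-language")
        # Even from a genuinely internal mailbox, an executive asking staff to hand over
        # passwords is the anomaly: legitimate resets go through IT, not the other way round.
        if is_exec:
            flags.append("executive-requesting-credentials")
    if any(RISKY_ATTACHMENT.search(name) for name in msg.attachments):
        flags.append("risky-attachment-type")
    return flags

# Constructed sample traffic: a compromised executive mailbox used internally (the scenario
# in the article), a benign internal memo, and a crude external spoof of the same executive.
SAMPLES = {
    "compromised-exec": Message("deputy.minister@example.gc.ca", "203.0.113.10", "pass",
        "Please reply with your network password so I can verify access before the briefing.",
        ["Briefing_Memo.docm"]),
    "benign-memo": Message("analyst@example.gc.ca", "203.0.113.10", "pass",
        "Attached is the agenda for Thursday.", ["agenda.pdf"]),
    "external-spoof": Message("deputy.minister@example.gc.ca", "198.51.100.7", "fail",
        "Minutes from today's meeting attached.", ["minutes.docx"]),
}

def run_samples() -> dict:
    return {name: triage(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(f"{name}: {flags or 'clean'}")
```

The point of the second check is that the compromised mailbox passes every path-based test, so the content of the request itself has to be the trigger.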
There’s definitely a case for multi-factor authentication here. So long as people can be fooled into divulging all their authentication credentials, phishing is going to remain dangerously effective. You need to include something the user can’t effectively divulge as an authentication factor.
There’s also a good case for cloud-based email here. I don’t worry so much about attachments, because I get Google to render them for me. The actual attachment never makes it as far as my computer, so it’s not my computer that’s immediately at risk. The attachments shouldn’t be downloadable at all without first running a gauntlet of AV scanners, of course.
Thanks for the overview. At last something like a positive note against the “nothing can be done except disconnecting from the Internet” choir I hear so often.