The UK government fell victim to a cyberattack that infected systems, foreign secretary William Hague has admitted.

In late December, spoofed emails claiming to come from the White House bypassed government filters and infected systems with a variant of the Zeus information-stealing Trojan, Hague told the Munich Security Conference on Friday.
"The UK Government was targeted in this attack and a large number of emails bypassed some of our filters," said Hague. "Our experts were able to clear up the infection, but more sophisticated attacks such as these are becoming more common."
The emails directed users to click on a link, which downloaded a variant of the Zeus Trojan, said Hague. MessageLabs, which filters emails for the UK government, had not responded to a request for comment at the time of writing. The Cabinet Office, which oversees government cybersecurity efforts, had also not responded to a request for comment.
Peter Sommer, a cybersecurity expert with the London School of Economics, told ZDNet UK that attribution of cyberattacks was difficult, so governments should focus more on defence than attacks.
"Nations still need to focus their cyber-defence policies on resilience — hardening the protection of computer systems and having detailed contingency plans to enable them to recover from an attack," Sommer said.
In his speech, Hague called for new rules to establish how countries should behave in cyberspace.
"In Britain, we believe that the time has come to seek international agreement about norms in cyberspace," Hague said. "We believe there is a need for a more comprehensive, structured dialogue to begin to build consensus among like-minded countries and to lay the basis for agreement on a set of standards on how countries should act in cyberspace."
Hague said the UK government wanted to host a cybersecurity conference in the summer "to explore mechanisms for giving [cyber] standards real political and diplomatic weight."
The UK government will push for agreements that aim for "governments to act proportionately in cyberspace and in accordance with national and international law", Hague said. Additional aims include more accessibility, tolerance, open flow of ideas, privacy, protection of intellectual property, collective action against criminals, and the promotion of competition, he added.
Think tank report
A report issued by US think tank the EastWest Institute on Thursday also called for "rules of the road", to be agreed between the US, Russia and other countries.
"Cybersecurity has quickly emerged as the linchpin of our mutual safety, stability and security," the report stated. "Yet the 'rules of the road' for cyber-conflict, or even the norms for behaviour, are blatantly absent."
The report said that countries need to establish whether humanitarian critical infrastructure should be disentangled from 'non-protected' infrastructures. Russia and the US need to examine whether humanitarian infrastructure, such as medical systems, needs to be clearly marked in cyberspace to avoid fallout, in a similar way to physical infrastructure being marked with a red cross or crescent.
A cyber-war convention should recognise that 'non-state actors' such as individuals or groups of citizens have more power in cyberspace than in the physical world, the report said, and that governments should be open to new levels of co-operation with non-state actors, non-governmental organisations and corporations.
Cyber-weaponry needs to be examined to see if any attack tools or methods have attributes that are proscribed under the Geneva Protocol, the report added, noting that Russia, the US and other countries should examine 'cyber-war' to see if a third state other than 'war' or 'peace' is applicable to cyberattacks.
The report was overseen by Karl Rauscher, who used to work for Bell Labs as executive director of network reliability and security, and Andrey Korotkov, a former Russian deputy 'informatisation' minister.
Talkback
The lower levels of the Civil service have machines totally locked down. The idiots in Whitehall who did this are the least tech savvy people on the planet, they have been given Administrator rights over their own machines and allowed emails from external sources which are not properly security cleared or spam/virus filtered.
The emails should be encrypted at all levels between staff/departments and governments anyway - that would be a dead giveaway - ones which are plain text or cannot be decrypted go into spam. Even Churchill and Roosevelt spoke across an encrypted line. You have to ask why give the top Echelons of the Civil Service internet access anyway when it is proven that it is they the user who are the weakest security link, losing laptops with millions of records, pendrives, documents etc.
GCHQ is sitting on its hands when it should be taking charge.
We need to be a lot more proactive in measures introduced in our country, innovative methods to deal with incoming/outgoing traffic.
OT: Phone hacking ... it's so easy to precisely locate a mobile phone over compromised networks, now why isn't the possible hacking of senior politicians' mobile phones treated as a matter of national security instead of a police / privacy matter?
GCHQ / MI5, the other organs of national security and the MoD need to be far more involved with these issues - I can guarantee that their counterparts abroad are involved.
So long as our national (security) IT infrastructure is based on inherently insecure operating systems such as Windows we'll always live in fear.
I have to agree with Andy, it all starts with the operating system. And since you can't buy a PC without Windows pre-installed, and then add IE, you start without security.
There are no simple answers to this. The most difficult and complicated answer of all is that of educating the people using the systems. This is a serious uphill battle as I know from direct experience. However there are measures that could be taken that would go a long way towards reducing the risk - regardless of what operating system was in use. Unfortunately all of them cost money and everyone (who is a bean counter) knows that bean counting is more important than security!
One of the first things that could be done (which would of course raise howls of protest) would be to supply an e-mail program that would display nothing but plain text. For real day-to-day information exchange nothing else is necessary.
There should be no possibility of in-line display of any other media, although a download option should be available, and the system fitted with read-only programs for relevant media, such as a dedicated PDF viewer that will NOT recognise any executable code.
Almost all web browsers are full of security holes, so again, at risk of having the poor users rolling around the floor in an agony of withdrawal symptoms, any organisation working in a supposedly secure environment needs to consider whether they can actually manage without - hint: they did previously.
The current situation didn't go 'Splot' on the pavement one dark stormy night. It developed over the last 20 years, with plenty of warning on the way. Maybe if organisations actually listened to their IT people things could improve - although of course most IT has been outsourced so there aren't many people with a real interest in doing anything other than making money out of the existing system.
I guess we're stuck with it indefinitely then :(
@ator1940
> And since you can't buy a PC without windows pre-installed
Not true, obviously. Even if you were by some happy accident correct, the operating system as shipped wouldn't usually be the one installed by a large company or government department: they have disk images for that.
@Tezzer
> Almost all web browsers are full of security holes
But it's not rocket science to run the browser in a sandbox, and Google Chrome does that without even asking you.
> Maybe if organisations actually listened to their IT people things could improve
I agree with most of your comment, but their IT people are the ones who coded stuff for IE6 (preventing the use of a modern browser) and who still install an insecure 10-year-old operating system when far better options are available, even from Microsoft ;-)
The fact that the UK government, NASDAQ and London Stock Exchange have all experienced targeted attacks demonstrates how cybercriminals are evolving their tactics to specify certain organisations. As a result, organisations need to look to invest in the defence and protection of their assets http://bit.ly/fSPDJS, rather than trying to source the attackers, which is almost impossible.
You have gotta be kidding. Here in "aussieland" or 'downunder', we are still in the stoneage of computer development. Our much flaunted Federal NBB which cost $64B is still being rolled out, and by the time it finally gets to major cities, the final cost will be prohibitive, and by Law will ban local ISPs (inevitably cheaper) from the market. 4G is the way to go, but try telling it to the Politicians in Canberra.
Disillusioned!