Those pesky state-sponsored hackers under the control of foreign governments have been up to their old tricks again.
That's the claim of British Cabinet Office minister Francis Maude, who said during a speech this week that a "state-sponsored hostile group [had] gained access to a system administrator account on the Government Secure Intranet."
Below you can read the relevant part of the speech, given at IA14, the British government's conference for cyber security and information assurance decision makers. (The highlighting is mine)
> Most recently, we’ve faced Gameover Zeus – not just a virus, but a worldwide pandemic – with the power to intercept and redirect financial transactions from infected computers. These are just the ones we hear about; the ones that got through – others have been thwarted.
>
> I can tell you of a recent case where a state-sponsored hostile group gained access to a system administrator account on the Government Secure Intranet. Fortunately this attack was discovered early and dealt with to mitigate any damage.
>
> For that – and in many other cases – we can be thankful that we have some brilliant people working to keep us safe. They’re drawn from GCHQ and the security services, the armed forces, the police and National Crime Agency, the civil service, and of course the private sector too, but they share much in common. They’re bright, motivated and have bucket loads of expertise.
Just like his boss David Cameron, Maude thinks that GCHQ are "brilliant".
Although The Rt Hon Francis Maude MP says in his speech he "can tell us about a recent case", he actually tells us very little indeed. In fact, he says less than 30 words on the subject of this hacker attack.
What we aren't told is:
- Which country or state was backing the "hostile group"?
- How did the authorities confirm which country was involved?
- How did the authorities confirm that the hostile group was backed and supported by the country? (as opposed to launching the attack independently)
- How did the hackers gain access to the system administrator account? (Vulnerability? Poor patching regime? Lousy choice of password? Human error?)
- How was the attack identified? (It's claimed it was "discovered early", but was that because sensitive data was spotted being exfiltrated to a third-party server?)
- Was it just a government server that was targeted, or were others at risk?
- The list goes on...
All I know is that attributing internet attacks to a particular country - let alone to a group backed by a foreign government - is enormously difficult, because of the ease with which hackers can hide their tracks and bounce between different computers around the world.
A "professional" hacker is unlikely to leave breadcrumbs lying around making it easy to identify their origin, let alone clues proving that their home country's intelligence agency is supporting their activity.
The truth is that it is enormously difficult to determine who is ultimately responsible for a targeted attack. A large amount of technical information and contextual data needs to be analysed to piece together clues over time. And time is, most likely, not what was available on this occasion as the "attack was discovered early and dealt with to mitigate any damage."
It's easy for a researcher to misattribute an attack based upon information which has been spoofed by the attacker - such as IP addresses - leading to a misguided verdict.
Does it matter that it is unlikely that the authorities really identified who was responsible for the security breach on that government computer? Perhaps not - after all, we can feel fairly confident that many countries are engaged in internet espionage, and we know that the UK itself has expressed no qualms about launching a cyberstrike.
But I still feel uneasy when politicians stir up concern over attacks on government infrastructure, without providing any detail which stands up to inspection by dispassionate independent experts in the field.
In fact, I would like to feel that I could trust my elected representatives to tell the full truth, even if they find it unsatisfactory as they failed to produce the "smoking gun" evidence that proved a particular country was involved.