State-sponsored hackers breached UK government network, claims minister

Those pesky state-sponsored hackers under the control of foreign governments have been up to their old tricks again.

That's the claim of British Cabinet Office minister Francis Maude, who said during a speech this week that a "state-sponsored hostile group [had] gained access to a system administrator account on the Government Secure Intranet."

Below you can read the relevant part of the speech, given at IA14, the British government's conference for cyber security and information assurance decision makers. (The highlighting is mine)

Part of Francis Maude's speech

Most recently, we’ve faced Gameover Zeus – not just a virus, but a worldwide pandemic – with the power to intercept and redirect financial transactions from infected computers. These are just the ones we hear about; the ones that got through – others have been thwarted.

I can tell you of a recent case where a state-sponsored hostile group gained access to a system administrator account on the Government Secure Intranet. Fortunately this attack was discovered early and dealt with to mitigate any damage.

For that – and in many other cases – we can be thankful that we have some brilliant people working to keep us safe. They’re drawn from GCHQ and the security services, the armed forces, the police and National Crime Agency, the civil service, and of course the private sector too, but they share much in common. They’re bright, motivated and have bucket loads of expertise.

Just like his boss David Cameron, Maude thinks that GCHQ are "brilliant".

Although The Rt Hon Francis Maude MP says in his speech that he "can tell you of a recent case", he actually tells us very little indeed. In fact, he devotes barely two sentences to the subject of this hacker attack.

What we aren't told is:

  • Which country or state was backing the "hostile group"?
  • How did the authorities confirm which country was involved?
  • How did the authorities confirm that the hostile group was backed and supported by the country? (as opposed to launching the attack independently)
  • How did the hackers gain access to the system administrator account? (Vulnerability? Poor patching regime? Lousy choice of password? Human error?)
  • How was the attack identified? (It's claimed it was "discovered early", but was that because sensitive data was spotted being exfiltrated to a third-party server?)
  • Was it just a government server that was targeted, or were others at risk?
  • The list goes on...

All I know is that attributing internet attacks to a particular country, let alone proving that they were backed by a foreign government, is notoriously difficult, because attackers can so easily hide their tracks by bouncing between compromised computers around the world.

A "professional" hacker is unlikely to leave breadcrumbs lying around making it easy to identify their origin, let alone clues proving that their home country's intelligence agency is supporting their activity.

The truth is that it is enormously difficult to determine who is ultimately responsible for a targeted attack. A large amount of technical information and contextual data needs to be analysed to piece together clues over time. And time is, most likely, not what was available on this occasion as the "attack was discovered early and dealt with to mitigate any damage."

It's easy for a researcher to misattribute an attack based upon information which has been spoofed by the attacker - such as IP addresses - leading to a misguided verdict.
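The point about spoofed evidence can be made concrete. The script below is an added example and is not from the original post, the speech, or any government source: it parses two constructed access-log lines (a combined-log-style format with a trailing, quoted X-Forwarded-For field) and contrasts the "origin" a naive analyst would read from the client-supplied header with what the server's own network evidence supports. Every address, the relay list and the country table are made-up fixtures, and the country names are placeholders for what a real GeoIP lookup would return.

```python
"""Added example (not from the original post): why log-derived "origin"
evidence is weak ground for attribution.

Each constructed log line carries the TCP peer address the server actually
saw plus a client-supplied X-Forwarded-For header.  The header is
attacker-controlled, so attributing on it means trusting the intruder's own
claim; the peer address is real but may only be the last hop of a relay chain.
All addresses, the relay list and the country table are made-up fixtures.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines: combined-log style with an extra quoted
# X-Forwarded-For field at the end ("-" when the header was absent).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2014:02:13:41 +0100] "GET /admin/login HTTP/1.1" 200 512 "192.0.2.99"
198.51.100.22 - - [17/Jun/2014:02:14:05 +0100] "POST /admin/login HTTP/1.1" 302 0 "-"
"""

# Hypothetical set of addresses known to be anonymising relays (exit nodes,
# open proxies): traffic arriving from them says nothing about its origin.
KNOWN_RELAYS = {ipaddress.ip_address("198.51.100.22")}

# Hypothetical "geolocation" table standing in for a real GeoIP database.
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "Country A",
    ipaddress.ip_network("198.51.100.0/24"): "Country B",
    ipaddress.ip_network("192.0.2.0/24"): "Country C",
}

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<xff>[^"]*)"$'
)


@dataclass
class Verdict:
    peer: str
    claimed_origin: Optional[str]   # what X-Forwarded-For says; attacker-controlled
    naive_country: Optional[str]    # attribution if you trust that header
    peer_country: Optional[str]     # attribution from the address the server saw
    confidence: str                 # "none" or "last-hop-only"


def geolocate(ip: ipaddress.IPv4Address) -> Optional[str]:
    for net, country in GEO.items():
        if ip in net:
            return country
    return None


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    return m.groupdict()


def assess(line: str) -> Verdict:
    """Compare a header-based attribution with what the network evidence supports."""
    rec = parse_line(line)
    peer = ipaddress.ip_address(rec["peer"])
    claimed = None
    naive_country = None
    if rec["xff"] != "-":
        # X-Forwarded-For may be a comma-separated chain; the first entry is
        # what a naive analyst would treat as "the real client".
        first = rec["xff"].split(",")[0].strip()
        try:
            claimed_ip = ipaddress.ip_address(first)
            claimed = str(claimed_ip)
            naive_country = geolocate(claimed_ip)
        except ValueError:
            claimed = first          # junk header; still attacker-controlled
    if peer in KNOWN_RELAYS:
        # The last hop is a relay: the true origin is unknown, and any
        # country the relay's address maps to is meaningless for attribution.
        return Verdict(str(peer), claimed, naive_country, None, "none")
    # Otherwise the peer address is genuine, but only tells you the last hop.
    return Verdict(str(peer), claimed, naive_country, geolocate(peer), "last-hop-only")


def assess_log(text: str) -> List[Verdict]:
    return [assess(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for verdict in assess_log(SAMPLE_LOG):
        print(verdict)
```

The first line shows the header-trusting analyst landing on "Country C" while the address the server actually spoke to is in "Country A"; the second shows that even the genuine peer address is worthless once it turns out to be a relay. Neither verdict says anything about who sat at the keyboard, which is the gap between "we saw traffic from X" and "state X was behind it".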

Does it matter that it is unlikely that the authorities really identified who was responsible for the security breach on that government computer? Perhaps not - after all, we can feel fairly confident that many countries are engaged in internet espionage, and we know that the UK itself has expressed no qualms about launching a cyberstrike.

But I still feel uneasy when politicians stir up concern over attacks on government infrastructure, without providing any detail which stands up to inspection by dispassionate independent experts in the field.

In fact, I would like to feel that I could trust my elected representatives to tell the full truth, even when that truth is unsatisfying because no "smoking gun" evidence was found to prove that a particular country was involved.



5 Responses

  1. Philip Le Riche

    June 18, 2014 at 9:44 am #

    … and in other news: the sky is blue and the sea is wet.

    No surprises there then. I suspect Francis Maude asked GCHQ for a bland example he could use in a speech and this is what they came up with. I wouldn't expect him to reveal any more.

    It's a given that HMG is constantly under attack and GCHQ will naturally be investigating attempted and sometimes successful breaches all the time. In this way, they will undoubtedly have learned the modus operandi of different groups and hence been able to take attribution well beyond simple IP geolocation, just as Mandiant did.

    The GSi has many, many thousands of users across every Government department as well as in government agencies and local government. It would be completely unrealistic to imagine that breaches wouldn't occur, and some will undoubtedly obtain admin privileges. As has been observed before, the biggest vulnerability is always between the keyboard and the back of the chair.

    And yes, I believe GCHQ does have some pretty bright guys and gals. An organisation like that would be looking to recruit a good number of first class honours graduates.

  2. Scott Herbert

    June 18, 2014 at 12:02 pm #

    And in other news… A shady government has admitted hacking into a computer network located within another country

    http://www.bbc.co.uk/news/technology-27887639

    OK it's a stretch, but not much of one.

  3. Hilary Minor

    June 18, 2014 at 1:07 pm #

    "In fact, I would like to feel that I could trust my elected representatives to tell the full truth, even if they find it unsatisfactory . . . "

    Dear Graham,

    You can never, ever, trust your elected representative to tell the full truth. Politicians are Past Masters in the Art of Being Economical with the Truth and twist information into whatever shape is expedient at the moment. You must read the recent Huff Post article on the way the current government has lied about the UK's so-called financial deficit. It will blow your socks off. No, they are not to be trusted under any circumstances.

  4. Vito

    June 18, 2014 at 1:44 pm #

    "…I would like to feel that I could trust my elected representatives…"

    People in hell want ice water, Graham. They'll get their wish sooner than you'll get yours.

    When people stop dismissing the growing criticism of politicians and the corrupt system they represent as "cynicism" and recognize that the system itself is the problem, then we'll begin to make some progress.

    The solution to state fraud and the abuse of power is not "better elected representatives", because no matter whom you elect, electing them to power is the problem. Power corrupts.

    The way to end abuse of power is not to give these clowns any power in the first place. It's not rocket science.

  5. Simba “CyboPedia” Mudonzvo

    June 19, 2014 at 3:30 pm #

    Regarding issues of cyber crime, for the victim it becomes a question of

    "To tell all or not to tell"

    It is an interesting conundrum because the government cannot go into detail about the attack as other cyber criminals might use that information to conduct further attacks.

    Whilst at the same time you cannot go to the house of commons and give little information about an attack which is of great concern to the nation.

    And so the world continues in its ignorance:-(
