British parliament attacked using WMF exploit
The U.K. Government's e-mail security provider confirms hackers in China orchestrated attack.
MessageLabs, the e-mail-filtering provider for the U.K. government, told ZDNet UK that targeted e-mails were sent to various individuals within government departments in an attempt to take control of their computers. The e-mails harbored an exploit for the Windows Meta File vulnerability.
The attack occurred over the Christmas period and came from China, said Mark Toshack, manager of antivirus operations at MessageLabs, who added that the e-mails were intercepted before they reached the government's systems.
"The attack definitely came from China--we know that because we log the IP addresses. The U.K. Government was targeted but none (of the e-mails) got through. No one was affected. They were attacked, but they (the government) didn't know about it until we told them," Toshack said.
The vulnerability with the way that WMF images are handled by Windows was discovered in November 2005. In a WMF attack, exploit code is hidden within a seemingly normal image that can be spread via e-mail or instant messages.
The first exploit code targeting the flaw was detected on Dec. 29, but Microsoft did not issue a patch until Jan. 5, after a security researcher released his own unofficial patch.
The British parliament attack occurred on the morning of Jan. 2, before Microsoft's official patch was available. The hackers tried to send e-mails that used a social-engineering technique to lure people into opening an attachment containing the WMF/Setabortproc Trojan horse.
The Trojan, had it been downloaded, would have allowed the attackers to view files on the PC. The hackers may also have been able to install keylogging malicious software, said Toshack, enabling attackers to see classified government passwords.
The attack was individually tailored and sent to 70 people in the government, MessageLabs said. It played on people's natural curiosity by purporting to come from a government security organization. The Trojan was hidden as an attachment called "map.wmf".
The body text of one of the e-mails read:
"Attached is the digital map for you. You should meet that man at those points separately. Delete the map thereafter. Good luck. Tommy"
The hackers could have been successful if the e-mails had reached their destinations, said Toshack. "It's like something you get from 'Spooks'--you can think 'I'm suddenly an MI5 agent.' You can see how it could work--it plays on people's romanticism about spies," Toshack suggested.
Speaking last November, Alan Paller, director of the SANS Institute, claimed that the Chinese government was employing malicious hackers.
"Of course it's the government. Governments will pay anything for control of other governments' computers. All governments will pay anything. It's so much better than tapping a phone," Paller said.
Toshack could not confirm whether the Chinese government had been involved. "It is a Chinese hacker gang. I don't know if it is the Chinese government, and I don't know if it's the Chinese government paying a hacker gang," he said.
According to a Home Office source, the U.K. government is concerned about the threat posed by Trojan attacks. A Home Office representative would not confirm or deny that an attack took place over Christmas.
"We do not comment on security matters, but have had discussions with many governments and computer emergency response teams from around the world on the matter of targeted Trojan attacks," the Home Office representative told ZDNet UK.
The attempted attack on Parliament was first reported by The Guardian last week.
Tom Espiner of ZDNet UK reported from London.