The government is warning civil servants and critical UK businesses that they need to update IT security systems or risk attack from hackers intent on stealing commercially and economically valuable information.

The National Infrastructure Security Co-ordination Centre (NISCC), the governmental agency that protects computer-reliant industries from cyber attacks, issued the alert after discovering that government departments have been the target of Trojan email attacks in recent months.

More than 250 government departments and critical national infrastructure (CNI) companies such as utilities have been alerted to the danger by NISCC, after discovering that criminals have been using highly sophisticated methods to try to trick staff who handle commercially and economically sensitive data.

'For some time now we have been monitoring a number of email-borne electronic attacks against the UK critical national infrastructure,' said Roger Cumming, director of NISCC.

'The majority have been against government, but a number of other UK companies and individuals could be at risk.'

Although the attacks use similar methods to those seen in recent corporate phishing attempts in Israel (see below), they are unrelated and of 'industrial strength', says Cumming.

The emails use tactics such as mentioning news articles to try to trick the recipient into clicking on a link that downloads the Trojan software. Sender addresses are also spoofed to make it look as though emails have come from a trusted government department, news agency or individual.

'When you start to measure these attacks, it is clear they come from more than a couple of teenagers, and it's not about stealing money from firms,' said Cumming. 'They are aimed at information-gathering, and the characteristics show that they are extremely well-organised and structured.'

The hackers' motives are still unclear, but NISCC says the attacks are focused on covert gathering and transmission of privileged information, and are unlike normal phishing scams which try to trick employees into giving out financial details.

While it is hard to pinpoint the hackers, NISCC says the IP addresses used for sending emails and controlling the Trojans, as well as email header information, originate from the Far East.

Once opened, the Trojan installs itself on the user's machine and can be activated to obtain passwords, scan networks, download further Trojans, launch attacks on connected PCs and send stolen data back to the hacker's remote machine.

'They are collecting user names and passwords, uploading documents and downloading further malicious programmes,' says Cumming.

The attacks are hard to spot among legitimate network traffic, because standard application ports can be used by the hackers to transmit the stolen data out of the company.

NISCC says it is not aware of any information loss resulting from these specific Trojan email attacks, but it is urging businesses to upgrade IT systems before data is stolen.

Hackers can use the software to take full control of a user's compromised machine, and the security breach poses a threat to the confidentiality, integrity and availability of any data stored on the computer and its associated network, says NISCC. The centre has been working behind the scenes with governments and ISPs located where they believe the emails have originated, to try to stop the attacks.

IT security vendors have also been sent signatures of the particular Trojans used in these attacks, but NISCC warns the malicious code is being constantly modified to avoid detection by anti-virus software.

'We also advise firms to patch computer software, as 99.9 per cent of these attacks are exploiting existing vulnerabilities in technology products,' says Cumming. 'If everyone in the UK was to adopt our advice then the attacks would not have any affect whatsoever on UK plc.'

Cumming also told Computing that employees need to be educated about the dangers of attacks.

'Part of it is about having an educated workforce. It is also about knowing your networks and having a policy in terms of employees connecting to the internet,' he says.

'Surfing on untrusted web sites or opening up untrusted emails can have an adverse affect on the company that you work for. Firms need to adopt a strategy of strength and depth.'

For further advice on detection and protection against attacks visit: www.niscc.gov.uk

Virus writers are in it for the money

Last month's arrest of two computer consultants by the Metropolitan Police illustrates the changing nature of virus writing.

Computer specialist Michael Haephrati, 41, and his wife Ruth, 28, were arrested on suspicion of computer hacking. The arrests have been linked to Trojan software used by Israeli private detective agencies to spy on businesses' computer networks.

Police are investigating a number of Israeli companies that allegedly hired private detective firms to steal confidential data from competitor's computer networks.

'It used to be script kiddies that were writing viruses to impress their peers, but now people are doing it for financial gain,' said Fran Howarth, security practice leader at analyst Bloor Research.

'Criminals are getting the information so they can sell it, and they are specifically looking for things such as intellectual property, which they can sell for millions of dollars. This could bankrupt some companies,' she said at an Adobe security event.

Virus writers are also learning to change the characteristics of Trojan software to avoid detection by anti-virus firms, says Nigel Beighton, head of threat intelligence for Europe at information security firm Symantec.

'As well as regularly updating security software, firms need to realise that enterprise phishing relies on tricking people. They need to instill a healthy dose of scepticism into employees when it comes to trusting emails and web sites,' he said.