The German Aerospace Centre (DLR), based in Cologne, confirmed on Monday that it had suffered a months-long cyber attack by a foreign intelligence service, which planted malware on computers used by its scientists and systems administrators, the Associated Press news agency reported. DLR has called in Germany's national cyber defence centre to investigate the breach.
German publication Der Spiegel, which broke the news on Sunday, said the investigators found clues that point to the attack coming from China, but added that those signs could also be “camouflage”.
The investigators found traces of malware designed to destroy itself if detected and other code that could be activated after lying dormant for months, Spiegel said, in what appears to be a classic ‘APT’ attack.
DLR is a critical target which runs Germany's space programme and is the country's national centre for aerospace, energy and transportation research. It recently announced a partnership with US space agency NASA to test alternative fuels.
Commenting on the case, security expert Adrian Culley, a former cyber crime detective with the Met Police, said that, with evidence indicating that either China or western governments might be responsible, it will be difficult to trace the spies involved.
“This case highlights the difficulties of attribution in cyber investigations, and is also a great example of the need to presume you are under active attack and/or are post-compromise,” Culley told SCMagazineUK.com. “Seasoned investigators tread warily in such cases as it is not at all difficult to lay a trail of false evidence.”
Culley added: “There is little new in Governments seeking covert access to each other's space programmes.”
Graeme Batsman, security director at EncSec, an independent UK-based IT security company, said the DLR reports confirm how easily organisations can be infiltrated by attacks likely started by spear phishing.
He told SCMagazineUK.com: “Conventional singular defences such as anti-virus, anti-spam, firewalls and IDP today are failing to identify even semi-advanced malware, let alone something targeted. What is needed is a multi-tiered defence with modules focusing on common loopholes such as links and files which users suspect less (PDF, Excel, Word etc).”
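The layered check Batsman describes, inspecting the document types users trust most before they reach a mailbox, looks like the following in practice. This is an added example written for this page, not code from EncSec, DLR or the article; the sample attachments are constructed inline, and the list of PDF tokens treated as "active content" is the author's assumption about what merits review, not a standard.

```python
"""Attachment triage: flag PDF and Office files that carry active content or
lie about their container type.  Added example, not code from the article or
from any organisation named in it.  All sample inputs are constructed below."""
import io
import os
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsx/.pptx) is a zip

# PDF name objects that introduce scripts or auto-run actions.  Assumption:
# any of these is reason enough to hold the file for review.
PDF_ACTIVE_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# Container a given extension is supposed to use (assumed mapping).
EXPECTED_CONTAINER = {
    ".pdf": "pdf",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".docm": "zip", ".xlsm": "zip",
    ".doc": "ole", ".xls": "ole", ".ppt": "ole",
}


def sniff_type(data: bytes) -> str:
    """Identify the container from its magic bytes, never from the file name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    kind = sniff_type(data)
    ext = os.path.splitext(name.lower())[1]

    # 1. Extension/content mismatch: a renamed container is a classic lure.
    expected = EXPECTED_CONTAINER.get(ext)
    if expected and expected != kind:
        findings.append(f"extension {ext} but content is {kind}")

    # 2. PDF: look for script and auto-action tokens.  The negative lookahead
    #    stops "/JS" from matching inside longer names such as "/JSX".
    if kind == "pdf":
        for tok in PDF_ACTIVE_TOKENS:
            if re.search(re.escape(tok) + rb"(?![A-Za-z0-9])", data):
                findings.append(f"pdf contains {tok.decode()}")

    # 3. OOXML: a VBA project or embedded OLE object inside the zip.
    elif kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            findings.append("zip container is malformed")
            names = []
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("office document carries a VBA macro project")
        if any(n.startswith(("word/embeddings/", "xl/embeddings/", "ppt/embeddings/"))
               for n in names):
            findings.append("office document embeds OLE objects")

    # 4. Legacy OLE: macro streams need a dedicated parser (e.g. olefile),
    #    which is outside this example; hold the file rather than pass it.
    elif kind == "ole":
        findings.append("legacy OLE container; hold for macro stream inspection")

    return findings


def _build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (not real captured files).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n",
    "invoice.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
                    b"5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"),
    "minutes.docx": _build_docx(with_macro=False),
    "budget.docx": _build_docx(with_macro=True),    # .docx that quietly carries a macro
    "brochure.pdf": _build_docx(with_macro=False),  # extension says PDF, bytes say zip
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, found in triage_all().items():
        print(f"{name}: {'clean' if not found else '; '.join(found)}")
```

The point of the magic-byte sniff is that a gateway keyed only on extension or MIME type is exactly the "singular defence" the quote complains about; checking the container, the tokens inside it and the extension against each other is three independent tiers on one file.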
Batsman added: “A simple tactic to nearly bullet-proof your data is to have two screens, two desktops and two servers. Each setup is isolated and the one for core data has no links to the outside world. Many western governments have a set policy and if the data classification is above ‘restricted’ for instance, it has to be stored on a closed network. A well-known UK defence contractor uses such methods.”
The DLR case is the latest in a series of reported cyber attacks on German targets. Earlier this month, Spiegel published claims based on the Edward Snowden archive that GCHQ and the US's NSA had targeted German satellite and communications companies Stellar, Cetel and IABG to spy on internet traffic and carry out apparent industrial espionage.
IABG is a German aerospace firm whose customers include the German Defence Ministry and armed forces, and which was involved in projects like the Airbus A380 super jumbo jet and the Ariane European space rocket.
But the most high-profile attack on Germany was the allegation last October that the US had been bugging Angela Merkel's mobile for four years.
GCHQ issued its standard statement in response to the Spiegel claims earlier this month, saying it does not comment on intelligence-related issues but "all of its work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate".