Attack on MITTS system started in Cairo embassy - information extracted on Sept 4

No evidence of access to emails and back-end systems

American experts commissioned by MITTS, the government IT agency, have established that usernames and passwords belonging to 20,000 people were unlawfully extracted from the government computer network on September 4 and it was probable that the attack was made through the Maltese embassy in Cairo, IT Minister Austin Gatt told Parliament this evening.

Despite the extracted information, there was no evidence of unlawful access to any email account or back-end systems used by the government. This was strengthened by the fact that passwords used by MPs and senior government officials were quickly changed, the minister said.

He said the computer in this embassy was infected by malware which had permitted a connection between the government network and the Internet.

All evidence showed that the attack was not made by a professional.

Describing what had happened, Dr Gatt said in a statement to the House that on September 4 at about 10 a.m., officials noticed that one of the main servers at MITTS was showing performance problems. This server contained the usernames and passwords of more than 20,000 users.

At about 5 p.m. officials noticed that this server was operating an unauthorized program. Further investigation showed this program was being used for the illegal extraction of usernames and passwords.

Further investigations showed that a similar program had been executed on the same server on September 2 and 3. In all cases, the username and password of one of the MITTS team leaders was used.

A complete scan of all systems was made between September 5 and 6 and a copy of this program was found on the server of the Maltese embassy in Cairo and on a computer at Mater Dei Hospital.

HOSPITAL COMPUTER SEIZED

The relevant hospital computer was seized and a number of CDs with copies of software similar to that found on the server were discovered.

Investigations into this software, which could be downloaded for free from the internet, showed that extraction of information had probably failed on September 2 and 3 since the software was incompatible, while that of September 4 had been stopped.

The persons suspected of involvement were suspended.

Dr Gatt said that on September 7 he was told that it was highly unlikely that any information had been extracted.

At a MITTS board meeting on September 10 it was decided that, although the probability that usernames and passwords had been extracted was low, the 20,000 users would be ordered to immediately change their passwords. The process started and was concluded on September 11. Meanwhile, investigations by MITTS officials and the police continued.

At a board meeting on September 17, a police officer said that the MITTS team leader who was under investigation had admitted that he had given his password to another employee by phone and that other people could overhear. He had done this so that a technical problem could be resolved. The password was subsequently not changed.

On September 17 the same program was found on another computer used by a MITTS employee. Yet another computer used by another employee was found to have conducted aggressive pinging on the server. The employees were suspended and the investigation was widened by the police.

FRESH DOUBTS EXPRESSED

On September 24, for the first time, the MITTS executive management expressed doubts as to whether or not information had been extracted on September 4.

In view of this surprising change, the board gave the executive management two days to re-examine the facts and give a final opinion.

On September 26, the executive management said it was assuming that usernames and passwords had been extracted.

It was at that meeting that the board decided to call in an American company to conduct further investigations.

Dr Gatt said no employee was being investigated for, or had been suspected of, accessing emails, including those belonging to Alfred Sant. To date, no case of hacking of the emails of MPs had been found.

It was obvious that this case was not hacking or an attack directed at particular persons.

He said the case did not stem from lack of investment in security systems, but unfortunately not all available security systems were being used. Furthermore, written policies and procedures had been regularly ignored, such as sharing of passwords.

The American experts submitted their report last Wednesday, in which they said that information had been extracted on September 4 and it was highly probable that the attack was made from the Maltese embassy in Cairo.

The minister said the embassy has been disconnected from the government network and the embassy hard disks are being examined so that the origin of the attack could be traced.

NO EMAIL ACCOUNTS ACCESSED

At this stage, he was informed that no MITTS employee was being investigated for illegal access to emails. Although it was being assumed that usernames and passwords had been extracted, no email accounts or back-end systems had been accessed.

MITTS had also immediately approved a series of measures to strengthen security.

Among the measures which could be disclosed was the introduction of token/smart cards for MPs and people in sensitive posts, without which email accounts could not be accessed. Secure Mail was also being introduced immediately to encrypt email.

MITTS had also commissioned an External Review Team to analyze the circumstances which led to this incident and the MITTS reaction to it. The team would also recommend other security measures.

Dr Gatt said the MITTS board of directors had offered to resign but he turned down the resignations since the shortcomings which had developed were operational and not the result of some policy adopted by the board.

Dr Gatt said in the coming weeks he would launch the setting up of a National Information Security Agency to work hand in hand with the Malta IT Agency and the Malta Communications Authority.
