Functionality of communications networks and malware observations
Published 06.08.2015
In early 2015, only a low number of malware observations were made in Finland compared to the previous year. So far, the number of disruption situations in communications networks is also lower than last year.
Finland is among the top countries in the world for the cleanness of public communications networks when the number of malware observations is compared between countries. Microsoft regularly conducts an international comparison of malware observations in its semi-annually published SIR report, according to which Finland had the lowest number of malware observations in the world at the end of 2014. FICORA and the telecommunications operators take active measures to keep the situation unchanged. At the beginning of 2015, clearly fewer observations had been made than at the corresponding time last year. Last year, the total number of observations during the year was over 200,000. If the number of observations remains at the level of the beginning of the year, there will be fewer than 40,000 malware observations during the whole year.
During the early part of the year, Conficker, Tinba and ZeroAccess were the most common malware programs according to the observations of the Autoreporter service of the National Cyber Security Centre Finland. The highest number of observations was caused by SSDP, which is a protocol facilitating the cooperation of services. Incorrectly installed SSDP servers have been utilised in denial-of-service attacks to amplify the volume of network traffic.
Figure: Malware observations in January-May 2015 by program type
As a whole, early 2015 was calm with regard to incidents in communications networks. During the first five months of the year, 2 incidents of the highest severity rating (class A), 14 class B incidents and 33 class C incidents occurred. If the situation continues like this, the total number of disruptions in communications networks will remain low compared to 2014. One major individual cause of disruptions is strong summer and autumn storms, so individual large storms may quickly increase the number of disruptions.
No single significant problem can be identified behind the disruptions that occurred in early 2015; instead, the causes are divided between different factors, such as equipment faults, network updates and problems with power supply. Effort has been put into further developing effective recovery from storm-related incidents in FICORA's cooperative working group for disruptions (HÄTY) by improving the cooperation between telecommunications operators and electricity companies in problem situations.
HAVARO is an information security violation detection and alert system directed at companies and operators critical to the security of supply. The HAVARO system detected a total of 1,200 "red observations" in January-May 2015. Red observations indicate that the system has observed harmful traffic, which points to a likely information security violation in the organisation. The majority of the observations concern abuse attempts performed on mass distribution platforms, and they have utilised the vulnerabilities of internet browser add-ons (in particular, Java, Flash, Silverlight and PDF).
On the basis of the first half of 2015, a few key trends arise from the observations made through HAVARO. During the first half of the year, approximately 200 observations were made of various data stealers related to the use of online banks, such as Dyre and Emotet programs. During the early part of the year, approximately 50 observations in a number of bursts were made of downloads of the malware program platform Fiesta, which utilises the vulnerabilities of Adobe Flash Player. There were approximately 25 observations from the early summer of the Ponmocup malware that downloads other malware programs. In March, May and June, there were also approximately 25 observations of the command server traffic of the CryptoWall malware that encrypts the files of a computer.
The amendments to the national Act on Strong Electronic Identification and Electronic Signatures and the eIDAS Regulation will introduce additional tasks for FICORA related to identification and trust services as of 2016. The preparation for the additional tasks will be managed during 2015–2016 in a project financed by the Ministry of Finance, "Preparation for the deployment and deployment of identification and trust services". The financing decision of the Ministry of Finance was received in March, and the project was launched at the beginning of April.
The project is divided into three main areas: the national trust network, transboundary identification services and trust services. In the first phase of the project, a feasibility study was conducted which mainly focused on the interface definitions between the operators in the national trust network and the auditing requirements. A Government Decree on the national trust network required by the Act on Strong Electronic Identification and Electronic Signatures is being prepared. The transboundary identification services and trust services are defined in the eIDAS Regulation and their operation must be uniform in the EU Member States. The organisation of national operations in accordance with the Regulation requires knowledge of the work of European groups handling the implementation of the Regulation. During the identification project, FICORA has participated in the work of several international groups.