The European Commission has said it will overhaul cybersecurity guidelines after cybercriminals launched successful phishing attacks that netted carbon credits worth €3m.
The cyberattack targeted emissions trading registries on the EU Emissions Trading System, as well as similar registries worldwide. German companies lost 250,000 carbon emissions certificates, valued at €12 (£10) each, according to the German environment agency. Businesses in the Czech Republic were also taken in by the scam.
"In the light of the attack, the Commission intends to review the security measures applicable to ETS registries and will prepare revised security guidelines for registries and an action plan aiming at harmonising their approach in case of future such incidents," the Commission said in a statement on Thursday.
Pending the outcome of an investigation, EU carbon emissions security guidelines will be updated to explicitly warn against phishing, European Commission environment spokeswoman Barbara Helfferich told ZDNet UK.
Responsibility for carbon emissions trading security lies with individual member states.
In the phishing attempts, which took place on 28 January, scammers sent emails asking employees at customers of the registries to click on a link to sort out problems with their account. The link took them to a fake website, designed to look exactly like the real Commission certificate-trading site, where the company user identification code and password were requested for 'verification'.
The password-stealing website has not yet been taken down, according to Helfferich.
Once the password was given, the cybercriminals were then free to steal the companies' carbon emissions certificates, known as EU Allowances or EUAs, by transfer for resale at a later date, Helfferich added.
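The attack described above relies on a link whose destination is not the real registry: either a lookalike hostname or a link whose visible text shows the genuine address while the href points elsewhere. As an added illustration (not code from the article, the Commission, or any registry), the following Python scanner flags both patterns in an HTML email body. The registry hostnames, the message samples and the two-edit lookalike threshold are constructed placeholders, not the real EU registry domains.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate registry hostnames (placeholders,
# not the real EU ETS registry domains).
LEGITIMATE_HOSTS = {"registry.example-ets.eu", "ets.example-commission.eu"}

# Maximum edit distance at which a hostname is treated as a lookalike
# of an allowlisted one (assumed threshold for this example).
LOOKALIKE_MAX_DISTANCE = 2

# Matches <a href="..."> ... </a>; good enough for the constructed samples,
# a real deployment would use an HTML parser.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when it has none (e.g. javascript:)."""
    return (urlparse(url).hostname or "").lower()


def analyse_link(href: str, visible_text: str) -> list:
    """Return a list of findings for one link; empty when the link is allowlisted."""
    host = hostname(href)
    if host in LEGITIMATE_HOSTS:
        return []
    findings = []
    # Visible text shows a URL whose host differs from where the link really goes.
    shown = URL_IN_TEXT_RE.search(visible_text)
    if shown and hostname(shown.group()) != host:
        findings.append("display_mismatch")
    # Hostname is within a few edits of a legitimate registry host (typosquat).
    for legit in sorted(LEGITIMATE_HOSTS):
        if levenshtein(host, legit) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"lookalike_of:{legit}")
    findings.append("unknown_host")
    return findings


def scan_email(html: str) -> list:
    """Return [(href, findings), ...] for every link in the message that is not allowlisted."""
    report = []
    for href, text in HREF_RE.findall(html):
        findings = analyse_link(href, TAG_RE.sub("", text))
        if findings:
            report.append((href, findings))
    return report


# Constructed sample: two suspicious links, one with a genuine-looking display
# URL pointing elsewhere, one on a typosquatted hostname ("exarnple").
SAMPLE_PHISH = """
<p>Please fix a problem with your account:
<a href="http://login.verify-example.test/ets">https://registry.example-ets.eu/account</a>
or <a href="https://registry.exarnple-ets.eu/verify"><b>verify your account</b></a></p>
"""

# Constructed benign sample: link goes to an allowlisted host.
SAMPLE_BENIGN = '<a href="https://registry.example-ets.eu/login">Registry login</a>'


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_PHISH):
        print(href, "->", ", ".join(findings))
```

Run on the constructed phishing sample, the scanner reports the first link as a display mismatch on an unknown host and the second as a lookalike of the allowlisted registry; the benign sample produces no findings. The edit-distance check is deliberately narrow so that unrelated hosts are only reported as unknown rather than as lookalikes.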
"We can try to trace [the certificates], but it's like trying to trace an offshore account," Helfferich said. "It's possible to trace the transactions, but [the criminals] will salt the EUAs away somewhere for a while."
The Commission said it was alerted to the phishing by Norway and the Netherlands. Police in Germany and the Czech Republic are investigating the transactions performed in their countries. "There were only two countries where passwords were given," said Helfferich.
On Tuesday, some of the registries in EU member states took the step of closing down their websites due to the attacks, according to Helfferich. In addition, international transactions with the United Nations Emissions Trading scheme were temporarily locked.
"The UN system closed communications with the national registries and asked them to verify [themselves]," Helfferich said.
Nine countries have been scammed in the attack, the UN Framework on Climate Change (UNFCCC) said in a statement. It added that it is working with national registries to make sure their systems are secure.
"Many national registries have already confirmed that they have taken appropriate security measures and that access to their system is now secured," the UNFCCC said. "The secretariat has also been informed that the software of national registries does not appear to have been compromised."
The European Commission plans to set up a new European Community carbon-trading registry in 2012, and the security of the trading process will be tightened through that, Helfferich said.