Tag Archives: Cyber Attack

Ukraine imposes sanctions on Russian web firms, citing cyber threat

A Yandex taxi is seen in central Kiev, Ukraine, May 16, 2017. REUTERS/Gleb Garanich

By Natalia Zinets

KIEV (Reuters) – Ukraine imposed sanctions on Russia’s largest internet group Yandex and other popular online firms on Tuesday, saying it wanted to guard against cyber attacks, and the Kremlin threatened retaliation.

The restrictions froze any assets held by the Russian businesses inside Ukraine and banned hosts there from linking to them, though the websites were all still accessible in Kiev on Tuesday afternoon.

The ban was imposed partly to protect against companies “whose activities threaten the information and cyber security of Ukraine”, the Kiev government’s Security and Defence Council said in a statement.

They added to a list of more than 400 Russian firms blacklisted by Kiev since Moscow’s annexation of Crimea in 2014 and the ensuing pro-Russian separatist uprising in eastern Ukraine.

Mail.ru Group, which owns the Odnoklassniki social network and Vkontakte, Russia’s version of Facebook, said that around 25 million Ukrainians could be affected by the “politically motivated” decision.

“We have never been involved in politics. We have not broken a single law of Ukraine,” it said in a statement. It said the Ukrainian market contributed an “immaterial” amount of revenue and so Mail.ru would not revise its financial plans.

Yandex declined comment and there was no immediate comment from other companies on the list.

Kremlin spokesman Dmitry Peskov told journalists that Moscow had not forgotten the principle of reciprocity when it came to such disputes, calling the move “short-sighted.”

Many of the affected sites are hugely popular in Ukraine.

Vkontakte was the second-most visited website in Ukraine as of March, according to data cited by the Ukrainian Internet Association. Yandex, Odnoklassniki and Mail.ru were also in the top five most popular sites that month.

In comments to Russian newspaper Kommersant, Russian Foreign Ministry spokesman Maria Zakharova called the sanctions a “manifestation of politically motivated censorship”.

Moscow has repeatedly denied accusations from Kiev that it has been waging a “cyber war” on Ukraine at the same time as it fuels Ukraine’s separatist conflict by supporting rebels with troops and weapons.

Ukraine has also accused Russian computer hackers of targeting its power grid, financial system and other infrastructure with viruses.

(Additional reporting by Maria Kiselyova and Anastasia Teterevleva in Moscow; writing by Alessandra Prentice; editing by Matthias Williams and Mark Heinrich)

Oddities in WannaCry ransomware puzzle cybersecurity researchers

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain May 15, 2017. REUTERS/Dylan Martinez

By Jeremy Wagstaff

SINGAPORE (Reuters) – The WannaCry malware that spread to more than 100 countries in a few hours is throwing up several surprises for cybersecurity researchers, including how it gained its initial foothold, how it spread so fast and why the hackers are not making much money from it.

Some researchers have found evidence they say could link North Korea with the attack, but others are more cautious, saying that the first step is shedding light on even the most basic questions about the malware itself.

For one thing, said IBM Security’s Caleb Barlow, researchers are still unsure exactly how the malware spread in the first place. Most cybersecurity companies have blamed phishing e-mails – e-mails containing malicious attachments or links to files – that download the ransomware.

That’s how most ransomware finds its way onto victims’ computers.

The problem in the WannaCry case is that despite digging through the company’s database of more than 1 billion e-mails dating back to March 1, Barlow’s team could find none linked to the attack.

“Once one victim inside a network is infected it propagates,” Boston-based Barlow said in a phone interview, describing a vulnerability in Microsoft Windows that allows the worm to move from one computer to another.

The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online.

But the puzzle is how the first person in each network was infected with the worm. “It’s statistically very unusual that we’d scan and find no indicators,” Barlow said.

Other researchers agree. “Right now there is no clear indication of the first compromise for WannaCry,” said Budiman Tsjin of RSA Security, a part of Dell.

Knowing how malware infects and spreads is key to being able to stop existing attacks and anticipate new ones. “How the hell did this get on there, and could this be repeatedly used again?” said Barlow.

PALTRY RANSOM

Some cybersecurity companies, however, say they’ve found a few samples of the phishing e-mails. FireEye said it was aware customers had used its reports to successfully identify some associated with the attack.

But the company agrees that the malware relied less on phishing e-mails than other attacks. Once a certain number of infections was established, it was able to use the Microsoft vulnerability to propagate without their help.

There are other surprises, that suggest this is not an ordinary ransomware attack.

Only paltry sums were collected by the hackers, according to available evidence, mostly in the bitcoin cryptocurrency.

There were only three bitcoin wallets and the campaign has far earned only $50,000 or so, despite the widespread infections. Barlow said that single payments in some other ransomware cases were more than that, depending on the victim.

Jonathan Levin of Chainalysis, which monitors bitcoin payments, said there were other differences compared to most ransomware campaigns: for instance the lack of sophisticated methods used in previous cases to convince victims to pay up. In the past, this has included hot lines in various languages.

And so far, Levin said, the bitcoin that had been paid into the attackers’ wallets remained there – compared to another campaign, known as Locky, which made $15 million while regularly emptying the bitcoin wallets.

“They really aren’t set up well to handle their bitcoin payments,” Levin said.

The lack of sophistication may bolster those cybersecurity researchers who say they have found evidence that could link North Korea to the attack.

A senior researcher from South Korea’s Hauri Labs, Simon Choi, said on Tuesday the reclusive state had been developing and testing ransomware programs only since August. In one case, the hackers demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.

Choi, who has done extensive research into North Korea’s hacking capabilities, said his findings matched those of Symantec and Kaspersky Lab, who say some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

The Lazarus hackers have however been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cybersecurity firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

Whoever is found to be behind the attack, said Marin Ivezic, a cybersecurity partner at PwC in Hong Kong, the way the hackers used freely available tools so effectively may be what makes this campaign more worrying.

By bundling a tool farmed from the leaked NSA files with their own ransomware, “they achieved better distribution than anything they could have achieved in a traditional way” he said.

“EternalBlue (the hacking tool) has now demonstrated the ROI (return on investment) of the right sort of worm and this will become the focus of research for cybercriminals,” Ivezic said.

(Additional reporting Ju-Min Park in Seoul, Editing by Raju Gopalakrishnan)

More disruptions feared from cyber attack; Microsoft slams government secrecy

Indonesia's Minister of Communications and Information, Rudiantara, speaks to journalists during a press conference about the recent cyber attack, at a cafe in Jakarta, Indonesia

By Dustin Volz and Eric Auchard

WASHINGTON/FRANKFURT (Reuters) – Officials across the globe scrambled over the weekend to catch the culprits behind a massive ransomware worm that disrupted operations at car factories, hospitals, shops and schools, while Microsoft on Sunday pinned blame on the U.S. government for not disclosing more software vulnerabilities.

Cyber security experts said the spread of the worm dubbed WannaCry – “ransomware” that locked up more than 200,000 computers in more than 150 countries – had slowed but that the respite might only be brief amid fears new versions of the worm will strike.

In a blog post on Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool, built by the U.S. National Security Agency, that leaked online in April.

“This is an emerging pattern in 2017,” Smith wrote. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”

He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith wrote. He added that governments around the world should “treat this attack as a wake-up call” and “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

The NSA and White House did not immediately respond to requests for comment about the Microsoft statement.

Economic experts offered differing views on how much the attack, and associated computer outages, would cost businesses and governments.

The non-profit U.S. Cyber Consequences Unit research institute estimated that total losses would range in the hundreds of millions of dollars, but not exceed $1 billion.

Most victims were quickly able to recover infected systems with backups, said the group’s chief economist, Scott Borg.

California-based cyber risk modeling firm Cyence put the total economic damage at $4 billion, citing costs associated with businesses interruption.

U.S. President Donald Trump on Friday night ordered his homeland security adviser, Tom Bossert, to convene an “emergency meeting” to assess the threat posed by the global attack, a senior administration official told Reuters.

Senior U.S. security officials held another meeting in the White House Situation Room on Saturday, and the FBI and the NSA were working to help mitigate damage and identify the perpetrators of the massive cyber attack, said the official, who spoke on condition of anonymity to discuss internal deliberations.

The investigations into the attack were in the early stages, however, and attribution for cyber attacks is notoriously difficult.

The original attack lost momentum late on Friday after a security researcher took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.

Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet last month by a hacking group known as the Shadow Brokers.

The head of the European Union police agency said on Sunday the cyber assault hit 200,000 victims in at least 150 countries and that number would grow when people return to work on Monday.

MONDAY MORNING RUSH?

Monday was expected to be a busy day, especially in Asia, which may not have seen the worst of the impact yet, as companies and organizations turned on their computers.

“Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails” or other as yet unconfirmed ways the worm may propagate, said Christian Karam, a Singapore-based security researcher.

The attack hit organizations of all sizes.

Renault said it halted manufacturing at plants in France and Romania to prevent the spread of ransomware.

Other victims include is a Nissan manufacturing plant in Sunderland, northeast England, hundreds of hospitals and clinics in the British National Health Service, German rail operator Deutsche Bahn and international shipper FedEx Corp

A Jakarta hospital said on Sunday that the cyber attack had infected 400 computers, disrupting the registration of patients and finding records.

Account addresses hard-coded into the malicious WannaCry virus appear to show the attackers had received just under $32,500 in anonymous bitcoin currency as of (1100 GMT) 7 a.m. EDT on Sunday, but that amount could rise as more victims rush to pay ransoms of $300 or more.

The threat receded over the weekend after a British-based researcher, who declined to give his name but tweets under the profile @MalwareTechBlog, said he stumbled on a way to at least temporarily limit the worm’s spread by registering a web address to which he noticed the malware was trying to connect.

Security experts said his move bought precious time for organizations seeking to block the attacks.

(Additional reporting by Jim Finkle, Neil Jerome Morales, Masayuki Kitano, Kiyoshi Takenaka, Jose Rodriguez, Elizabeth Piper, Emmanuel Jarry, Orathai Sriring, Jemima Kelly, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold, Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen and Nick Zieminski; Editing by Mark Heinrich and Peter Cooney)

China hit by cyber virus, Europe warns of more attacks

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017.

By Cate Cadell and Guy Faulconbridge

BEIJING/LONDON (Reuters) – The WannaCry “ransomware” cyber attack hobbled Chinese traffic police and schools on Monday as it rolled into Asia for the new work week, while authorities in Europe said they were trying to prevent hackers from spreading new versions of the virus.

In Britain, where the virus first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service vulnerable.

Shares in firms that provide cyber security services rose with the prospect that companies and governments would have to spend more money on defenses.

Some victims were ignoring official advice and paying the $300 ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday’s first wave.

Brian Lord, managing director of cyber and technology at cybersecurity firm PGI, said victims had told him “the customer service provided by the criminals is second to none”, with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Although the virus’s spread was curbed over the weekend in most of the world, France, where carmaker Renault was among the world’s highest profile victims, said more attacks were likely.

“We should expect similar attacks regularly in the coming days and weeks,” said Giullaume Poupard, head of French government cyber security agency ANSSI. “Attackers update their software … other attackers will learn from the method and will carry out attacks.”

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a “kill switch” – an internet address which halted the virus when activated.

SPREAD SLOWING

China appeared over the weekend to have been particularly vulnerable, raising worries about how well the world’s second largest economy would cope when it opened for business on Monday. However, officials and security firms said the spread was starting to slow.

“The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days,” said Chinese Internet security company Qihoo 360. “Previous concerns of a wide-scale infection of domestic institutions did not eventuate.”

Qihoo had previously said the attack had infected close to 30,000 organizations by Saturday evening, more than 4,000 of which were educational institutions.

The virus hit computers running older versions of Microsoft software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks.

In a blog post on Sunday, Microsoft & President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: the attack made use of a hacking tool built by the U.S. National Security Agency that had leaked online in April.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading. Some have also been machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

“The government’s response has been chaotic, to be frank,” the British Labour Party’s health spokesman Jon Ashworth said. “They’ve complacently dismissed warnings which experts, we now understand, have made in recent weeks.”

“The truth is, if you’re going to cut infrastructure budgets and if you’re not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack.”

Britain’s National Health Service (NHS) is the world’s fifth largest employer after the U.S. and Chinese militaries, Walmart and McDonald’s. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.

WARNINGS GIVEN

Asked if the government had ignored warnings over the NHS being at risk from cyber attack, Prime Minister Theresa May told Sky News: “No. It was clear [that] warnings were given to hospital trusts.”

An official from Cybersecurity Administration China (CAC) told local media on Monday that while the ransomware was still spreading and had affected industry and government computer systems, the spread was slowing.

Chinese government bodies from transport, social security, industry watchdogs and immigration said they had suspended services ranging from processing applications to traffic crime enforcement.

It was not immediately clear whether those services were suspended due to attacks, or for emergency patching to prevent infection.

“If a system supports some kind of critical processes those systems typically are very hard to patch … We don’t have a precedent for something of this scale (in China),” said Marin Ivezic, a cybersecurity expert at PwC in Hong Kong.

Affected bodies included a social security department in the city of Changsha, the exit-entry bureau in Dalian, a housing fund in Zhuhai and an industry watchdog in Xuzhou.

Energy giant PetroChina  said payment systems at some of its petrol stations were hit, although it had been able to restore most of the systems.

Elsewhere in Asia, the impact seems to have been more limited. Japan’s National Police Agency reported two breaches of computers in the country on Sunday – one at a hospital and the other case involving a private person – but no loss of funds.

Industrial conglomerate Hitachi Ltd. said the attack had affected its systems at some point over the weekend, leaving them unable to receive and send e-mails or open attachments in some cases.

In India, the government said it had only received a few reports of attacks on systems and urged those hit not to pay attackers any ransom. No major Indian corporations reported disruptions to operations.

At Indonesia’s biggest cancer hospital, Dharmais Hospital in Jakarta, around 100-200 people packed waiting rooms after the institution was hit by cyber attacks affecting scores of computers. By late morning, some people were still filling out forms manually, but the hospital said 70 percent of systems were back online.

South Korea’s presidential Blue House office said nine cases of ransomware were found in the country, but did not provide details on where the cyber attacks were discovered. A coal port in New Zealand shut temporarily to upgrade its systems.

(Writing by Peter Graff, editing by Peter Millership)

Global cyber attack slows but experts see risk of fresh strikes

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Eric Auchard

SINGAPORE/FRANKFURT (Reuters) – A global cyber attack described as unprecedented in scale forced a major European automaker to halt some production lines while hitting schools in China and hospitals in Indonesia on Saturday, though it appeared to die down a day after its launch.

Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the cyber assault has infected tens of thousands of computers in nearly 100 countries, with Britain’s health system suffering the worst disruptions.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.

Once inside the targeted network, so-called ransomware made use of recently revealed spy tools to silently infect other out-of-date machines without any human intervention. This, security experts said, marked an unprecedented escalation in the risk of fresh attacks spreading in the coming days and weeks.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Researchers observed some victims paying via the digital currency bitcoin, though no one knows how much may have been transferred to extortionists because of the largely anonymous nature of such transactions.

Researchers with security software maker Avast said they had observed 126,534 ransomware infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

The hackers, who have not come forward to claim responsibility or otherwise been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as “Eternal Blue” that was released last month by a hackers group known as the Shadow Brokers, according to researchers with several private cyber security firms.

Renault said it had halted auto production at several sites including Sandouville in northwestern France and Renault-owned Dacia plants in Romania on Saturday to prevent the spread of ransomware in its systems.

Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault though “there has been no major impact on our business”, a spokesman for the Japanese carmaker said.German rail operator Deutsche Bahn [DBN.UL] said some electronic signs at stations announcing arrivals and departures were infected, with travelers posting pictures showing some bearing a message demanding a cash payment to restore access.

“UNPRECEDENTED” ATTACK EASES

Europol’s European Cybercrime Center said it was working closely with country investigators and private security firms to combat the threat and help victims. “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The researcher in Britain widely credited with foiling the ransomware’s proliferation told Reuters he had not seen any such tweaks yet, “but they will (happen).”

Researchers said the worm deployed in the latest attack, or similar tools released by Shadow Brokers, are likely to be used for fresh assaults not just with ransomware but other malware to break into firms, seize control of networks and steal data.

Finance chiefs from the Group of Seven rich countries were to commit on Saturday to joining forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government. “Things could likely emerge on Monday” as staff return to work.

China’s information security watchdog said “a portion” of Windows systems users in the country were infected, according to a notice posted on the official Weibo page of the Beijing branch of the Public Security Bureau on Saturday. Xinhua state news agency said some secondary schools and universities were hit.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been hit.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also breached. “We are implementing remediation steps as quickly as possible,” a FedEx statement said.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by focusing on targets in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, he added.

MICROSOFT BOLSTERS WINDOWS DEFENCES

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

The attack targeted Windows computers that had not installed patches released by Microsoft in March, or older machines running software that Microsoft no longer supports and for which patches did not exist, including the 16-year-old Windows XP system, researchers said.

Microsoft said it pushed out automatic Windows updates to defend existing clients from WannaCry. It had issued a patch on March 14 to protect them from Eternal Blue. Late on Friday, Microsoft also released patches for a range of long discontinued software, including Windows XP and Windows Server 2003.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

POLITICALLY SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus. The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French run-off vote on May 7.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted by ransomware. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small- to mid-sized organizations. “Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; editing by Mark Heinrich)

UK government in dark over who behind cyber attack

FILE PHOTO: A National Health Service (NHS) sign is seen in the grounds of St Thomas' Hospital, in front of the Houses of Parliament in London June 7, 2011. REUTERS/Toby Melville/File Photo

LONDON (Reuters) – The British government does not yet know who was behind Friday’s global cyber attack that disrupted the country’s health system, interior minister Amber Rudd said on Saturday.

“We’re not able to tell you who’s behind the attack. That work is still ongoing,” she told BBC radio.

She said Britain’s National Cyber Security Center was working with the country’s health service to ensure the attack was contained, while the National Crime Agency was working with them to find out where it came from.

Rudd said the government did not know if the attack was directed by a foreign government.

On Friday, cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files. Nearly 100 countries were impacted.

Rudd said the attack was not specifically targeted at Britain’s health service.

“(The virus) feels random in terms of where it’s gone to and where it’s been opened,” she said.

Though 45 health service organizations in England and Scotland were affected by malicious software, no patient data has been accessed or transferred, said Rudd.

The minister said lessons had to be learned from the attack.

“There will be lessons to learn … Why is it certain regions are affected more than others? Is it to do with the software? Is it to do with better IT?”

Separately on Saturday, finance chiefs from the Group of Seven rich countries will commit to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Bari, Italy.

(Reporting by James Davey; Editing by Mark Potter)

Global cyber attack fuels concern about U.S. vulnerability disclosures

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Dustin Volz

WASHINGTON (Reuters) – A global cyber attack on Friday renewed concerns about whether the U.S. National Security Agency and other countries’ intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.

Hacking tools believed to belong to the NSA that were leaked online last month appear to be the root cause of a major cyber attack unfurling throughout Europe and beyond, security researchers said, stoking fears that the spy agency’s powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.

Some cyber security experts and privacy advocates said the massive attack reflected a flawed approach by the United States to dedicate more cyber resources to offense rather than defense, a practice they argued makes the internet less secure.

Across the U.S. federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters in March. (http://reut.rs/2o7qHqN)

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

The NSA did not respond to a request for comment.

Hospitals and doctors’ surgeries in parts of England on Friday were forced to turn away patients and cancel appointments after they were infected with the “ransomware”, which scrambled data on computers and demanded payments of $300 to $600 to restore access.

Security software maker Avast said it had observed more than 57,000 infections in 99 countries. Russia, Ukraine and Taiwan were the top targets, it said.

Private security firms identified the virus as a new variant of ‘WannaCry’ ransomware with the ability to automatically spread across large networks by exploiting a bug in Microsoft Corp’s Windows operating system.

Security experts said the ransomware used in the attacks leveraged a hacking tool found in a leak of documents in April by a group known as Shadow Brokers.

At the time, Microsoft acknowledged the vulnerabilities and said they had been patched in a series of earlier updates pushed to customers, the most recent of which had been rolled out only a month earlier in March. But the episode prompted concerns about whether the tools could be leveraged by hackers to attack unpatched systems.

In a statement, a Microsoft spokesman said on Friday its engineers had provided additional detection and protection services against the WannaCry malware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Updates enabled and use the company’s free antivirus software are protected.

Shadow Brokers first emerged last year and began dumping tranches of documents that it said belonged to the NSA, though the files appeared at least a few years old.

Over time, western researchers have grown more confident that Russia may be behind Shadow Brokers and possibly other recent disclosures of sensitive information about cyber capabilities that have been pilfered from U.S. intelligence agencies.

Some researchers cast blame not on the NSA but on the hospitals and other customers that appeared to leave themselves open to attack.

“The main problem here is organizations taking more than eight weeks to patch once Microsoft released the update,” said Chris Wysopal, chief technology officer at the cyber firm Veracode. “Eight weeks is plenty of time for a criminal organization to develop a sophisticated attack on software and launch it on a wide scale.”

Former intelligence contractor Edward Snowden, who in 2013 leaked documents to journalists revealing the existence of broad U.S. surveillance programs, said on Twitter the NSA had built attack tools targeting U.S. software that “now threatens the lives of hospital patients.”

“Despite warnings, (NSA) built dangerous attack tools that could target Western software,” Snowden said. “Today we see the cost.”

(This version of the story has been refiled to correct spelling of hoard in first paragraph)

(Reporting by Dustin Volz; Editing by Lisa Shumaker)

Global cyber attack hits hospitals and companies, threat seen fading for now

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Costas Pitas

SINGAPORE/LONDON (Reuters) – A global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain’s health system and global shipper FedEx.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, limiting the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The British-based researcher who may have foiled the ransomware’s spread told Reuters he had not seen any such tweaks yet, “but they will.”

Finance chiefs from the Group of Seven rich countries will commit on Saturday to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, although the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government.

“Things could likely emerge on Monday.”

China’s official Xinhua news agency said some secondary schools and universities had been affected, without specifying how many or identifying them.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been affected.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur added.

MICROSOFT UPS DEFENSES

The U.S. Department of Homeland Security said it was sharing information with domestic and foreign partners and was ready to lend technical support.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm”, or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began the previous week when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus.The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

The British government did not know who was behind the attack but its National Crime Agency was working to find out, interior minister Amber Rudd said.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French one.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations.

“Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; Editing by Rob Birsel and Mike Collett-White)

Hackers exploit stolen U.S. spy agency tool to launch global cyberattack

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain’s health system and infected computers in nearly 100 countries on Friday.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Still, only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur said.

The U.S. Department of Homeland Security said late on Friday that it was aware of reports of the ransomware, was sharing information with domestic and foreign partners and was ready to lend technical support.

Telecommunications company Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“Once it gets in and starts moving across the infrastructure, there is no way to stop it,” said Adam Meyers, a researcher with cyber security firm CrowdStrike.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm,” or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement. It said the company was working with its customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 1-1/2 days before a run-off vote in which he was elected as the new president of France.

On Wednesday, hackers disputed the websites of several French media companies and aerospace giant Airbus.Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as the country’s biggest bank, Sberbank, said they were targeted. The interior ministry said on its website that around 1,000 computers had been infected but it had localized the virus.

The emergencies ministry told Russian news agencies it had repelled the cyberattacks while Sberbank said its cyber security systems had prevented viruses from entering its systems.

NEW BREED OF RANSOMWARE

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh; Writing by Mark Trevelyan and Jim Finkle; Editing by Ralph Boulton and Grant McCool)

British hospitals, Spanish firms among targets of huge cyberattack

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A huge cyberattack brought disruption to Britain’s health system on Friday and infected many Spanish companies with malicious software, and security researchers said a dozen other countries may be affected.

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among the targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Authorities in both countries said the attack was conducted using ‘ransomware’ – malicious software that infects machines, locks them up by encrypting data and demands a ransom to restore access. They identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement. Still, the news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: “We were the target of an attack, like what is happening in all of Europe, a large scale-attack, but none of our services were affected.”

British based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with preliminary evidence of infections from 14 countries so far, also including Russia, Indonesia and Ukraine.

PM BRIEFED

A spokesman for British Prime Minister Theresa May said she was being kept informed of the incident, which came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

The full extent of Friday’s disruption in Britain remained unclear.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital, the computer arm of the health service, said in a statement.

Britain’s National Cyber Security Centre, part of the GCHQ spy agency, said it was aware of a cyber incident and was working with NHS Digital and the police to investigate.

A reporter from the Health Service Journal said the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

It was not immediately clear how many Spanish organizations had been compromised by the attacks, if any critical services had been interrupted or whether victims had paid cyber criminals to regain access to their networks.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Kate Holton, Andy Bruce, Michael Holden and David Milliken; Editing by Mark Trevelyan and Ralph Boulton)