Saudi Arabia warns on cyber defense as Shamoon resurfaces


KHOBAR, Saudi Arabia (Reuters) – Saudi Arabia on Monday warned organizations in the kingdom to be on the alert for the Shamoon virus, which cripples computers by wiping their disks, as the labor ministry said it had been attacked and a chemicals firm reported a network disruption.

An alert from the telecoms authority seen by Reuters advised all parties to be vigilant for attacks from the Shamoon 2 variant of the virus that in 2012 crippled tens of thousands of computers at oil giant Saudi Aramco.

Shamoon disrupts computers by overwriting the master boot record, making it impossible for them to start up. Former U.S. Defense Secretary Leon Panetta said the 2012 Shamoon attack on Saudi Aramco was probably the most destructive cyber attack on a private business.

In the 2012 hacks, images of a burning U.S. flag were used to overwrite the drives of victims including Saudi Aramco and RasGas Co Ltd. In the recent attacks, an image of the body of 3-year-old drowned Syrian refugee Alan Kurdi was used, according to U.S. security researchers.

The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks, said Adam Meyers, vice president with cyber security firm CrowdStrike. “It’s likely they will continue,” he said.

State-controlled Al Ekhbariya TV said on Twitter, using the hash tag #Shamoon, that several Saudi organizations had been targeted in recent cyber attacks.

The state news agency, meanwhile, said the labor ministry had been hit by a cyber attack, but that it did not impact its data.

Jubail-based Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and U.S. company Dow Chemical, said it had experienced a network disruption on Monday morning and was working to resolve the issue.

The company made the disclosure on its official Twitter account after the warning by Al Ekhbariya TV, which cited the telecoms authority.

It did not say whether the disruption was due to a cyber attack but said as a precautionary measure it had stopped all services related to the network.

Other companies in Jubail, the hub of the Saudi petrochemicals industry, also experienced network disruptions, according to sources who were not authorized to publicly discuss the matter.

Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.

(Reporting by Reem Shamseddine; additional reporting by Jim Finkle; writing by Maha El Dahan; editing by Mark Potter and Andrew Hay)

Ukraine’s power outage was a cyber attack: Ukrenergo


By Pavel Polityuk, Oleg Vukmanovic and Stephen Jewkes

KIEV/MILAN (Reuters) – A power blackout in Ukraine’s capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday.

When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine.

Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station “North”, were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters.

“The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion,” Ukrenergo said.

Law enforcement officials and cyber experts are still working to compile a chronology of events, draw up a list of compromised accounts, and determine the penetration point, while tracing computers potentially infected with malware in sleep mode, it said.

The comments make no mention of which individual, group or country may have been behind the attack.

“It was an intentional cyber incident not meant to be on a large scale… they actually attacked more but couldn’t achieve all their goals,” said Marina Krotofil, lead cyber-security researcher at Honeywell, who assisted in the investigation.

In December 2015, a first-of-its-kind cyber attack cut the lights to 225,000 people in western Ukraine, with hackers also sabotaging power distribution equipment, complicating attempts to restore power.

Ukrainian security services blamed that attack on Russia.

In the latest attack, hackers are thought to have hidden in Ukrenergo’s IT network undetected for six months, acquiring privileges to access systems and figure out their workings, before taking methodical steps to take the power offline, Krotofil said.

“The team involved had quite a few people working in it, with very serious tools and an engineer who understands the power infrastructure,” she said.

The attacks against Ukraine’s power grid are widely seen by experts as the first examples of hackers shutting off critical energy systems supplying heat and light to millions of homes.

(Writing by Oleg Vukmanovic; reporting by Pavel Polityuk in Kiev, Oleg Vukmanovic and Stephen Jewkes in Milan; editing by Susan Fenton/Ruth Pitchford)

White House voices concerns about China cyber law


WASHINGTON (Reuters) – The White House said on Thursday that it raised concerns about China’s new cyber security law during a meeting with a Chinese official after the latest round of talks between the two countries on cyber crime.

U.S. National Security Adviser Susan Rice met with Chinese State Councilor Guo Shengkun to discuss the importance "of fully adhering" to an anti-hacking accord signed last year between China and the United States, National Security Council spokesman Ned Price said.

The deal, brokered during Chinese President Xi Jinping’s state visit to Washington in 2015, included a pledge that neither country would knowingly carry out hacking for commercial advantages.

Rice told Guo that the United States was concerned “about the potential impacts” of a law that China adopted in November aimed at combating hacking and terrorism.

Critics of the law say it threatens to shut foreign technology companies out of various sectors deemed “critical,” and includes contentious requirements for security reviews and for data to be stored on servers in China.

Rights advocates also say the law will enhance restrictions on China’s Internet, already subject to the world’s most sophisticated online censorship mechanism, known outside China as the Great Firewall.

Rice met with Guo after the third round of high level talks on cyber security between China and the United States was held on Wednesday.

(Reporting by Ayesha Rascoe; Editing by Alistair Bell)

Russia says foreign spies plan cyber attack on banking system


By Christian Lowe and Natalia Zinets

MOSCOW/KIEV (Reuters) – Russia said on Friday it had uncovered a plot by foreign spy agencies to sow chaos in Russia’s banking system via a coordinated wave of cyber attacks and fake social media reports about banks going bust.

Russia’s domestic intelligence agency, the Federal Security Service (FSB), said that the servers to be used in the alleged cyber attack were located in the Netherlands and registered to a Ukrainian web hosting company called BlazingFast.

The attack, which was to target major national and provincial banks in several Russian cities, was meant to start on Dec. 5, the FSB said in a statement.

“It was planned that the cyber attack would be accompanied by a mass send-out of SMS messages and publications in social media of a provocative nature regarding a crisis in the Russian banking system, bankruptcies and license withdrawals,” it said.

“The FSB is carrying out the necessary measures to neutralize threats to Russia’s economic and information security.”

The statement did not say which countries’ intelligence agencies were behind the alleged plot.

SITUATION ‘UNDER CONTROL’

Russia’s central bank said it was aware of the threat and was in constant contact with the security services. In a statement sent to Reuters, it said it had drawn up a plan to counteract any attack.

“The situation is under control. Banks have been given necessary guidance,” the central bank said.

Anton Onoprichuk, director of Kiev-based BlazingFast, said neither the FSB nor any other intelligence agency had been in touch with his company. He told Reuters he was waiting for more information so his firm could investigate.

Asked if his servers could be used to mount a cyber attack he said: “Technically it is possible. It is possible with any hosting company, where you rent a server. You can attack whatever (you want) from it and in 99 percent of cases it will become known only after the event.”

Russia has been on high alert for foreign-inspired cyber attacks since U.S. officials accused the Kremlin of being involved in hacks on Democratic Party emails during the U.S. presidential election.

U.S. Vice President Joe Biden said at the time that the United States would mount a “proportional” response to Russia.

Since then, there have been a number of cyber attacks affecting Russian institutions, though it is unclear if they were linked to the row between Moscow and Washington.

In October, a network of Ukrainian hackers released a cache of emails obtained from the account of an aide to Kremlin adviser Vladislav Surkov.

And on Nov. 11, Russian lenders Sberbank and Alfa Bank said they had been hit by cyber attacks.

Sberbank on Friday declined to comment on the FSB’s statement. The press service of VTB, Russia’s second-largest state-run lender, said its security systems guaranteed clients’ transactions were completely protected.

(Additional reporting by Natalia Zinets in KIEV, Elena Fabrichnaya and Kira Zavyalova in MOSCOW; Writing by Christian Lowe; Editing by Andrew Osborn)

Hackers stole over 2 billion roubles from accounts at Russia's central bank


MOSCOW (Reuters) – Hackers have stolen more than 2 billion roubles ($31.3 million) from banks' correspondent accounts at the Russian central bank, central bank official Artyom Sychyov told a briefing on Friday.

He added that the hackers had attempted to steal around 5 billion roubles.

Hackers broke into accounts at the Russian central bank earlier this year by faking a client’s credentials and attempted to steal $45 million, the bank said in a report released earlier on Friday.

(Reporting by Andrey Ostroukh and Elena Fabrichnaya; writing by Katya Golubkova; editing by Vladimir Soldatkin)

Cyber fraudsters take money out of 20,000 Tesco Bank accounts


By Estelle Shirbon

LONDON (Reuters) – The banking arm of Britain’s biggest retailer Tesco was scrambling on Monday to deal with an online attack over the weekend on 40,000 customers’ accounts, 20,000 of which had money removed.

The hack is the first on a British bank known to have resulted in customers losing money, adding to growing concerns about the British financial sector’s vulnerabilities to cyber attacks, which have jumped in frequency over the past two years.

Tesco Bank, which manages 136,000 current accounts, stopped all online transactions while it worked to resume normal service, although customers could still use their bank cards in shops and to withdraw money from cash machines.

“Any financial loss that results from this fraudulent activity will be borne by the bank,” Tesco Bank Chief Executive Benny Higgins told BBC radio. “Customers are not at financial risk.”

“We think it would be relatively small amounts that have come out but we’re still working on that,” he said, adding that he expected the cost of refunding customers would be “a big number but not a huge number”.

Shares in supermarket chain Tesco, which wholly owns Tesco Bank, were down 1.2 percent at 200.20 pence by 1030 GMT.

The bank is a minnow in Britain’s retail banking market, with about 2 percent of current accounts, and represents only a small part of Tesco’s overall business.

It contributed 503 million pounds ($623.4 million) to the group’s revenue of 24.4 billion pounds in the first half of its 2016-17 financial year.

But while the financial hit to the group may be limited, Tesco Bank risks serious reputational damage from an attack that affected 29 percent of its customer current accounts.

Other British banks have been targeted by cyber attacks in recent years, but the Financial Conduct Authority (FCA) which regulates the sector said it was not aware of any previous incident in which customers had lost money.

Reported attacks on financial institutions in Britain have risen from just five in 2014 to over 75 so far this year, according to FCA data, but bank executives and providers of security systems say there are many more unreported attacks.

HSBC issued a series of apologies to customers earlier this year after its UK personal banking websites were shut down by a “denial of service” attack, but no customer funds were at threat during that breach.

Cliff Moyce, global head of financial services at DataArt, a network of technology consulting and software services firms, said reduced staffing levels over the weekend were likely to have been one of the reasons for the impact of the hack.

“The clever part was doing it over the weekend when banks are typically understaffed, and will respond more slowly,” he said in a comment emailed to media.

“Automated fraud detection systems appear to have worked well, but a lack of people at desks will not have helped.”

Other well-known British brands hit by significant cyber attacks over the past year include telecoms firms TalkTalk and Vodafone, business software provider Sage and electronic goods retailer Dixons Carphone.

(Additional reporting by Michael Holden, James Davey and Huw Jones; Editing by Greg Mahlich)

U.S. boosting cyber defenses but not police presence for election


By Julia Harte and Dustin Volz

WASHINGTON (Reuters) – Federal and state authorities are beefing up cyber defenses against potential electronic attacks on voting systems ahead of U.S. elections on Nov. 8, but taking few new steps to guard against possible civil unrest or violence.

The threat of computer hacking and the potential for violent clashes is darkening an already rancorous presidential race between Democrat Hillary Clinton and Republican Donald Trump, amid fears that Russia or other actors could spread political misinformation online or perhaps tamper with voting.

To counter the cyber threat, all but two U.S. states have accepted help from the U.S. Department of Homeland Security (DHS) to probe and scan voter registration and election systems for vulnerabilities, a department official told Reuters.

Ohio has asked a cyber protection unit of the National Guard, a reserve force within the U.S. military, for assistance to protect the state’s systems.

On Thursday, Arizona Secretary of State Michele Reagan and her cyber security team met with officials from the Federal Bureau of Investigation (FBI) and the DHS, in addition to state-level agencies, to discuss cyber threats, said Matt Roberts, a spokesman for Reagan.

Cyber security experts and U.S. officials say chances that a hack could alter election outcomes are remote, in part because voting machines are typically not connected to the internet.

But the FBI sent a flash alert in August to states after detecting breaches in voter registration databases in Arizona and Illinois.

ARMED GROUPS

Unidentified intelligence officials told NBC News on Thursday that there is no specific warning about an Election Day attack, but they remain concerned that hackers from Russia or elsewhere may try to disrupt the process, most likely by spreading misinformation through social media sites such as Facebook and Twitter.

DHS cyber security experts plan to hold a media briefing on Friday to discuss the agency’s efforts with states to boost the security of their voting and election systems.

The potential for violence around the election has loomed in the background of the campaign for months. Armed groups around the country have pledged in unprecedented numbers to monitor voting sites for signs of election fraud.

Voter intimidation reported at polling sites so far prompted Democrats to accuse Trump of a “campaign of vigilante voter intimidation” in four states on Monday.

But local authorities surveyed by Reuters on Thursday in five states – Ohio, Pennsylvania, Arizona, Wisconsin and Florida – said they were not increasing election-related law enforcement personnel or resources above 2012 levels.

‘A LOT OF TALK, LITTLE ACTION’

The FBI, which designates one special agent from each of its 56 field offices for election crime matters, has not increased its numbers or given staff additional training this year, said an FBI spokeswoman.

There has been no “substantive change” in the number of personnel deployed by the rest of the Justice Department, which designates Assistant U.S. Attorneys and federal prosecutors within the agency’s Public Integrity Section to handle election crimes, according to a spokesman.

Jim Pasco, executive director of the Fraternal Order of Police, which represents hundreds of thousands of U.S. officers, said cops are taking the same security measures they would take for any large event. He said he expects the vows by militias to monitor the polls to be “a lot of talk, little action.”

Civil rights groups said deploying more police officers to the polls can actually intimidate voters.

“The presence of law enforcement can have a chilling effect on the electorate,” said Kristen Clarke, president of the Lawyers’ Committee for Civil Rights Under Law, a watchdog group. “That’s something we want to discourage.”

(Additional reporting by Andy Sullivan in Washington; Editing by Kevin Drawbaugh and Bill Rigby)

China to recall up to 10,000 webcams after U.S. hack


By Sijia Jiang

HONG KONG (Reuters) – A recall of webcams linked to a major cyber attack in the United States last week will involve up to 10,000 of the compromised devices, Chinese manufacturer Hangzhou Xiongmai Technology Co told Reuters on Tuesday.

Xiongmai said it would recall some surveillance cameras sold in the U.S. on Monday after security researchers identified they had been targeted in the attack, which rendered Twitter, Spotify and dozens of other major websites unavailable.

Friday’s cyber attack alarmed security experts because it represented a new type of threat rooted in the proliferation of simple devices such as webcams which often lack proper security.

Hackers found a way to harness hundreds of thousands of them globally to flood a target with so much traffic that it couldn’t cope, cutting access to some of the world’s best known websites.

The disruptions come at a time of unprecedented fears about the cyber threat in the United States, where hackers have breached political organizations and election agencies.

Liu Yuexin, Xiongmai’s marketing director, told Reuters the company would recall the first few batches of surveillance cameras made in 2014 that monitor rooms or shops for personal, rather than industrial, use.

Xiongmai had now fixed loopholes in earlier products, prompting users to change default passwords and having telnet access blocked, Liu said. He declined to give an exact number of vulnerable devices, but estimated it at less than 10,000.

Devices using the firm’s components in China and elsewhere were unlikely to suffer from similar attacks because they were more frequently used for industrial purposes and within more secure intranet networks, he added.

“The reason why there has been such a massive attack in the U.S. and (one) is not likely going to be in China is that most of our products in China are industrial devices used within a closed intranet only,” Liu said.

“Those in the U.S. are consumer devices exposed in the public domain,” he added.

Liu said surveillance cameras with core modules made by Xiongmai were widely used for banks, shops and housing estate surveillance in China. The firm is a “top three supplier” in China, he said, but declined to name specific clients.

Beyond the recall, Liu added the firm may take measures to enhance the safety of its products by migrating to safer operating systems and adding further encryption.

“Internet of Things (IoT) devices have been subject to cyber attacks because they are mostly based on the Linux open source system,” he said. “Our department had been looking to develop products based on other systems since 2015 and plan to do more in the future.”

(Editing by Adam Jourdan and Alexander Smith)

Two major cyber attacks disrupt service on major sites


By Jim Finkle and Dustin Volz

(Reuters) – Cyber attacks targeting the internet infrastructure provider Dyn disrupted service on major sites such as Twitter and Spotify on Friday, mainly affecting users on the U.S. East Coast.

It was not immediately clear who was responsible and Gillian Christensen of the U.S. Department of Homeland Security said the agency was “investigating all potential causes.”

Dyn said it had resolved one attack, which disrupted operations for about two hours, but disclosed a second attack a few hours later that was causing further disruptions.

In addition to the social network Twitter and music-streamer Spotify, the discussion site Reddit, hospitality booking service Airbnb and The Verge news site were among the companies whose services were reported to be down.

Amazon.com Inc’s web services division, one of the world’s biggest cloud computing companies, also disclosed an outage that lasted several hours on Friday morning. Amazon could not immediately be reached for comment.

The attacks were the latest in an increasingly menacing string of distributed denial of service, or DDoS, attacks disrupting internet sites by overwhelming servers with web traffic.

The U.S. Department of Homeland Security warned on Oct. 14 that hackers were using a powerful new approach to launch these campaigns – infecting routers, printers, smart TVs and other connected devices with malware that turns them into “bot” armies that can launch DDoS attacks.

“We have begun monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure,” the company said on its website. “Our engineers are continuing to work on mitigating this issue.”

Doug Madory, director of internet analysis at Dyn, told Reuters he was not sure if the outages at Dyn and Amazon were connected.

“We provide service to Amazon but theirs is a complex network so it is hard to be definitive about causality at the moment,” he said.

Dyn is a Manchester, New Hampshire-based provider of services for managing domain name servers (DNS), which act as switchboards connecting internet traffic. Requests to access sites are transmitted through DNS servers that direct them to computers that host websites.

Dyn’s customers include some of the world’s biggest corporations and Internet firms, such as Pfizer, Visa, Netflix and Twitter, SoundCloud and BT.

(Reporting by Jim Finkle in Boston and Dustin Volz in Washington; additional reporting by Eric Auchard in Frankfurt, Malathi Nayak in New York and Jeff Mason in Washington; editing by Bill Trott)

Attack on web provider disrupts some sites located on U.S. East Coast


By Jim Finkle and Dustin Volz

(Reuters) – Service of some major internet sites was disrupted for several hours on Friday morning as internet infrastructure provider Dyn said it was hit by a cyber attack that disrupted traffic mainly on the U.S. East Coast.

Social network Twitter, music-streamer Spotify, discussion site Reddit and The Verge news site were among the companies whose services were reported to be down on Friday morning.

Amazon.com Inc’s web services division, one of the world’s biggest cloud computing companies, also disclosed an outage that lasted several hours on Friday morning. Amazon could not immediately be reached for comment.

It was unclear who was responsible for the Dyn attack, which the company said disrupted operations for about two hours.

It is the latest in an increasingly menacing string of “denial of service” attacks disrupting internet sites by overwhelming servers with web traffic. The U.S. Department of Homeland Security warned on Oct. 14 that hackers were infecting routers, printers, smart TVs and other connected devices to build powerful armies of “bots” that can shut down websites.

Doug Madory, director of internet analysis at Dyn, told Reuters he was not sure if the outages at Dyn and Amazon were connected.

“We provide service to Amazon but theirs is a complex network so it is hard to be definitive about causality at the moment,” he said.

Salesforce.com Inc's Heroku cloud-computing service platform, which runs on Amazon Web Services, disclosed a service outage that it said was related to a denial of service attack "against one of our DNS providers."

Dyn said it was still trying to determine how the attack led to the outage.

“Our first priority over the last couple of hours has been our customers and restoring their performance,” Dyn Executive Vice President Scott Hilton said in a statement.

He said the problem was resolved at about 9:20 a.m. EDT (1320 GMT). It earlier reported its engineers were working to respond to an “attack” that mainly affected users on the East Coast.

An FBI representative said she had no immediate comment.

Dyn is a Manchester, New Hampshire-based provider of services for managing domain name servers (DNS), which act as switchboards connecting internet traffic. Requests to access sites are transmitted through DNS servers that direct them to computers that host websites.

Dyn’s customers include some of the world’s biggest corporations and Internet firms, such as Pfizer, Visa, Netflix and Twitter, SoundCloud and BT.

Attacking a large DNS provider can create massive disruptions because such firms are responsible for forwarding large volumes of internet traffic.

(Reporting by Jim Finkle in Boston and Dustin Volz in Washington; additional reporting by Eric Auchard in Frankfurt and Malathi Nayak in New York; editing by Bill Trott)