Tag Archives: Cyber Attack

Likely hack of U.S. banking regulator by China covered up: probe

Mouse with Chinese flag projection

By Jason Lange and Dustin Volz

WASHINGTON (Reuters) – The Chinese government likely hacked computers at the Federal Deposit Insurance Corporation in 2010, 2011 and 2013 and employees at the U.S. banking regulator covered up the intrusions, according to a congressional report on Wednesday.

The report cited an internal FDIC investigation as identifying Beijing as the likely perpetrator of the attacks, which the probe said were covered up to protect the job of FDIC Chairman Martin Gruenberg, who was nominated for his post in 2011.

“The committee’s interim report sheds light on the FDIC’s lax cyber security efforts,” said Lamar Smith, a Republican representative from Texas who chairs the House of Representatives Committee on Science, Space and Technology.

“The FDIC’s intent to evade congressional oversight is a serious offense.”

The report was released amid growing concern about the vulnerability of the international banking system to hackers and the latest example of how deeply Washington believes Beijing has penetrated U.S. government computers.

The report did not provide specific evidence that China was behind the hack.

Shane Shook, a cyber security expert who has helped investigate some of the breaches uncovered to date, said he did not see convincing evidence in the report that the Chinese government was behind the FDIC hack.

“As with all government agencies, there are management issues stemming from leadership ignorance of technology oversight,” Shook said.

Speaking in Beijing, Chinese Foreign Ministry spokesman Lu Kang repeated that China opposed hacking and acted against it.

People should provide evidence for their accusations and not wave around speculative words like “maybe” and “perhaps”, he told reporters.

“This is extremely irresponsible.”

The FDIC, a major U.S. banking regulator which keeps confidential data on America’s biggest banks, declined to comment. Gruenberg is scheduled to testify on Thursday before the committee on the regulator’s cyber security practices.

Washington has accused China of hacking computers at a range of federal agencies in recent years, including the theft of more than 21 million background check records from the federal Office of Personnel Management beginning in 2014.

WATCHDOG MEMO

The compromise of the FDIC computers by a foreign government had been previously reported in May and some lawmakers had mentioned China as a possible suspect, but the report on Wednesday for the first time cited a 2013 memo by the FDIC’s inspector general, an internal watchdog, as pointing toward China.

“Even the former Chairwoman’s computer had been hacked by a foreign government, likely the Chinese,” the congressional report said, referring to Gruenberg’s predecessor, Sheila Bair, who headed the FDIC from 2006 until 2011 when Gruenberg took over as acting chairman.

Bair could not be immediately reached for comment.

A redacted copy of the 2013 FDIC inspector general’s memo seen by Reuters said investigators were unable to determine exactly which files had been extracted from agency computers.

But a source familiar with the FDIC’s internal investigation said the areas of the regulator’s network that were hacked suggested the intruders were seeking “economic intelligence.”

In all, hackers compromised 12 FDIC workstations, including those of other executives such as the regulator’s former chief of staff and former general counsel, and 10 servers, the congressional report said.

It accused the FDIC of trying to cover up the hacks so as not to endanger the congressional approval of Gruenberg, who was nominated by President Barack Obama and confirmed by the U.S. Senate in November 2012.

A witness interviewed by congressional staff said the FDIC’s current head of its technology division, Russ Pittman, instructed employees not to disclose information about the foreign government’s hack, the report said.

The witness said the hush order was to “avoid effecting the outcome of Chairman Gruenberg’s confirmation,” according to the report. Pittman could not immediately be contacted for comment.

The report also provided details of data breaches in which FDIC employees leaving the regulator took sensitive documents with them. It said current FDIC officials have purposely concealed information about breaches that had been requested by Congress.

U.S. intelligence officials believe Beijing has decreased its hacking activity since signing a pledge with Washington last September to refrain from breaking into computer systems for the purposes of commercial espionage.

At the same time, Obama has acknowledged difficulties in keeping government information secure. In addition, Republican opponents have said that Democratic presidential candidate Hillary Clinton’s use of a private email server when she was secretary of state could have exposed classified information to foreign governments.

(Reporting by Jason Lange and Dustin Volz; Additional reporting by Jim Finkle in Boston, and Ben Blanchard in BEIJING; Editing by Grant McCool)

Chinese economic cyber-espionage plummets in U.S.: experts

Hand in front of computer screen

By Joseph Menn and Jim Finkle

SAN FRANCISCO (Reuters) – The Chinese government appears to be abiding by its September pledge to stop supporting the hacking of American trade secrets to help companies there compete, private U.S. security executives and government advisors said on Monday.

FireEye Inc, the U.S. network security company best known for fighting sophisticated Chinese hacking, said in a report released late Monday that breaches attributed to China-based groups had plunged by 90 percent in the past two years. The most dramatic drop came during last summer’s run-up to the bilateral agreement, it added.

FireEye’s Mandiant unit in 2013 famously blamed a specific unit of China’s Peoples Liberation Army for a major campaign of economic espionage.

Kevin Mandia, the Mandiant founder who took over last week as FireEye chief executive, said in an interview that several factors seemed to be behind the shift. He cited embarrassment from Mandiant’s 2013 report and the following year’s indictment of five PLA officers from the same unit Mandiant uncovered.

Prosecutors said the victims included U.S. Steel, Alcoa Inc and Westinghouse Electric. Mandia also cited the threat just before the agreement that the United States could impose sanctions on Chinese officials and companies.

“They all contributed to a positive result,” Mandia said.

A senior Obama administration official said the government was not yet ready to proclaim that China was fully complying with the agreement but said the new report would factor into its monitoring. “We are still doing an assessment,” said the official, speaking on condition he not be named.

The official added that a just-concluded second round of talks with China on the finer points of the agreement had gone well. He noted that China had sent senior leaders even after the U.S. Secretary of Homeland Security pulled out because of the Orlando shootings.

China’s Foreign Ministry, the only government department to regularly answer questions from foreign reporters on the hacking issue, said China aimed to maintain dialogue on preventing and combating cyber-spying.

“We’ve expressed our principled position on many occasions,” ministry spokeswoman Hua Chunying told a daily news briefing on Tuesday. “We oppose and crack down on commercial cyber-espionage activities in all forms.”

FireEye said that Chinese intrusions into some U.S. firms have continued, with at least two hacked in 2016. But while the hackers installed “back doors” to enable future spying, FireEye said it had seen no evidence that data was stolen.

Both hacked companies had government contracts, said FireEye analyst Laura Galante, noting that it was plausible that the intrusions were stepping stones toward gathering information on government or military people or projects, which remain fair game under the September accord.

FireEye and other security companies said that as the Chinese government-backed hackers dropped wholesale theft of U.S. intellectual property, they increased spying on political and military targets in other countries and regions, including Russia, the Middle East, Japan and South Korea.

Another security firm, CrowdStrike, has observed more Chinese state-supported hackers spying outside of the United States over the past year, company Vice President Adam Meyers said in an interview.

Targets include Russian and Ukrainian military targets, Indian political groups and the Mongolian mining industry, Meyers said.

FireEye and CrowdStrike said they were confident that the attacks are being carried out either directly by the Chinese government or on its behalf by hired contractors.

Since late last year there has been a flurry of new espionage activity against Russian government agencies and technology firms, as well as other targets in India, Japan and South Korea, said Kurt Baumgartner, a researcher with Russian security software maker Kaspersky Lab.

He said those groups use tools and infrastructure that depend on Chinese-language characters.

One of those groups, known as Mirage or APT 15, appears to have ended a spree of attacks on the U.S. energy sector and is now focusing on government and diplomatic targets in Russia and former Soviet republics, Baumgartner said.

(Reporting by Joseph Menn in San Francisco and Jim Finkle in Boston; Additional reporting by; Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Richard Chang)

Keyboard warriors: South Korea trains new frontline in decades-old war with North

Student training to be hacker

By Ju-min Park

SEOUL (Reuters) – In one college major at Seoul’s elite Korea University, the courses are known only by number, and students keep their identities a secret from outsiders.

The Cyber Defense curriculum, funded by the defense ministry, trains young keyboard warriors who get a free education in exchange for a seven-year commitment as officers in the army’s cyber warfare unit – and its ongoing conflict with North Korea.

North and South Korea remain in a technical state of war since the 1950-53 Korean War ended in an armed truce. Besides Pyongyang’s nuclear and rocket program, South Korea says the North has a strong cyber army which it has blamed for a series of attacks in the past three years.

The cyber defense program at the university in Seoul was founded in 2011, with the first students enrolled the following year.

One 21-year-old student, who allowed himself to be identified only by his surname Noh, said he had long been interested in computing and cyber security and was urged by his father to join the program. All South Korean males are required to serve in the military, usually for up to two years.

“It’s not a time burden but part of a process to build my career,” Noh said.

“Becoming a cyber warrior means devoting myself to serve my country,” he said in a war room packed with computers and wall-mounted flat screens at the school’s science library.

South Korea, a key U.S. ally, is one of the world’s most technologically advanced countries.

That makes its networks that control everything from electrical power grids to the banking system vulnerable against an enemy that has relatively primitive infrastructure and thus few targets against which the South can retaliate.

“In relative terms, it looks unfavorable because our country has more places to defend, while North Korea barely uses or provides internet,” said Noh.

Last year, South Korea estimated that the North’s “cyber army” had doubled in size over two years to 6,000 troops, and the South has been scrambling to ramp up its capability to meet what it considers to be a rising threat.

The United States and South Korea announced efforts to strengthen cooperation on cyber security, including “deepening military-to-military cyber cooperation,” the White House said during President Park Geun-hye’s visit to Washington in October.

In addition to the course at Korea University, the national police has been expanding its cyber defense capabilities, while the Ministry of Science, ICT and Future Planning started a one-year program in 2012 to train so-called “white hat” – or ethical – computer hackers.

NORTH’S CYBER OFFENSIVES

Still, the North appears to have notched up successes in the cyber war against both the South and the United States.

Last week, South Korean police said the North hacked into more than 140,000 computers at 160 South Korean companies and government agencies, planting malicious code under a long-term plan laying groundwork for a massive cyber attack against its rival.

In 2013, Seoul blamed the North for a cyber attack on banks and broadcasters that froze computer systems for over a week.

North Korea denied responsibility.

The U.S. Federal Bureau of Investigation has blamed Pyongyang for a 2014 cyber attack on Sony Pictures’ network as the company prepared to release “The Interview,” a comedy about a fictional plot to assassinate North Korean leader Kim Jong Un. The attack was followed by online leaks of unreleased movies and emails that caused embarrassment to executives and Hollywood personalities.

North Korea described the accusation as “groundless slander.”

South Korea’s university cyber defense program selects a maximum of 30 students each year, almost all of them men. On top of free tuition, the school provides 500,000 won ($427) per month support for each student for living expenses, according to Korea University Professor Jeong Ik-rae.

The course trains pupils in disciplines including hacking, mathematics, law and cryptography, with students staging mock hacking attacks or playing defense, using simulation programs donated by security firms, he said.

The admission to the selective program entails three days of interviews including physical examinations, attended by military officials along with the school’s professors, he said.

While North Korea’s cyber army outnumbers the South’s roughly 500-strong force, Jeong said a small group of talented and well-trained cadets can be groomed to beat the enemy.

Jeong, an information security expert who has taught in the cyber defense curriculum since 2012, said the school benchmarks itself on Israel’s elite Talpiot program, which trains gifted students in areas like technology and applied sciences as well as combat. After graduating, they focus on areas like cybersecurity and missile defense.

“It’s very important to have skills to respond when attacks happen – not only to defend,” Jeong said.

(Editing by Tony Munroe and Raju Gopalakrishnan)

Massive cyber attack could trigger NATO response: Stoltenberg

NATO Secretary-General Jens Stoltenberg

BERLIN (Reuters) – A major cyber attack could trigger a collective response by NATO, NATO Secretary General Jens Stoltenberg said in an interview published by Germany’s Bild newspaper on Thursday.

“A severe cyber attack may be classified as a case for the alliance. Then NATO can and must react,” the newspaper quoted Stoltenberg as saying. “How, that will depend on the severity of the attack.”

He spoke after a decision this week by NATO ministers to designate cyber as an official operational domain of warfare, along with air, sea, and land.

In 2014 the U.S.-led alliance assessed that cyber attacks could potentially trigger NATO’S mutual defense guarantee, or Article 5. That means NATO could potentially respond to a cyber attack with conventional weapons, although the response would be decided by consensus.

The NATO chief told Bild that the alliance needed to adjust to the increasingly complex series of threats it faces, which is why NATO members have agreed to defend against attacks in cyberspace just as they do against attacks launched against targets on land, in the air and at sea.

The United States and other NATO states have become increasingly vocal about cyber attacks launched from Russia, China and Iran, but officials say it remains hard to determine if such attacks stem from government bodies or private groups.

Recognizing cyber as an official domain of warfare will allow NATO to improve planning and better manage resources, training and personnel needs for cyber defense operations, said a NATO official, speaking on condition of anonymity.

The official stressed that NATO’s cyber activities would remain purely defensive. “We have no offensive cyber doctrine or offensive cyber capability. And there are no plans for NATO as a body to use such capabilities. NATO’s core cyber defense task is to defend NATO’s own networks,” said the official.

Individual members have already declared cyber an operational warfare domain, including the United States, which said in 2011 that it would respond to hostile attacks in cyberspace as it would to any other threat.

(Reporting by Andrea Shalal; Editing by Dan Grebler and Mark Heinrich)

NATO likely to designate cyber as operational domain of war

A NATO flag flies at the Alliance headquarters in Brussels during a NATO ambassadors meeting on the situation in Ukraine and the Crimea region

BERLIN (Reuters) – NATO members will likely agree during a summit meeting in Warsaw next month to designate cyber as an official operational domain of warfare, along with air, sea, land and space, a senior German defense ministry official said Wednesday.

Major General Ludwig Leinhos, who heads the German military’s effort to build up a separate cyber command, told a conference at the Berlin air show that he expected all 28 NATO members to agree to the change during the coming Warsaw summit.

Leinhos, who previously held a senior job at NATO headquarters, said he also expected NATO members to agree to intensify their efforts in the cyber security arena.

The United States announced in 2011 that it viewed cyberspace as an operational domain of war, and said it would respond to hostile attacks in cyberspace as it would to any other threat.

Evert Dudok, a senior official with Europe’s largest aerospace company Airbus Group SE, called for adoption of Europe-wide or global standards in the cyber arena.

(Reporting by Andrea Shalal)

Trail in cyber heist suggests hackers were Chinese: senator

Bangladesh central bank

By Karen Lema

MANILA (Reuters) – A Philippine senator said on Wednesday that Chinese hackers were likely to have pulled off one of the world’s biggest cyber heists at the Bangladesh central bank, citing the network of Chinese people involved in the routing of the stolen funds through Manila.

Unidentified hackers infiltrated the computers at Bangladesh Bank in early February and tried to transfer a total of $951 million from its account at the Federal Reserve Bank of New York.

All but one of the 35 attempted transfers were to the Rizal Commercial Banking Corp (RCBC), confirming the Philippines’ centrality to the heist.

Most transfers were blocked, but a total of $81 million went to four accounts at a single RCBC branch in Manila. The stolen money was swiftly transferred to a foreign exchange broker and distributed to casinos and gambling agents in Manila.

“The hacking was done, chances are, by Chinese hackers,” Senator Ralph Recto told Reuters in a telephone interview. “Then they saw that, in the Philippines, RCBC particularly was vulnerable and sent the money over here.”

Beijing was quick to denounce the comments by Recto, vice chairman of the Senate Committee on Finance and a former head of the Philippines’ economic planning agency.

The suggestion that Chinese hackers were possibly involved was “complete nonsense” and “really irresponsible,” Chinese foreign ministry spokesman Lu Kang told reporters.

Recto said he couldn’t prove the hackers were Chinese, but was merely “connecting the dots” after a series of Senate hearings into the scandal.

At one hearing, a Chinese casino boss and junket operator called Kim Wong named two high-rolling gamblers from Beijing and Macau who he said had brought the stolen money into the Philippines. He displayed purported copies of their passports, showing they were mainland Chinese and Macau administrative region nationals respectively.

“BEST LEAD”

Wong, a native of Hong Kong who holds a Chinese passport, received almost $35 million of the stolen funds through his company and a foreign exchange broker.

The two Chinese named by Wong “are the best lead to determine who are the hackers,” said Recto. “Chances are… they must be Chinese.”

The whereabouts of the two high-rollers were unknown, Recto added, saying the Senate inquiry “may” seek help from the Chinese government to find them.

Recto also questioned the role of casino junket operators in the Philippines, saying many of them have links in Macau, the southern Chinese territory that is the world’s biggest casino hub. “There are junket operators who are from Macau, so it (the money) may find its way back to Macau,” he said.

A senior executive at a top junket operator in Macau told Reuters there was “no reason” to bring funds from the Philippines to Macau.

“This seems more like a political story in the Philippines,” he said, speaking anonymously because he was not authorized to talk to the media.

The U.S. State Department said in a report last month that the gaming industry was “a weak link” in the Philippines’ anti-money laundering regime.

Philrem, the foreign exchange agent, said it distributed the stolen $81 million to Bloomberry Resorts Corp, which owns and operates the upmarket Solaire casino in Manila; to Eastern Hawaii Leisure Company, which is owned by Wong; and to an ethnic Chinese man believed to be a junket operator in Manila.

Wong has returned $5.5 million to the Philippines’ anti-money laundering agency and has promised to hand over another $9.7 million. A portion of the money he received, he said, has already been spent on gambling chips for clients.

Solaire has told the Senate hearing that the $29 million that ended up with them was credited to an account of the Macau-based high-roller but it has managed to seize and confiscate $2.33 million in chips and cash.

(Writing by Andrew R.C. Marshall; Additional reporting by Farah Master in Hong Kong; Editing by Raju Gopalakrishnan)

U.S. hospitals face growing ransomware threat

The Hollywood Presbyterian Medical Center is pictured in Los Angeles

By Jim Finkle

(Reuters) – U.S. hospitals should brace for a surge in “ransomware” attacks by cyber criminals who infect and shut down computer networks, then demand payment in return for unlocking them, a non-profit healthcare group warned on Friday.

The Health Information Trust Alliance conducted a study of some 30 mid-sized U.S. hospitals late last year and found that 52 percent of them were infected with malicious software, HITRUST Chief Executive Daniel Nutkis told Reuters.

The most common type of malware was ransomware, Nutkis said, which was present in 35 percent of the hospitals included in the study of network traffic conducted by security software maker Trend Micro Inc.

Ransomware is malicious software that locks up data in computers and leaves messages demanding payment to recover the data. Last month, Hollywood Presbyterian Hospital in Los Angeles paid a ransom of $17,000 to regain access to its systems.

This week, an attack on MedStar Health forced the largest healthcare provider in Washington, D.C., to shut down much of its computer network. The Baltimore Sun reported a ransom of $18,500 was sought. MedStar declined to comment.

HITRUST said it expects such attacks to become more frequent because ransomware has turned into a profitable business for cyber criminals.

The results of the study, which HITRUST has yet to share with the public, demonstrate that hackers have moved away from focusing on stealing patient data, Nutkis said.

“If stuff isn’t working, they move on. If stuff is working, they keep doing it,” said Nutkis. “Organizations that are paying have considered their options, and unfortunately they don’t have a lot of options.”

Extortion has become more popular with cyber criminals because it is seen as a way to generate fast money, said Larry Whiteside, a healthcare expert with cyber security firm Optiv.

Stealing healthcare data is far more labor intensive, requiring attackers to keep their presence in a victim’s network undetected for months as they steal data, then they need to find buyers, he added.

“With ransomware I’m going to get paid immediately,” Whiteside said.

Frisco, Texas-based HITRUST’s board includes executives from Anthem, Health Care Services, Humana, UnitedHealth and Walgreens.

(Reporting by Jim Finkle; By Tiffany Wu)

Washington’s MedStar computers down for second day after virus

By Jim Finkle

(Reuters) – MedStar Health’s computer systems remained offline on Tuesday for the second straight day after the non-profit, one of the biggest medical service providers in the U.S. capital region, shut down parts of its network to stem the spread of a virus.

MedStar spokeswoman Ann Nickels said she did not know when the systems would be restored or what type of virus had infected the network.

“Medical services continue,” she said in an interview. When asked if elective procedures would be performed, she said that would determined “case by case.”

The non-profit, which runs 10 hospitals and some 250 outpatient facilities in Washington and Maryland, said Monday on its Facebook page that its computer network was infected by a virus that prevented some users from logging into the system early that day. MedStar quickly decided to take down “all system interfaces to prevent the virus from spreading” and moved to backup systems for paper record-keeping, the post said.

Nickels said she had no further information about the attack: “We are actively investigating.”

The FBI said on Monday that it was looking into the incident at MedStar, which is one of the largest medical providers to have operations interrupted by malicious software.

The discovery came after several recent attacks on U.S. hospitals by cyber extortionists using software known as ransomware, which encrypts data and demands that users pay to get it unlocked.

Last month, Hollywood Presbyterian Hospital in Los Angeles paid $17,000 to regain access to its systems after such an attack.

Security blogger Brian Krebs last week reported that Henderson, Kentucky-based Methodist Hospital declared a state of emergency after falling victim to a ransomware attack.

(Reporting by Jim Finkle; Additional reporting by Dustin Volz; Editing by Lisa Von Ahn)

FBI issues ransomware alert, requests help from U.S. businesses

ransomware

(Reuters) – The FBI is asking businesses and software security experts for emergency assistance in its investigation into a pernicious new type of “ransomware” virus used by hackers for extortion.

“We need your help!” the Federal Bureau of Investigation said in a confidential “Flash” advisory that was dated March 25 and obtained by Reuters over the weekend.

Ransomware is malicious software that encrypts a victim’s data so they cannot gain access to it on their computers, then offers to unlock the system in exchange for payment.

Friday’s FBI alert was focused on ransomware known as MSIL/Samas.A that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time.

The plea asked recipients to immediately contact the FBI’s CYWATCH cyber center if they find evidence that they have been attacked or have other information that might help in its investigation.

It is the latest in a series of FBI advisories and warnings from security researchers about new ransomware tools and techniques.

“This is basically becoming a national cyber emergency,” said Ben Johnson, co-founder of Carbon Black, a cyber security firm that on Friday uncovered another type of ransomware that seeks to attack PCs through infected Microsoft Word documents.

The FBI first reported on MSIL/Samas.A in a Feb. 18 alert that lacked the urgency of Friday’s warning. The February message contained some technicals details but did not call for help. It said that MSIL/Samas.A targets servers running out-of-date versions of a type of business software known as JBOSS.

In its latest report, the FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.

The FBI provided a list of technical indicators to help companies determine if they were victims of such an attack.

“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” the advisory said.

FBI representatives did not respond to requests for comment on the confidential warning.

The sectors hardest hit by ransomware include industries that rely on computer access for performing critical functions, such as healthcare and law enforcement. Publicly reported attacks in which hospitals and police have paid ransoms, then recovered data, has encouraged attackers to further target those groups, cyber security experts said.

(Reporting by Jim Finkle; editing by Grant McCool)

U.S. charges three Syrian hackers, Justice Department says

WASHINGTON (Reuters) – U.S. authorities have charged three Syrian nationals who are current or former members of the Syrian Electronic Army with multiple conspiracies related to computer hacking, the U.S. Justice Department said on Tuesday.

Ahmad Umar Agha, 22, and Firas Dardar, 27, were charged with a criminal conspiracy that included “a hoax regarding a terrorist attack” and “attempting to cause mutiny of the U.S. armed forces,” the department said in a statement. Dardar and Peter Romar, 36, were separately charged with other conspiracies, it said.

The FBI announced on Tuesday it was adding Agha and Dardar to its Cyber Most Wanted list and offering a reward of $100,000 for information leading to their arrest, the statement said.

Agha and Dardar, who are believed to reside in Syria, began their criminal activities in or around 2011 under the name of the Syrian Electronic Army in support of the Syrian government, the statement said.

In June 2015, the U.S. Army said it temporarily took down its website after the Syrian Electronic Army hacked into the site and posted messages.

(Reporting by Washington Newsroom)