Tag Archives: Cyber Attack

Chinese hackers behind U.S. ransomware attacks, security firms say

(Reuters) – Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said.

Ransomware, which involves encrypting a target’s computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.

But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.

“It is obviously a group of skilled of operators that have some amount of experience conducting intrusions,” said Phil Burdette, who heads an incident response team at Dell SecureWorks.

Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.

The victims included a transportation company and a technology firm that had 30 percent of its machines captured.

Security firms Attack Research, InGuardians and G-C Partners, said they had separately investigated three other similar ransomware attacks since December.

Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.

The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.

Asked about the allegations, China’s Foreign Ministry said on Tuesday that if they were made with a “serious attitude” and reliable proof, China would treat the matter seriously.

But ministry spokesman Lu Kang said China did not have time to respond to what he called “rumors and speculation” about the country’s online activities.

The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.

Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.

Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.

It is also possible, Burdette said, that companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and that spies or their associates were taking as much as they could on the way out. In one of Dell’s cases, the means of access by the team spreading ransomware was established in 2013.

The cyber security experts could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.

Dell said that some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a record of years of attacks of interest to the Chinese government, including those on U.S. defense companies and sites that draw Chinese minorities.

PAYMENT IN BITCOIN

Ransomware has been around for years, spread by some of the same people that previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.

In the past two years, better encryption techniques have often made it impossible for victims to regain access to their files without cooperation from the hackers. Many ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay.

Security software companies have warned that because the aggregate payoffs for ransomware gangs are increasing, more criminals will shift to it from credit card theft and other complicated scams.

The involvement of more sophisticated hackers also promises to intensify the threat.

InGuardians CEO Jimmy Alderson said one of the cases his company investigated appeared to have been launched with online credentials stolen six months earlier in a suspected espionage hack of the sort typically called an Advanced Persistent Threat, or APT.

“The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab,” Alderson said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Clarence Fernandez)

North Korea tried to hack South’s railway system, spy agency claims

SEOUL (Reuters) – North Korea has tried to hack into email accounts of South Korean railway workers in an attempt to attack the transport system’s control system, South Korea’s spy agency said on Tuesday.

South Korea has been on heightened alert against the threat of cyberattacks by North Korea after it conducted a nuclear test in January and a long-range rocket launch last month, triggering new U.N. sanctions.

South Korea had previously blamed the North for cyberattacks against its nuclear power operator. North Korea denied that.

South Korea’s National Intelligence Service (NIS) said in a statement it had interrupted the hacking attempt against the railway workers and closed off their email accounts.

The agency issued the statement after an emergency meeting with other government agencies on the threat of cyberattacks by the North.

The agency detected hacking attempts by the North against workers for two regional railway networks this year, the spy agency said.

“The move was a step to prepare for cyber terror against the railway transport control system,” the agency said.

It did not elaborate on what it thought North Korea’s specific objective was in hacking into the system. An agency official reached by telephone declined to comment.

North Korea has been working for years to develop the ability to disrupt or destroy computer systems that control public services such as telecommunications and other utilities, according to a defector from the North.

The United States accused North Korea of a cyberattack against Sony Pictures in 2014 that led to the studio cancelling the release of a comedy based on the fictional assassination of the country’s leader, Kim Jong Un.

North Korea denied the accusation.

In 2013, South Korea blamed the North for crippling cyber-attacks that froze the computer systems of its banks and broadcasters for days.

New fears of attacks on South Korea’s computer systems came as South Korean and U.S. troops conducted large-scale military exercises which North Korea denounced as “nuclear war moves” and threatened to respond with an all-out military offensive.

(Reporting by Jack Kim and Ju-min Park; Editing by Robert Birsel)

Mac ransomware caught before large number of computers infected

(Reuters) – The first known ransomware attack on Apple Inc’s Mac computers, which was discovered over the weekend, was downloaded more than 6,000 times before the threat was contained, according to a developer whose product was tainted with the malicious software.

Hackers infected Macs with the “KeRanger” ransomware through a tainted copy of Transmission, a popular program for transferring data through the BitTorrent peer-to-peer file sharing network.

So-called ransomware is a type of malicious software that restricts access to a computer system in some way and demands the user pay a ransom to the malware operators to remove the restriction.

KeRanger, which locks data on Macs so users cannot access it, was downloaded about 6,500 times before Apple and developers were able to thwart the threat, said John Clay, a representative for the open-source Transmission project.

That is small compared to the number of ransomware attacks on computers running Microsoft Corp’s Windows operating system. Cyber security firm Symantec Corp observed some 8.8 million attacks in 2014 alone.

Still, cyber security experts said they expect to see more attacks on Macs as the KeRanger hackers and other groups look for new ways to infect Mac computers.

“It’s a small number but these things always start small and ramp up huge,” said Fidelis Cybersecurity threat systems manager John Bambenek. “There’s a lot of Mac users out there and a lot of money to be made.”

Symantec, which sells anti-virus software for Macs, warned on its blog that “Mac users should not be complacent.” The post offered tips on protecting against ransomware.

The Transmission project provided few details about how the attack was launched.

“The normal disk image (was) replaced by the compromised one” after the project’s main server was hacked, said Clay.

He added that “security on the server has since been increased” and that the group was in “frequent contact” with Apple as well as Palo Alto Networks, which discovered the ransomware on Friday and immediately notified Apple and Transmission.

An Apple representative said the company quickly took steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs.

Transmission responded by removing the malicious 2.90 version of its software from its website. On Sunday, it released version 2.92, which its website says automatically removes the ransomware from infected Macs.

Forbes earlier reported on the number of KeRanger downloads, citing Clay.

(Reporting by Jim Finkle; Editing by Cynthia Osterman and Bill Rigby)

National Guard may join cyber offense against Islamic State, Carter says

JOINT BASE LEWIS-MCCHORD, Washington (Reuters) – U.S. Defense Secretary Ash Carter said the National Guard’s cyber squadrons will play an increasingly important role in assessing the vulnerabilities of U.S. industrial infrastructure and could be asked to join the fight against Islamic State.

The National Guard – a reserve military force that resides in the states but can be mobilized for national needs – is a key part of the military’s larger effort to set up over 120 cyber squadrons to respond to cyber attacks and prevent them.

One such unit, the 262nd squadron, is a 101-person team that includes employees of Microsoft Corp and Alphabet Inc’s Google. The unit is “famous throughout the country” for several high profile vulnerability assessments, Carter said at the Joint Base Lewis-McChord in Tacoma, Washington late on Friday.

He told reporters the squadron was not currently engaging in offensive cyber missions but could be in the future.

“Units like this can also participate in offensive cyber operations of the kind that I have stressed we are conducting, and actually accelerating, in Iraq and Syria, to secure the prompt defeat of ISIL, which we need to do and will do,” Carter said. “We’re looking for ways to accelerate that, and cyber’s one of them.”

The 262nd squadron’s work includes a study last year on the control system used by Snohomish County Public Utility District in Washington state, which helped the utility strengthen its security, and a 2010 case in which the U.S. Air Force briefly lost contact with 50 Minuteman III intercontinental ballistic missiles.

The 2010 assessment cost about $20,000, much less than the $150,000 that a private sector company would likely charge, said Lieutenant Colonel Kenneth Borchers, deputy commander of the 252nd Cyber Operations Group, which oversees the 262nd squadron.

Borchers said the squadron is the only National Guard group that currently assesses industrial control systems, but it is now looking to train others. It is also studying the security of big weapons programs, such as the B-52 bomber.

Using National Guard units for such work made sense because it allowed the military to benefit from private sector cyber experts, Carter said.

“It brings in the high-tech sector in a very direct way to the mission of protecting the country,” he told reporters. “And we’re absolutely going to do more of it.”

(Reporting by Andrea Shalal, editing by Tiffany Wu)

NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on the U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)

IRS notifying more taxpayers about potential data breach

Hackers may have accessed the tax transcripts of approximately 724,000 United States taxpayers by using stolen personal information, the Internal Revenue Service announced Friday.

The agency also said hackers targeted another 576,000 accounts, but could not access them.

The announcement followed a nine-month investigation into its “Get Transcript” application.

The tool was launched in January 2014 and gave taxpayers a way to download or order several years of their transcripts through the IRS website.

However, the agency announced last May that “criminals” had been able to access other tax histories that were not their own by using personal information that had been stolen elsewhere.

The IRS originally announced that about 114,000 transcripts may have been improperly accessed, while hackers targeted another 111,000 but were unsuccessful in their attempts.

The tool has been offline ever since while officials searched for other suspicious activity.

The Treasury Inspector General for Tax Administration (TIGTA) has handled the investigations.

In August, the IRS announced TIGTA found about another 220,000 cases of potential breaches since “Get Transcript” debuted, and about 170,000 more unsuccessful suspicious attempts.

On Friday, the IRS announced TIGTA’s latest review found about 390,000 potential additional cases of improper access, and some 295,000 cases where tax data was targeted but not obtained.

The IRS noted that some of the attempts might not have been malicious.

“It is possible that some of those identified may be family members, tax return preparers or financial institutions using a single email address to attempt to access more than one account,” it said in a statement, though added it is notifying all of the affected taxpayers as a precaution.

The latest wave of taxpayers will be notified through the mail beginning Feb. 29, the IRS said.

“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” IRS Commissioner John Koskinen said in Friday’s announcement. “We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed.”

The agency is offering all affected taxpayers free identity theft protection services and the chance to obtain an identity protection PIN, which helps protect Social Security numbers on returns.

U.S. planned major cyber attack on Iran if diplomacy failed, NYT reports

WASHINGTON (Reuters) – The United States had a plan for an extensive cyber attack on Iran in case diplomatic attempts to curtail its nuclear program failed, The New York Times reported on Tuesday, citing a forthcoming documentary and military and intelligence officials.

Code-named Nitro Zeus, the plan was aimed at crippling Iran’s air defenses, communications systems and key parts of its electrical power grid, but was put on hold after a nuclear deal was reached last year, the Times said.

The plan developed by the Pentagon was intended to assure President Barack Obama that he had alternatives to war if Iran moved against the United States or its regional allies, and at one point involved thousands of U.S. military and intelligence personnel, the report said. It also called for spending tens of millions of dollars and putting electronic devices in Iran’s computer networks, the Times said.

U.S. intelligence agencies at the same time developed a separate plan for a covert cyberattack to disable Iran’s Fordo nuclear enrichment site inside a mountain near the city of Qom, the report said.

The existence of Nitro Zeus was revealed during reporting on a documentary film called “Zero Days” to be shown on Wednesday at the Berlin Film Festival, the Times said. The film describes rising tensions between Iran and the West in the years before the nuclear agreement, the discovery of the Stuxnet cyberattack on the Natanz uranium enrichment plant, and debates in the Pentagon over the use of such tactics, the paper reported.

The Times said it conducted separate interviews to confirm the outlines of the program, but that the White House, the Department of Defense and the Office of the Director of National Intelligence all declined to comment, saying that they do not discuss planning for military contingencies.

There was no immediate response to a request by Reuters for comment from the Pentagon.

(Reporting by Eric Walsh; Editing by Chris Reese)

Ex-government employee pleads guilty in nuclear secrets cyber attack scheme

A former government employee who was accused of trying to orchestrate a cyber attack against computers that contained information about nuclear weapons pleaded guilty to a federal computer crime, the Department of Justice announced in a news release on Tuesday afternoon.

Prosecutors said 62-year-old Charles Harvey Eccleston, a former employee of the Nuclear Regulatory Commission, admitted his guilt in the attempted “spear-phishing” attack that took place last January. Eccleston was arrested after an undercover operation in which prosecutors said the accused dealt with FBI employees who had been posing as foreign government officials.

Spear-phishing is a type of cyber attack in which people send authentic-looking emails to their targets, encouraging the recipients to open them. However, the emails contain malicious code.

According to the Department of Justice, Eccleston sent an email that he believed contained a virus to about 80 Department of Energy employees, thinking the code would allow a foreign country to infiltrate or harm their computers. Prosecutors said Eccleston targeted employees “whom he claimed had access to information related to nuclear weapons or nuclear materials.”

The code was harmless and was actually crafted by the FBI, according to the release.

Eccleston, who thought he would be paid roughly $80,000 for sending the spear-phishing email, was arrested last March during a meeting with an undercover FBI employee, prosecutors said.

“Eccleston admitted that he attempted to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent of allowing foreign nations to gain access to that information or to damage essential systems,” Assistant Attorney General John P. Carlin said in a statement announcing the guilty plea.

Prosecutors said Eccleston was fired from his job with the Nuclear Regulatory Commission in 2010. He moved to the Philippines the following year and had been living there until his arrest.

The alleged cyber attack wasn’t the first time that law enforcement heard Eccleston’s name.

Prosecutors said the FBI first learned about Eccleston in 2013 after he walked into an embassy in the Philippines and offered to sell a list of 5,000 U.S. government email accounts for $18,800. If the nation wasn’t interested, Eccleston said he would offer the list to China, Iran or Venezuela.

That November, the FBI sent undercover employees to meet with Eccleston and had them pose as foreign government officials. One FBI employee bought a list of 1,200 email addresses for $5,000, prosecutors said, though an investigation found the accounts were publicly available.

Prosecutors said Eccleston communicated with the employees for “several months,” and offered to help design the spear-phishing emails during a meeting with an undercover FBI employee in June 2014. He made the bogus emails look like advertisements for a nuclear energy conference.

Eccleston pleaded guilty to attempted unauthorized access and intentional damage to a protected computer and faces 24 to 30 months in prison and a $95,000 fine when he is sentenced in April, prosecutors announced.

U.S. utilities worry about cyber cover after Ukraine grid attack

(Reuters) – U.S. utilities are looking hard at their cyber vulnerabilities and whether they can get insurance to cover what could be a multi-billion dollar loss after hackers cut electric power to more than 80,000 Ukrainians last month.

The Dec. 23 incident in Ukraine was the first cyber attack to cause a power outage, and is one of just a handful of incidents in which computer hacking has caused physical effects on infrastructure rather than the loss or theft of electronic data.

A similar attack in the United States could cripple utilities and leave millions of people in the dark, costing the economy more than $200 billion, an insurance study estimated last year.

Security experts, insurance brokers, insurers and attorneys representing utilities told Reuters that the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.

“People in the insurance industry never did a great job clarifying the scope of coverage,” said Paul Ferrillo, an attorney with Weil, Gotshal & Manges who advises utilities.

Cyber insurance typically covers the cost of attacks involving stolen personal data. Some general property and liability policies may cover physical damage from cyber attacks, but insurers do not always provide clear answers about coverage for industrial firms, said Ben Beeson, a partner with broker Lockton Companies.

That has led to some unease among U.S. utilities.

“When you get these kind of headline-grabbing cyber incidents, there is obviously a flurry of interest,” said Dawn Simmons, an executive with Associated Energy and Gas Insurance Services, or AEGIS, a U.S. mutual insurer that provides coverage to its 300 or so members.

Getting a policy that includes cyber property damage is not cheap.

Sciemus Cyber Ltd, a specialty insurer at the Lloyd’s of London insurance market, charges energy utilities roughly $100,000 for $10 million in data breach insurance. The price balloons to as much as seven times that rate to add coverage for attacks that cause physical damage, said Sciemus Chief Executive Rick Welsh.

INDUSTRY WARNINGS

Security experts have warned for several years that a cyber attack could cause power outages due to the growing reliance on computer technology in plants that is accessible from the Internet.

In the Ukraine attack, hackers likely gained control of systems remotely, then switched breakers to cut power, according to an analysis by the Washington-based SANS Institute. Ukraine’s state security service blamed Russia for the attack, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as Sandworm Team.

Utilities are now trying to determine if they have insurance to cover these kinds of attacks, and if not, whether they need it, said Patrick Miller, founder of the Energy Sector Security Consortium, an industry group that shares information on cyber threats.

American Electric Power Company Inc, Duke Energy Corp, Nextera Energy Inc and PG&E Corp are among publicly-traded utility companies that have warned of their exposure to cyber risks in their most recent annual reports to securities regulators, and that their insurance coverage might not cover all expenses related to an attack.

Representatives with AEP, Duke and PG&E declined to disclose the limits of their insurance. Officials with Nextera could not be reached for comment.

The potential costs of an attack in the United States are huge. Last year Lloyd’s and the University of Cambridge released a 65-page study estimating that simultaneous malware attacks on 50 generators in the Northeastern United States could cut power to as many as 93 million people, resulting in at least $243 billion in economic damage and $21 billion to $71 billion in insurance claims.

The study called such a scenario improbable but “technologically possible.”

There are precedents, including the 2010 ‘Stuxnet’ attack that damaged centrifuges at an Iranian uranium enrichment facility and the 2012 ‘Shamoon’ campaign that crippled business operations at Saudi Aramco and RasGas by wiping drives on tens of thousands of PCs.

In late 2014, the German government reported that hackers had damaged an unnamed steel mill, the first attack that damaged industrial equipment. Details remain a mystery.

AMBIGUITY OVER COVERAGE

“It’s getting a little competitive just to get a carrier quoting your policy,” said Lynda Bennett, an attorney with Lowenstein Sandler, who helps businesses negotiate insurance. Some insurers have cut back on cyber coverage in response to the increase in the number and types of breaches, she added.

American International Group Inc, for example, will only write cyber policies over $5 million for a power utility after an in-depth review of its technology, including the supervisory control and data acquisition (SCADA) systems that remotely control grid operations.

“There are companies that we have walked away from providing coverage to because we had concerns about their controls,” said AIG executive Tracie Grella.

AIG and AEGIS declined to discuss pricing of policies. It seems likely they will find coverage more in demand after the Ukraine attack.

“A lot more companies will be asked by their stakeholders internally: Do we have coverage for this type of thing?” said Robert Wice, an executive with Beazley Plc, which offers cyber insurance. “Whether they actually start to buy more or not will depend on pricing.”

(Reporting by Jim Finkle; Additional reporting by Rory Carroll; Editing by Bill Rigby)

Ukraine to review cyber defenses after airport targeted from Russia

KIEV (Reuters) – Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev’s main airport was launched from a server in Russia, officials told Reuters on Monday.

Malware similar to that which attacked three Ukrainian power firms in late December was detected last week in a computer in the IT network of Kiev’s main airport, Boryspil. The network includes the airport’s air traffic control.

Although there is no suggestion at this stage that Russia’s government was involved, the cyber attacks have come at a time of badly strained relations between Ukraine and Russia over a nearly two-year-long separatist conflict in eastern Ukraine.

“In connection with the case in Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry,” said Irina Kustovska, a spokeswoman for Ukraine’s infrastructure ministry, which oversees airports, railways and ports.

Ukraine’s state-run Computer Emergency Response Team (CERT-UA) issued a warning on Monday of the threat of more attacks.

“The control center of the server, where the attacks originate, is in Russia,” military spokesman Andriy Lysenko said by telephone, adding that the malware had been detected early in the airport’s system and no damage had been done.

A spokeswoman for the airport said Ukrainian authorities were investigating whether the malware was connected to a malicious software platform known as “BlackEnergy”, which has been linked to other recent cyber attacks on Ukraine. There are some signs that the attacks are linked, she said.

“Attention to all system administrators … We recommend a check of log-files and information traffic,” CERT-UA said in a statement.

In December three Ukrainian regional power firms experienced short-term blackouts as a result of malicious software in their networks. Experts have described the incident as the first known power outage caused by a cyber attack.

A U.S. cyber intelligence firm in January traced the attack back to a Moscow-backed group known as Sandworm.

The Dec. 23 outage at Western Ukraine’s Prykarpattyaoblenergo cut power to 80,000 customers for about six hours, according to a report from a U.S. energy industry security group.

Ukraine’s SBU state security service has blamed Russia, but the energy ministry said it would hold off on attribution until after it completes a formal probe.

(Editing by Matthias Williams and Gareth Jones)