Cyber firms, Ukraine warn of planned Russian attack

Power lines are seen near the Trypillian thermal power plant in Kiev region, Ukraine November 23, 2017. REUTERS/Valentyn Ogirenko

By Jim Finkle and Pavel Polityuk

TORONTO/KIEV (Reuters) – Cisco Systems Inc warned on Wednesday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malicious software – activity Ukraine said was preparation for a future Russian cyber attack.

Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack against Ukraine ahead of the Champions League soccer final, due to be held in Kiev on Saturday.

“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final,” it said in a statement after Cisco’s findings were released.

Russia has previously denied assertions by Ukraine, the United States, other nations and Western cyber-security firms that it is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and to interfere in the 2016 U.S. presidential election.

The Kremlin did not immediately respond to a request for comment submitted by Reuters on Wednesday.

Cisco said the new malware, dubbed VPNFilter, could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

“With a network like this you could do anything,” Williams told Reuters.

CONSTITUTION DAY ATTACK

The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the Cyber Threat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.

Members include Cisco, Check Point Software Technologies Ltd, Fortinet Inc, Palo Alto Networks Inc, Sophos Group Plc and Symantec Corp.

“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.

The devices infected with VPNFilter are scattered across at least 54 countries, but Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.

Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is poised to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.

Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.

They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.

VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.

The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects devices and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.

The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.

(Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich)

Russia: our response to U.S. sanctions will be precise and painful

FILE PHOTO: A view shows a tower of the Kremlin (R) and the Foreign Ministry headquarters (back) in Moscow, Russia March 16, 2018. REUTERS/Maxim Shemetov/File Photo

MOSCOW (Reuters) – Valentina Matvienko, the speaker of the Russian upper house of parliament, said on Wednesday that Moscow’s response to U.S. sanctions will be targeted and painful, Russian news agencies reported.

The United States this month added several Russian firms and officials to a sanctions blacklist in response to what it said were the Kremlin’s “malign activities”. Moscow says those sanctions are unlawful and has warned that it will retaliate.

“No one should be under any illusions,” Matvienko, who is closely aligned with the Kremlin, was quoted as saying by the Interfax news agency.

“Russia’s response to the sanctions, our so-called counter-sanctions, will be precise, painful, and without question sensitive for exactly those countries that imposed them (the sanctions) on Russia,” she was quoted as saying.

“Sanctions are a double-edged sword and those who impose them should understand that sanctions against countries, especially those like Russia, will carry with them risks of serious consequences for those who impose them.”

Lawmakers in the lower house of the Russian parliament have drawn up legislation that would give the government powers to ban or restrict imports of U.S. goods and services ranging from medicines to software and rocket engines. However, the Kremlin has not yet said if it backs such measures.

A senior U.S. administration official said on Monday President Donald Trump has delayed imposing additional sanctions on Russia and is unlikely to approve them unless Moscow carries out a new cyber attack or some other provocation.

(Reporting by Maria Kiselyova; Writing by Christian Lowe; Editing by Catherine Evans)

Iran hit by global cyber attack that left U.S. flag on screens

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

DUBAI (Reuters) – Hackers have attacked networks in a number of countries including data centers in Iran where they left the image of a U.S. flag on screens along with a warning: “Don’t mess with our elections”, the Iranian IT ministry said on Saturday.

“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country,” the Communication and Information Technology Ministry said in a statement carried by Iran’s official news agency IRNA.

The statement said the attack, which hit internet service providers and cut off web access for subscribers, was made possible by a vulnerability in routers from Cisco which had earlier issued a warning and provided a patch that some firms had failed to install over the Iranian new year holiday.

A blog published on Thursday by Nick Biasini, a threat researcher at Cisco’s Talos Security Intelligence and Research Group, said: “Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol…

“As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths.”

On Saturday evening, Cisco said those postings were a tool to help clients identify weaknesses and repel a cyber attack.

Iran’s IT Minister Mohammad Javad Azari-Jahromi posted a picture of a computer screen on Twitter with the image of the U.S. flag and the hackers’ message. He said it was not yet clear who had carried out the attack.

Azari-Jahromi said the attack mainly affected Europe, India and the United States, state television reported.

“Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” Azari-Jahromi was quoted as saying.

In a tweet, Azari-Jahromi said the state computer emergency response body MAHER had shown “weaknesses in providing information to (affected) companies” after the attack which was detected late on Friday in Iran.

Hadi Sajadi, deputy head of the state-run Information Technology Organisation of Iran, said the attack was neutralized within hours and no data was lost.

(Reporting by Dubai newsroom, additional reporting by Dustin Volz in Washington; editing by Ros Russell and G Crosse)

Saks, Lord & Taylor hit by payment card data breach

The Lord & Taylor flagship store building is seen along Fifth Avenue in the Manhattan borough of New York City, U.S., October 24, 2017. REUTERS/Shannon Stapleton

By Jim Finkle and David Henry

TORONTO/NEW YORK (Reuters) – Retailer Hudson’s Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.

One cyber security firm said that it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case.

Toronto-based Hudson’s Bay said in a statement that it had “taken steps to contain” the breach but did not say it had succeeded in confirming that its network was secure. It also did not say when the breach had begun or how many payment card numbers were taken.

“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.

A company spokeswoman declined to elaborate.

The breach comes as Hudson’s Bay struggles to improve its financial performance as a tough retail environment has weighed on sales and margins. Last June, it launched a transformation plan to cut costs and is working to monetize the value of its substantial real estate holdings.

Hudson’s Bay disclosed the incident after New York-based cyber security firm Gemini Advisory reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group known as JokerStash.

JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.

The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson’s Bay units, Chorine told Reuters by telephone.

The bulk of the 5 million card numbers that JokerStash said it plans to release are likely from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.

“It’s hard to assess at the moment, primarily because hackers have not released the entire cards in one batch,” he told Reuters.

Alex Holden, chief information security officer with cyber security firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson’s Bay.

If in fact millions of records were stolen, the breach would be one of the largest involving payment cards in the past year, but it would still be far smaller than any of the biggest thefts on record, which occurred a decade ago.

Hackers stole more than 130 million credit cards from credit-card processor Heartland Payment Systems, convenience store operator 7-Eleven Inc and grocer Hannaford Brothers Co, from 2006 to 2008, according to U.S. federal investigators.

Cyber criminals stole some 40 million payment cards in a 2013 hack on Target Corp and 56 million from Home Depot Inc in 2014.

Hudson’s Bay said there is no indication its recent breach involved online sales at Saks and Lord & Taylor outlets or its Hudson’s Bay, Home Outfitters and HBC Europe units.

The company said that customers will not be liable for fraudulent charges resulting from the breach.

(Reporting by Jim Finkle in Toronto and David Henry in New York; Editing by Bill Rigby and Steve Orlofsky)

With paper and phones, Atlanta struggles to recover from cyber attack

By Laila Kearney

ATLANTA (Reuters) – Atlanta’s top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyber attack that plunged the Southeastern U.S. metropolis into technological chaos and forced some city workers to revert to paper.

On an Easter and Passover holiday weekend, city officials labored in preparation for the workweek to come.

Police and other public servants have spent the past week trying to piece together their digital work lives, recreating audit spreadsheets and conducting business on mobile phones in response to one of the most devastating “ransomware” virus attacks to hit an American city.

Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists attacked Atlanta’s computer network with a virus that scrambled data and still prevents access to critical systems.

“It’s extraordinarily frustrating,” said Councilman Howard Shook, whose office lost 16 years of digital records.

One compromised city computer seen by Reuters showed multiple corrupted documents with “weapologize” and “imsorry” added to file names.

Ransomware attacks have surged in recent years as cyber extortionists moved from attacking individual computers to large organizations, including businesses, healthcare organizations and government agencies. Previous high-profile attacks have shut down factories, prompted hospitals to turn away patients and forced local emergency dispatch systems to move to manual operations.

Ransomware typically corrupts data and does not steal it. The city of Atlanta has said it does not believe private residents’ information is in the hands of hackers, but it does not know for sure.

City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department.

Nearly 6 million people live in the Atlanta metropolitan area. The Georgia city itself is home to more than 450,000 people, according to the latest data from the U.S. Census Bureau.

City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files.

“Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.

City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.

Noble discovered the disarray on March 22 when she turned on her computer to discover that files could not be opened after being encrypted by a powerful computer virus known as SamSam that renamed them with gibberish.

“I said, ‘This is wrong,’” she recalled.

City officials then quickly entered her office and told her to shut down the computer before warning the rest of the building.

Noble is working on a personal laptop and using her smartphone to search for details of current projects mentioned in emails stored on that device.

Not all computers were compromised. Ten of 18 machines in the auditing office were not affected, Noble said.

OLD-SCHOOL ANALOG

Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.

“Our data management teams are working diligently to restore normal operations and functionalities to these systems and hope to be back online in the very near future,” he said. By the weekend, he added, officers were returning to digital police reports.

Meanwhile, some city employees complained they have been left in the dark, unsure when it is safe to turn on their computers.

“We don’t know anything,” said one frustrated employee as she left for a lunch break on Friday.

FEEBLE

Like City Hall, whose 1930 neo-Gothic structure is attached to a massive modern wing, the city’s computer system is a combination of old and new.

“One of the reasons why municipalities are vulnerable is we just have so many different systems,” Noble said.

The city published results from a recent cyber-security audit in January, and had started implementing its recommendations before the ransomware virus hit. The audit called for better record-keeping and hiring more technology workers.

Councilman Shook said he is worried about how much the recovery will cost the city, but that he supports funding a cyber-security overhaul to counter future attacks.

For now his staff are temporarily sharing one aging laptop.

“Things are very slow,” he said. “It was a very surreal experience to be shut down like that.”

Mayor Keisha Lance Bottoms, who took office in January, has declined to say if the city paid the ransom ahead of a March 28 deadline mentioned in an extortion note whose image was released by a local television station.

Shook, who chairs the city council’s finance subcommittee, said he did not know whether the city is negotiating with the hackers, but that it appears no ransom has been paid to date.

The Federal Bureau of Investigation, which is helping Atlanta respond, typically discourages ransomware victims from paying up.

FBI officials could not immediately be reached for comment. A Department of Homeland Security spokesman confirmed the agency is helping Atlanta respond to the attack, but declined to comment further.

Hackers typically walk away when ransoms are not paid, said Mark Weatherford, a former senior DHS cyber official.

Weatherford, who previously served as California’s chief information security officer, said the situation might have been resolved with little pain if the city had quickly made that payment.

“The longer it goes, the worse it gets,” he said. “This could turn out to be really bad if they never get their data back.”

(Reporting by Laila Kearney; additional reporting by Jim Finkle; editing by Daniel Bases and Jonathan Oatis)

U.S. blames Russia for crippling 2017 ‘NotPetya’ cyber attack

A man poses inside a server room at an IT company in this June 19, 2017 illustration photo. REUTERS/Athit Perawongmetha/Illustration

By Dustin Volz

WASHINGTON (Reuters) – The United States on Thursday publicly blamed Russia for carrying out the so-called NotPetya cyber attack last year that crippled government and business computers in Ukraine before spreading around the world.

The statement by the White House came hours after the British government attributed the attack to Russia, a conclusion already reached and made public by many private sector cyber security experts.

The attack in June of 2017 “spread worldwide, causing billions of dollars in damage across Europe, Asia and the Americas,” White House Press Secretary Sarah Sanders said in a statement.

“It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict,” Sanders added. “This was also a reckless and indiscriminate cyber attack that will be met with international consequences.”

Earlier on Thursday Russia denied an accusation by the British government that it was behind the attack, saying it was part of a “Russophobic” campaign that it said was being waged by some Western countries.

(Reporting by Dustin Volz; Editing by Susan Heavey and Bill Rigby)

Thousands of FedEx customer records exposed by unsecured server

FILE PHOTO: A FedEx Office logo is pictured in Times Square in the Manhattan borough of New York, NY, U.S., April 2, 2017. REUTERS/Carlo Allegri/File Photo

By Eric M. Johnson

(Reuters) – Global package delivery company FedEx Corp said on Thursday it has secured some of the customer identification records that were visible earlier this month on an unsecured server, and so far has found no evidence that private data was “misappropriated.”

The server stored more than 119,000 scanned documents from U.S. and international citizens, such as passports, driving licenses, and security identification, according to a report from security research firm Kromtech.

Kromtech said its researchers found the unsecured server on Feb. 5 and it was closed to public access on Wednesday.

The data was stored on an Amazon S3 storage server and collected by a company FedEx acquired in 2014, Bongo International, which calculated international shipping prices and provided other services. FedEx later discontinued the service.

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” FedEx spokesman Jim McCluskey said in a statement.

“We have found no indication that any information has been misappropriated and will continue our investigation,” McCluskey said.

McCluskey declined to elaborate on what portion of the records were secure, or whether FedEx had notified authorities. The incident affected a tiny portion of FedEx customers globally.

The exposure appears far less disruptive than a cyber attack last year on FedEx’s Dutch TNT Express unit, which slashed $300 million from its quarterly profit.

The Memphis, Tennessee-based company joined a string of companies that reported big drops in earnings because of the NotPetya virus, which hit on June 29, crippling Ukraine businesses before spreading worldwide to shut down shipping ports, factories and corporate offices.

(Reporting by Eric M. Johnson in Seattle; Editing by Jonathan Oatis)

U.S. Energy Department forming cyber protection unit for power grids

Former Texas Governor Rick Perry, U.S. President-elect Donald Trump's pick to lead the Department of Energy, meets with Senate Majority Leader Mitch McConnell (R-KY) on Capitol Hill in Washington, U.S. January 4, 2017. REUTERS/Jonathan Ernst

WASHINGTON (Reuters) – The U.S. Department of Energy (DOE) said on Wednesday it is establishing an office to protect the nation’s power grid and other infrastructure against cyber attacks and natural disasters.

President Donald Trump’s budget proposal unveiled this week included $96 million in funding for the Office of Cybersecurity, Energy Security, and Emergency Response.

Energy Secretary Rick Perry said the DOE “plays a vital role in protecting our nation’s energy infrastructure from cyber threats, physical attack and natural disaster, and as secretary, I have no higher priority.”

Last July, the DOE helped U.S. firms defend against a hacking campaign that targeted power companies including at least one nuclear plant. The agency said that the attacks did not have an impact on electricity generation or the grid, and that any impact appeared to be limited to administrative and business networks.

The previous month, the U.S. Department of Homeland Security and the Federal Bureau of Investigation had issued an alert to industrial companies, warning that for months hackers had targeted nuclear reactors and other power industry infrastructure, using tainted emails to harvest credentials and gain access to networks.

In some cases hackers succeeded in compromising the networks of their targets, but the report did not identify specific victims.

Nuclear power experts, such as Dave Lochbaum at the Union of Concerned Scientists nonprofit group, have said reactors have a certain amount of immunity from cyber attacks because their operation systems are separate from digital business networks. But over time it would not be impossible for hackers to potentially do harm, he said.

(Reporting by Timothy Gardner; Editing by Jeffrey Benkoe)

More Russian cyber attacks on elections ‘likely’: U.S. intelligence chief

Federal Bureau of Investigation (FBI) Director Christopher Wray; Central Intelligence Agency (CIA) Director Mike Pompeo; and Director of National Intelligence (DNI) Dan Coats testify before a Senate Intelligence Committee hearing on "World Wide Threats" on Capitol Hill in Washington, U.S., February 13, 2018. REUTERS/Leah Millis

WASHINGTON (Reuters) – U.S. Director of National Intelligence Dan Coats said on Tuesday that Russia, as well as other foreign entities, were “likely” to pursue more cyber attacks on U.S. and European elections.

“Persistent and disruptive cyber operations will continue against the United States and our European allies using elections as opportunities to undermine democracy,” Coats said at an annual Senate Intelligence Committee hearing on worldwide threats.

(Reporting by Patricia Zengerle and Doina Chiacu; Editing by Bernadette Baum)

‘Olympic Destroyer’ malware targeted Pyeongchang Games: firms

Performers appear during the opening ceremonies at the 2018 Winter Olympics at the Pyeongchang Olympic Stadium in Pyeongchang, South Korea February 9, 2018. REUTERS/Christof Stache/File Photo

By Jim Finkle

(Reuters) – Several U.S. cyber security firms said on Monday that they had uncovered a computer virus dubbed “Olympic Destroyer” that was likely used in an attack on Friday’s opening ceremony of the Pyeongchang Winter Games.

Games organizers confirmed the attack on Sunday, saying that it affected internet and television services but did not compromise critical operations. Organizers did not say who was behind the attack or provide a detailed discussion of the malware, though a spokesman said that all issues had been resolved as of Saturday.

Researchers with cyber security firms Cisco Systems Inc, CrowdStrike and FireEye Inc said in blog posts and statements to Reuters on Monday that they had analyzed computer code they believed was used in Friday’s attack.

All three security companies said the Olympic Destroyer malware was designed to knock computers offline by deleting critical system files, which would render the machines useless.

The three firms said they did not know who was behind the attack.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” Cisco said in its blog.

The attack took the Olympics website offline, which meant that some people could not print out tickets and WiFi used by reporters covering the games did not work during the opening ceremony, according to Cisco.

The attack did not affect the performance of drones, which were initially scheduled to be included in the opening ceremony, but later pulled from the program, organizers said in a statement.

The drone light show was canceled because there were too many spectators standing in the area where it was supposed to take place, the statement said.

(Reporting by Jim Finkle in Toronto; Editing by David Gregorio, Andrew Hay and Cynthia Osterman)