Tag Archives: Cyber Attack

U.S. blames North Korea for ‘WannaCry’ cyber attack

U.S. blames North Korea for 'WannaCry' cyber attack

(In 13th paragraph of Dec. 18 item, corrects to indicate that a separate attack was launched in June that affected FedEx computers)

By Dustin Volz

WASHINGTON (Reuters) – The Trump administration has publicly blamed North Korea for unleashing the so-called WannaCry cyber attack that crippled hospitals, banks and other companies across the globe earlier this year.

“The attack was widespread and cost billions, and North Korea is directly responsible,” Tom Bossert, homeland security adviser to President Donald Trump, wrote in a piece published on Monday night in the Wall Street Journal.

“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” Bossert wrote. “WannaCry was indiscriminately reckless.”

The White House was expected to follow up on Tuesday with a more formal statement blaming Pyongyang, according to a senior administration official.

The U.S. government has assessed with a “very high level of confidence” that a hacking entity known as Lazarus Group, which works on behalf of the North Korean government, carried out the WannaCry attack, said the official, who spoke on condition of anonymity to discuss details of the government’s investigation.

Lazarus Group is widely believed by security researchers and U.S. officials to have been responsible for the 2014 hack of Sony Pictures Entertainment that destroyed files, leaked corporate communications online and led to the departure of several top studio executives.

North Korean government representatives could not be immediately reached for comment. The country has repeatedly denied responsibility for WannaCry and called other allegations about cyber attacks a smear campaign.

Washington’s public condemnation does not include any indictments or name specific individuals, the administration official said, adding the shaming was designed to hold Pyongyang accountable for its actions and “erode and undercut their ability to launch attacks.”

The accusation comes as worries mount about North Korea’s hacking capabilities and its nuclear weapons program.

‘PATTERN OF MISBEHAVING’

Many security researchers, including the cyber firm Symantec , as well as the British government, have already concluded that North Korea was likely behind the WannaCry attack, which quickly unfurled across the globe in May to infect more than 300,000 computers in 150 countries.

Considered unprecedented in scale at the time, WannaCry knocked British hospitals offline, forcing thousands of patients to reschedule appointments and disrupted infrastructure and businesses around the world.

The attack originally looked like a ransomware campaign, where hackers encrypt a targeted computer and demand payment to recover files. Some experts later concluded the ransom threat may have been a distraction intended to disguise a more destructive intent.

A separate but similar attack in June, known as NotPetya, hit Ukraine and other nations and caused an estimated $300 million in damages to international shipper FedEx.

Some researchers have said they believed WannaCry was deployed accidentally by North Korea as hackers were developing the code. The senior administration official declined to comment about whether U.S. intelligence was able to discern if the attack was deliberate.

“What we see is a continued pattern of North Korea misbehaving, whether destructive cyber attacks, hacking for financial gain, or targeting infrastructure around the globe,” the official said.

WannaCry was made possible by a flaw in Microsoft’s Windows software, which was discovered by the U.S. National Security Agency and then used by the NSA to build a hacking tool for its own use.

In a devastating NSA security breach, that hacking tool and others were published online by the Shadow Brokers, a mysterious group that regularly posts cryptic taunts toward the U.S. government.

The fact that WannaCry was made possible by the NSA led to sharp criticism from Microsoft President Brad Smith and others who believe the NSA should disclose vulnerabilities it finds so that they can be fixed, rather then hoarding that knowledge to carry out attacks.

Smith said WannaCry provided “yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”

U.S. officials have pushed back on those assertions, saying the administration discloses most computer flaws that government agencies detect.

Last month, the White House published its rules for deciding whether to disclose cyber security flaws or keep them secret as part of an effort to be more transparent about the inter-agency process involved in weighing disclosure.

(Reporting by Dustin Volz; Editing by Jonathan Weber and Peter Cooney)

Hackers halt plant operations in watershed cyber attack

Hackers halt plant operations in watershed cyber attack

By Jim Finkle

(Reuters) – Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.

FireEye Inc <FEYE.O> disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE <SCHN.PA>.

Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

FireEye and Schneider declined to identify the victim, industry or location of the attack. Cyber-security company Dragos said the hackers targeted an organization in the Middle East, while a second firm, CyberX, said it believe the victim was in Saudi Arabia.

It marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on breaking into utilities, factories and other types of critical infrastructure, cyber experts said.

Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.

Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant, said Galina Antova, co-founder of cyber-security firm Claroty.

“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”

In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system, then sought to reprogram controllers used to identify safety issues. Some controllers entered a fail safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.

FireEye believes the attacker’s actions inadvertently caused the shutdown while probing the system to learn how it worked, said Dan Scali, who led FireEye’s investigation.

The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event that the hackers intended to launch an attack that disrupted or damaged the plant, he said.

PUBLIC WARNINGS

The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.

CyberX Vice President Phil Neray said his firm found evidence that the malware was deployed in Saudi Arabia, which could suggest that Iran may be behind the attack.

Security researchers widely believe that Iran was responsible for a series of attacks on Saudi Arabian networks in 2012 and 2017 using a virus known as Shamoon.

Schneider provided Reuters with a customer security alert, dated Wednesday, which said it was working with the U.S. Department of Homeland Security to investigate the attack.

“While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the alert said.

Department of Homeland Security spokesman Scott McConnell said the agency was looking into the matter “to assess the potential impact on critical infrastructure.”

The malware, which FireEye has dubbed Triton, is only the third type of computer virus discovered to date that is capable of disrupting industrial processes.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The second, known as Crash Override or Industroyer, was discovered last year by researchers who said it was likely used in a December 2016 attack that cut power in Ukraine.

(Reporting by Jim Finkle in Toronto; Editing by Susan Thomas)

UK shipping firm Clarkson reports cyber attack

UK shipping firm Clarkson reports cyber attack

(Reuters) – British shipping services provider Clarkson Plc <CKN.L> on Wednesday said it was the victim of a cyber security hack and warned that the person or persons behind the attack may release some data shortly.

The company’s disclosure, while a relatively rare event in Britain, follows a series of high-profile hacks in corporate America.

Clarkson is one of the world’s main shipbrokers, sourcing vessels for the world’s largest producers and traders of natural resources. It also has a research operation which collects and analyses data on merchant shipping and offshore markets.

The London-headquartered company said it had been working with the police on the incident but did not provide any details about the scale or type of data stolen.

“As soon as it was discovered, Clarksons took immediate steps to respond to and manage the incident,” the company said.

“Our initial investigations have shown the unauthorized access was gained via a single and isolated user account which has now been disabled.”

The company said it is in the process of contacting potentially affected clients and individuals directly, and that it has been working with data security specialists to probe further.

(Reporting by Rahul B in Bengaluru; Editing by Maju Samuel and Patrick Graham)

Millions of insecure gadgets exposed in European cities: report

Millions of insecure gadgets exposed in European cities: report

LONDON (Reuters) – A year after a wave of denial-of-service attacks knocked out major websites around the world, millions of unsecured printers, network gear and webcams remain undefended against attack across major European cities, a report published on Tuesday said.

Computer security company Trend Micro <4704.T> said that Berlin has more than 2.8 million insecure devices, followed closely by London with more than 2.5 million exposed gadgets. Among the top 10 capitals, Rome was lowest with nearly 300,000 visible unsecured devices, the researchers said.

The study was based on calculating the number of exposed devices in major European cities using Shodan, a search engine that helps to identify internet-linked equipment.

Trend Micro said that electronics users must take responsibility for managing their own internet-connected devices because of the failure by many gadget manufacturers to build in up-front security by default in their products.

The warning comes one year after a wave of attacks using so-called botnets of infected devices caused outages on popular websites and knocked 900,000 Deutsche Telekom <DTEGn.DE> users off the internet. (http://reut.rs/2BjdRII)

Computer experts say the failure to patch millions of insecure devices after last year’s Mirai denial-of-service attacks means it is only a question of time before further broad-based outages occur.

Research company Gartner recently forecast that there would be 8.4 billion connected products or devices in 2017, up 31 percent from 2016, and expects the number to triple by 2020. (https://goo.gl/thR54Q)

(Reporting by Jamillah Knowles; Editing by Eric Auchard and David Goodman)

NotPetya hackers likely behind BadRabbit attack: researchers

NotPetya hackers likely behind BadRabbit attack: researchers

By Jack Stubbs

MOSCOW (Reuters) – Technical indicators suggest a cyber attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analyzed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the U.S. National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence Bad Rabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried about by a hacking group widely known as Black Energy, which some cyber experts say works in favor of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

(Additional reporting by Eric Auchard; Editing by Jim Finkle/Mark Heinrich)

U.S. warns public about attacks on energy, industrial firms

U.S. warns public about attacks on energy, industrial firms

By Jim Finkle

(Reuters) – The U.S government issued a rare public warning about hacking campaigns targeting energy and industrial firms, the latest evidence that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed via email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Homeland Security and FBI representatives could not be reached for comment on Saturday morning.

Robert Lee, an expert in securing industrial networks, said the report describes activities from two or three groups that have stolen user credentials and spied on organizations in the United States and other nations, but not launched destructive attacks.

“This is very aggressive activity,” said Lee, chief executive of cyber-security firm Dragos.

He said the report appears to describe groups working in the interests of the Russian government, though he declined to elaborate.  Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

Government agencies and energy firms previously declined to identify any of the victims in the attacks described in June’s confidential report.

(Reporting by Jim Finkle in Toronto; Editing by Nick Zieminski)

Ukraine says cyber attack may strike in next few days

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

KIEV (Reuters) – The government of Ukraine, which was victim of a major cyber attack earlier this year, told businesses on Friday to make sure their networks were protected because of intelligence suggesting that another attack may be in the works.

Ukraine’s state security service SBU and the state-run Computer Emergency Response Team (CERT) said the attack could take place Oct. 13-17 when Ukraine celebrates Defender of Ukraine Day.

Ukraine, which believes Russia is behind regular attacks on its computer systems, is trying to roll out a national strategy to keep state institutions and major companies safe. Moscow denies that it is behind cyber attacks on its neighbor.

The security agencies said that a new attack may be similar to the NotPetya computer virus which struck on June 27 taking down computers in Ukrainian government agencies and businesses before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.

 

(Reporting by Pavel Polityuk; editing by Peter Graff)

 

SWIFT says hackers still targeting bank messaging system

FILE PHOTO : The Swift bank logo is pictured in this photo illustration taken April 26, 2016. REUTERS/Carlo Allegri/File Photo

By Jim Finkle

TORONTO (Reuters) – Hackers continue to target the SWIFT bank messaging system, though security controls instituted after last year’s $81 million heist at Bangladesh’s central bank have helped thwart many of those attempts, a senior SWIFT official told Reuters.

“Attempts continue,” said Stephen Gilderdale, head of SWIFT’s Customer Security Programme, in a phone interview. “That is what we expected. We didn’t expect the adversaries to suddenly disappear.”

The disclosure underscores that banks remain at risk of cyber attacks targeting computers used to access SWIFT almost two years after the February 2016 theft from a Bangladesh Bank account at the Federal Reserve Bank of New York.

Gilderdale declined to say how many hacks had been attempted this year, what percentage were successful, how much money had been stolen or whether they were growing or slowing down.

On Monday, two people were arrested in Sri Lanka for suspected money laundering from a Taiwanese bank whose computer system was hacked to enable illicit transactions abroad. Police acted after the state-owned Bank of Ceylon reported a suspicious transfer.

SWIFT, a Belgium-based co-operative owned by its user banks, has declined comment on the case, saying it does not discuss individual entities.

Gilderdale said that some security measures instituted in the wake of the Bangladesh Bank heist had thwarted attempts.

As an example, he said that SWIFT had stopped some heists thanks to an update to its software that automatically sends alerts when hackers tamper with data on bank computers used to access the messaging network.

SWIFT shares technical information about cyber attacks and other details on how hackers target banks on a private portal open to its members.

Gilderdale was speaking ahead of the organization’s annual Sibos global user conference, which starts on Monday in Toronto.

At the conference, SWIFT will release details of a plan to start offering security data in “machine digestible” formats that banks can use to automate efforts to discover and remediate cyber attacks, he said.

SWIFT will also unveil plans to start sharing that data with outside security vendors so they can incorporate the information into their products, he said.

(Reporting by Jim Finkle, Editing by Rosalba O’Brien)

Equifax takes down web page after reports of new hack

The logo and trading information for Credit reporting company Equifax Inc. are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., September 26, 2017. REUTERS/Lucas Jackson

By John McCrank

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help web pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of 145.5 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

Equifax disclosed on Sept. 7 that its systems had been breached between mid-May and late July. In the fallout, the company has parted ways with its chief executive, chief information officer and chief security officer.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

(Reporting by John McCrank; Editing by Bill Rigby)

Joint Strike Fighter plans stolen in Australia cyber attack

Two Lockheed Martin Corp F-35 stealth fighter jets fly to the Avalon Airshow in Victoria, Australia, March 3, 2017. Australian Defence Force/Handout via REUTERS

By Tom Westbrook

SYDNEY (Reuters) – A hacker stole non-classified information about Australia’s Joint Strike Fighter program and other military hardware last year after breaching the network of a defense contractor, the defense industry minister said on Thursday.

About 30 gigabytes of data was stolen in the cyber attack, including details of the Joint Strike Fighter warplane and P-8 Poseidon surveillance plane, according to a presentation on the hack by a government official.

“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defence Industry Minister Christopher Pyne told Australian Broadcasting Corporation (ABC) Radio.

“I don’t know who did it.”

In a presentation to a conference in Sydney, an official from the Australian Signals Directorate (ASD) intelligence agency said technical information on smart bombs, the Joint Strike Fighter, the Poseidon maritime patrol aircraft and several naval vessels was stolen.

“The compromise was extensive and extreme,” said the official, Mitchell Clarke, in an audio recording made by a ZDNet journalist and broadcast by the ABC.

Clarke said the attacker accessed the small contractor’s systems for five months in 2016, and the “methodical, slow and deliberate,” choice of target suggested a nation-state actor could be behind the raid.

Australia has agreed to buy 72 Lockheed Martin Corp Joint Strike Fighter planes.

A spokesman for the Australian Cyber Security Centre (ACSC), a government agency, said the government would not release further details about the cyber attack.

The ACSC said in a report on Monday that it responded to 734 cyber attacks on “systems of national interest” for the year ended June 30, and the defense industry was a major target.

The attack on the defense contractor was carried out by a “malicious cyber adversary”, it said.

In 2016 the agency said it responded to 1,095 cyber attacks over an 18-month period, including an intrusion from a foreign intelligence service on the weather bureau.

(Reporting by Tom Westbrook; Editing by Stephen Coates)