Exclusive: Top U.S. spy agency has not embraced CIA assessment on Russia hacking – sources

Padlock with the word hack, a representation of cyber attacks

By Mark Hosenball and Jonathan Landay

WASHINGTON (Reuters) – The overseers of the U.S. intelligence community have not embraced a CIA assessment that Russian cyber attacks were aimed at helping Republican President-elect Donald Trump win the 2016 election, three American officials said on Monday.

While the Office of the Director of National Intelligence (ODNI) does not dispute the CIA’s analysis of Russian hacking operations, it has not endorsed their assessment because of a lack of conclusive evidence that Moscow intended to boost Trump over Democratic opponent Hillary Clinton, said the officials, who declined to be named.

The position of the ODNI, which oversees the 17 agency-strong U.S. intelligence community, could give Trump fresh ammunition to dispute the CIA assessment, which he rejected as “ridiculous” in weekend remarks, and press his assertion that no evidence implicates Russia in the cyber attacks.

Trump’s rejection of the CIA’s judgment marks the latest in a string of disputes over Russia’s international conduct that have erupted between the president-elect and the intelligence community he will soon command.

An ODNI spokesman declined to comment on the issue.

“ODNI is not arguing that the agency (CIA) is wrong, only that they can’t prove intent,” said one of the three U.S. officials. “Of course they can’t, absent agents in on the decision-making in Moscow.”

The Federal Bureau of Investigation, whose evidentiary standards require it to make cases that can stand up in court, declined to accept the CIA’s analysis – a deductive assessment of the available intelligence – for the same reason, the three officials said.

The ODNI, headed by James Clapper, was established after the Sept. 11, 2001, attacks on the recommendation of the commission that investigated the attacks. The commission, which identified major intelligence failures, recommended the office’s creation to improve coordination among U.S. intelligence agencies.

In October, the U.S. government formally accused Russia of a campaign of cyber attacks against American political organizations ahead of the Nov. 8 presidential election. Democratic President Barack Obama has said he warned Russian President Vladimir Putin about consequences for the attacks.

Reports of the assessment by the CIA, which has not publicly disclosed its findings, have prompted congressional leaders to call for an investigation.

Obama last week ordered intelligence agencies to review the cyber attacks and foreign intervention in the presidential election and to deliver a report before he turns power over to Trump on Jan. 20.

The CIA assessed after the election that the attacks on political organizations were aimed at swaying the vote for Trump because the targeting of Republican organizations diminished toward the end of the summer and focused on Democratic groups, a senior U.S. official told Reuters on Friday.

Moreover, only materials filched from Democratic groups – such as emails stolen from John Podesta, the Clinton campaign chairman – were made public via WikiLeaks, the anti-secrecy organization, and other outlets, U.S. officials said.

“THIN REED”

The CIA conclusion was a “judgment based on the fact that Russian entities hacked both Democrats and Republicans and only the Democratic information was leaked,” one of the three officials said on Monday.

“(It was) a thin reed upon which to base an analytical judgment,” the official added.

Republican Senator John McCain said on Monday there was “no information” that Russian hacking of American political organizations was aimed at swaying the outcome of the election.

“It’s obvious that the Russians hacked into our campaigns,” McCain said. “But there is no information that they were intending to affect the outcome of our election and that’s why we need a congressional investigation,” he told Reuters.

McCain questioned an assertion made on Sunday by Republican National Committee Chairman Reince Priebus, tapped by Trump to be his White House chief of staff, that there were no hacks of computers belonging to Republican organizations.

“Actually, because Mr. Priebus said that doesn’t mean it’s true,” said McCain. “We need a thorough investigation of it, whether both (Democratic and Republican organizations) were hacked into, what the Russian intentions were. We cannot draw a conclusion yet. That’s why we need a thorough investigation.”

In an angry letter sent to ODNI chief Clapper on Monday, House Intelligence Committee Chairman Devin Nunes said he was “dismayed” that the top U.S. intelligence official had not informed the panel of the CIA’s analysis and the difference between its judgment and the FBI’s assessment.

Noting that Clapper in November testified that intelligence agencies lacked strong evidence linking Russian cyber attacks to the WikiLeaks disclosures, Nunes asked that Clapper, together with CIA and FBI counterparts, brief the panel by Friday on the latest intelligence assessment of Russian hacking during the election campaign.

(Editing by Yara Bayoumy and Jonathan Oatis)

Germany sees increase in Russian propaganda, cyber attacks

hand in front of computer

BERLIN (Reuters) – Germany’s domestic intelligence agency on Thursday said it had seen a striking increase in Russian propaganda and disinformation campaigns aimed at destabilizing German society, and targeted cyber attacks against political parties.

“We see aggressive and increased cyber spying and cyber operations that could potentially endanger German government officials, members of parliament and employees of democratic parties,” Hans-Georg Maassen, head of the domestic BfV intelligence agency, said in statement.

Maassen, who raised similar concerns about Russian efforts to interfere in German elections in an interview with Reuters last month, cited what he called increasing evidence about such efforts and said further cyber attacks were expected.

The agency said it had seen a wide variety of Russian propaganda tools and “enormous use of financial resources” to carry out “disinformation” campaigns aimed at the Russian-speaking community in Germany, political movements, parties and other decision makers.

The goal of the effort was to spread uncertainty in society,”to weaken or destabilize the Federal Republic of Germany,” and to strengthen extremist groups and parties, complicate the work of the federal government and influence political dialogue.

The agency said it had seen a “striking increase” in spea-phishing attacks attributed to a Russian hacking group APT 28, also known as “Fancy Bear” or Strontrium, the same group blamed for the hack of the U.S. Democratic National Committee this year and a cyber attack on the German parliament in 2015.

The attacks were directed against German parties and members of parliament, the agency said, adding they were carried out by government bodies posing as “hacktivists”.

“Propaganda and disinformation, cyber attacks, cyber espionage and cyber sabotage are part of the hybrid threat facing western democracies,” Maassen said.

German officials have accused Moscow of trying to manipulate German media to fan popular angst over issues like the migrant crisis, weaken voter trust and breed dissent within the European Union so that it drops sanctions against Moscow.

But intelligence officials have stepped up their warnings in recent weeks, alarmed about the number of attacks.

Last month, German Chancellor Angela Merkel said she could not rule out Russia interfering in Germany’s 2017 election through Internet attacks and misinformation campaigns.

Russian officials have denied all accusations of manipulation and interference intended to weaken the European Union or to affect the U.S. presidential election.

U.S. intelligence officials had warned in the run-up to the Nov. 8 presidential election of efforts to undermine the credibility of the vote that they believed were backed by the Russian government.

(Reporting by Andrea Shalal and Sabine Siebold; Editing by Janet Lawrence)

Hired experts support claims St. Jude heart devices can be hacked

St. Jude Logo

By Jim Finkle

(Reuters) – Short-selling firm Muddy Waters said in a legal brief filed on Monday that outside cyber security experts it hired have validated its claim that St. Jude Medical Inc cardiac implants are vulnerable to potentially life-threatening cyber attacks.

Boutique cyber security firm Bishop Fox disclosed its findings in a 53-page report that was attached to a legal brief filed on Monday in U.S. district court in Minnesota on behalf of the short-sellers, who hired the firm to perform the work as they defend themselves in a lawsuit filed by St. Jude.

A representative for St. Jude was not immediately available for comment.

St. Jude filed the suit on Sept. 7 against Muddy Waters, cyber research firm MedSec Holdings and individuals affiliated with those companies. The suit accused the group of intentionally disseminating false information about St. Jude heart devices to manipulate its stock price, which fell 5 percent on the day they revealed their claims.

The defendants said in a filing released on Monday that the lawsuit is without merit, reiterating their claim that St. Jude Medical’s heart devices have “significant security vulnerabilities.”

The report from Bishop Fox said the firm was able to validate those claims.

“I found that Muddy Waters’ and MedSec’s statements regarding security issues in the St. Jude Medical implant ecosystem were, by and large, accurate,” Bishop Fox Partner Carl Livit said in an introduction to the report.

The report said that the wireless communications protocol used in St. Jude cardiac devices is vulnerable to hacking, making it possible for hackers to convert the company’s Merlin@home patient monitoring devices into “weapons” that can cause cardiac implants to stop providing care and deliver shocks to patients.

Bishop Fox tested the attacks from 10 feet (3 meters) away, but said that might be extended to 45 feet (13.7 meters) with an antenna, or 100 feet (30.5 meters) with a transmitting device known as a software defined radio.

(Reporting by Jim Finkle; Editing by Will Dunham)

U.S. to sanction cyber attackers, cites Russia, China

US sanctioning cyber attackers

WASHINGTON (Reuters) – The United States will use sanctions against those behind cyber attacks that target transportation systems or the power grid, the White House said on Tuesday, citing Russia and China as increasingly assertive and sophisticated cyber operators.

The sanctions will be used “when the conditions are right and when actions will further U.S. policy,” White House counter terrorism adviser Lisa Monaco said in prepared remarks to a cyber security conference.

Monaco cited an “increasingly diverse and dangerous” global landscape in which Iran has launched denial-of-service attacks on U.S. banks and North Korea has shown it would conduct destructive attacks.

“To put it bluntly, we are in the midst of a revolution of the cyber threat – one that is growing more persistent, more diverse, more frequent and more dangerous every day,” she said.

The United States is working with other countries to adopt voluntary norms of responsible cyber behavior and work to reduce malicious activity, she said. At the same time, it will use an executive order authorizing sanctions against those who attack U.S. critical infrastructure.

Monaco introduced a new directive from President Barack Obama that establishes a “clear framework” to coordinate the government’s response to cyber incidents.

“It will help answer a question heard too often from corporations and citizens alike – ‘In the wake of an attack, who do I call for help?'” she said.

(Reporting by Doina Chiacu; Editing by Jonathan Oatis)

Fed records show dozens of cybersecurity breaches

The Federal Reserve building in Washington

By Jason Lange and Dustin Volz

WASHINGTON (Reuters) – The U.S. Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage,” according to Fed records.

The central bank’s staff suspected hackers or spies in many of the incidents, the records show. The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets.

The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank’s security procedures.

The Fed declined to comment, and the redacted records do not say who hacked the bank’s systems or whether they accessed sensitive information or stole money.

“Hacking is a major threat to the stability of the financial system. This data shows why,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. Lewis reviewed the files at the request of Reuters.

For a graphic on the Fed security breaches, see: http://tmsnrt.rs/1TxSu8R

The records represent only a slice of all cyber attacks on the Fed because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws. Reuters did not have access to reports by local cybersecurity teams at the central bank’s 12 privately owned regional branches.

The disclosure of breaches at the Fed comes at a time when cybersecurity at central banks worldwide is under scrutiny after hackers stole $81 million from a Bank Bangladesh account at the New York Fed.

Cyber thieves have targeted large financial institutions around the world, including America’s largest bank JPMorgan, as well as smaller players like Ecuador’s Banco del Austro and Vietnam’s Tien Phong Bank.

Hacking attempts were cited in 140 of the 310 reports provided by the Fed’s board. In some reports, the incidents were not classified in any way.

In eight information breaches between 2011 and 2013 – a time when the Fed’s trading desk was buying massive amounts of bonds – Fed staff wrote that the cases involved “malicious code,” referring to software used by hackers.

Four hacking incidents in 2012 were considered acts of “espionage,” according to the records. Information was disclosed in at least two of those incidents, according to the records. In the other two incidents, the records did not indicate whether there was a breach.

In all, the Fed’s national team of cybersecurity experts, which operates mostly out of New Jersey, identified 51 cases of “information disclosure” involving the Fed’s board. Separate reports showed a local team at the board registered four such incidents.

The cases of information disclosure can refer to a range of ways unauthorized people see Fed information, from hacking attacks to Fed emails sent to the wrong recipients, according to two former Fed cybersecurity staffers who spoke on condition of anonymity.

The former employees said that cyber attacks on the Fed are about as common as at other large financial institutions.

It was unclear if the espionage incidents involved foreign governments, as has been suspected in some hacks of federal agencies. Beginning in 2014, for instance, hackers stole more than 21 million background check records from the federal Office of Personnel Management, and U.S. officials attributed the breach to the Chinese government, an accusation denied by Beijing.

TARGET FOR SPYING

Security analysts said foreign governments could stand to gain from inside Fed information. China and Russia, for instance, are major players in the $13.8 trillion federal debt market where Fed policy plays a big role in setting interest rates.

“Obviously that makes it a very clear (hacking) target for other nation states,” said Ari Schwartz, a former top cybersecurity adviser at the White House who is now with the law firm Venable.

U.S. prosecutors in March accused hackers associated with Iran’s government of attacking dozens of U.S. banks.

In the records obtained by Reuters, espionage might also refer to spying by private companies, or even individuals such British activist Lauri Love, who is accused of infiltrating a server at a regional Fed branch in October 2012. Love stole names, e-mail addresses, and phone numbers of Fed computer system users, according to a federal indictment.

The redacted reports obtained by Reuters do not mention Love or any other hacker by name.

The records point to breaches during a sensitive period for the Fed, which was ramping up aid for the struggling U.S. economy by buying massive quantities of U.S. government debt and mortgage-backed securities.

In 2010 and 2011, the Fed went on a $600 billion bond-buying spree that lowered interest rates and made bonds more expensive. It restarted purchases in September 2012 and expanded them up in December of that year.

The Fed cybersecurity records did not indicate whether hackers accessed sensitive information on the timing or amounts of bond purchases or used it for financial gain.

UP ALL NIGHT

The Fed’s national cybersecurity team – the National Incident Response Team, or NIRT – created 263 of the incident reports obtained by Reuters.

NIRT operates in a fortress-like building in East Rutherford, New Jersey that also processes millions of dollars in cash everyday as part of the central bank’s duty to keep the financial system running, according to the New York Fed’s website. The unit provides support to the local cybersecurity teams at the Fed’s Board and regional banks, which process more than $3 trillion in payments every day.

The NIRT handles “higher impact” cases, according to a 2013 report by the Board of Governor’s Office of Inspector General.

One of the two former NIRT employees interviewed by Reuters described being on a team that once worked around the clock for five-straight days to patch software hackers had used to gain access to Fed systems in an attempt to obtain passwords. The former employee worked through several of those nights, taking naps at a desk in the office.

In that case, Fed security staff found no signs that sensitive information had been disclosed, the former employee said. Information about future interest rate policy discussions is isolated from other Fed networks and is more difficult for hackers to access, the former NIRT worker said.

But the Fed was under constant assault, much like any large company, the former employee said, and was “compromised frequently.”

An internal watchdog has criticized the central bank for cybersecurity shortcomings. A 2015 audit by the Fed board’s Office of Inspector General found the board was not adequately scanning databases for vulnerabilities or putting enough restrictions on system access.

“There is heightened risk of unauthorized disclosure and inappropriate use of sensitive board information,” according to the audit released in November.

(Reporting by Jason Lange and Dustin Volz; Editing by David Chance and Brian Thevenot)

Ransomware: Extortionist hackers borrow customer-service tactics

Hollywood Presbyterian Medical Center

By Jim Finkle

TEWKSBURY, Mass (Reuters) – When hackers set out to extort the town of Tewksbury, Massachusetts with “ransomware,” they followed up with an FAQ explaining the attack and easy instructions for online payment.

After balking for several days, Tewksbury officials decided that paying the modest ransom of about $600 was better than struggling to unlock its own systems, said police chief Timothy Sheehan.

That case and others show how cyber-criminals have professionalized ransomware schemes, borrowing tactics from customer service or marketing, law enforcement officials and security firms say. Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.

The advancements, along with modest ransom demands, make it easier to pay than fight.

“It’s a perfect business model, as long as you overlook the fact that they are doing something awful,” said James Trombly, president of Delphi Technology Solutions, a Lawrence, Massachusetts, computer services firm that helped three clients over the past year pay ransoms in bitcoin, the virtual currency. He declined to identify the clients.

In the December 2014 attack on Tewksbury, the pressure to pay took on a special urgency because hackers disabled emergency systems. That same is true of additional attacks on police departments and hospitals since then. But all sectors of government and business are targeted, along with individuals, security firms said.

The total cost of ransomware attacks is hard to quantify. But the Cyber Threat Alliance, a group of leading cyber security firms, last year estimated that global damages from CryptoWall 3 – among the most popular of dozens of ransomware variants – totaled $325 million in the first nine months of 2015.

Some operations hire underground call centers or email-response groups to walk victims through paying and restoring their data, said Lance James, chief scientist with the cyber-intelligence firm Flashpoint.

Graphic artists and translators craft clear ransom demands and instructions in multiple languages. They use geolocation to make sure that victims in Italy get the Italian version, said Alex Holden, chief information security officer with Hold Security.

While ransomware attacks have been around longer than a decade, security experts say they’ve become far more threatening and prevalent in recent years because of state-of-the-art encryption, modules that infect backup systems, and the ability to infect large numbers of computers over a single network.

Law enforcement officials have long advised victims against paying ransoms. Paying ransoms is “supporting the business model,” encouraging more criminals to become extortionists, said Will Bales, a supervisory special agent for the Federal Bureau of Investigation.

But Bales, who helps run ransomware investigations nationwide from the Washington, DC office, acknowledged that the payoffs make economic sense for many victims.

“It is a business decision for the victim to make,” he said.

Run-of-the-mill ransomware attacks typically seek 1 bitcoin, now worth about $420, which is about the same as the hourly rate that some security consultants charge to respond to such incidents, according to security firms who investigate ransomware cases.

Some attacks seek more, as when hackers forced Hollywood Presbyterian Hospital in Los Angeles to pay $17,000 to end an outage in February.

Such publicized incidents will breed more attacks, said California State Senator Robert Hertzberg, who in February introduced legislation to make a ransomware schemes punishable by up to four years in prison. The Senate’s public safety committee was scheduled to review that bill on Tuesday.

Some victims choose not to pay. The Pearland Independent School District near Houston refused to fork over about $1,600 in ransom demanded in two attacks this year, losing about three days of work from teachers and students. Instead, the district invested tens of thousands of dollars on security software, said Jonathan Block, the district’s desktop support services manager.

“This threat is real and something that needs to be dealt with,” Block said.

The town of Tewksbury has also upgraded its security technology, but Sheehan says he fears more attacks.

“We are so petrified we could be put into this position again,” he said. “Everybody is vulnerable.”

(Reporting by Jim Finkle. Additional reporting by Dustin Volz. Editing by Jonathan Weber and Brian Thevenot.)

NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on the U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)

U.S. waging cyber war on Islamic State, commandos active

WASHINGTON (Reuters) – The United States is waging cyber attacks against Islamic State in Syria and Iraq, and its newly deployed commandos are also carrying out secret missions on the ground, Pentagon leaders said on Monday, in the latest signs of quietly expanding U.S. activity.

U.S. Defense Secretary Ash Carter said the cyber attacks, particularly in Syria, were designed to prevent Islamic State from commanding its forces, and Washington was looking to accelerate the cyber war against the Sunni militant group.

“The methods we’re using are new. Some of them will be surprising,” Carter told a Pentagon news conference.

General Joseph Dunford, chairman of the U.S. military’s Joint Chiefs of Staff, said the cyber attacks were helping lay the groundwork for an eventual offensive operation to recapture the city of Mosul in Iraq from Islamic State.

Carter and Dunford, the Pentagon’s top civilian and uniformed officials, both suggested the attacks were aimed at overloading the militants’ networks. They declined to delve into specifics.

“We don’t want the enemy to know when, where and how we’re conducting cyber operations. We don’t want them to have information that will allow them to adapt over time,” Dunford said.

Dunford suggested Islamic State might not know why its computer networks were proving unreliable.

“They’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age. And frankly, we don’t want them to know the difference.”

U.S. COMMANDOS

The United States disclosed in January that a new, roughly 200-strong U.S. continent of special operations forces was “in place” in Iraq, poised to carry out raids against Islamic State and other secret missions, both in Iraq and in Syria.

Carter disclosed on Monday that the so-called “expeditionary targeting force,” or ETF, was already operating on the ground.

“The ETF is in position, it is having an effect and operating, and I expect it to be a very effective part of our acceleration campaign,” he said, without elaborating.

Its deployment represents increased U.S. military activity on the ground against Islamic State, exposing American forces to greater risk – something President Barack Obama has done only sparingly.

The force follows another deployment last year of up to 50 U.S. special operations troops in Syria to coordinate on the ground with U.S.-backed forces battling Islamic State.

The U.S. military disclosed last week that those U.S. forces helped opposition forces recapture the strategic Syrian town of al-Shadadi from Islamic State.

The Pentagon said recapturing the town helped sever links between Mosul in Iraq and Raqqa in Syria, the two major power centers in Islamic State’s self-declared caliphate.

More knowledge about the group’s operations is expected to be discovered, Carter said.

“As our partners take control of Shadadi, I believe we will learn a great deal more about ISIL’s criminal networks, its criminal enterprise and what it does to sustain them,” Carter said, using an acronym for the group.

(Reporting by Phil Stewart and David Alexander; Editing by Susan Heavey and Richard Chang)

Hackers may have wider access to Ukrainian industrial facilities

KIEV (Reuters) – Hackers were able to attack four sections of Ukraine’s power grid with malware late last year because of basic security lapses and they could take down other industrial facilities at any time, a consultant to government investigators said.

Three power cuts reported in separate areas of western and central Ukraine in late December were the first known electrical outages caused by cyber attacks, causing consternation among businesses and officials around the world.

The consultant, Oleh Sych, told Reuters a fourth Ukrainian energy company had been affected by a lesser attack in October, but declined to name it.

He also said a similar type of malware had been identified by the Ukrainian anti-virus software company Zillya! where he works as far back as July, making it impossible to know how many other systems were at risk.

“This is the scariest thing – we’re living on a powder keg. We don’t know where else has been compromised. We can protect everything, we can teach administrators never to open emails, but the system is already infected,” he said.

Sych, whose firm is advising the State Security Service SBU and a commission set up by the energy ministry, said power distributors had ignored their own security rules by allowing critical computers to be hooked up to the Internet when they should have been kept within an internal network.

This so-called “air gap” separates computer systems from any outside Internet connections accessible to hackers.

“A possible objective was to bring down some branches (of the Ukrainian energy system) and create a ‘domino effect’ to collapse the entire system of Ukraine or a significant part,” Sych said.

Ukraine has also been targeted in other cyber attacks, which included hacking into the system of Ukraine’s biggest airport and TV news channels.

Security services and the military blamed the attacks on Russia, an allegation dismissed by the Kremlin as evidence of Ukraine’s tendency to accuse Russia of “all mortal sins”.

Russia annexed Crimea from Ukraine in 2014 and has supported separatist rebels in east of the former Soviet republic, arguing that Kiev’s Western-backed government, elected after the Moscow-backed president fled widespread protests, was illegitimate.

Sych, who said he could not reveal all the details of the probe, said there was no conclusive evidence that the attacks originated in Russia. One of the emails was sent from the server of a German university, another from the United States, he said.

INSIDER

International cyber-security researchers who have studied the attacks believe the attackers broke into networks by sending targeted emails designed to trick utility insiders to click on Excel documents that were poisoned with malware used to gain control inside the networks.

Sych agreed, saying:

“We understand that this couldn’t have happened without an insider. To carry out this kind of attack you need to know what kind of operating system and SCADA (supervisory control and data acquisition) are used and what software controls the industrial facility,” he said.

SCADA software is widely used to control industrial systems worldwide.

“The attackers must have known what software was installed … to test (the malware) on it. Clearly preliminary investigations were carried out and this was easy to do with this kind of insider information.”

He said the hackers had sent the e-mails in question to workers at the affected power distribution companies with infected Word or Excel files that were meant to look like official correspondence from the energy ministry.

They contained topics that would have been recognizable to the workers and were not sent out en masse but targeted certain individuals instead. One of the emails was about regional electricity production levels, he said.

“It was all very simple and stupid,” Sych said, adding that the hackers totally wiped the data of some of the computers in one of the firms.

Details of the impact of the attacks have been sketchy, but one is reported to have affected 80,000 customers for two hours. The three named companies declined to comment on Sych’s remarks.

“All experts agree this sort of attack on electric utilities or other critical infrastructure was bound to happen because engineering-wise, physics-wise it is technically possible to do,” said Kenneth Geers, a Kiev-based national security analyst who worked for U.S. intelligence agencies for 20 years until 2013.

All it takes is political will or opportunism to try something like this, he said.

Ukrainian Deputy Energy Minister Oleksander Svetelyk has also accused the companies of lapses, saying on Tuesday there had been a “a lot of errors”. He added that U.S. cyber experts would come to Kiev later this week to help with the investigation.

(Additional reporting by Maria Tsvetkova in Moscow and Eric Auchard in Brussels; Writing by Matthias Williams; Editing by Philippa Fletcher)

South Korea suspects North Korea may have attempted cyber attacks

SEOUL (Reuters) – South Korea said on Wednesday it suspected North Korea of attempting cyber attacks against targets in the South, following a nuclear test by the North this month that defied United Nations sanctions.

South Korea has been on heightened military and cyber alert since the Jan. 6 test, which Pyongyang called a successful hydrogen bomb test, although U.S. officials and experts doubt that it managed such a technological advance.

“At this point, we suspect it is an act by North Korea,” Jeong Joon-hee, a spokesman of the South’s Unification Ministry, told a news briefing, when asked about reports that the North might have attempted cyber attacks.

Authorities were investigating, Jeong said, but did not provide further details.

Last week, South Korean President Park Geun-hye said the scope of threats from North Korea was expanding to include cyber warfare and the use of drones to infiltrate the South.

North Korea has been using balloons to drop propaganda leaflets in the South, amid heightened tension on the Korean peninsula since the nuclear test.

Since the test, there have been unconfirmed news reports that the computer systems of some South Korean government agencies and companies had been infected with malicious codes that might have been sent by the North.

Defectors from the North have previously said the country’s spy agency, run by the military, operates a sophisticated cyber-warfare unit that attempts to hack, and sabotage, enemy targets.

South Korea and the United States blamed North Korea for a 2014 cyber attack on Sony Pictures that crippled its systems and led to the leaks of unreleased films and employee data.

At the time, the company was set to release the film, “The Interview”, featuring a fictional plot to assassinate North Korean leader Kim Jong Un.

North Korea has denied the allegation.

In 2013, cybersecurity researchers said they believed North Korea was behind a series of attacks against computers at South Korean banks and broadcasting companies.

(Reporting by Ju-min Park and Jack Kim; Editing by Tony Munroe)