China to implement cyber security law from Thursday

FILE PHOTO: A woman uses a computer in an internet cafe at the centre of Shanghai, China January 13, 2010. REUTERS/Nir Elias/File Photo

SHANGHAI (Reuters) – China, battling increased threats from cyber-terrorism and hacking, will adopt from Thursday a controversial law that mandates strict data surveillance and storage for firms working in the country, the official Xinhua news agency said.

The law, passed in November by the country’s largely rubber-stamp parliament, bans online service providers from collecting and selling users’ personal information, and gives users the right to have their information deleted, in cases of abuse.

“Those who violate the provisions and infringe on personal information will face hefty fines,” the news agency said on Monday, without elaborating.

Reuters reported this month that overseas business groups were pushing Chinese regulators to delay implementation of the law, saying the rules would severely hurt activities.

Until now, China’s data industry has had no overarching data protection framework, being governed instead by loosely defined laws.

However, overseas critics say the new law threatens to shut foreign technology companies out of sectors the country deems “critical”, and includes contentious requirements for security reviews and data stored on servers in China.

(Reporting by Brenda Goh; Editing by Clarence Fernandez)

Chipotle says hackers hit most restaurants in data breach

Signage for a Chipotle Mexican Grill is seen in Los Angeles, California, United States, April 25, 2016. REUTERS/Lucy Nicholson/File Photo

By Lisa Baertlein

(Reuters) – Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc’s <CMG.N> restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain whose sales had just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

A handful of Canadian restaurants were also hit in the breach, which the company first disclosed on April 25.

Stolen data included account numbers and internal verification codes. The malware has since been removed.

The information could be used to drain debit card-linked bank accounts, make “clone” credit cards, or to buy items on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.

The breach could once again threatens sales at its restaurants, which only recently recovered after falling sharply in late 2015 after Chipotle was linked to outbreaks of E. coli, salmonella and norovirus that sickened hundreds of people.

An investigation into the breach found the malware searched for data from the magnetic stripe of payment cards.

Arnold said Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.

The company posted notifications on the Chipotle and Pizzeria Locale websites and issued a news release to make customers aware of the incident.

Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breach response, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.

“I don’t think you will get to all of the customers who might have been affected,” she said.

Security analysts said Chipotle would likely face a fine based on the size of the breach and the number of records compromised.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, Julie Conroy, research director at Aite Group, a research and advisory firm.

“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc <IT.N> specializing in security and privacy.

Chipotle did not immediately comment on the prospect of a fine.

Retailer Target Corp <TGT.N> in 2017 agreed to pay $18.5 million to settle claims stemming from a massive data breach in late 2013.

Hotels and restaurants have also been hit. They include Trump Hotels, InterContinental Hotels Group <IHG.L> as well as Wendy’s <WEN.O>, Arby’s and Landry’s restaurants.

Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday following the announcement.

(Additional reporting by Natalie Grover and Siddharth Cavale in Bengaluru and Tom Polansek and Nandita Bose in Chicago; Editing by Grant McCool and Lisa Shumaker)

Symantec says ‘highly likely’ North Korea group behind ransomware attacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Joseph Menn

SAN FRANCISCO (Reuters) – Cyber security firm Symantec Corp <SYMC.O> said on Monday it was “highly likely” a hacking group affiliated with North Korea was behind the WannaCry cyber attack this month that infected more than 300,000 computers worldwide and disrupted hospitals, banks and schools across the globe.

Symantec researchers said they had found multiple instances of code that had been used both in the North Korea-linked group’s previous activity and in early versions of WannaCry.

In addition, the same Internet connection was used to install an early version of WannaCry on two computers and to communicate with a tool that destroyed files at Sony Pictures Entertainment. The U.S. government and private companies have accused North Korea in the 2014 Sony attack.

North Korea has routinely denied any such role. On Monday, it called earlier reports that it might have been behind the WannaCry attack “a dirty and despicable smear campaign.”

Lazarus is the name many security companies have given to the hacking group behind the Sony attack and others. By custom, Symantec does not attribute cyber campaigns directly to governments, but its researchers did not dispute the common belief that Lazarus works for North Korea.

In a blog post, Symantec listed numerous links between Lazarus and software the group had left behind after launching an earlier, less virulent, version of the malware in February. One was a variant of software used to wipe disks during the Sony Pictures attack, while another tool used the same internet addresses as two other pieces of malware linked to Lazarus.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

The most effective version of WannaCry spread by using a flaw in Microsoft’s Windows and a program that took advantage of it that had been used by the U.S. National Security Agency, officials said privately.

That program was among a batch leaked or stolen and then dumped online by a group calling itself The Shadow Brokers, who some in U.S. intelligence believe to be affiliated with Russia.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

Cybersecurity company Kaspersky has said it had found several similarities between the WannaCry malware from the earlier attack and those used by Lazarus. But in an interview last week, its Asia research director, Vitaly Kamluk, said it was not conclusive evidence. “It’s unusual,” he said.

Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, said that the Korean language used in some versions of the WannaCry ransom note was not that of a native speaker, making a Lazarus connection unlikely.

But Thakur said that some hackers deliberately obfuscate their language to make tracing them harder. It is also possible that the writer in question was a contractor in another country, he said.

Thakur said a less likely scenario is that Lazarus’ main aim was to create chaos by distributing WannaCry.

If the hackers’ main objective was to earn money on the side, that would suggest an undisciplined hacking operation run by North Korea, one that could be exploited and weakened by the country’s many foes.

“The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help,” Thakur said.

Lazarus has also been linked to attacks on banks using their SWIFT messaging network. Last year, hackers stole $81 million from Bangladesh’s central bank. Symantec said malware used in that attack was linked to Lazarus.

(Reporting by Joseph Menn, Dustin Volz, Jeremy Wagstaff and Ju-Min Park; Editing by Chris Reese, Mary Milliken and Raju Gopalakrishnan)

Newly discovered vulnerability raises fears of another WannaCry

FILE PHOTO: A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

SINGAPORE (Reuters) – A newly found flaw in widely used networking software leaves tens of thousands of computers potentially vulnerable to an attack similar to that caused by WannaCry, which infected more than 300,000 computers worldwide, cybersecurity researchers said on Thursday.

The U.S. Department of Homeland Security on Wednesday announced the vulnerability, which could be exploited to take control of an affected computer, and urged users and administrators to apply a patch.

Rebekah Brown of Rapid7, a cybersecurity company, told Reuters that there were no signs yet of attackers exploiting the vulnerability in the 12 hours since its discovery was announced.

But she said it had taken researchers only 15 minutes to develop malware that made use of the hole. “This one seems to be very, very easy to exploit,” she said.

Rapid7 said it had found more than 100,000 computers running vulnerable versions of the software, Samba, free networking software developed for Linux and Unix computers. There are likely to be many more, it said in response to emailed questions.

Most of the computers found are running older versions of the software and cannot be patched, said Brown.

Some of the computers appear to belong to organizations and companies, she said, but most were home users.

The vulnerability could potentially be used to create a worm like the one which allowed WannaCry to spread so quickly, Brown said, but that would require an extra step for the attacker.

Cybersecurity researchers have said they believe North Korean hackers were behind the WannaCry malware, which encrypted data on victims’ computers and demanded bitcoin in return for a decryption key.

(Reporting and writing By Jeremy Wagstaff; Editing by Michael Perry)

Security experts find clues to ransomware worm’s lingering risks

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

(Corrects spelling of first name in paragraph 22 of this May 18 story to Salim from Samil)

By Eric Auchard

FRANKFURT (Reuters) – Two-thirds of those caught up in the past week’s global ransomware attack were running Microsoft’s Windows 7 operating system without the latest security updates, a survey for Reuters by security ratings firm BitSight found.

Researchers are struggling to try to find early traces of WannaCry, which remains an active threat in hardest-hit China and Russia, believing that identifying “patient zero” could help catch its criminal authors.

They are having more luck dissecting flaws that limited its spread.

Security experts warn that while computers at more than 300,000 internet addresses were hit by the ransomware strain, further attacks that fix weaknesses in WannaCry will follow that hit larger numbers of users, with more devastating consequences.

“Some organizations just aren’t aware of the risks; some don’t want to risk interrupting important business processes; sometimes they are short-staffed,” said Ziv Mador, vice president of security research at Trustwave’s Israeli SpiderLabs unit.

“There are plenty of reasons people wait to patch and none of them are good,” said Mador, a former long-time security researcher for Microsoft.

WannaCry’s worm-like capacity to infect other computers on the same network with no human intervention appear tailored to Windows 7, said Paul Pratley, head of investigations & incident response at UK consulting firm MWR InfoSecurity.

Data from BitSight covering 160,000 internet-connected computers hit by WannaCry, shows that Windows 7 accounts for 67 percent of infections, although it represents less than half of the global distribution of Windows PC users.

Computers running older versions, such as Windows XP used in Britain’s NHS health system, while individually vulnerable to attack, appear incapable of spreading infections and played a far smaller role in the global attack than initially reported.

In laboratory testing, researchers at MWR and Kyptos say they have found Windows XP crashes before the virus can spread.

Windows 10, the latest version of Microsoft’s flagship operating system franchise, accounts for another 15 percent, while older versions of Windows including 8.1, 8, XP and Vista, account for the remainder, BitSight estimated.

COMPUTER BASICS

Any organization which heeded strongly worded warnings from Microsoft to urgently install a security patch it labeled “critical” when it was released on March 14 on all computers on their networks are immune, experts agree.

Those hit by WannaCry also failed to heed warnings last year from Microsoft to disable a file sharing feature in Windows known as SMB, which a covert hacker group calling itself Shadow Brokers had claimed was used by NSA intelligence operatives to sneak into Windows PCs.

“Clearly people who run supported versions of Windows and patched quickly were not affected”, Trustwave’s Mador said.

Microsoft has faced criticism since 2014 for withdrawing support for older versions of Windows software such as 16-year-old Windows XP and requiring users to pay hefty annual fees instead. The British government canceled a nationwide NHS support contract with Microsoft after a year, leaving upgrades to local trusts.

Seeking to head off further criticism in the wake of the WannaCry outbreak, the U.S. software giant last weekend released a free patch for Windows XP and other older Windows versions that it previously only offered to paying customers.(http://reut.rs/2qvSPUR)

Microsoft declined to comment for this story.

On Sunday, the U.S. software giant called on intelligence services to strike a better balance between their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – and sharing those flaws with technology companies to better secure the internet (http://reut.rs/2qAOdLm).

Half of all internet addresses corrupted globally by WannaCry are located in China and Russia, with 30 and 20 percent respectively. Infection levels spiked again in both countries this week and remained high through Thursday, according to data supplied to Reuters by threat intelligence firm Kryptos Logic.

By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.(http://tmsnrt.rs/2qIUckv)

DUMB AND SOPHISTICATED

The ransomware mixes copycat software loaded with amateur coding mistakes and recently leaked spy tools widely believed to have been stolen from the U.S. National Security Agency, creating a vastly potent class of crimeware.

“What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption”, said Samil Neino, 32, chief executive of Los Angeles-based Kryptos Logic.

Last Friday, the company’s British-based 22-year-old data breach research chief, Marcus Hutchins, created a “kill-switch”, which security experts have widely hailed as the decisive step in halting the ransomware’s rapid spread around the globe.

WannaCry appears to target mainly enterprises rather than consumers: Once it infects one machine, it silently proliferates across internal networks which can connect hundreds or thousands of machines in large firms, unlike individual consumers at home.

An unknown number of computers sit behind the 300,000 infected internet connections identified by Kryptos.

Because of the way WannaCry spreads sneakily inside organization networks, a far larger total of ransomed computers sitting behind company firewalls may be hit, possibly numbering upward of a million machines. The company is crunching data to arrive at a firmer estimate it aims to release later Thursday.

Liran Eshel, chief executive of cloud storage provider CTERA Networks, said: “The attack shows how sophisticated ransomware has become, forcing even unaffected organizations to rethink strategies.”

ESCAPE ROUTE

Researchers from a variety of security firms say they have so far failed to find a way to decrypt files locked up by WannaCry and say chances are low anyone will succeed.

However, a bug in WannaCry code means the attackers cannot use unique bitcoin addresses to track payments, security researchers at Symantec found this week. The result: “Users unlikely to get files restored”, the company’s Security Response team tweeted.

The rapid recovery by many organizations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.

While encrypting individual computers it infects, WannaCry code does not attack network data-backup systems, as more sophisticated ransomware packages typically do, security experts who have studied WannaCry code agree.

These factors help explain the mystery of why such a tiny number of victims appear to have paid ransoms into the three bitcoin accounts to which WannaCry directs victims.

Less than 300 payments worth around $83,000 had been paid into WannaCry blackmail accounts by Thursday (1800 GMT), six days after the attack began and one day before the ransomware threatens to start locking up victim computers forever. (Reuters graphic: [http://tmsnrt.rs/2rqaLyz)

The Verizon 2017 Data Breach Investigations Report, the most comprehensive annual survey of security breakdowns, found that it takes three months before at least half of organizations install major new software security patches.

WannaCry landed nine weeks after Microsoft’s patch arrived.

“The same things are causing the same problems. That’s what the data shows,” MWR research head Pratley said.

“We haven’t seen many organizations fall over and that’s because they did some of the security basics,” he said.

For a graphic on WannaCry worm, click http://fingfx.thomsonreuters.com/gfx/rngs/CYBER-ATTACK/010041552FY/index.html

(Editing by Philippa Fletcher)

Symantec says ‘highly likely’ North Korea group behind ransomware attacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Joseph Menn

SAN FRANCISCO (Reuters) – Cyber security firm Symantec Corp <SYMC.O> said on Monday it was “highly likely” a hacking group affiliated with North Korea was behind the WannaCry cyber attack this month that infected more than 300,000 computers worldwide and disrupted hospitals, banks and schools across the globe.

Symantec researchers said they had found multiple instances of code that had been used both in the North Korea-linked group’s previous activity and in early versions of WannaCry.

In addition, the same Internet connection was used to install an early version of WannaCry on two computers and to communicate with a tool that destroyed files at Sony Pictures Entertainment. The U.S. government and private companies have accused North Korea in the 2014 Sony attack.

North Korea has routinely denied any such role. On Monday, it called earlier reports that it might have been behind the WannaCry attack “a dirty and despicable smear campaign.”

Lazarus is the name many security companies have given to the hacking group behind the Sony attack and others. By custom, Symantec does not attribute cyber campaigns directly to governments, but its researchers did not dispute the common belief that Lazarus works for North Korea.

In a blog post, Symantec listed numerous links between Lazarus and software the group had left behind after launching an earlier, less virulent, version of the malware in February. One was a variant of software used to wipe disks during the Sony Pictures attack, while another tool used the same internet addresses as two other pieces of malware linked to Lazarus.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

The most effective version of WannaCry spread by using a flaw in Microsoft’s Windows and a program that took advantage of it that had been used by the U.S. National Security Agency, officials said privately.

That program was among a batch leaked or stolen and then dumped online by a group calling itself The Shadow Brokers, who some in U.S. intelligence believe to be affiliated with Russia.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

Cybersecurity company Kaspersky has said it had found several similarities between the WannaCry malware from the earlier attack and those used by Lazarus. But in an interview last week, its Asia research director, Vitaly Kamluk, said it was not conclusive evidence. “It’s unusual,” he said.

Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, said that the Korean language used in some versions of the WannaCry ransom note was not that of a native speaker, making a Lazarus connection unlikely.

But Thakur said that some hackers deliberately obfuscate their language to make tracing them harder. It is also possible that the writer in question was a contractor in another country, he said.

Thakur said a less likely scenario is that Lazarus’ main aim was to create chaos by distributing WannaCry.

If the hackers’ main objective was to earn money on the side, that would suggest an undisciplined hacking operation run by North Korea, one that could be exploited and weakened by the country’s many foes.

“The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help,” Thakur said.

Lazarus has also been linked to attacks on banks using their SWIFT messaging network. Last year, hackers stole $81 million from Bangladesh’s central bank. Symantec said malware used in that attack was linked to Lazarus.

(Reporting by Joseph Menn, Dustin Volz, Jeremy Wagstaff and Ju-Min Park; Editing by Chris Reese, Mary Milliken and Raju Gopalakrishnan)

Hackers hit Russian bank customers, planned international cyber raids

FILE PHOTO: The logo of Sberbank is seen on top of a building in central Moscow, Russia April 22, 2016. REUTERS/Maxim Zmeyev/File Photo

By Jack Stubbs

MOSCOW (Reuters) – Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters.

Their campaign raised a relatively small sum by cyber-crime standards – more than 50 million roubles ($892,000) – but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.

Russia’s relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers.

The Kremlin has repeatedly denied the allegation.

The gang members tricked the Russian banks’ customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs, according to a report compiled by cyber security firm Group-IB which investigated the attack with the Russian Interior Ministry.

The criminals – 16 suspects were arrested by Russian law enforcement authorities in November last year – infected more than a million smartphones in Russia, on average compromising 3,500 devices a day, Group-IB said.

The hackers targeted customers of state lender Sberbank <SBER.MM>, and also stole money from accounts at Alfa Bank and online payments company Qiwi <QIWI.O>, exploiting weaknesses in the companies’ SMS text message transfer services, said two people with direct knowledge of the case.

Although operating only in Russia before their arrest, they had developed plans to target large European banks including French lenders Credit Agricole <CAGR.PA>, BNP Paribas <BNPP.PA> and Societe Generale <SOGN.PA>, Group-IB said.

A BNP Paribas spokeswoman said the bank could not confirm this information, but added that it “has a significant set of measures in place aimed at fighting cyber attacks on a daily basis”. Societe Generale and Credit Agricole declined comment.

The gang, which was called “Cron” after the malware it used, did not steal any funds from customers of the three French banks. However, it exploited the bank service in Russia that allows users to transfer small sums to other accounts by sending an SMS message.

Having infected the users’ phones, the gang sent SMS messages from those devices instructing the banks to transfer money to the hackers’ own accounts.

The findings illustrate the dangers of using SMS messages for mobile banking, a method favored in emerging countries with less advanced internet infrastructure, said Lukas Stefanko, a malware researcher at cyber security firm ESET in Slovakia.

“It’s becoming popular among developing nations or in the countryside where access to conventional banking is difficult for people,” he said. “For them it is quick, easy and they don’t need to visit a bank… But security always has to outweigh consumer convenience.”

CYBER CRIMINALS

The Russian Interior Ministry said a number of people had been arrested, including what it described as the gang leader. This was a 30-year-old man living in Ivanovo, an industrial city 300 km (185 miles) northeast of Moscow, from where he had commanded a team of 20 people across six different regions.

Four people remain in detention while the others are under house arrest, the ministry said in a statement.

“In the course of 20 searches across six regions, police seized computers, hundreds of bank cards and SIM cards registered under fake names,” it said.

Group-IB said the existence of the Cron malware was first detected in mid-2015, and by the time of the arrests the hackers had been using it for under a year.

The core members of the group were detained on Nov. 22 last year in Ivanovo. Photographs of the operation released by Group-IB showed one suspect face down in the snow as police in ski masks handcuffed him.

The “Cron” hackers were arrested before they could mount attacks outside Russia, but plans to do that were at an advanced stage, said the investigators.

Group-IB said that in June 2016 they had rented a piece of malware designed to attack mobile banking systems, called “Tiny.z” for $2,000 a month. The creators of the “Tiny.z” malware had adapted it to attack banks in Britain, Germany, France, the United States and Turkey, among other countries.

The “Cron” gang developed software designed to attack lenders including the three French groups, it said, adding it had notified these and other European banks at risk.

A spokeswoman for Sberbank said she had no information about the group involved. However, she said: “Several groups of cyber criminals are working against Sberbank. The number of groups and the methods they use to attack us change constantly.”

“It isn’t clear which specific group is being referred to here because the fraudulent scheme involving Android OS (operating system) viruses is widespread in Russia and Sberbank has effectively combated it for an extensive period of time.”

Alfa Bank did not provide a comment. Qiwi did not respond to multiple requests for comment.

Google <GOOGL.O>, the maker of Android, has taken steps in recent years to protect users from downloading malicious code and by blocking apps which are insecure, impersonate legitimate companies or engage in deceptive behaviors.

A Google spokesman said: “We’ve tracked this malware family for several years and will continue to take action on its variants to protect our users.”

FAKE MOBILE APPS

The Russian authorities, bombarded with allegations of state-sponsored hacking, are keen to show Russia too is a frequent victim of cyber crime and that they are working hard to combat it. The interior and emergencies ministries, as well as Sberbank, said they were targeted in a global cyberattack earlier this month.

Since the allegations about the U.S. election hacking, further evidence has emerged of what some Western officials say is a symbiotic relationship between cyber criminals and Russian authorities, with hackers allowed to attack foreign targets with impunity in return for cooperating with the security services while Moscow clamps down on those operating at home.

The success of the Cron gang was facilitated by the popularity of SMS-banking services in Russia, said Dmitry Volkov, head of investigations at Group-IB.

The gang got their malware on to victims’ devices by setting up applications designed to mimic banks’ genuine apps. When users searched online, the results would suggest the fake app, which they would then download. The hackers also inserted malware into fake mobile apps for well-known pornography sites.

After infecting a customer’s phone, the hackers were able to send a text message to the bank initiating a transfer of up to $120 to one of 6,000 bank accounts set up to receive the fraudulent payments.

The malware would then intercept a confirmation code sent by the bank and block the victim from receiving a message notifying them about the transaction.

“Cron’s success was due to two main factors,” Volkov said. “First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement.”

($1 = 56.0418 roubles)

(The story is refiled to fix typo in spelling of Societe Generale)

(Additional reporting by Maya Nikolaeva in Paris and Eric Auchard in Frankfurt; Editing by Christian Lowe and David Stamp)

U.N.’s North Korea sanctions monitors hit by ‘sustained’ cyber attack

A man types on a computer keyboard in front of the displayed cyber code in this illustration picture

By Michelle Nichols

UNITED NATIONS (Reuters) – United Nations experts investigating violations of sanctions on North Korea have suffered a “sustained” cyber attack by unknown hackers with “very detailed insight” into their work, according to an email warning seen by Reuters on Monday.

The hackers eventually breached the computer of one of the experts on May 8, the chair of the panel of experts wrote in an email to U.N. officials and the U.N. Security Council’s North Korea sanctions committee, known as the 1718 committee.

“The zip file was sent with a highly personalized message which shows the hackers have very detailed insight into the panel’s current investigations structure and working methods,” read the email, which was sent on May 8.

“As a number of 1718 committee members were targeted in a similar fashion in 2016, I am writing to you all to alert you to this heightened risk,” the chair of the panel of experts wrote, describing the attack as part of a “sustained cyber campaign.”

A spokesman for the Italian mission to the United Nations, which chairs the 1718 sanctions committee, said on Friday that a member of the panel of experts had been hacked.

No further details who might be responsible were immediately available.

North Korea’s deputy United Nations envoy said on Friday “it is ridiculous” to link Pyongyang with the hacking of the U.N. panel of experts or the WannaCry “ransomware” cyber attack that started to sweep around the globe more than a week ago.

Cyber security researchers have found technical evidence they said could link North Korea with the WannaCry attack.

Reuters reported on Sunday that North Korea’s main spy agency has a special cell called Unit 180 that is likely to have launched some of its most daring and successful cyber attacks, according to defectors, officials and internet security experts.

The U.N. Security Council first imposed sanctions on North Korea in 2006 and has strengthened the measures in response to the country’s five nuclear bomb tests and two long-range rocket launches. Pyongyang is threatening a sixth nuclear test.

A second email by the U.N. sanctions committee secretary to the 15 Security Council members on May 10 said the U.N. Office of Information and Communications Technology was “conducting an analysis of the affected hard drive.”

“Increased vigilance relating to 1718 Committee-related correspondence is therefore advised until data analysis and related investigations are completed,” the email read.

(Reporting by Michelle Nichols; Editing by Alistair Bell)

WannaCry attack is good business for cyber security firms

FILE PHOTO: A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Joseph Menn

SAN FRANCISCO (Reuters) – For Kris Hagerman, chief executive of UK-based cyber security firm Sophos Group Plc <SOPH.L>, the past week could have been bad. The WannaCry “ransomware” attack hobbled some of its hospital customers in Britain’s National Health Service, forcing them to turn away ambulances and cancel surgeries.

The company quickly removed a boast on its website that “The NHS is totally protected with Sophos.” In many industries, that sort of stumble would likely hit a company’s reputation hard.

Yet on Monday, three days after the global malware attack was first detected, Sophos stock jumped more than 7 percent to set a record high and climbed further on Wednesday after the company raised its financial forecasts.

As for most other cyber security firms, highly publicized cyber attacks are good for business, even though experts say such attacks underscore the industry’s failings.

“We are making good progress and are doing a good job,” Hagerman said in an interview this week. “People ask ‘How come you haven’t solved the cyber crime problem?’ and it’s a little like saying ‘You human beings have been around for hundreds of thousands of years, how come you haven’t solved the crime problem?'”

Hagerman pointed out that his company only claimed to protect 60 percent of NHS affiliates and that other factors contributed to the disaster at the hospitals.

“They have their own budgets. They have their own approach to IT generally and IT security,” Hagerman said of individual hospitals, which pick their own operating systems, patching cycles and network setups. Microsoft Corp <MSFT.O> had issued a patch in March for the flaw WannaCry exploited in Windows operating systems.

Yet Hagerman acknowledged that Sophos did not update its basic antivirus software to block WannaCry until hours after it hit customers.

HIGH STAKES

Security experts say hospitals, where the stakes are especially high, represent a case study in how legacy industries need to up their cyber security game.

“We’ve tolerated a pretty poor level of effectiveness, because so far the consequences of failure have been acceptable,” said Josh Corman, a cyber security industry veteran now working on related issues at the Atlantic Council and a member of a healthcare security task force established by the U.S. Congress.

“We are going to see failure measured in loss of life and a hit to GDP, and people will be very surprised.”

Some long-lived medical devices have more than a thousand vulnerabilities, Corman said, and perhaps 85 percent of U.S. medical institutions have no staff qualified for basic cyber security tasks such as patching software, monitoring threat advisories and separating networks from one another.

Increasingly serious cyber security problems are partly an inevitable consequence of the growing complexity of digital technology.

But there are other causes too, including a lack of accountability that stems from the wide range of technology handlers: computer software vendors, antivirus suppliers, in-house professionals, consultants and various regulators.

Ultimately, Corman said, hospitals need to hire solid cyber security people instead of another nurse or two.

GOOD FOR BUSINESS

“What’s needed is punishment of the negligent,” said Ross Anderson, a University of Cambridge pioneer in studying the economics of information security, referring to the hospitals that did not stop WannaCry.

“This is not about technology. This is about people fouling up in ways people would get a pink slip for” in less-insulated environments, he said, meaning they would lose their jobs.

For now, though, there are few signs of any revamp in large institutions’ approach to cyber security – and little incentive for contractors in the cyber security industry to change.

Sophos was not the only company whose stock rose on Monday, as the global scale of WannaCry became apparent. Shares of U.S.-based FireEye Inc <FEYE.O> and Qualys Inc <QLYS.O> both rose more than 5 percent.

But Sophos stood out, aided by higher expectations for a product the company introduced last year to fend off ransomware – so called because the authors of the malware demand a ‘ransom’ to restore a user’s infected computer – which worked at the hospitals that had installed it.

“It’s good news for our business,” one Sophos employee, who asked not to be named, told Reuters this week. “We were so inundated with people calling us.”

(Reporting by Joseph Menn; Editing by Jonathan Weber and Bill Rigby)

Companies use kidnap insurance to guard against ransomware attacks

FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS/File Photo

By Suzanne Barlyn and Carolyn Cohn

NEW YORK/LONDON (Reuters) – Companies without cyber insurance are dusting off policies covering kidnap, ransom and extortion in the world’s political hotspots to recoup losses caused by ransomware viruses such as “WannaCry”, insurers say.

Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as $100,000 for $10 million in data breach insurance.

Some companies do not even consider it because they do not think they are targets.

The kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas where violence related to oil and mining operations is common, such as parts of Africa and Latin America. Companies could also tap them to cover losses following the WannaCry attack, which used malicious software, known as ransomware, to lock up more than 200,000 computers in more than 150 countries, and demand payments to free them up. Pay-outs on K&R for ransomware attacks may be lower and the policies less suitable than those offered by traditional cyber insurance, insurers say.

“There will be some creative forensic lawyers who will be looking at policies,” said Patrick Gage, chief underwriting officer at CNA Hardy, a specialist commercial insurer, in London.

He added, however, that given that K&R policies are geared towards a threat to lives, “our absolute preference is that people buy specific cover, rather than relying on insurance coverage that is not specific”.

American International Group Inc, Hiscox Ltd and the Travelers Companies Inc have been receiving ransomware claims from some customers with K&R policies as ransomware attacks become more common, the companies said.

The insurers declined to comment on total claims, citing confidentiality and client security concerns.

“We are seeing claims (over the past 18 months) but not a huge uptick,” a Hiscox spokeswoman said. “These are within expectations and entirely manageable.”

She declined to say whether the firm had seen any such claims from the WannaCry attacks though Tom Harvey, an expert in cyber risk management at catastrophe modeling firm RMS, said “insurers with kidnap and ransom books will want to look closely at their policy wordings to see whether they are exposed.”

A sharp rise in ransomware attacks in the past 18 months has driven companies to use K&R policies to cover some of their damages if they do not have direct cyber coverage or cannot meet initial cyber policy deductible costs, insurers said.

Symantec Corp,, a cyber security firm based in Mountain View in California, observed over 460,000 ransomware attempts in 2016, up 36 percent from 2015, the company said. The average payment demand ballooned from $294 to $1,077, a 266 percent increase. But as the threat mounts, K&R insurers are at risk from steeper claims than they had anticipated. They are responding by making changes to their policies, which were not designed around ransomware, insurance brokers said. MORE DAMAGING THEN KIDNAPPING Most of the computers affected by WannaCry were outside the United States, where companies have been slow to buy cyber insurance. Nearly 90 percent of the world’s annual cyber insurance premium of $2.5-3 billion comes from the U.S. market, according to insurance broker Aon Plc.

Global companies typically buy K&R policies without ransomware in mind. But instances of high-tech hacks and online ransom demands can hit a company’s business more than an executive being held hostage.

“If your CFO (chief financial officer) gets kidnapped, the company is going to continue to function,” said Bob Parisi, cyber product leader for insurance broker Marsh & McLennan Companies Inc.

“If you get a get a piece of malware in the system, you might have two factories that stop working. The actual damage is probably greater.”

The K&R policies, which typically do not have deductibles, cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities, said Kevin Kalinich, global head of Aon’s cyber risk practice.

Still, K&R policies may provide only a quick fix since they were not designed for ransomware. Companies can add coverage for business interruption, but the upper limits for pay-outs are usually lower than for a cyber policy, insurers say.

K&R insurers have been adapting to ransomware-related claims – some are modernizing coverage by setting up Bitcoin accounts for clients to speed up ransom payments, brokers said.

But insurers are mindful of their own risks.

Some have added deductibles, said Anthony Dagostino, head of global cyber risk at Willis Towers Watson PLC advisory and brokerage.

AIG has reduced business interruption coverage available for K&R policies to a $1 million maximum, from much higher and more flexible limits, said Tracie Grella, global head of cyber risk insurance at AIG.

“Insurers didn’t anticipate there would be this much ransomware activity,” Grella said.

(Reporting by Suzanne Barlyn and Carolyn Cohn; Editing by Carmel Crimmins adn Timothy Heritage)