Tag Archives: Cyber Security

Ukraine points finger at Russian security services in recent cyber attack

FILE PHOTO: A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko

By Pavel Polityuk

KIEV (Reuters) – Ukraine said on Saturday that Russian security services were involved in a recent cyber attack on the country, with the aim of destroying important data and spreading panic.

The SBU, Ukraine’s state security service, said the attack, which started in Ukraine and spread around the world on Tuesday, was by the same hackers who attacked the Ukrainian power grid in December 2016. Ukrainian politicians were quick to blame Russia for Tuesday’s attack, but a Kremlin spokesman dismissed “unfounded blanket accusations”.

Cyber security firms are trying to piece together who was behind the computer worm, dubbed NotPetya by some experts, which conked out computers, hit banks, disrupted shipping and shut down a chocolate factory in Australia.

The attack also hit major Russian firms, leading some cyber security researchers to suggest that Moscow was not behind it.

The malicious code in the virus encrypted data on computers, and demanded victims pay a $300 ransom, similar to the extortion tactic used in a global WannaCry ransomware attack in May. But Ukrainian officials and some security experts say the ransomware feature was likely a smokescreen.

Relations between Ukraine and Russia went into freefall after Moscow’s annexation of Crimea in 2014 and the subsequent outbreak of a Kremlin-backed separatist insurgency in eastern Ukraine that has killed more than 10,000 people.

Hacking Ukrainian state institutions is part of what Ukraine says is a “hybrid war” by Russia on Kiev. Russia denies sending troops or military equipment to eastern Ukraine.

“The available data, including those obtained in cooperation with international antivirus companies, give us reason to believe that the same hacking groups are involved in the attacks, which in December 2016 attacked the financial system, transport and energy facilities of Ukraine using TeleBots and BlackEnergy,” the SBU said.

“This testifies to the involvement of the special services of Russian Federation in this attack.”

The SBU in an earlier statement on Friday said it had seized equipment it said belonged to Russian agents in May and June to launch cyber attacks against Ukraine and other countries.

Referencing the $300 ransomware demand, the SBU said “the virus is cover for a large-scale attack on Ukraine. This is evidenced by a lack of a real mechanism for taking possession of the funds … enrichment was not the aim of the attack.”

“The main purpose of the virus was the destruction of important data, disrupting the work of public and private institutions in Ukraine and spreading panic among the people.”

A cyber attack in December on a Ukrainian state energy computer caused a power cut in the northern part of the capital Kiev.

The Russian foreign ministry and Federal Security Service did not immediately respond to requests for comment on the latest allegations.

Russian oil major Rosneft <ROSN.MM> was one of the first companies to reveal it had been compromised by the virus and sources told Reuters on Thursday computers at state gas giant Gazprom <GAZP.MM> had also been infected.

The SBU’s accusations chime with some of the findings of the cyber security firm ESET in Slovakia, which said in research published online on Friday that the Telebots group — which has links to BlackEnergy — was behind the attack.

“Collecting ransom money was never the top priority for the TeleBots group,” it said, suggesting Ukraine was the target but the virus spread globally as “affected companies in other countries had VPN connections to their branches, or to business partners, in Ukraine.”

“The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine,” it said.

“Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’ spreading capabilities. That’s why the malware went out of control.”

(Additional reporting by Alexander Winning in Moscow and Jim Finkle in Toronto; writing by Matthias Williams; Editing by Jeremy Gaunt)

U.S. warns businesses of hacking campaign against nuclear, energy firms

Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC) located just outside Washington in Arlington, Virginia September 24, 2010. REUTERS/Hyungwon Kang/File Photo

By Jim Finkle

TORONTO (Reuters) – The U.S government warned industrial firms this week about a hacking campaign targeting the nuclear and energy sectors, the latest event to highlight the power industry’s vulnerability to cyber attacks.

Since at least May, hackers used tainted “phishing” emails to “harvest credentials” so they could gain access to networks of their targets, according to a joint report from the U.S. Department of Homeland Security and Federal Bureau of Investigation.

The report provided to the industrial firms was reviewed by Reuters on Friday. While disclosing attacks, and warning that in some cases hackers succeeded in compromising the networks of their targets, it did not identify any specific victims.

“Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.

Homeland Security and FBI officials could not be reached for comment on the report, which was dated June 28.

The report was released during a week of heavy hacking activity.

A virus dubbed “NotPetya” attacked on Tuesday, spreading from initial infections in Ukraine to businesses around the globe. It encrypted data on infected machines, rendering them inoperable and disrupting activity at ports, law firms and factories.

On Tuesday the energy-industry news site E&E News reported that U.S. investigators were looking into cyber intrusions this year at multiple nuclear power generators.

Reuters has not confirmed details of the E&E News report, which said there was no evidence safety systems had been compromised at affected plants.

The activity described in the U.S. government report comes at a time when industrial firms are particularly anxious about threat that hackers pose to their operations.

Industrial firms, including power providers and other utilities, have been particularly worried about the potential for destructive cyber attacks since December 2016, when hackers cut electricity in Ukraine.

U.S. nuclear power generators PSEG <PEG.N>, SCANA Corp <SCG.N> and Entergy Corp <ETR.N> said they were not impacted by the recent cyber attacks. SCANA’s V.C. Summer nuclear plant in South Carolina shut down on Thursday due to a problem with a valve in the non-nuclear portion of the plant, a spokesman said.

Another nuclear power generator, Dominion Energy <D.N>, said it does not comment on cyber security.

Two cyber security firms said on June 12 that they had identified the malicious software used in the Ukraine attack, which they dubbed Industroyer, warning that it could be easily modified to attack utilities in the United States and Europe.

Industroyer is only the second piece of malware uncovered to date that is capable of disrupting industrial processes without the need for hackers to manually intervene.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The U.S. government report said attackers conducted reconnaissance to gain information about the individuals whose computers they sought to infect so that they create “decoy documents” on topics of interest to their targets.

In an analysis, it described 11 files used in the attacks, including malware downloaders and tools that allow the hackers to take remote control of victim’s computers and travel across their networks.

Chevron Corp <CVX.N>, Exxon Mobil Corp <XOM.N> and ConocoPhillips <COP.N>, the three largest U.S. oil producers, declined to comment on their network security.

(Reporting by Jim Finkle; Additional reporting by Timothy Gardner in Washington and Ernest Scheyder in Houston; editing by Grant McCool and Tom Brown)

Global shipping feels fallout from Maersk cyber attack

The Maersk ship Adrian Maersk is seen as it departs from New York Harbor in New York City, U.S., June 27, 2017. REUTERS/Brendan McDermid

By Jonathan Saul

LONDON (Reuters) – Global shipping is still feeling the effects of a cyber attack that hit A.P. Moller-Maersk <MAERSKb.CO> two days ago, showing the scale of the damage a computer virus can unleash on the technology dependent and inter-connected industry.

About 90 percent of world trade is transported by sea, with ships and ports acting as the arteries of the global economy. Ports increasingly rely on communications systems to keep operations running smoothly, and any IT glitches can create major disruptions for complex logistic supply chains.

The cyber attack was among the biggest-ever disruptions to hit global shipping. Several port terminals run by a Maersk division, including in the United States, India, Spain, the Netherlands, were still struggling to revert to normal operations on Thursday after experiencing massive disruptions.

South Florida Container Terminal, for example, said dry cargo could not be delivered and no container would be received. Anil Diggikar, chairman of JNPT port, near the Indian commercial hub of Mumbai, told Reuters that he did not know “when exactly the terminal will be running smoothly”.

His uncertainty was echoed by Maersk itself, which told Reuters that a number of IT systems were still shut down and that it could not say when normal business operations would be resumed.

It said it was not able to comment on specific questions regarding the breach of its IT systems or the state of its cyber security as it had “all available hands focused on practical stuff and getting things back to normal”.

The impact of the attack on the company has reverberated across the industry given its position as the world’s biggest container shipping line and also operator of 76 ports via its APM Terminals division.

Container ships transport much of the world’s consumer goods and food, while dry bulk ships haul commodities including coal and grain and tankers carry vital oil and gas supplies.

“As Maersk is about 18 percent of all container trade, can you imagine the panic this must be causing in the logistic chain of all those cargo owners all over the world?” said Khalid Hashim, managing director of Precious Shipping <PSL.BK>, one of Thailand’s largest dry cargo ship owners.

“Right now none of them know where any of their cargoes (or)containers are. And this ‘black hole’ of lack of knowledge will continue till Maersk are able to bring back their systems on line.”

BACK TO BASICS

The computer virus, which researchers are calling GoldenEye or Petya, began its spread on Tuesday in Ukraine and affected companies in dozens of countries.

Maersk said the attack had caused outages at its computer systems across the world.

In an example of the turmoil that ensued, the unloading of vessels at the group’s Tacoma terminal was severely slowed on Tuesday and Wednesday, said Dean McGrath, president of the International Longshore and Warehouse Union Local 23 there.

The terminal is a key supply line for the delivery of domestic goods such as milk and groceries and construction materials to Anchorage, Alaska.

“They went back to basics and did everything on paper,” McGrath said.

Ong Choo Kiat, President of U-Ming Marine Transport <2606.TW>, Taiwan’s largest dry bulk ship owner, said the fact Maersk had been affected rang alarm bells for the whole shipping industry as the Danish company was regarded as a leader in IT technology.

“But they ended up one of the first few casualties. I therefore conclude that shipping is lacking behind the other industry in term of cyber security,” he said.

“How long would it takes to catch up? I don’t know. But recently all owners and operators are definitely more aware of the risk of cyber security and beginning to pay more attention to it.”

In a leading transport survey by international law firm Norton Rose Fulbright published this week, 87 percent of respondents from the shipping industry believed cyber attacks would increase over the next five years – a level that was higher than counterparts in the aviation, rail and logistics industries.

VULNERABLE

Apart from the reliance on computer systems, ships themselves are increasingly exposed to interference through electronic navigation devices such as the Global Positioning System (GPS) and lack the backup systems airliners have to prevent crashes, according to cyber security experts.

There were no indications that GPS and other electronic navigation aids were affected by this week’s attack, but security specialists say such systems are vulnerable to signal loss from deliberate jamming by hackers.

Last year, South Korea said hundreds of fishing vessels had returned early to port after its GPS signals were jammed by North Korea, which denied responsibility.

“The Maersk attack raises our awareness of the vulnerability of shipping and ports to technological failure,” said Professor David Last, a previous president of Britain’s Royal Institute of Navigation.

“When GPS fails, ships’ captains lose their principal means of navigation and much of their communications and computer links. They have to slow down and miss port schedules,” said Last, who is also a strategic advisor to the General Lighthouse Authorities of the UK and Ireland.

A number of countries including the UK and the United States are looking into deploying a radar based back up navigation system for ships called eLoran, but this will take time to develop.

David Nordell, head of strategy and policy for London-based think tank, the Centre for Strategic Cyberspace and Security Science, said the global shipping and port industries were vulnerable to cyber attack, because their operating technologies tend to be old.

“It’s certainly possible to imagine that two container ships, or, even worse, oil or gas tankers, could be hacked into colliding, resulting in loss of life and cargo, and perhaps total loss of the vessels,” Nordell said.

“Carried out in a strategically sensitive location such as the Malacca Straits or the Bosphorus, a collision like this could block shipping for enough time to cause serious dislocations to trade.”

SECRETIVE INDUSTRY

Cyber risks also pose challenges for insurance cover.

In a particularly secretive industry, information about the nature of cyber attacks is still scarce, which insurance and shipping officials say is an obstacle to mitigating the risk, which means there are gaps in insurance cover available.

“There has been a lot of non-reporting (of breaches) on ships, and we’re trying efforts where even if there could be anonymous reporting on a platform so we can start to get the information and the data,” said Andrew Kinsey, senior marine consultant at insurer Allianz Global Corporate & Specialty.

There is also a gap in provision, because most existing cyber or hull insurance policies – which insure the ship itself – will not cover the risk of a navigation system being jammed or physical damage to the ship caused by a hacking attack.

“The industry is just waking up to its vulnerability,” said Colin Gillespie, deputy director of loss prevention with ship insurer North.

“Perhaps it is time for insurers, reinsurers, ship operators and port operators to sit down together and consider these risks in detail. A collective response is needed – we are all under attack.”

(Additional reporting by Jacob Gronholt-Pedersen in Copenhagen, Keith Wallis and Carolyn Cohn in London, Euan Rocha in Mumbai, Miyoung Kim in Singapore, Alexander Cornwell in Dubai, Michael Hirtzer in Chicago, Noor Zainab Hussain in Bangalore, Adam Jourdan and Shanghai newsroom; Editing by Pravin Char)

Ransomware virus hits computer servers across the globe

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

MOSCOW/KIEV (Reuters) – A ransomware attack hit computers across the world on Tuesday, taking out servers at Russia’s biggest oil company, disrupting operations at Ukrainian banks, and shutting down computers at multinational shipping and advertising firms.

Cyber security experts said those behind the attack appeared to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a kill-switch.

“It’s like WannaCry all over again,” said Mikko Hypponen, chief research officer with Helsinki-based cyber security firm F-Secure.

He said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. “This could hit the U.S.A. pretty bad,” he said.

The U.S. Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

The first reports of organizations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

Danish shipping giant A.P. Moller-Maersk, which handles one out of seven containers shipped globally, said the attack had caused outages at its computer systems across the world on Tuesday, including at its terminal in Los Angeles.

Pharmaceutical company Merck & Co said its computer network had been affected by the global hack.

A Swiss government agency also reported computer systems were affected in India, though the country’s cyber security agency said it had yet to receive any reports of attacks.

“DON’T WASTE YOUR TIME”

After the Wannacry attack, organizations around the globe were advised to beef up IT security.

“Unfortunately, businesses are still not ready and currently more than 80 companies are affected,” said Nikolay Grebennikov, vice president for R&D at data protection firm Acronis.

One of the victims of Tuesday’s cyber attack, a Ukrainian media company, said its computers were blocked and it had a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the message said, according to a screenshot posted by Ukraine’s Channel 24.

The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world’s biggest advertising agency, WPP – though it was not clear if their problems were caused by the same virus.

“The building has come to a standstill. It’s fine, we’ve just had to switch everything off,” said one WPP employee who asked not to be named.

WANNACRY AGAIN

Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught.

Experts said the latest ransomware attacks unfolding worldwide, dubbed GoldenEye, were a variant of an existing ransomware family called Petya.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender.

“There is no workaround to help victims retrieve the decryption keys from the computer,” the company said.

Russian security software maker Kaspersky Lab, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before.

Last’s month’s fast-spreading WannaCry ransomware attack was crippled after a 22-year-old British security researcher Marcus Hutchins created a so-called kill-switch that experts hailed as the decisive step in slowing the attack.

Any organization that heeded strongly worded warnings in recent months from Microsoft Corp to urgently install a security patch and take other steps appeared to be protected against the latest attacks.

Ukraine was particularly badly hit, with Prime Minister Volodymyr Groysman describing the attacks on his country as “unprecedented”.

An advisor to Ukraine’s interior minister said the virus got into computer systems via “phishing” emails written in Russian and Ukrainian designed to lure employees into opening them.

According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

Yevhen Dykhne, director of the Ukrainian capital’s Boryspil Airport, said it had been hit. “In connection with the irregular situation, some flight delays are possible,” Dykhne said in a post on Facebook. A Reuters reporter who visited the airport late on Tuesday said flights were operating as normal.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government’s computer network had gone down and the central bank said a operation at a number of banks and companies, including the state power distributor, had been disrupted by the attack.

“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement.

Russia’s Rosneft, one of the world’s biggest crude producers by volume, said its systems had suffered “serious consequences” from the attack. It said it avoided any impact on oil production by switching to backup systems.

The Russian central bank said there were isolated cases of lenders’ IT systems being infected by the cyber attack. One consumer lender, Home Credit, had to suspend client operations.

(Additional reporting by European bureaux and Jim Finkle in Toronto; writing by Christian Lowe; editing by David Clarke)

Anthem to pay record $115 million to settle U.S. lawsuits over data breach

The office building of health insurer Anthem is seen in Los Angeles, California February 5, 2015. REUTERS/Gus Ruelas

By Brendan Pierson

(Reuters) – Anthem Inc <ANTM.N>, the largest U.S. health insurance company, has agreed to settle litigation over hacking in 2015 that compromised about 79 million people’s personal information for $115 million, which lawyers said would be the largest settlement ever for a data breach.

The deal, announced Friday by lawyers for people whose information was compromised, must still be approved by U.S. District Judge Lucy Koh in San Jose, California, who is presiding over the case.

The money will be used to pay for two years of credit monitoring for people affected by the hack, the lawyers said. Victims are believed to include current and former customers of Anthem and of other insurers affiliated with Anthem through the national Blue Cross Blue Shield Association.

People who are already enrolled in credit monitoring may choose to receive cash instead, which may be up to $50 per person, according to a motion filed in California federal court Friday.

“We are very satisfied that the settlement is a great result for those affected and look forward to working through the settlement approval process,” Andrew Friedman, a lawyer for the victims, said in a statement.

The credit monitoring in the settlement is in addition to the two years of credit monitoring Anthem offered victims when it announced the breach in February 2015, according to Anthem spokeswoman Jill Becher, who said the company was pleased to be resolving the litigation.

The Indianapolis-based company did not admit wrongdoing, and there was no evidence any compromised information was sold or used to commit fraud, Becher said.

Anthem said in February 2015 that an unknown hacker had accessed a database containing personal information, including names, birthdays, social security numbers, addresses, email addresses and employment and income information. The attack did not compromise credit card information or medical information, the company said.

More than 100 lawsuits filed against Anthem over the breach were consolidated before Judge Koh.

The breach is one of a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies in recent years, including Target Corp <TGT.N>, which agreed to pay $18.5 million to settle claims by 47 states in May, and Home Depot Inc <HD.N>, which agreed to pay at least $19.5 million to consumers last year.

(Reporting by Brendan Pierson in New York; Editing by Lisa Shumaker)

Google to push for law enforcement to have more access to overseas data

FILE PHOTO: A Google logo is seen in a store in Los Angeles, California, U.S., March 24, 2017. REUTERS/Lucy Nicholson/File Photo

By Dustin Volz

WASHINGTON (Reuters) – Alphabet Inc’s <GOOGL.O> Google will press U.S. lawmakers on Thursday to update laws on how governments access customer data stored on servers located in other countries, hoping to address a mounting concern for both law enforcement officials and Silicon Valley.

The push comes amid growing legal uncertainty, both in the United States and across the globe, about how technology firms must comply with government requests for foreign-held data. That has raised alarm that criminal and terrorism investigations are being hindered by outdated laws that make the current process for sharing information slow and burdensome.

Kent Walker, Google’s senior vice president and general counsel, will announce the company’s framework during a speech in Washington, D.C., at the Heritage Foundation, a conservative think tank that wields influence in the Trump White House and Republican-controlled Congress.

The speech urges Congress to update a decades-old electronic communications law and follows similar efforts by Microsoft Corp <MSFT.O>.

Both companies had previously objected in court to U.S. law enforcement efforts to use domestic search warrants for data held overseas because the practice could erode user privacy. But the tech industry and privacy advocates have also admitted the current rules for appropriate cross-border data requests are untenable.

The Mountain View, California-based company calls for allowing countries that commit to baseline privacy, human rights and due process principles to directly request data from U.S. providers without the need to consult the U.S. government as an intermediary. It is intended to be reciprocal.

Countries that do not adhere to the standards, such as an oppressive regime, would not be eligible.

Google did not detail specific baseline principles in its framework.

“This couldn’t be a more urgent set of issues,” Walker said in an interview, noting that recent acts of terrorism in Europe underscored the need to move quickly.

Current agreements that allow law enforcement access to data stored overseas, known as mutual legal assistance treaties, involve a formal diplomatic request for data and require the host country obtain a warrant on behalf of the requesting country. That can often take several months.

In January, a divided federal appeals court refused to reconsider its decision from last year that said the U.S. government could not force Microsoft or other companies to hand over customer data stored abroad under a domestic warrant.

The U.S. Justice Department has until midnight on Friday to appeal that decision to the Supreme Court. It did not respond to a request for comment.

U.S. judges have ruled against Google in similar recent cases, however, elevating the potential for Supreme Court review.

Companies, privacy advocates and judges themselves have urged Congress to address the problem rather than leave it to courts.

Google will also ask Congress to codify warrant requirements for data requests that involve content, such as the actual message found within an email.

Chris Calabrese, vice president of policy at the Center for Democracy & Technology, said Google’s framework was “broadly correct” but urged caution about the process for letting countries make direct requests to providers.

“We need to make sure the people in the club are the right people,” he said.

(Reporting by Dustin Volz; Editing by Lisa Shumaker)

U.S. banks, corporations establish principles for cyber risk ratings firms

A view of the exterior of the JP Morgan Chase & Co. corporate headquarters in New York City May 20, 2015. REUTERS/Mike Segar/Files

By Anna Irrera and Olivia Oran

(Reuters) – More than two dozen U.S. companies, including several big banks, have teamed up to establish shared principles that would allow them to better understand their cyber security ratings and to challenge them if necessary, the U.S. Chamber of Commerce said on Tuesday. Large corporations often use the ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Insurers also look at the ratings when they make underwriting decisions on cyber liability.

The group includes big banks like JPMorgan Chase & Co <JPM.N>, Goldman Sachs Group Inc <GS.N> and Morgan Stanley <MS.N>, as well as non-financial companies like coffee retailer Starbucks Corp <SBUX.O>, health insurer Aetna Inc <AET.N> and home improvement chain Home Depot Inc <HD.N>. They are organizing the effort through the Chamber of Commerce, a broad trade group for corporate America.

The move comes in response to the emergence of such startups as BitSight Technologies, RiskRecon and SecurityScorecard that collect and analyze large swaths of data to rate companies on cyber security.

As these startups have gained prominence and venture capital funding, the companies they rate have complained of a lack of transparency.

“The challenge is that their (startups’) methodologies are proprietary and there hasn’t been transparency on how they go about creating the ratings,” JPMorgan Global Chief Information Security Officer Rohan Amin said in an interview.

The financial services industry is among the most vulnerable to cyber crime because of the massive amount of money and valuable data that banks, brokerages and investment firms process each day. Several technology companies, including Microsoft Corp <MSFT.O> and Verizon Communications Inc <VZ.N>, also support the principles being developed, as do the cyber ratings firms, the Chamber of Commerce said.

Ratings issued by those companies could help guide the standards being set by U.S. corporations. BitSight, for example, rates companies on a scale of 250 to 900 with a higher rating indicating better security performance.

“For organizations to use your platform you have to demonstrate trustworthiness and reliability,” said Jake Olcott, BitSight’s vice president of strategic partnerships.

(Reporting by Anna Irrera and Olivia Oran in New York; Editing by Lauren Tara LaCapra and Lisa Von Ahn)

Canada cyber-spy agency expects hacktivist attacks in 2019 vote

Communications Security Establishment (CSE) Chief Greta Bossenmaier takes part in a news conference in Ottawa, Ontario, Canada, June 16, 2017. REUTERS/Chris Wattie

By Leah Schnurr and Alastair Sharp

OTTAWA/TORONTO (Reuters) – Canada’s electronic spy agency said on Friday it was “very likely” that hackers will try to influence Canada’s 2019 elections and it planned to advise political parties next week on how to guard against cyber threats.

The Communications Security Establishment (CSE) agency said it had not detected any nation-state attempts to interfere in prior Canadian elections but saw risk from hacktivists.

CSE said Canada’s 2015 federal election, which brought Prime Minister Justin Trudeau’s Liberals to power, was targeted by “low-sophistication cyber threat activity” that did not affect the outcome of the election, according to a report it released on Friday.

“CSE will be offering cyber advice and guidance to parliamentarians and to Canada’s political parties,” CSE chief Greta Bossenmaier told a news conference. “Cyber security is a team imperative; no one organization can go it alone,” she added.

Worries about interference in democratic processes have come to the fore amid allegations of Russian meddling in the U.S. presidential election last November and the French election in May.

U.S. intelligence agencies concluded last year that Russia hacked and leaked Democratic Party emails as part of an effort to tilt the presidential election in favor of Donald Trump, something Russia denies.

A British intelligence agency in March told political parties to protect themselves against potential cyber attacks, while the French government in March dropped plans to let its citizens abroad vote electronically in this month’s legislative elections because of concern about the risk of cyber attacks.

CSE said federal political parties, politicians and the media are more vulnerable to cyber threats than elections themselves, given that federal elections are largely paper-based.

Cyber security lawyer Imran Ahmed of Miller Thomson said engaging with political parties was “a good first step” but the spy agency should have already had a plan in place including expected standards for political parties to meet.

“We’re two years away from 2019 and there’s no timeline for what the next steps will be,” he said.

CSE said it expects some hacktivist efforts in 2019 will be well-planned, with targets ranging from voter suppression and stealing party information to trying to discredit candidates.

(Reporting by Leah Schnurr in Ottawa and Alastair Sharp in Toronto; Editing by Phil Berlowitz)

Security firms warn of new cyber threat to electric grid

An electricity station with high-tension electricity power lines is seen in Galapagar, Spain, January 20, 2017.

By Jim Finkle

(Reuters) – Two cyber security companies said they have uncovered a sophisticated piece of malicious software capable of causing power outages by ordering industrial computers to shut down electricity transmission.

Analysis of the malware, known as Crash Override or Industroyer, indicates it was likely used in a December 2016 cyber attack that cut power in Ukraine, according to the firms, Slovakian security software maker ESET and U.S. critical-infrastructure security firm Dragos Inc.

The discovery may stoke fears about cyber vulnerabilities in power grids that have intensified in the wake of the December Ukraine attack, and one a year earlier that also cut power in that nation.

Ukraine authorities have previously blamed Russia for the attacks on its grid. Moscow has denied responsibility.

Dragos founder Robert M. Lee said the malware is capable of causing outages of up to a few days in portions of a nation’s grid, but is not potent enough to bring down a country’s entire grid.

The firm has alerted government authorities and power companies about the threat, advising them of steps to defend against the threat, Lee said in an interview.

Crash Override can be detected if a utility specifically monitors its network for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switch breakers, according to Lee, a former U.S. Air Force warfare operations officer.

The sample of Crash Override that was analyzed by Dragos is capable of attacking power operators across Europe, according to Lee.

“With small modifications, it could be leveraged against the United States,” he said.

Reuters reviewed an ESET technical analysis of the malware provided by the security firm, which they planned to release publicly on Monday. An ESET spokeswoman said the firm’s researchers were not available for comment ahead of its release.

ESET said in its report that it believed the malware was “very probably” used in the 2016 attack in Ukraine, noting it has an activation time stamp of Dec. 17, the day of the outage.

Crash Override is the second piece of malware discovered to date that is capable of disrupting industrial processes, according to Lee.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

Malware has been used in other attacks on industrial targets, including the 2015 Ukraine power outage, but in those cases human intervention was required to interfere with operations, Lee said.

(Reporting by Jim Finkle in Toronto; Editing by Tom Brown and Richard Pullin)

Blame game for cyber attacks grows murkier as spying, crime tools mix

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

By Eric Auchard

TALLINN, Estonia (Reuters) – Veteran espionage researcher Jon DiMaggio was hot on the trail three months ago of what on the face of it looked like a menacing new industrial espionage attack by Russian cyber spies.

All the hallmarks were there: targeted phishing emails common to government espionage, an advanced Trojan horse for stealing data from inside organizations, covert communication channels for grabbing documents and clues in the programming code indicating its authors were Russian speakers.

It took weeks before the lead cyber spying investigator at Symantec, a top U.S. computer security firm, figured out instead he was tracking a lone-wolf cyber criminal.

DiMaggio won’t identify the name of the culprit, whom he has nicknamed Igor, saying the case is a run-of-the-mill example of increasing difficulties in separating national spy agency activity from cyber crime. The hacker comes from Transdniestria, a disputed, Russian-speaking region of Moldova, he said.

“The malware in question, Trojan.Bachosens, was so advanced that Symantec analysts initially thought they were looking at the work of nation-state actors,” DiMaggio told Reuters in a phone interview on Wednesday. “Further investigation revealed a 2017 equivalent of the hobbyist hackers of the 1990s.”

Reuters could not contact the alleged hacker.

The example highlights the dangers of jumping to conclusions in the murky world of cyber attack and defense, as tools once only available to government intelligence services find their way into the computer criminal underground.

Security experts refer to this as “the attribution problem”, using technical evidence to assign blame for cyber attacks in order to take appropriate legal and political responses.

These questions echo through the debate over whether Russia used cyber attacks to influence last year’s U.S. presidential elections and whether Moscow may be attempting to disrupt national elections taking place in coming months across Europe.

The topic is a big talking point for military officials and private security researchers at the International Conference on Cyber Conflict in Tallin this week. It has been held each year since Estonia was swamped in 2007 by cyber attacks that took down government, financial and media websites amid a dispute with Russia. Attribution for those attacks remains disputed.

THE SMOKING GUN

“Attribution is almost never a clean, smoking-gun,” said Paul Vixie, creator of the first commercial anti-spam service, whose latest firm, Farsight Security, helps firms track down cyber attackers to identify and block them.

Raising the stakes, a mystery group calling itself ShadowBrokers has taken credit for leaking cyber-spying tools that are now being turned to criminal use, including ones used in the recent WannaCry global ransomware attack, ratcheting up cyber security threats to a whole new level.

In recent weeks, ShadowBrokers has threatened to sell more such tools, believed to have been stolen from the U.S. National Security Agency, to enable hacking into the world’s most used computers, software and phones. (http://reut.rs/2rmTZmm)

“The bar for what’s considered advanced is lowered as time goes by,” said Sean Sullivan, a security researcher with Finnish cyber firm F-Secure.

The Moldovan hacker’s campaign to steal data and resell it on the web came to light only after infections popped up last year at a major airline, an online gambling firm and a Chinese automotive software maker, which are all customers of Symantec products used to secure their business networks.

Igor appears to have targeted the auto-tech company to steal its car diagnostics software, which retails for around $1,100 but Igor sold for just a few hundred dollars on underground forums and websites he had created. His aims in trying to break into the airline and gambling firm remain a mystery.

“Considering the audacity of this attack, the financial rewards for Igor are pretty low,” DiMaggio wrote in a blog post on his findings to be published on Wednesday.

As a threat, Symantec rates Trojan.Bachosens as a very low risk virus, in part because the attack singles out only a handful of specific firms rather than the wide-ranging, random attacks used by many cyber criminals to scoop up the greatest number of victims.

“I think those days are over when we can say in black and white: We know this is an espionage group,” DiMaggio said.

The Symantec researcher has not reported Igor to local authorities, calculating that exposing the methods of the attack will be enough to neutralize them.

(Editing by Peter Millership)