U.S. pipeline hackers say their aim is cash, not chaos

By Raphael Satter

WASHINGTON (Reuters) – The ransomware group accused of crippling the leading U.S. fuel pipeline operator said on Monday that its goal was to make money and not sow mayhem, a statement that experts saw as a sign the cybercriminals’ scheme had gone farther than they had intended.

The FBI accused the group that calls itself DarkSide of a digital extortion attempt that prompted Colonial Pipeline to shut down its network, potentially causing extraordinary disruption as gasoline deliveries dry up.

In a statement on Monday, Colonial said it expected to “substantially” restore operational service by the end of the week.

The terse news release posted to DarkSide’s website early on Monday did not directly mention Colonial Pipeline but, under the heading “About the latest news,” it noted that “our goal is to make money, and not creating problems for society.”

The statement did not say how much money the hackers were seeking. Colonial Pipeline did not immediately offer comment on the hackers’ statement. The hackers have yet to return repeated Reuters requests to their website for further comment.

DarkSide’s statement said its hackers would launch checks on fellow cybercriminals “to avoid social consequences in the future.” It added the group was “apolitical” and that observers “do not need to tie us” with any particular government.

The statement, which had several spelling and grammatical errors, appeared geared toward lowering the political temperature around one of the most disruptive digital ransom schemes ever reported.

Some security experts interpreted the statement as an indication that the DarkSide hackers were now trying to put some distance between themselves and the chaos they had unleashed.

“This isn’t the first time a threat group has gotten in over their heads,” said Lior Div, the co-founder and chief executive of Boston-based security company Cybereason.

He said that ransomware groups like DarkSide depended on being able to squeeze their victims discreetly, without attracting too much law enforcement scrutiny.

“The global backlash is hurting their business,” said Div. “It is the only reason they are offering a mea culpa.”

The crippling of Colonial’s IT system has led to isolated sales restrictions at retail pumps and is pushing benchmark gasoline prices to a three-year high.

On Sunday the largest U.S. refinery – Motiva Enterprises LLC’s 607,000 barrel-per-day (bpd) Port Arthur, Texas, refinery – shut two crude distillation units because of the outage at Colonial, according to people familiar with the matter.

In an interview with Reuters, a senior official with the U.S. Department of Homeland Security’s cyber arm, CISA, said that the dramatic hack should serve as a wakeup call for people well beyond the energy industry.

“All organizations should really sit up and take notice and make urgent investments to make sure that they’re protecting their networks against these threats,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity.

(Reporting by Raphael Satter; additional reporting by Stephanie Kelly in New York; Editing by Howard Goller)

Companies may be punished for paying ransoms to sanctioned hackers – U.S. Treasury

By Raphael Satter

WASHINGTON (Reuters) – Facilitating ransomware payments to sanctioned hackers may be illegal, the U.S. Treasury said on Thursday, signaling a crackdown on the fast-growing market for consultants who help organizations pay off cybercriminals.

In a pair of advisories, the Treasury’s Office of Foreign Assets Control and its Financial Crimes Enforcement Network warned that facilitators could be prosecuted even if they or the victims did not know that the hackers demanding the ransom were subject to U.S. sanctions.

Ransomware works by encrypting computers, holding a company’s data hostage until a payment is made. Organizations have often ponied up ransoms to liberate their data.

“It is a game changer,” said Alon Gal, chief technology officer of Hudson Rock, which works to head off ransomware attacks before they happen.

Before, companies could decide whether or not to pay cybercriminals off, he said. Now that those decisions are being brought under government oversight “we are going to see a much tougher handling of these incidents.”

The Enforcement Network’s advisory also warned that cybersecurity firms may need to register as money services businesses if they help make ransomware payments. That would impose a new reporting requirement on a previously little-regulated corner of the cybersecurity industry.

Ransomware has become an increasingly visible threat in the United States and abroad. Cybercriminals have long used the software to loot their victims. Some countries, notably North Korea, are also accused of deploying ransomware to earn cash.

(Reporting by Raphael Satter; Editing by Chizu Nomiyama and Richard Chang)

Trail in cyber heist suggests hackers were Chinese: senator

Bangladesh central bank

By Karen Lema

MANILA (Reuters) – A Philippine senator said on Wednesday that Chinese hackers were likely to have pulled off one of the world’s biggest cyber heists at the Bangladesh central bank, citing the network of Chinese people involved in the routing of the stolen funds through Manila.

Unidentified hackers infiltrated the computers at Bangladesh Bank in early February and tried to transfer a total of $951 million from its account at the Federal Reserve Bank of New York.

All but one of the 35 attempted transfers were to the Rizal Commercial Banking Corp (RCBC), confirming the Philippines’ centrality to the heist.

Most transfers were blocked, but a total of $81 million went to four accounts at a single RCBC branch in Manila. The stolen money was swiftly transferred to a foreign exchange broker and distributed to casinos and gambling agents in Manila.

“The hacking was done, chances are, by Chinese hackers,” Senator Ralph Recto told Reuters in a telephone interview. “Then they saw that, in the Philippines, RCBC particularly was vulnerable and sent the money over here.”

Beijing was quick to denounce the comments by Recto, vice chairman of the Senate Committee on Finance and a former head of the Philippines’ economic planning agency.

The suggestion that Chinese hackers were possibly involved was “complete nonsense” and “really irresponsible,” Chinese foreign ministry spokesman Lu Kang told reporters.

Recto said he couldn’t prove the hackers were Chinese, but was merely “connecting the dots” after a series of Senate hearings into the scandal.

At one hearing, a Chinese casino boss and junket operator called Kim Wong named two high-rolling gamblers from Beijing and Macau who he said had brought the stolen money into the Philippines. He displayed purported copies of their passports, showing they were mainland Chinese and Macau administrative region nationals respectively.

“BEST LEAD”

Wong, a native of Hong Kong who holds a Chinese passport, received almost $35 million of the stolen funds through his company and a foreign exchange broker.

The two Chinese named by Wong “are the best lead to determine who are the hackers,” said Recto. “Chances are… they must be Chinese.”

The whereabouts of the two high-rollers were unknown, Recto added, saying the Senate inquiry “may” seek help from the Chinese government to find them.

Recto also questioned the role of casino junket operators in the Philippines, saying many of them have links in Macau, the southern Chinese territory that is the world’s biggest casino hub. “There are junket operators who are from Macau, so it (the money) may find its way back to Macau,” he said.

A senior executive at a top junket operator in Macau told Reuters there was “no reason” to bring funds from the Philippines to Macau.

“This seems more like a political story in the Philippines,” he said, speaking anonymously because he was not authorized to talk to the media.

The U.S. State Department said in a report last month that the gaming industry was “a weak link” in the Philippines’ anti-money laundering regime.

Philrem, the foreign exchange agent, said it distributed the stolen $81 million to Bloomberry Resorts Corp, which owns and operates the upmarket Solaire casino in Manila; to Eastern Hawaii Leisure Company, which is owned by Wong; and to an ethnic Chinese man believed to be a junket operator in Manila.

Wong has returned $5.5 million to the Philippines’ anti-money laundering agency and has promised to hand over another $9.7 million. A portion of the money he received, he said, has already been spent on gambling chips for clients.

Solaire has told the Senate hearing that the $29 million that ended up with them was credited to an account of the Macau-based high-roller but it has managed to seize and confiscate $2.33 million in chips and cash.

(Writing by Andrew R.C. Marshall; Additional reporting by Farah Master in Hong Kong; Editing by Raju Gopalakrishnan)

Romania Focus Of Data Breach Investigation

Investigators looking into the massive data breach at Target and Neiman Marcus stores originated in Romania.

The total of customers whose personal data was stolen in a hacking attack on retail card machines continues to climb.  The latest reports now put the total over 110,000 potential victims of the hacking attack.

The FBI and U.S. Secret Service officials say that over the last year they have been involved with numerous arrests in Romania connected to hacking attacks on U.S. computers.  The rise of cybercrime has been so significant that the Council of Europe has opened an office in Romania’s capital focused on cybercrime.

The U.S. Embassy in Romania said that 80% of cyber attacks from Romania focus on American citizens.  They estimate $1 billion a year is stolen by Romanian hackers.

6 New York Cybercriminals arrested for stealing $45 million

Six people were arrested and charged Monday for stealing $45 million in a worldwide ATM heist.

The five men and one woman were accused of being members of an international cybercriminal organization that targeted prepaid debit cards issued by Middle Eastern banks. They deleted withdrawal limits from compromised accounts then sent teams of “cashers” to make synchronized withdrawals from ATMs worldwide. The six that were arrested visited over 140 ATMs in New York City and withdrew approximately $2.8 million.

“This case is another example of the ability of cybercriminals to inflict significant damage to world financial systems,” said Steven Hughes, Special Agent in Charge of the United States Secret Service New York field office.

Five of the defendants have pleaded not guilty in federal court. The sixth defendant is expected to be arraigned Tuesday. Each person faces up to 7.5 years in prison and a fine of up to $250,000.