NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)

U.S. waging cyber war on Islamic State, commandos active

WASHINGTON (Reuters) – The United States is waging cyber attacks against Islamic State in Syria and Iraq, and its newly deployed commandos are also carrying out secret missions on the ground, Pentagon leaders said on Monday, in the latest signs of quietly expanding U.S. activity.

U.S. Defense Secretary Ash Carter said the cyber attacks, particularly in Syria, were designed to prevent Islamic State from commanding its forces, and Washington was looking to accelerate the cyber war against the Sunni militant group.

“The methods we’re using are new. Some of them will be surprising,” Carter told a Pentagon news conference.

General Joseph Dunford, chairman of the U.S. military’s Joint Chiefs of Staff, said the cyber attacks were helping lay the groundwork for an eventual offensive operation to recapture the city of Mosul in Iraq from Islamic State.

Carter and Dunford, the Pentagon’s top civilian and uniformed officials, both suggested the attacks were aimed at overloading the militants’ networks. They declined to delve into specifics.

“We don’t want the enemy to know when, where and how we’re conducting cyber operations. We don’t want them to have information that will allow them to adapt over time,” Dunford said.

Dunford suggested Islamic State might not know why its computer networks were proving unreliable.

“They’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age. And frankly, we don’t want them to know the difference.”

U.S. COMMANDOS

The United States disclosed in January that a new, roughly 200-strong U.S. contingent of special operations forces was “in place” in Iraq, poised to carry out raids against Islamic State and other secret missions, both in Iraq and in Syria.

Carter disclosed on Monday that the so-called “expeditionary targeting force,” or ETF, was already operating on the ground.

“The ETF is in position, it is having an effect and operating, and I expect it to be a very effective part of our acceleration campaign,” he said, without elaborating.

Its deployment represents increased U.S. military activity on the ground against Islamic State, exposing American forces to greater risk – something President Barack Obama has done only sparingly.

The force follows another deployment last year of up to 50 U.S. special operations troops in Syria to coordinate on the ground with U.S.-backed forces battling Islamic State.

The U.S. military disclosed last week that those U.S. forces helped opposition forces recapture the strategic Syrian town of al-Shadadi from Islamic State.

The Pentagon said recapturing the town helped sever links between Mosul in Iraq and Raqqa in Syria, the two major power centers in Islamic State’s self-declared caliphate.

More knowledge about the group’s operations is expected to be discovered, Carter said.

“As our partners take control of Shadadi, I believe we will learn a great deal more about ISIL’s criminal networks, its criminal enterprise and what it does to sustain them,” Carter said, using an acronym for the group.

(Reporting by Phil Stewart and David Alexander; Editing by Susan Heavey and Richard Chang)

Sony hackers linked to breaches in 4 other countries, report finds

SAN FRANCISCO (Reuters) – The perpetrators of the 2014 cyber attack on Sony Pictures Entertainment were not activists or disgruntled employees, and likely had attacked other targets in China, India, Japan and Taiwan, according to a coalition of security companies that jointly investigated the Sony case for more than a year.

The coalition, organized by security analytics company Novetta, concluded in a report released on Wednesday that the hackers were government-backed but it stopped short of endorsing the official U.S. view that North Korea was to blame.

The Obama administration has tied the attack on Sony Corp’s film studio to its release of “The Interview,” a comedy that depicted the fictional assassination of North Korean leader Kim Jong Un.

Novetta said the breach “was not the work of insiders or hacktivists.”

“This is very much supportive of the theory that this is nation-state,” Novetta Chief Executive Peter LaMontagne told Reuters. “This group was more active, going farther back, and had greater capabilities and reach than we thought.”

Novetta worked with the largest U.S. security software vendor Symantec Corp, top Russian security firm Kaspersky Lab and at least 10 other institutions on the investigation, a rare collaboration involving so many companies.

They determined that the unidentified hackers had been at work since at least 2009, five years before the Sony breach. The hackers were able to achieve many of their goals despite modest skills because of the inherent difficulty in establishing an inclusive cyber security defense, the Novetta group said.

LaMontagne said the report was the first to tie the Sony hack to breaches at South Korean facilities including a power plant. The FBI and others had previously said the Sony attackers reused code that had been used in destructive attacks on South Korean targets in 2013.

The Novetta group said the hackers were likely also responsible for denial-of-service attacks that disrupted U.S. and South Korean websites on July 24, 2009. The group said it found overlaps in code, tactics and infrastructure between the attacks.

Symantec researcher Val Saengphaibul said his company connected the hackers to attacks late last year, suggesting the exposure of the Sony breach and the threat of retaliation by the United States had not silenced the gang.

The coalition of security companies distributed technical indicators to help others determine if they had been targeted by the same hackers, which Novetta dubbed the Lazarus Group.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

California hospital makes rare admission of hack, ransom payment

LOS ANGELES/BOSTON (Reuters) – While it was not the first hacked organization to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news.

Hollywood Presbyterian Medical Center relented to the demands, President Allen Stefanek said, because he believed it was the “quickest and most efficient way” to free the Los Angeles hospital’s network, which was paralyzed for about 10 days.

That announcement sparked fears Thursday among hospitals and security experts that it would embolden hackers to launch more “ransomware” attacks, and prompted calls in California for tougher laws.

“It’s no different than if they took all the patients and held them in one room at gunpoint,” said California State Senator Robert Hertzberg, who on Thursday introduced legislation to make a ransomware attack equivalent to extortion and punishable by up to four years in prison.

Usually embarrassment and a desire to discourage hackers keep attacked companies quiet. Hollywood Presbyterian did not say why it made the disclosure, but its hand may have been forced by spreading rumors a week after the hack. Stefanek confirmed the cyber attack after at least one doctor appeared to have told local media.

In addition, he disputed media reports the 434-bed hospital had faced a ransom demand of $3.4 million, far more than the amount paid in the hard-to-trace cyber-currency bitcoin.

In a ransomware attack, hackers infect PCs with malicious software that encrypts valuable files so they are inaccessible, then offer to unlock the data only if the victim pays a ransom.

The hack at Hollywood Presbyterian forced doctors to use pen and paper in an age of computerization. News reports said its fax lines were jammed because normal e-mail communication was unavailable, and some emergency patients had to be diverted to other hospitals.

Investigators said administrators were so alarmed that they may have paid ransom first and called police later.

Medical facilities in the area plan to consult cyber security experts on how to protect themselves, the Hospital Association of Southern California said. “Hospitals are certainly now aware of ransomware more than they ever were before, and this has become a very real threat,” said spokeswoman Jennifer Bayer.

Some experts said ransomware encryption can be so hard to crack that victims feel they have little choice but to pay if they want their systems back. The hackers’ success could also prompt other hospitals to make quick payments to avoid the disruption and bad publicity Hollywood Presbyterian faced.

“Our number one fear is that this now pretty much opens the door for other people to pay,” said Bob Shaker, a manager at cyber security firm Symantec Corp.

‘CAT AND MOUSE’

He knew of at least 20 other attacks on healthcare facilities in the past year and hundreds more in other industries that had been kept secret.

Some of those put patients at risk and affected infusion pumps that deliver chemotherapy drugs, risking patient overdoses, he said.

Because hackers hide their identities and demand payment in bitcoin, authorities may have to work harder to find them than if they used old-fashioned methods.

But cyber-crime experts say that they can still be traced.

“The public nature of the network does give law enforcement an angle to help defeat them,” said Jonathan Levin, co-founder of Chainalysis, a New York company working with bitcoin users. “But it’s a game of cat and mouse.”

Ransomware is big business for cyber criminals and security professionals. Although ransoms typically are less than the hospital paid, $200 to $10,000, victims of a ransomware known as CryptoWall reported losses over $18 million from April 2014 to June 2015, the FBI said.

Ransomware attacks climbed sharply in 2014, when Symantec observed some 8.8 million cases, more than double the previous year. IBM said that last year more than half of all customer calls reporting cyber attacks involved ransomware.

(Editing by Sharon Bernstein and Cynthia Osterman)

Cyber attack snarls Los Angeles hospital’s patient database

LOS ANGELES (Reuters) – The FBI is investigating a cyber attack that has crippled the electronic database at Hollywood Presbyterian Medical Center for days, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

The origin of the computer network intrusion was unknown, but since it began late last week it has bogged down communications between physicians and medical staff newly dependent on paper records and doctors’ notoriously messy handwriting, doctors and a Federal Bureau of Investigation spokeswoman said on Tuesday.

“It’s right there on paper, but it may not be legible,” Dr. Rangasamy Ramanathan, a neonatal-perinatal specialist affiliated with the 434-bed facility, said. “The only problem is doctors’ writing.”

Although the cyber attack has snarled the hospital’s patient database, doctors have managed to relay necessary medical records the old-fashioned way through phone lines and fax machines, Ramanathan said.

The FBI is seeking to pinpoint hackers responsible for the intrusion, FBI spokeswoman Ari Dekofsky said. She declined to release further details.

Allen Stefanek, the hospital’s president and CEO, told Los Angeles television station KNBC-TV the hospital declared an internal emergency on Friday, after encountering significant information technology problems due to the hack.

A spokeswoman for the hospital could not be reached for comment.

(Reporting by Alex Dobuzinskis; Editing by Lisa Shumaker)

U.S. planned major cyber attack on Iran if diplomacy failed, NYT reports

WASHINGTON (Reuters) – The United States had a plan for an extensive cyber attack on Iran in case diplomatic attempts to curtail its nuclear program failed, The New York Times reported on Tuesday, citing a forthcoming documentary and military and intelligence officials.

Code-named Nitro Zeus, the plan was aimed at crippling Iran’s air defenses, communications systems and key parts of its electrical power grid, but was put on hold after a nuclear deal was reached last year, the Times said.

The plan developed by the Pentagon was intended to assure President Barack Obama that he had alternatives to war if Iran moved against the United States or its regional allies, and at one point involved thousands of U.S. military and intelligence personnel, the report said. It also called for spending tens of millions of dollars and putting electronic devices in Iran’s computer networks, the Times said.

U.S. intelligence agencies at the same time developed a separate plan for a covert cyberattack to disable Iran’s Fordo nuclear enrichment site inside a mountain near the city of Qom, the report said.

The existence of Nitro Zeus was revealed during reporting on a documentary film called “Zero Days” to be shown on Wednesday at the Berlin Film Festival, the Times said. The film describes rising tensions between Iran and the West in the years before the nuclear agreement, the discovery of the Stuxnet cyberattack on the Natanz uranium enrichment plant, and debates in the Pentagon over the use of such tactics, the paper reported.

The Times said it conducted separate interviews to confirm the outlines of the program, but that the White House, the Department of Defense and the Office of the Director of National Intelligence all declined to comment, saying that they do not discuss planning for military contingencies.

There was no immediate response to a request by Reuters for comment from the Pentagon.

(Reporting by Eric Walsh; Editing by Chris Reese)

Ukraine sees Russian hand in cyber attacks on power grid

KIEV (Reuters) – Hackers used a Russian-based internet provider and made phone calls from inside Russia as part of a coordinated cyber attack on Ukraine’s power grid in December, Ukraine’s energy ministry said on Friday.

The incident was widely seen as the first known power outage caused by a cyber attack, and has prompted fears both within Ukraine and outside that other critical infrastructure could be vulnerable.

The ministry, saying it had completed an investigation into the incident, did not accuse the Russian government directly of involvement in the attack, which knocked out electricity supplies to tens of thousands of customers in central and western Ukraine and prompted Kiev to review its cyber defenses.

But the findings chime with the testimony of the U.S. intelligence chief to Congress this week, which named cyber attacks, including those targeting Washington’s interests in Ukraine, as the biggest threat to U.S. national security.

Relations between Kiev and Moscow soured after Russia annexed the Crimean peninsula in March 2014 and pro-Russian separatist violence erupted in Ukraine.

Hackers targeted three power distribution companies in December’s attack, and then flooded those companies’ call centers with fake calls to prevent genuine customers reporting the outage.

“According to one of the power companies, the connection by the attackers to its IT network occurred from a subnetwork … belonging to an (internet service) provider in the Russian Federation,” the ministry said in a statement.

Deputy Energy Minister Oleksander Svetelyk told Reuters hackers had prepared the attacks at least six months in advance, adding that his ministry had ordered tighter security procedures.

“The attack on our systems took at least six months to prepare – we have found evidence that they started collecting information (about our systems) no less than 6 months before the attack,” Svetelyk said by phone.

Researchers at Trend Micro, one of the world’s biggest security software firms, said this week that the software used to infect the Ukrainian utilities has also been found in the networks of a large Ukrainian mining company and a rail company.

The researchers said one possible explanation was that it was an attempt to destabilize Ukraine as a whole. It was also possible these were test probes to determine vulnerabilities that could be exploited later, they said.

(Writing by Matthias Williams; additional reporting by Eric Auchard; Editing by Ruth Pitchford)

U.S. intelligence chief warns of cyber, ‘homegrown’ security threats

WASHINGTON (Reuters) – Attacks by “homegrown” Islamist extremists are among the most imminent security threats facing the United States in 2016, along with dangers posed overseas by Islamic State and cyber security concerns, the top U.S. intelligence official said on Tuesday.

In his annual assessment of threats to the United States, Director of National Intelligence James Clapper warned that fast-moving cyber and technological advances “could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems.”

In prepared testimony before the Senate Armed Services and Intelligence Committees, Clapper outlined an array of other threats, from Russia and North Korean nuclear ambitions to instability caused by the Syrian migrant crisis.

“In my 50 plus years in the intelligence business I cannot recall a more diverse array of crises and challenges than we face today,” Clapper said.

Islamic State poses the biggest danger among militant groups because of the territory it controls in Iraq and Syria, and is determined to launch attacks on U.S. soil, Clapper said. It also has demonstrated “unprecedented online proficiencies,” he said.

While the United States “will almost certainly remain at least a rhetorically important enemy” for many foreign militant groups, “homegrown violent extremists … will probably continue to pose the most significant Sunni terrorist threat to the U.S. homeland in 2016,” he said, referring to Sunni Muslim jihadists.

“The perceived success” of attacks by such extremists in Europe and San Bernardino, California, “might motivate others to replicate opportunistic attacks with little or no warning,” Clapper said.

A married couple inspired by Islamist militants shot and killed 14 people in San Bernardino in December.

General Vincent Stewart, director of the Defense Intelligence Agency, told the Senate Armed Services Committee that Islamic State aims to conduct more attacks in Europe during 2016 and has ambitions to attack inside the United States.

The group is taking advantage of the refugee flow from Syria’s civil war to hide militants among them and is adept at obtaining false documentation, Clapper said.

Al Qaeda affiliates, most notably the one in Yemen known as Al Qaeda in the Arabian Peninsula, have proven resilient and are positioned to make gains this year despite pressure from Western counterterrorism operations, Clapper said.

He cited threats from Russia’s increasingly assertive international policies, saying “We could be into another Cold War-like spiral.”

U.S. intelligence assesses that North Korea, which launched a satellite into orbit last weekend, is committed to developing a long-range nuclear-armed missile that can reach the United States and has carried out some steps towards fielding a mobile intercontinental ballistic missile system, Clapper said.

He said North Korea has followed through on publicly stated plans to re-start a plutonium production reactor and could begin to assemble a plutonium stockpile within months.

CIA director John Brennan said one of North Korean leader Kim Jong Un’s objectives in conducting nuclear and missile tests is to advance efforts by North Korea to “market” such technology, presumably to other rogue regimes around the world.

(Writing by Doina Chiacu; Editing by Mohammad Zargham and Alistair Bell)

National Security Agency merging offensive, defensive hacking operations

WASHINGTON (Reuters) – The U.S. National Security Agency on Monday outlined a reorganization that will consolidate its spying and domestic cyber-security operations, despite recommendations by a presidential panel that the agency focus solely on espionage.

The NSA said the reorganization, known as “NSA21,” or NSA in the 21st century, will take two years to complete, well into the first term of whoever is elected president in November.

A review board appointed by President Barack Obama recommended in December 2013 that the NSA concentrate solely on foreign intelligence gathering. The board’s recommendations came as the United States was reeling from disclosures from former NSA contractor Edward Snowden about the collection of vast amounts of domestic and international communications data.

Under the board’s plan, a separate agency would have been housed within the Department of Defense with responsibility for enhancing the security of government networks and assisting corporate computer systems.

Ignoring that recommendation, the Obama administration will replace its separate spying and cyber-defense directorates with a unified organization responsible for both espionage and helping defend U.S. computer networks.

The “new structure will enable us to consolidate capabilities and talents to ensure that we’re using all of our resources to maximum effect to accomplish our mission,” NSA Director Mike Rogers said in a workforce address made publicly available on Monday.

Some technology specialists and privacy advocates have said the government agency responsible for building and exploiting flaws in computer software for spying purposes should not be the same one entrusted to warn companies about detected software weaknesses.

The presidential panel cited concerns about “potential conflicts of interest” between the NSA’s offensive and defensive objectives, in addition to the need to restore confidence with the U.S. technology industry to induce better cyber-security collaboration.

“I hope the NSA will explain its strategy for continuing to rebuild trust with the private sector,” Peter Swire, a professor of law at the Georgia Institute of Technology, who served on the five-member review group, said on Monday.

In November, the NSA told Reuters it informed U.S. technology firms more than 90 percent of the time about serious software flaws it found. The spy agency did not say how quickly it alerted those firms, leaving open the possibility it exploits software vulnerabilities before sharing details about them.

(Reporting by Dustin Volz; Editing by Peter Cooney)

Hackers attack 20 million accounts on Chinese shopping site

BEIJING (Reuters) – Hackers in China attempted to access over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.

Analysts said the report from The Paper led to the price of Alibaba’s U.S.-listed shares falling as much as 3.7 percent in late Wednesday trade.

An Alibaba spokesman on Thursday said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.

Chinese companies are grappling with a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before defenses catch up to U.S. counterparts.

In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.

The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.

The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, the ministry website said. The hackers have since been caught, it said.

Alibaba’s systems discovered and blocked the vast majority of log-in attempts, according to the ministry website.

The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, the newspaper said. The hackers also sold accounts to be used for fraud, it said.

Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.

“Alibaba’s system was never breached,” the spokesman said.

The number of accounts, 20.59 million, represents about 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.

(Reporting by Paul Carsten; Additional reporting by Beijing Newsroom; Editing by Christopher Cushing)