Hackers target HSBC, disrupt online banking for UK customers

Hackers targeted one of the world’s largest banks on Friday morning, preventing some of HSBC’s customers in the United Kingdom from being able to access their online accounts.

HSBC issued a statement saying it “successfully defended” against a denial-of-service attack, in which hackers try to prevent people from accessing a given site by overwhelming it with traffic.

The company said the attack targeted its Internet banking system for the United Kingdom, but no transactions were affected. However, some United Kingdom customers who tried to log into their accounts Friday were greeted by a message that said online banking was unavailable.

That message did not appear on the company’s website for online banking in the United States.

HSBC tweeted that its service was recovering, though it was still seeing some denial-of-service attacks some five hours after it initially reported the incident. The bank added it was “working closely with law enforcement authorities to pursue the criminals responsible.”

About 17 million United Kingdom residents are HSBC customers, the bank says. It apologized to all those inconvenienced by the outage, and encouraged them to visit a branch for urgent issues.

It was the second time this month that HSBC customers had an issue with online banking.

The company tweeted that “an internal technical issue” prevented some people from accessing their accounts on Jan. 4 and Jan. 5. In a video tweeted from the company’s account, an HSBC official said that was not caused by a cyber attack and that customers’ data was never at risk.

HSBC has about 6,100 offices in more than 70 countries and territories across the globe, according to its website.

U.S. utilities worry about cyber cover after Ukraine grid attack

(Reuters) – U.S. utilities are looking hard at their cyber vulnerabilities and whether they can get insurance to cover what could be a multi-billion dollar loss after hackers cut electric power to more than 80,000 Ukrainians last month.

The Dec. 23 incident in Ukraine was the first cyber attack to cause a power outage, and is one of just a handful of incidents in which computer hacking has caused physical effects on infrastructure rather than the loss or theft of electronic data.

A similar attack in the United States could cripple utilities and leave millions of people in the dark, costing the economy more than $200 billion, an insurance study estimated last year.

Security experts, insurance brokers, insurers and attorneys representing utilities told Reuters that the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.

“People in the insurance industry never did a great job clarifying the scope of coverage,” said Paul Ferrillo, an attorney with Weil, Gotshal & Manges who advises utilities.

Cyber insurance typically covers the cost of attacks involving stolen personal data. Some general property and liability policies may cover physical damage from cyber attacks, but insurers do not always provide clear answers about coverage for industrial firms, said Ben Beeson, a partner with broker Lockton Companies.

That has led to some unease among U.S. utilities.

“When you get these kind of headline-grabbing cyber incidents, there is obviously a flurry of interest,” said Dawn Simmons, an executive with Associated Energy and Gas Insurance Services, or AEGIS, a U.S. mutual insurer that provides coverage to its 300 or so members.

Getting a policy that includes cyber property damage is not cheap.

Sciemus Cyber Ltd, a specialty insurer at the Lloyd’s of London insurance market, charges energy utilities roughly $100,000 for $10 million in data breach insurance. The price balloons to as much as seven times that rate to add coverage for attacks that cause physical damage, said Sciemus Chief Executive Rick Welsh.

INDUSTRY WARNINGS

Security experts have warned for several years that a cyber attack could cause power outages due to the growing reliance on computer technology in plants that is accessible from the Internet.

In the Ukraine attack, hackers likely gained control of systems remotely, then switched breakers to cut power, according to an analysis by the Washington-based SANS Institute. Ukraine’s state security service blamed Russia for the attack, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as Sandworm Team.

Utilities are now trying to determine if they have insurance to cover these kinds of attacks, and if not, whether they need it, said Patrick Miller, founder of the Energy Sector Security Consortium, an industry group that shares information on cyber threats.

American Electric Power Company Inc, Duke Energy Corp, Nextera Energy Inc and PG&E Corp are among publicly-traded utility companies that have warned of their exposure to cyber risks in their most recent annual reports to securities regulators, and that their insurance coverage might not cover all expenses related to an attack.

Representatives with AEP, Duke and PG&E declined to disclose the limits of their insurance. Officials with Nextera could not be reached for comment.

The potential costs of an attack in the United States are huge. Last year Lloyd’s and the University of Cambridge released a 65-page study estimating that simultaneous malware attacks on 50 generators in the Northeastern United States could cut power to as many as 93 million people, resulting in at least $243 billion in economic damage and $21 billion to $71 billion in insurance claims.

The study called such a scenario improbable but “technologically possible.”

There are precedents, including the 2010 ‘Stuxnet’ attack that damaged centrifuges at an Iranian uranium enrichment facility and the 2012 ‘Shamoon’ campaign that crippled business operations at Saudi Aramco and RasGas by wiping drives on tens of thousands of PCs.

In late 2014, the German government reported that hackers had damaged an unnamed steel mill, the first attack that damaged industrial equipment. Details remain a mystery.

AMBIGUITY OVER COVERAGE

“It’s getting a little competitive just to get a carrier quoting your policy,” said Lynda Bennett, an attorney with Lowenstein Sandler, who helps businesses negotiate insurance. Some insurers have cut back on cyber coverage in response to the increase in the number and types of breaches, she added.

American International Group Inc, for example, will only write cyber policies over $5 million for a power utility after an in-depth review of its technology, including the supervisory control and data acquisition (SCADA) systems that remotely control grid operations.

“There are companies that we have walked away from providing coverage to because we had concerns about their controls,” said AIG executive Tracie Grella.

AIG and AEGIS declined to discuss pricing of policies. It seems likely they will find coverage more in demand after the Ukraine attack.

“A lot more companies will be asked by their stakeholders internally: Do we have coverage for this type of thing?” said Robert Wice, an executive with Beazley Plc, which offers cyber insurance. “Whether they actually start to buy more or not will depend on pricing.”

(Reporting by Jim Finkle; Additional reporting by Rory Carroll; Editing by Bill Rigby)

Hackers may have wider access to Ukrainian industrial facilities

KIEV (Reuters) – Hackers were able to attack four sections of Ukraine’s power grid with malware late last year because of basic security lapses and they could take down other industrial facilities at any time, a consultant to government investigators said.

Three power cuts reported in separate areas of western and central Ukraine in late December were the first known electrical outages caused by cyber attacks, causing consternation among businesses and officials around the world.

The consultant, Oleh Sych, told Reuters a fourth Ukrainian energy company had been affected by a lesser attack in October, but declined to name it.

He also said a similar type of malware had been identified by the Ukrainian anti-virus software company Zillya! where he works as far back as July, making it impossible to know how many other systems were at risk.

“This is the scariest thing – we’re living on a powder keg. We don’t know where else has been compromised. We can protect everything, we can teach administrators never to open emails, but the system is already infected,” he said.

Sych, whose firm is advising the State Security Service SBU and a commission set up by the energy ministry, said power distributors had ignored their own security rules by allowing critical computers to be hooked up to the Internet when they should have been kept within an internal network.

This so-called “air gap” separates computer systems from any outside Internet connections accessible to hackers.

“A possible objective was to bring down some branches (of the Ukrainian energy system) and create a ‘domino effect’ to collapse the entire system of Ukraine or a significant part,” Sych said.

Ukraine has also been targeted in other cyber attacks, which included hacking into the system of Ukraine’s biggest airport and TV news channels.

Security services and the military blamed the attacks on Russia, an allegation dismissed by the Kremlin as evidence of Ukraine’s tendency to accuse Russia of “all mortal sins”.

Russia annexed Crimea from Ukraine in 2014 and has supported separatist rebels in the east of the former Soviet republic, arguing that Kiev’s Western-backed government, elected after the Moscow-backed president fled widespread protests, was illegitimate.

Sych, who said he could not reveal all the details of the probe, said there was no conclusive evidence that the attacks originated in Russia. One of the emails was sent from the server of a German university, another from the United States, he said.

INSIDER

International cyber-security researchers who have studied the attacks believe the attackers broke into networks by sending targeted emails designed to trick utility insiders into clicking on Excel documents that were poisoned with malware used to gain control inside the networks.

Sych agreed, saying:

“We understand that this couldn’t have happened without an insider. To carry out this kind of attack you need to know what kind of operating system and SCADA (supervisory control and data acquisition) are used and what software controls the industrial facility,” he said.

SCADA software is widely used to control industrial systems worldwide.

“The attackers must have known what software was installed … to test (the malware) on it. Clearly preliminary investigations were carried out and this was easy to do with this kind of insider information.”

He said the hackers had sent the e-mails in question to workers at the affected power distribution companies with infected Word or Excel files that were meant to look like official correspondence from the energy ministry.

They contained topics that would have been recognizable to the workers and were not sent out en masse but targeted certain individuals instead. One of the emails was about regional electricity production levels, he said.

“It was all very simple and stupid,” Sych said, adding that the hackers totally wiped the data of some of the computers in one of the firms.

Details of the impact of the attacks have been sketchy, but one is reported to have affected 80,000 customers for two hours. The three named companies declined to comment on Sych’s remarks.

“All experts agree this sort of attack on electric utilities or other critical infrastructure was bound to happen because engineering-wise, physics-wise it is technically possible to do,” said Kenneth Geers, a Kiev-based national security analyst who worked for U.S. intelligence agencies for 20 years until 2013.

All it takes is political will or opportunism to try something like this, he said.

Ukrainian Deputy Energy Minister Oleksander Svetelyk has also accused the companies of lapses, saying on Tuesday there had been “a lot of errors”. He added that U.S. cyber experts would come to Kiev later this week to help with the investigation.

(Additional reporting by Maria Tsvetkova in Moscow and Eric Auchard in Brussels; Writing by Matthias Williams; Editing by Philippa Fletcher)

South Korea suspects North Korea may have attempted cyber attacks

SEOUL (Reuters) – South Korea said on Wednesday it suspected North Korea of attempting cyber attacks against targets in the South, following a nuclear test by the North this month that defied United Nations sanctions.

South Korea has been on heightened military and cyber alert since the Jan. 6 test, which Pyongyang called a successful hydrogen bomb test, although U.S. officials and experts doubt that it managed such a technological advance.

“At this point, we suspect it is an act by North Korea,” Jeong Joon-hee, a spokesman of the South’s Unification Ministry, told a news briefing, when asked about reports that the North might have attempted cyber attacks.

Authorities were investigating, Jeong said, but did not provide further details.

Last week, South Korean President Park Geun-hye said the scope of threats from North Korea was expanding to include cyber warfare and the use of drones to infiltrate the South.

North Korea has been using balloons to drop propaganda leaflets in the South, amid heightened tension on the Korean peninsula since the nuclear test.

Since the test, there have been unconfirmed news reports that the computer systems of some South Korean government agencies and companies had been infected with malicious code that might have been sent by the North.

Defectors from the North have previously said the country’s spy agency, run by the military, operates a sophisticated cyber-warfare unit that attempts to hack, and sabotage, enemy targets.

South Korea and the United States blamed North Korea for a 2014 cyber attack on Sony Pictures that crippled its systems and led to the leaks of unreleased films and employee data.

At the time, the company was set to release the film, “The Interview”, featuring a fictional plot to assassinate North Korean leader Kim Jong Un.

North Korea has denied the allegation.

In 2013, cybersecurity researchers said they believed North Korea was behind a series of attacks against computers at South Korean banks and broadcasting companies.

(Reporting by Ju-min Park and Jack Kim; Editing by Tony Munroe)

Companies look beyond firewalls in cyber battle with hackers

TEL AVIV (Reuters) – With firewalls no longer seen as enough of a defense against security breaches, companies are looking at new tools to foil hackers trying to enter a computer network.

U.S. and Israeli startups are leading the way, with new approaches such as “honeytraps” that lure a hacker to fake data or “polymorphic” technology that constantly changes the structure of applications running on a computer.

Some of the technology is still in the early stages and it remains to be seen whether it will be good enough to outfox the hackers.

But with corporate giants such as Sony and Twitter Inc facing high-profile hacks in recent years, companies are desperate for new ideas to make sure financial, personal and corporate data stays safe.

“We view this (deception technologies) as a $3 billion market over the next three years, with Israel and Silicon Valley being the epicenter of this innovation wave,” said Daniel Ives, a senior technology analyst at FBR Capital Markets.

TopSpin Security, Illusive Networks, Cymmetria and GuardiCore in Israel, California-based TrapX and Attivo Networks are among a handful of start-ups forging ahead with deception technology. Israel’s Morphisec and U.S. Shape Security are developing “polymorphic” systems.

Many of those companies use techniques partly developed in the U.S. and Israeli military that were taken to startups by veterans such as Gadi Evron, the head of Cymmetria and of Israel’s Computer Emergency Response Team.

TrapX Security offers DeceptionGrid, a technology using fake information that triggers a security alert.

TrapX clients include Israel’s central bank, U.S. hospital chain HCA, Bezeq, Israel’s largest telecoms group, and Union Bank of Israel, according to Asaf Aviram, sales director for Israel and emergent markets at TrapX.

TopSpin Chief Executive Doron Kolton said his clients include one of Israel’s top five banks, a large U.S. hospital and a mobility technology company. The product is resold by Optiv Security in the United States and Benefit in Israel.

EARLY DAYS

While still a fraction of the overall cybersecurity market, Gartner, a leading technology consultancy, sees 10 percent of businesses using deception tactics by 2018.

But Gartner analyst Laurence Pingree noted that they “have so far had only nascent adoption” as many of the companies don’t yet understand the technology.

“Educating security buyers on its usefulness will be crucial,” he said.

Some in the industry note that several companies, including FireEye and CrowdStrike, tried to launch similar products three or four years ago before pulling back, although analysts say the technologies have improved greatly in the past two years.

“A lot of companies are looking at it but it’s still early days,” said a security executive with a Fortune 500 company.

He said deployments were quite limited, with most being trials in which businesses test the product on a limited basis at no cost.

Others said hackers may quickly be able to detect the traps.

“They will be challenged by the fact that (some) hackers are so sophisticated they might detect decoy servers or fake data,” said Ziv Mador, head of research at Chicago-based cybersecurity firm Trustwave.

The technology could offer a second layer of defense to firewalls, which cannot always block malicious attempts, he said, and did not rule out Trustwave offering deception tools in the future.

TopSpin’s Kolton also noted that deception would be “part of a bigger solution” and would “be combined with other things”.

TRAIL OF BREADCRUMBS

The system developed by TopSpin, whose investors include Check Point Software Technologies co-founder Shlomo Kramer, engages attackers once they have penetrated the network. It leads hackers to decoys by sprinkling “breadcrumbs”, such as fake credentials.

While the idea of a honeypot is not new, in the past they were used to alert IT administrators that there was a hacker in the system.

With more advanced technology they slow the hacker and set off tools to stop them getting further into the system. If they follow the trail to the trap, the company knows they are a hacker.

“When someone hits a honeypot it’s malicious activity,” Kolton said.

Attivo’s website says its system lures attackers into revealing themselves when they start to look for “high-value assets”. It also promises no false alarms, a problem with traditional detection systems.

Other tools are being developed that would prevent hackers from penetrating a network entirely.

Morphisec, backed by Jerusalem Venture Partners, Deutsche Telekom and GE Ventures, has developed technology that randomly changes the structure of applications running on the computer.

“When an attack seeks its target it expects to find a certain memory structure. With Morphisec it finds something different,” Morphisec CEO Ronen Yehoshua said.

Shape Security of California also uses such “polymorphic” technology.

While these new ideas have mainly been generated by start-up companies, investors say bigger, more established security players are interested.

“I’d say that many antivirus companies are already looking into building similar technologies on their own or buying them,” JVP managing partner Gadi Tirosh said.

(Additional reporting by Jim Finkle in Boston; Editing by Anna Willard)

Ukraine to review cyber defenses after airport targeted from Russia

KIEV (Reuters) – Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev’s main airport was launched from a server in Russia, officials told Reuters on Monday.

Malware similar to that which attacked three Ukrainian power firms in late December was detected last week in a computer in the IT network of Kiev’s main airport, Boryspil. The network includes the airport’s air traffic control.

Although there is no suggestion at this stage that Russia’s government was involved, the cyber attacks have come at a time of badly strained relations between Ukraine and Russia over a nearly two-year-long separatist conflict in eastern Ukraine.

“In connection with the case in Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry,” said Irina Kustovska, a spokeswoman for Ukraine’s infrastructure ministry, which oversees airports, railways and ports.

Ukraine’s state-run Computer Emergency Response Team (CERT-UA) issued a warning on Monday of the threat of more attacks.

“The control center of the server, where the attacks originate, is in Russia,” military spokesman Andriy Lysenko said by telephone, adding that the malware had been detected early in the airport’s system and no damage had been done.

A spokeswoman for the airport said Ukrainian authorities were investigating whether the malware was connected to a malicious software platform known as “BlackEnergy”, which has been linked to other recent cyber attacks on Ukraine. There are some signs that the attacks are linked, she said.

“Attention to all system administrators … We recommend a check of log-files and information traffic,” CERT-UA said in a statement.

In December three Ukrainian regional power firms experienced short-term blackouts as a result of malicious software in their networks. Experts have described the incident as the first known power outage caused by a cyber attack.

A U.S. cyber intelligence firm in January traced the attack back to a Moscow-backed group known as Sandworm.

The Dec. 23 outage at Western Ukraine’s Prykarpattyaoblenergo cut power to 80,000 customers for about six hours, according to a report from a U.S. energy industry security group.

Ukraine’s SBU state security service has blamed Russia, but the energy ministry said it would hold off on attribution until after it completes a formal probe.

(Editing by Matthias Williams and Gareth Jones)

U.S. helping Ukraine investigate December power grid hack

WASHINGTON (Reuters) – The U.S. Department of Homeland Security said on Tuesday it was helping Ukraine investigate an apparent attack last month on the country’s power grid that caused a blackout for 80,000 customers.

Experts have widely described the Dec. 23 incident at western Ukraine’s Prykarpattyaoblenergo utility as the first known power outage caused by a cyber attack. Ukraine’s SBU state security service has blamed Russia for the incident, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as “Sandworm.”

In an advisory, DHS said it had linked the blackout to malicious code detected in 2014 within industrial control systems used to operate U.S. critical infrastructure. There was no known successful disruption to the U.S. grid, however.

DHS said the “BlackEnergy Malware” appears to have infected Ukraine’s systems with a spear phishing attack via a corrupted Microsoft Word attachment.

The DHS bulletin from the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is the first public comment about the Ukraine incident.

A report released by Washington-based SANS Inc over the weekend concluded hackers likely caused Ukraine’s six-hour outage by remotely switching breakers in a way that cut power, after installing malware that prevented technicians from detecting the intrusion. The attackers are also believed to have spammed the Ukraine utility’s customer-service center with phone calls in order to prevent real customers from communicating about their downed power.

DHS and the FBI did not immediately respond to requests for additional comment.

(Reporting by Dustin Volz and Jim Finkle; Editing by Doina Chiacu and Andrew Hay)

Hackers Access Power Grid, N.Y. Dam; Might Have Accessed Government Talks

Hackers gained access to the United States power grid, including detailed drawings that could have been used to cut power to millions of people, according to a new Associated Press report.

The report, published Monday, indicated that there have been roughly 12 times in the past 10 years when foreign hackers accessed the networks controlling lights across the United States.

That includes one instance where hackers, believed to be from Iran, had swiped passwords and detailed sketches of dozens of power plants, invaluable tools if one planned to cut off the power. Cybersecurity experts told the Associated Press the breach (which affected energy company Calpine, which operates 83 power plants) dates to at least August 2013 and could be ongoing.

The Associated Press reported that hackers accessed passwords that could have been used to access Calpine’s networks remotely, along with highly detailed drawings of 71 energy-related facilities across the country. That could allow skilled hackers to specifically target certain plants.

But targeting a plant and successfully shutting off the power are two different things.

The Associated Press report noted the power grid is designed to keep the lights on when utility lines or equipment fail. To cause a widespread blackout, a hacker would have to be exceptionally skilled, bypassing not only a company’s security measures but also creating specialized code that disrupts the interactions of the company’s equipment. Still, experts told the AP that it remains possible for a sufficiently skilled and motivated hacker to send a large swath of the country into blackout, and enough intrusions have occurred that a foreign hacker can likely “strike at will.”

The Associated Press report was published the same day the Wall Street Journal revealed that Iranian hackers accessed the controls of a dam about 20 miles away from New York City in 2013.

In another breach, tech company Juniper Networks announced last Thursday that it discovered some “unauthorized code” in its software that could have allowed skilled hackers to improperly access some devices and decrypt secure communications. CNN reported the FBI is investigating the hack because it fears the code might have been used to spy on government correspondence.

Because government use of Juniper products is so widespread, one U.S. official told CNN the hack was like “stealing a master key to get into any government building.” CNN reported a foreign government is believed to be behind the hack, but it still is not clear who is responsible.

Juniper said it released a patch that corrects the issue. The company said it wasn’t aware of “any malicious exploitation” of the security loophole, but noted there likely wasn’t a way to reliably detect if a device had been compromised because hackers could have easily erased the evidence.

U.K. to Build Cyber Attack Forces to Take On ISIS

British Finance Minister George Osborne said on Tuesday that Britain was building an elite cyber force to take down ISIS fighters, hackers, and hostile powers.

Osborne went on to tell Reuters that the Islamic State is trying to develop a way to attack British infrastructure including power networks, air traffic control systems, and hospitals.

“The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost,” he told CNBC News.

In response, he stated that Britain would fight fire with fire by developing its own cyber attack force.

“We will defend ourselves. But we will also take the fight to you,” Osborne said in a speech at Britain’s GCHQ eavesdropping agency.

“We are building our own offensive cyber capability – a dedicated ability to counter-attack in cyberspace. When we talk about tackling (Islamic State), that means tackling their cyber threat as well as their guns, bombs and knives.”

The cyber attack force will be headed jointly by GCHQ – Britain’s spy agency – and the Defence Ministry. They will target criminal gangs, individual hackers, militant groups, and hostile powers.

Public spending on cyber security will be doubled by 2020, Osborne told Reuters, raising the budget to almost $3 billion. GCHQ has already been monitoring various cyber threats as cyber security issues have doubled to 200 a month since last year. The new cyber security plan also includes training coders, blocking bad URLs, and fending off malware attacks.

Currently, ISIS has been using the Internet to spread its propaganda and lead more people to its radical cause.

“They have not been able to use it to kill people yet by attacking our infrastructure through cyber attack,” Osborne added. “But we know they want it and are doing their best to build it.”

The global cyber war against ISIS has also caught the attention of the hacktivist group “Anonymous”, which released a video earlier this week declaring cyber war on the Islamic State.

“Anonymous” Hackers Declare War on ISIS

The hacker collective known as “Anonymous” declared war on ISIS in a video posted on YouTube in response to the horrendous attacks that took place in Paris on Friday.

According to NBC News, the video has yet to be verified by officials, but in the video a spokesman wears the group’s signature Guy Fawkes mask and says in French that the group will use their expertise in a “war” against the Islamic terrorist group.

“Expect massive cyber attacks. War is declared. Get prepared,” the announcer says in French.

“Anonymous from all over the world will hunt you down. You should know that we will find you and we will not let you go. We will launch the biggest operation ever against you,” the spokesperson continued, according to translated transcripts of the video.

The spokesman went on to call the members of ISIS “vermin” and said that their actions would not go “unpunished.”

As of Monday at 8:30 a.m. Central Time, the video had accumulated 1.1 million views on YouTube, according to the Jerusalem Post.

The Huffington Post reports that the hacktivist group also posted on Twitter: “Make no mistake: Anonymous is at war with Daesh.” Daesh is another name for ISIS.

Anonymous is an international network of activist computer hackers who have claimed responsibility for numerous cyberattacks against corporate, religious, and government websites over the past 12 years. Since the Charlie Hebdo attack in January that led to the death of 17 people, Anonymous has been targeting and shutting down Twitter profiles believed to be used by ISIS and their supporters. The Jerusalem Post reports that the hacktivist group has reported more than 39,000 ISIS accounts to Twitter. Out of those, more than 25,000 have been suspended, but almost 14,000 are still active.