U.S. state election officials still in the dark on Russian hacking

FILE PHOTO: Voters cast their votes during the U.S. presidential election in Elyria, Ohio, U.S. November 8, 2016. REUTERS/Aaron Josefczyk/File Photo

By Dustin Volz

ANAHEIM, Calif. (Reuters) – The federal government has not notified U.S. state election officials if their voting systems were targeted by suspected Russian hackers during the 2016 presidential campaign, and the information will likely never be made public, a top state election chief told Reuters.

“You’re absolutely never going to learn it, because we don’t even know it,” Judd Choate, state election director for Colorado and president of the National Association of State Election Directors, said in an interview on Thursday during the group’s summer conference.

Nearly 10 months after Republican Donald Trump’s upset presidential victory over Democrat Hillary Clinton, Choate said he had not spoken to a single state election director who had been told by the U.S. Department of Homeland Security if their state was among those attacked.

The lack of information-sharing on the election breaches reflects the difficulty state and federal officials have had in working together to protect U.S. voting from cyber threats. All U.S. elections are run by state and local governments, which have varying degrees of technical competence.

DHS told Congress in June that 21 states were targeted during the 2016 presidential race, and that while a small number were breached, there was no evidence any votes were manipulated.

Other reports have said 39 states were targeted. Choate said he had heard both numbers mentioned.

Several lawmakers, including Senator Mark Warner, the top Democrat on the U.S. Senate Intelligence Committee, have expressed frustration at DHS’ refusal to identify which states had been targeted. Arizona and Illinois confirmed last year that hackers had targeted their voter registration systems.

In a statement, the DHS did not refute that states had not been notified if they were targeted, adding the agency informed the owners or operators of systems potentially victimized “who may not necessarily” be state election officials.

DHS was working with senior state election officials “to determine how best to share this information while protecting the integrity of investigations and the confidentiality of system owners,” the agency said.

U.S. intelligence agencies have concluded that the Kremlin orchestrated an operation that included hacking and online propaganda intended to tilt the November election in Trump’s favor.

Several congressional committees are investigating and Special Counsel Robert Mueller is leading a separate probe into the Russia matter, including whether Moscow colluded with the Trump campaign. Russia has denied election meddling and Trump has denied any collusion.

‘LEARN FROM THE MISSTEPS’

The four-day conference of election directors was originally supposed to be about issues like voter registration, but took a sharp turn following the election hacking.

“After the 2000 election, we all had to be lawyers,” Choate said. “And now after the 2016 election, we all have to be cyber security experts.”

DHS representatives at the event fended off questions about whether the federal government would be prepared to mobilize sufficient support for the states in the event of a catastrophic cyber attack near or during the 2018 elections.

“We want to make sure we learn from the missteps that may have happened in 2016 and we want to make sure we continue building on the things we did that were right,” Robert Gatlin, a DHS cyber official, said during a panel discussion.

Gatlin said the agency was working with U.S. intelligence agencies to “downgrade” more classified information so it could be shared with the states. Information about cyber attacks is typically guarded by a high classification because it may involve nation-state involvement or contain sensitive sources and methods, he said.

Legislation recently approved by the Senate Intelligence Committee would require the director of national intelligence to sponsor top-secret security clearance for eligible election officials in each state, something the National Association of Secretaries of State has advocated.

The bill would also require DHS to submit a report to Congress detailing cyber attacks and attempted cyber attacks by foreign governments on U.S. election infrastructure during the 2016 election.

Choate said communication about cyber threats had improved with federal agencies since the election and the decision by the outgoing Obama administration in January to elevate voting systems to a “critical infrastructure designation.”

Prior to the election, some state officials worried that closer oversight of election systems represented a dangerous federal intrusion into local affairs.

(Reporting by Dustin Volz; Editing by Jonathan Weber and Peter Cooney)

North Korea hacking increasingly focused on making money more than espionage: South Korea study

A projection of cyber code on a hooded man is pictured in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Christine Kim

SEOUL (Reuters) – North Korea is behind an increasingly orchestrated effort at hacking into computers of financial institutions in South Korea and around the world to steal cash for the impoverished country, a South Korean state-backed agency said in a report.

In the past, suspected hacking attempts by North Korea appeared intended to cause social disruption or steal classified military or government data, but the focus seems to have shifted in recent years to raising foreign currency, the South’s Financial Security Institute (FSI) said.

The isolated regime is suspected to be behind a hacking group called Lazarus, which global cybersecurity firms have linked to last year’s $81 million cyber heist at the Bangladesh central bank and the 2014 attack on Sony’s Hollywood studio.

The U.S. government has blamed North Korea for the Sony hack and some U.S. officials have said prosecutors are building a case against Pyongyang in the Bangladesh Bank theft.

In April, Russian cybersecurity firm Kaspersky Lab also identified a hacking group called Bluenoroff, a spinoff of Lazarus, as focused on attacking mostly foreign financial institutions.

The new report, which analyzed suspected cyber attacks between 2015 and 2017 on South Korean government and commercial institutions, identified another Lazarus spinoff named Andariel.

“Bluenoroff and Andariel share their common root, but they have different targets and motives,” the report said. “Andariel focuses on attacking South Korean businesses and government agencies using methods tailored for the country.”

Pyongyang has been stepping up its online hacking capabilities as one way of earning hard currency under the chokehold of international sanctions imposed to stop the development of its nuclear weapons program.

Cyber security researchers have also said they have found technical evidence that could link North Korea with the global WannaCry “ransomware” cyber attack that infected more than 300,000 computers in 150 countries in May.

“We’ve seen an increasing trend of North Korea using its cyber espionage capabilities for financial gain. With the pressure from sanctions and the price growth in cryptocurrencies like Bitcoin and Ethereum – these exchanges likely present an attractive target,” said Luke McNamara, senior analyst at FireEye, a cybersecurity company.

North Korea has routinely denied involvement in cyber attacks against other countries. The North Korean mission to the United Nations was not immediately available for comment.

ATM, ONLINE POKER

The report said the North Korean hacking group Andariel has been spotted attempting to steal bank card information by hacking into automated teller machines, and then using it to withdraw cash or sell the bank information on the black market. It also created malware to hack into online poker and other gambling sites and steal cash.

“South Korea prefers to use local ATM vendors and these attackers managed to analyze and compromise SK ATMs from at least two vendors earlier this year,” said Vitaly Kamluk, director of the APAC research center at Kaspersky.

“We believe this subgroup (Andariel) has been active since at least May 2016.”

The latest report lined up eight different hacking instances spotted within the South in the last few years, which North Korea was suspected to be behind, by tracking down the same code patterns within the malware used for the attacks.

One case spotted last September was an attack on the personal computer of South Korea’s defense minister as well as the ministry’s intranet to extract military operations intelligence.

North Korean hackers used IP addresses in Shenyang, China to access the defense ministry’s server, the report said.

Established in 2015, the FSI was launched by the South Korean government in order to boost information management and protection in the country’s financial sector following attacks on major South Korean banks in previous years.

The report said some of the content has not been proven fully and is not an official view of the government.

(Additional reporting by Jeremy Wagstaff in SINGAPORE; Editing by Soyoung Kim and Michael Perry)

U.S. Justice Department shuts down dark web bazaar AlphaBay

FILE PHOTO: The Department of Justice (DOJ) logo is pictured on a wall after a news conference in New York December 5, 2013. REUTERS/Carlo Allegri

By Dustin Volz

WASHINGTON (Reuters) – The U.S. Justice Department said on Thursday it had shut down the dark web marketplace AlphaBay, working with international partners to knock offline the site accused of allowing a global trade in drugs, firearms, computer hacking tools and other illicit goods.

Authorities said the law enforcement action was one of the largest ever taken against criminals on the dark web, part of the internet that is accessible only through certain software and typically used anonymously.

AlphaBay allowed users to sell and buy opioids, including fentanyl and heroin, contributing to a rising drug epidemic in the United States, Attorney General Jeff Sessions said at a news briefing in Washington, D.C. to announce the action.

“The dark net is not a place to hide,” Sessions said. “This is likely one of the most important criminal investigations of the year – taking down the largest dark net marketplace in history.”

The move struck a blow to an international drug trade that has increasingly moved online in recent years, though some experts thought its impact would be limited.

“The takedown of AlphaBay is significant, but it’s a bit of a whac-a-mole,” said Frank Cilluffo, director of the Center for Cyber and Homeland Security at George Washington University.

Criminals, he said, “are going to flock to other places.”

AlphaBay mysteriously went offline earlier this month, prompting speculation among its users that authorities had seized the site. It was widely considered the biggest online black market for drugs, estimated to host daily transactions totaling hundreds of thousands of dollars.

The Justice Department said law enforcement partners in the Netherlands had taken down Hansa Market, another dark web marketplace.

AlphaBay and Hansa Market were two of the top three criminal marketplaces on the dark web, Europol chief Rob Wainwright said at the press conference.

The international exercise to seize AlphaBay’s servers also involved authorities in Thailand, Lithuania, Canada, Britain and France.

The operation included the arrest on July 5 of suspected AlphaBay founder Alexandre Cazes, a Canadian citizen arrested on behalf of the United States in Thailand.

Cazes was logged on to AlphaBay at the time of his arrest, allowing authorities to find his passwords and other information about the site’s servers, according to legal documents.

Cazes, 25, apparently took his life a week later while in Thai custody, the Justice Department said. He faced charges relating to narcotics distribution, identity theft, money laundering and related crimes.

FBI Acting Director Andrew McCabe said AlphaBay was ten times as large as Silk Road, a similar dark website the agency shut down in 2013.

About a year later, AlphaBay was launched, growing quickly in size and allowing users to browse goods via the anonymity service Tor and to purchase them with bitcoin currency.

(Additional reporting by Doina Chiacu and Julia Edwards Ainsley; Editing by Bernadette Baum)

U.S. Energy Department helping power firms defend against cyber attacks

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

By Jim Finkle, Scott DiSavino and Timothy Gardner

(Reuters) – The U.S. Department of Energy said on Friday it is helping U.S. firms defend against a hacking campaign that targeted power companies including at least one nuclear plant, saying the attacks have not impacted electricity generation or the grid.

News of the attacks surfaced a week ago when Reuters reported that the U.S. Department of Homeland Security and Federal Bureau of Investigation issued a June 28 alert to industrial firms, warning them of hacking targeting the nuclear, power and critical infrastructure sectors.

“DOE is working with our government and industry partners to mitigate any impact from a cyber intrusion affecting entities in the energy sector,” a Department of Energy representative said in an email to Reuters. “At this time, there has been no impact to systems controlling U.S. energy infrastructure. Any potential impact appears to be limited to administrative and business networks.”

It was not clear who was responsible for the hacks. The joint report by the DHS and the FBI did not identify the attackers, though it described the hacks as “an advanced persistent threat,” a term that U.S. officials typically but not always use to describe attacks by culprits.

The DOE discussed its response to the attacks after Bloomberg News reported on Friday that the Wolf Creek nuclear facility in Kansas was among at least a dozen U.S. power firms breached in the attack, citing current and former U.S. officials who were not named.

A representative with the Wolf Creek Nuclear Operating Corp declined to say if the plant was hacked, but said it continued to operate safely.

“There has been absolutely no operational impact to Wolf Creek. The reason that is true is because the operational computer systems are completely separate from the corporate network,” company spokeswoman Jenny Hageman said via email.

A separate Homeland Security technical bulletin issued on June 28 included details of code used in a hacking tool that suggest the hackers sought to use the password of a Wolf Creek employee to access the network.

Hageman declined to say if hackers had gained access to that employee’s account. The employee could not be reached for comment.

The June 28 alert said that hackers have been observed using tainted emails to harvest credentials to gain access to networks of their targets.

“Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.

David Lochbaum, a nuclear expert at the nonprofit group Union of Concerned Scientists, said reactors have a certain amount of immunity from cyber attacks because their operation systems are separate from digital business networks. But over time it would not be impossible for hackers to potentially do harm.

“Perhaps the biggest vulnerability nuclear plants face from hackers would be their getting information on plant designs and work schedules with which to conduct a physical attack,” Lochbaum said.

The DOE said it has shared information about this incident with industry, including technical details on the attack and mitigation suggestions.

“Security professionals from government and industry are working closely to share information so energy system operators can defend their systems,” the agency representative said.

Earlier, the FBI and DHS issued a joint statement saying “There is no indication of a threat to public safety” because the impact appears limited to administrative and business networks.

The Nuclear Regulatory Commission has not received any notifications of a cyber event that has affected critical systems at a nuclear plant, said spokesman Scott Burnell.

A nuclear industry spokesman told Reuters last Saturday that hackers have never gained access to a nuclear plant.

(Reporting by Jim Finkle in Toronto, Scott DiSavino in New York and Timothy Gardner in Washington; Additional reporting by Dustin Volz in Washington and Joseph Menn in San Francisco; Editing by Bernard Orr)

U.S. warns businesses of hacking campaign against nuclear, energy firms

Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC) located just outside Washington in Arlington, Virginia September 24, 2010. REUTERS/Hyungwon Kang/File Photo

By Jim Finkle

TORONTO (Reuters) – The U.S. government warned industrial firms this week about a hacking campaign targeting the nuclear and energy sectors, the latest event to highlight the power industry’s vulnerability to cyber attacks.

Since at least May, hackers used tainted “phishing” emails to “harvest credentials” so they could gain access to networks of their targets, according to a joint report from the U.S. Department of Homeland Security and Federal Bureau of Investigation.

The report provided to the industrial firms was reviewed by Reuters on Friday. While disclosing attacks, and warning that in some cases hackers succeeded in compromising the networks of their targets, it did not identify any specific victims.

“Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.

Homeland Security and FBI officials could not be reached for comment on the report, which was dated June 28.

The report was released during a week of heavy hacking activity.

A virus dubbed “NotPetya” attacked on Tuesday, spreading from initial infections in Ukraine to businesses around the globe. It encrypted data on infected machines, rendering them inoperable and disrupting activity at ports, law firms and factories.

On Tuesday the energy-industry news site E&E News reported that U.S. investigators were looking into cyber intrusions this year at multiple nuclear power generators.

Reuters has not confirmed details of the E&E News report, which said there was no evidence safety systems had been compromised at affected plants.

The activity described in the U.S. government report comes at a time when industrial firms are particularly anxious about the threat that hackers pose to their operations.

Industrial firms, including power providers and other utilities, have been particularly worried about the potential for destructive cyber attacks since December 2016, when hackers cut electricity in Ukraine.

U.S. nuclear power generators PSEG <PEG.N>, SCANA Corp <SCG.N> and Entergy Corp <ETR.N> said they were not impacted by the recent cyber attacks. SCANA’s V.C. Summer nuclear plant in South Carolina shut down on Thursday due to a problem with a valve in the non-nuclear portion of the plant, a spokesman said.

Another nuclear power generator, Dominion Energy <D.N>, said it does not comment on cyber security.

Two cyber security firms said on June 12 that they had identified the malicious software used in the Ukraine attack, which they dubbed Industroyer, warning that it could be easily modified to attack utilities in the United States and Europe.

Industroyer is only the second piece of malware uncovered to date that is capable of disrupting industrial processes without the need for hackers to manually intervene.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The U.S. government report said attackers conducted reconnaissance to gain information about the individuals whose computers they sought to infect so that they could create “decoy documents” on topics of interest to their targets.

In an analysis, it described 11 files used in the attacks, including malware downloaders and tools that allow the hackers to take remote control of victims’ computers and travel across their networks.

Chevron Corp <CVX.N>, Exxon Mobil Corp <XOM.N> and ConocoPhillips <COP.N>, the three largest U.S. oil producers, declined to comment on their network security.

(Reporting by Jim Finkle; Additional reporting by Timothy Gardner in Washington and Ernest Scheyder in Houston; editing by Grant McCool and Tom Brown)

Global shipping feels fallout from Maersk cyber attack

The Maersk ship Adrian Maersk is seen as it departs from New York Harbor in New York City, U.S., June 27, 2017. REUTERS/Brendan McDermid

By Jonathan Saul

LONDON (Reuters) – Global shipping is still feeling the effects of a cyber attack that hit A.P. Moller-Maersk <MAERSKb.CO> two days ago, showing the scale of the damage a computer virus can unleash on the technology-dependent and interconnected industry.

About 90 percent of world trade is transported by sea, with ships and ports acting as the arteries of the global economy. Ports increasingly rely on communications systems to keep operations running smoothly, and any IT glitches can create major disruptions for complex logistic supply chains.

The cyber attack was among the biggest-ever disruptions to hit global shipping. Several port terminals run by a Maersk division, including in the United States, India, Spain and the Netherlands, were still struggling to revert to normal operations on Thursday after experiencing massive disruptions.

South Florida Container Terminal, for example, said dry cargo could not be delivered and no container would be received. Anil Diggikar, chairman of JNPT port, near the Indian commercial hub of Mumbai, told Reuters that he did not know “when exactly the terminal will be running smoothly”.

His uncertainty was echoed by Maersk itself, which told Reuters that a number of IT systems were still shut down and that it could not say when normal business operations would be resumed.

It said it was not able to comment on specific questions regarding the breach of its IT systems or the state of its cyber security as it had “all available hands focused on practical stuff and getting things back to normal”.

The impact of the attack on the company has reverberated across the industry given its position as the world’s biggest container shipping line and also operator of 76 ports via its APM Terminals division.

Container ships transport much of the world’s consumer goods and food, while dry bulk ships haul commodities including coal and grain and tankers carry vital oil and gas supplies.

“As Maersk is about 18 percent of all container trade, can you imagine the panic this must be causing in the logistic chain of all those cargo owners all over the world?” said Khalid Hashim, managing director of Precious Shipping <PSL.BK>, one of Thailand’s largest dry cargo ship owners.

“Right now none of them know where any of their cargoes (or) containers are. And this ‘black hole’ of lack of knowledge will continue till Maersk are able to bring back their systems on line.”

BACK TO BASICS

The computer virus, which researchers are calling GoldenEye or Petya, began its spread on Tuesday in Ukraine and affected companies in dozens of countries.

Maersk said the attack had caused outages at its computer systems across the world.

In an example of the turmoil that ensued, the unloading of vessels at the group’s Tacoma terminal was severely slowed on Tuesday and Wednesday, said Dean McGrath, president of the International Longshore and Warehouse Union Local 23 there.

The terminal is a key supply line for the delivery of domestic goods such as milk and groceries and construction materials to Anchorage, Alaska.

“They went back to basics and did everything on paper,” McGrath said.

Ong Choo Kiat, President of U-Ming Marine Transport <2606.TW>, Taiwan’s largest dry bulk ship owner, said the fact Maersk had been affected rang alarm bells for the whole shipping industry as the Danish company was regarded as a leader in IT technology.

“But they ended up one of the first few casualties. I therefore conclude that shipping is lacking behind the other industry in term of cyber security,” he said.

“How long would it takes to catch up? I don’t know. But recently all owners and operators are definitely more aware of the risk of cyber security and beginning to pay more attention to it.”

In a leading transport survey by international law firm Norton Rose Fulbright published this week, 87 percent of respondents from the shipping industry believed cyber attacks would increase over the next five years – a level that was higher than counterparts in the aviation, rail and logistics industries.

VULNERABLE

Apart from the reliance on computer systems, ships themselves are increasingly exposed to interference through electronic navigation devices such as the Global Positioning System (GPS) and lack the backup systems airliners have to prevent crashes, according to cyber security experts.

There were no indications that GPS and other electronic navigation aids were affected by this week’s attack, but security specialists say such systems are vulnerable to signal loss from deliberate jamming by hackers.

Last year, South Korea said hundreds of fishing vessels had returned early to port after its GPS signals were jammed by North Korea, which denied responsibility.

“The Maersk attack raises our awareness of the vulnerability of shipping and ports to technological failure,” said Professor David Last, a previous president of Britain’s Royal Institute of Navigation.

“When GPS fails, ships’ captains lose their principal means of navigation and much of their communications and computer links. They have to slow down and miss port schedules,” said Last, who is also a strategic advisor to the General Lighthouse Authorities of the UK and Ireland.

A number of countries including the UK and the United States are looking into deploying a radar-based backup navigation system for ships called eLoran, but this will take time to develop.

David Nordell, head of strategy and policy for London-based think tank, the Centre for Strategic Cyberspace and Security Science, said the global shipping and port industries were vulnerable to cyber attack, because their operating technologies tend to be old.

“It’s certainly possible to imagine that two container ships, or, even worse, oil or gas tankers, could be hacked into colliding, resulting in loss of life and cargo, and perhaps total loss of the vessels,” Nordell said.

“Carried out in a strategically sensitive location such as the Malacca Straits or the Bosphorus, a collision like this could block shipping for enough time to cause serious dislocations to trade.”

SECRETIVE INDUSTRY

Cyber risks also pose challenges for insurance cover.

In a particularly secretive industry, information about the nature of cyber attacks is still scarce. Insurance and shipping officials say this is an obstacle to mitigating the risk and means there are gaps in the insurance cover available.

“There has been a lot of non-reporting (of breaches) on ships, and we’re trying efforts where even if there could be anonymous reporting on a platform so we can start to get the information and the data,” said Andrew Kinsey, senior marine consultant at insurer Allianz Global Corporate & Specialty.

There is also a gap in provision, because most existing cyber or hull insurance policies – which insure the ship itself – will not cover the risk of a navigation system being jammed or physical damage to the ship caused by a hacking attack.

“The industry is just waking up to its vulnerability,” said Colin Gillespie, deputy director of loss prevention with ship insurer North.

“Perhaps it is time for insurers, reinsurers, ship operators and port operators to sit down together and consider these risks in detail. A collective response is needed – we are all under attack.”

(Additional reporting by Jacob Gronholt-Pedersen in Copenhagen, Keith Wallis and Carolyn Cohn in London, Euan Rocha in Mumbai, Miyoung Kim in Singapore, Alexander Cornwell in Dubai, Michael Hirtzer in Chicago, Noor Zainab Hussain in Bangalore, Adam Jourdan and Shanghai newsroom; Editing by Pravin Char)

Pro-Islamic State hackers threaten President Trump on Ohio governor’s website

FILE PHOTO: Ohio Governor John Kasich speaks to reporters after an event at the White House in Washington, U.S., on November 10, 2016. REUTERS/Kevin Lamarque/File Photo

By Gabriella Borter

(Reuters) – Nearly a dozen Ohio state websites, including Governor John Kasich’s, were up and running again on Monday, a day after hackers posted messages of support for the Islamic State on their homescreens.

After the hack, the homescreen of governor.ohio.gov, Kasich’s official website, displayed a black background and an Arabic symbol, and the top of the screen said “Hacked by Team System Dz.”

The text on the screen read: “You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries,” and “I Love Islamic State.” The militant group Islamic State is largely made up of Sunni militants from Iraq and Syria but has drawn jihadi fighters from across the Muslim world and Europe.

The Ohio Department of Public Safety was working with federal agencies to investigate the hacking “to make sure nothing like this happens again,” said Tom Hoyt, a spokesman for Ohio’s Department of Administrative Services, on Monday.

Technicians are scanning websites and data banks but have found no services that have been disrupted by the hack, nor any evidence that information about employees or private citizens was accessed or disturbed, Hoyt said.

Along with Kasich’s website, the websites of First Lady Karen Kasich, the Department of Medicaid, and the Department of Rehabilitation and Correction were among the 10 other Ohio state sites that were hacked.

The websites of Howard County, Maryland and the town of Brookhaven, New York were also targets of the hacking spree and displayed the same message. The Brookhaven website remained inaccessible on Monday.

The FBI’s Columbus, Ohio, office declined comment on whether it knew anything about the group “Team System Dz.”

Earlier this year, a group using the same name claimed responsibility for hacking websites in Wisconsin, as well as in Scotland, England and Italy.

(This story has been refiled to remove extra word in paragraph 5)

(Reporting by Gabriella Borter; Editing by Marguerita Choy)

U.S. banks, corporations establish principles for cyber risk ratings firms

A view of the exterior of the JP Morgan Chase & Co. corporate headquarters in New York City May 20, 2015. REUTERS/Mike Segar/Files

By Anna Irrera and Olivia Oran

(Reuters) – More than two dozen U.S. companies, including several big banks, have teamed up to establish shared principles that would allow them to better understand their cyber security ratings and to challenge them if necessary, the U.S. Chamber of Commerce said on Tuesday. Large corporations often use the ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Insurers also look at the ratings when they make underwriting decisions on cyber liability.

The group includes big banks like JPMorgan Chase & Co <JPM.N>, Goldman Sachs Group Inc <GS.N> and Morgan Stanley <MS.N>, as well as non-financial companies like coffee retailer Starbucks Corp <SBUX.O>, health insurer Aetna Inc <AET.N> and home improvement chain Home Depot Inc <HD.N>. They are organizing the effort through the Chamber of Commerce, a broad trade group for corporate America.

The move comes in response to the emergence of such startups as BitSight Technologies, RiskRecon and SecurityScorecard that collect and analyze large swaths of data to rate companies on cyber security.

As these startups have gained prominence and venture capital funding, the companies they rate have complained of a lack of transparency.

“The challenge is that their (startups’) methodologies are proprietary and there hasn’t been transparency on how they go about creating the ratings,” JPMorgan Global Chief Information Security Officer Rohan Amin said in an interview.

The financial services industry is among the most vulnerable to cyber crime because of the massive amount of money and valuable data that banks, brokerages and investment firms process each day. Several technology companies, including Microsoft Corp <MSFT.O> and Verizon Communications Inc <VZ.N>, also support the principles being developed, as do the cyber ratings firms, the Chamber of Commerce said.

Ratings issued by those companies could help guide the standards being set by U.S. corporations. BitSight, for example, rates companies on a scale of 250 to 900 with a higher rating indicating better security performance.

“For organizations to use your platform you have to demonstrate trustworthiness and reliability,” said Jake Olcott, BitSight’s vice president of strategic partnerships.

(Reporting by Anna Irrera and Olivia Oran in New York; Editing by Lauren Tara LaCapra and Lisa Von Ahn)

U.S. muni market slowly starts paying heed to cyber risks

FILE PHOTO: An advertisement about the Microsoft Cybercrime Center plays behind a window reflecting a nearby building at the Microsoft office in Cambridge, Massachusetts, U.S. May 15, 2017. REUTERS/Brian Snyder/File Photo

By Hilary Russ

NEW YORK (Reuters) – A rise in cyber attacks on U.S. public sector targets so far has had little impact in the $3.8 trillion municipal debt market, with no issuer as yet hit by a downgrade or higher borrowing costs because of a cyber security threat.

That is beginning to change.

S&P Global has begun to quiz states, cities and towns about their cyber defenses, and some credit analysts are starting to factor in cyber security when they look at bonds. Moody’s Investors Service is also trying to figure out how to best evaluate cyber risk.

The shift follows a particularly steep rise in ransomware attacks, in which criminals hold an entity’s computer system hostage until a small ransom is paid.

The number of global ransomware detections rose 36 percent in 2016 from the year before, to 463,841, with the United States most heavily affected, according to cyber security firm Symantec Corp.

Such attacks, which have also hit companies and federal entities, have spared no kind of municipal issuer large or small, from police departments to school districts and transit agencies. Ransomware attacks on state and local governments and their agencies have risen in proportion with the overall increase, according to cyber insurance provider Beazley Group.

“State and local governments are a huge target, quite frankly an easy target for bad guys,” said Bob Anderson, managing director for information security at Navigant management consulting firm in Washington and a former global cyber investigator at the Federal Bureau of Investigation.

Last month’s “WannaCry” ransomware attack, which hobbled global businesses and Britain’s National Health Service, may also be prompting renewed focus on cyber security, though it had minimal impact in the United States.

Considering a potential cyber attack as a similar risk to a natural disaster, S&P has already been reviewing cyber security defenses of utilities, hospitals and colleges because they were early public sector targets for hackers.

Now it is also beginning to ask cities and states about the costs and level of security measures and the financial impact of successful attacks, said Geoffrey Buswick, who manages S&P’s public sector ratings.

HEAD IN THE SAND

The answers feed into broader categories that affect an issuer’s ratings, particularly governance, liquidity and operations.

Many breaches are handled quickly and financial damage is limited, but not every attack will necessarily end that way, Buswick said. “We’re trying to get sense of who has their head in the sand and who doesn’t.”

Fitch Ratings said it does not consider cyber security in its ratings, and many investors still are not concerned enough to ask for details.

In part, that is because it can be difficult to assess the operational and financial fallout of such attacks. Some high profile breaches so far have also done limited damage to issuers’ finances.

Case in point is the state of South Carolina, which in August 2012 suffered possibly the worst cyber attack yet of any city or state.

When hackers stole the personal data of more than 3.5 million taxpayers, the state had to investigate, provide credit monitoring and consumer fraud protection, and implement a slew of post-breach upgrades, according to State Senator Thomas Alexander.

The total cost is around $76 million and counting, he said. That is enough to pay for several school programs combined. But against South Carolina’s annual general fund budget of roughly $8 billion, the costs made no dent in its standing as a borrower.

Many issuers do not disclose any information to potential investors in bond documents about cyber risks or defenses. But a few, particularly hospitals and utilities, have started doing so.

In a February prospectus, the Maryland Health and Higher Educational Facilities Authority, the state’s largest public debt issuer, included nearly a full page devoted to the growing risk of cyber attacks.

“Because we’re such a large issuer, and because healthcare is often treated much more like a corporate credit, the legal counsels to the transaction weigh in on the bondholder risk section,” said Annette Anselmi, the authority’s Executive Director, noting that such disclosures also evolve depending on what kinds of questions the market is asking.

Hospitals are also ahead on cyber security disclosure because they rely on huge amounts of data, said Court Street Group analyst Joseph Krist.

Eventually, he expects others to follow suit.

“We went through this with getting munis to … disclose more pension information. Those were frankly long and painful processes. It just has to get to a critical mass.”

(Reporting by Hilary Russ; Additional reporting by Jim Finkle in Toronto; Editing by Daniel Bases and Tomasz Janowski)

U.S. spy agencies probe another flank in Russian hacking

Reality Leigh Winner, 25, a federal contractor charged by the U.S. Department of Justice for sending classified material to a news organization, poses in a picture posted to her Instagram account. Reality Winner/Social Media via REUTERS

By Joseph Menn

SAN FRANCISCO (Reuters) – Russian hacking of the 2016 U.S. election included sophisticated targeting of state officials responsible for voter rolls and voting procedures, according to a top secret U.S. intelligence document that was leaked and published this week, revealing another potential method of attempted interference in the vote.

The month-old National Security Agency document outlined activities including impersonating an election software vendor to send trick emails to more than 100 state election officials. Analysts at the NSA believed the hackers were working for the Russian military’s General Staff Main Intelligence Directorate, or GRU, according to the document.

The document’s publication on Monday by The Intercept, a news outlet that focuses on security issues, received particular attention because an intelligence contractor, Reality Leigh Winner, was charged the same day with leaking it.

U.S. intelligence agencies have previously said the Kremlin tried to influence the election outcome in favor of Republican candidate Donald Trump through leaks during the campaign of hacked emails from Democratic Party officials, aimed at discrediting Democratic candidate Hillary Clinton.

The new revelations suggest that U.S. investigators are also still probing a more direct attempt to attack the election itself, and a federal official confirmed that is the case. However, there is no evidence that hackers were able to manipulate votes, or the vote tally.

The document says at least one employee of the software vendor had an account compromised but does not cover whether any of the elections officials were also successfully compromised.

If they did compromise the officials, hackers could have planted malicious software, then captured proof of the infection to suggest that there had been fraud on Clinton’s behalf, had she won the Nov. 8 election, experts said.

“If your goal is to disrupt an election, you don’t need to pick the winner or actually tamper with tally result,” said Matt Blaze, a University of Pennsylvania computer science professor who has written on the security of voting machines. Simply casting doubt on the legitimacy of the results could achieve the goals of a government-sponsored hacking campaign, he said.

U.S. intelligence officials had previously stated that Russian intelligence had won access to “multiple” election officials but had said that compromised machines were not involved with vote tallies. But they had not said how sophisticated and extensive the effort was or how it worked.

Russian President Vladimir Putin has strongly denied Russian government involvement in election hacking, though he said last week that “patriotic” Russians could have been involved. Trump has denied any collusion.

SPEAR-PHISHING ON ELECTIONS OFFICIALS

The newly leaked NSA report said the hackers used so-called “spear-phishing” techniques on election officials, trying to convince targets to click on links in emails that seemed to come from legitimate correspondents.

The report describes just one phishing campaign, which hit state officials a week before the election, but does not give any locations or say if it was successful. Although there may have been many others, security experts said one coming so late in the game would be more likely to be about sowing chaos than trying to alter vote counts.

The report did not say what the hackers were trying to accomplish, and any investigation of the computers of people who were targeted would be the jurisdiction of the FBI.

An FBI spokeswoman declined to comment Tuesday, as did the office of the special counsel Robert Mueller, who is investigating possible collusion between Trump campaign officials and the Russian government.

ATTACKING VOTER ROLLS

The “bait” used in the spear-phishing campaign involved software for managing voter registration rolls. The hackers might have been considering deleting some records and forcing officials to turn legitimate voters away, said elections technology security expert Alex Halderman, of the University of Michigan.

There were no wide reports of mass rejections of voters, so perhaps that plan was abandoned or proved too hard to execute, he said.

It is also possible that the idea was to get onto the machines of officials who oversaw both registration and voting software. Elections are run by counties in the United States.

“Depending on the county’s configuration and security practices and what is separated from what, they could have access to potentially every aspect, from lists of registered voters, to voting machines, to firmware on those machines, to the ballots that are presented, to the software that controls the final tally,” Blaze said.

“This is the holy grail of what an attacker would want to compromise.”

Members of Congress said they hoped to learn more about the hacking attempts.

“It’s important that the American people understand that the Russian attempts to break into a number of our state voting processes – we talked about this in the fall – was broad-based,” Democrat Mark Warner, vice chairman of the Senate Intelligence committee, told reporters.

“It’s my hope in the coming days that we can get more information out about that.”

(Reporting by Joseph Menn in San Francisco; Additional reporting by Dustin Volz, Jim Finkle and Mark Hosenball in Washington; Editing by Jonathan Weber and Frances Kerry)