U.S. trade group hacked with Chinese software ahead of Xi summit

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017.REUTERS/Kacper Pempel/Illustration/File Photo

By Joseph Menn

SAN FRANCISCO (Reuters) – A sophisticated hacking group that pursues Chinese government interests broke into the website of a private U.S. trade group ahead of Thursday’s summit between U.S. President Donald Trump and Chinese President Xi Jinping, according to researchers.

The hackers left a malicious link on web pages where members of the National Foreign Trade Council (NFTC) register for upcoming meetings, according to researchers at Fidelis Cybersecurity and a person familiar with the trade group.

The nonprofit NFTC is a prominent advocate on international trade policy, with corporate members including Wal-Mart Stores Inc <WMT.N>, Johnson & Johnson <JNJ.N>, Amazon.com Inc <AMZN.O>, Ford Motor Co <F.N> and Microsoft Corp <MSFT.O>.

The malicious link deployed a spying tool called Scanbox, which would have recorded the type and versions of software running on the computers of those exposed to it, said Fidelis researcher John Bambenek. Such reconnaissance is typically followed by new attacks using known flaws in the detected software, especially older versions.

Scanbox has only been used by groups associated with the Chinese government, Fidelis said, and was recently seen on a political site aimed at Uyghurs, an ethnic minority under close government scrutiny in China.

The breach was detected about five weeks ago by an NFTC director who is a customer of Fidelis, the security company said. Both the Federal Bureau of Investigation and the NFTC were notified and the malicious link removed, and Fidelis said it had no evidence of NFTC members being infected.

The FBI and the NFTC declined to comment. A spokesman for the Chinese foreign ministry did not respond to a request for comment.

Bambenek said he believed the attack was classic espionage related to international trade talks, rather than a violation of a 2015 agreement between former U.S. President Barack Obama and Xi to end spying for commercial motives.

The summit starting on Thursday is the first meeting between Xi and Trump, who blamed China on the campaign trail for the loss of many U.S. jobs and vowed to confront the country’s leaders on the matters of trade and currency manipulation.

“I think it’s traditional espionage that happens ahead of any summit,” said Bambenek. “They would like to know what we, the Americans, really care about and use that for leverage.”

Other security firms agreed that wholesale theft of U.S. intellectual property has not returned.

Instead, FireEye Inc <FEYE.O> and BAE Systems Plc <BAES.L> said that the hacking group identified by Fidelis, called APT10, has recently attacked government and commercial targets in Europe.

FireEye researcher John Hultquist said heavy industries in Nordic countries have been hacked more often as Beijing switches priorities.

“They are certainly taking those resources and pushing them to other places where they can still get away with this behavior,” Hultquist said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

UK and Swedish watchdogs warn of international cyber attack

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

STOCKHOLM (Reuters) – A large-scale cyber attack from a group targeting organizations in Japan, the United States, Sweden and many other European countries through IT services providers has been uncovered, the Swedish computer security watchdog said on Wednesday.

The cyber attack, uncovered through a collaboration by Britain’s National Cyber Security Centre, PwC and cyber security firm BAE Systems, targeted managed service providers to gain access to their customers’ internal networks since at least May 2016 and potentially as early as 2014.

The exact scale of the attack, named Cloud Hopper and attributed to a group called APT10, is not known but is believed to involve huge amounts of data, Sweden’s Civil Contingencies Agency said in a statement. The agency did not say whether the cyber attacks were still happening.

“The high level of digitalization in Sweden, along with the amount of services outsourced to managed service providers, means that there is great risk that several Swedish organizations are affected by the attacks,” the watchdog said.

The agency said those behind the attacks had used significant resources to identify their targets and sent sophisticated phishing e-mails to infect computers.

It also said Swedish IP addresses had been used to coordinate the incursions and retrieve stolen data and that APT10 specifically targeted IT, communications, healthcare, energy and research sectors.

(Reporting by Johan Ahlander; Editing by Niklas Pollard and Stephen Powell)

McDonald’s Canada says 95,000 affected in careers website hack

A Canadian flag waves beside McDonalds fast food restaurant in Toronto, May 1, 2014. REUTERS/Mark Blinch

(Reuters) – McDonald’s Corp’s <MCD.N> Canadian unit said on Friday personal information of about 95,000 restaurant job applicants was compromised in a cyber attack on its careers website.

The information included names, addresses, email addresses, phone numbers and employment backgrounds of candidates who applied online for jobs at McDonald’s Canada restaurants between March 2014 and March 2017.

The careers website was shut down after McDonald’s learned of the attack, and will remain closed until an ongoing investigation is complete, the unit said.

The company said it currently had no evidence that the information taken had been misused.

McDonald’s Canada said its job application forms do not ask for sensitive personal information such as social insurance numbers, banking or health information.

McDonald’s said earlier this month its official Twitter handle was compromised after a tweet sent from the account slammed U.S. President Donald Trump.

(Reporting by Vishaka George and Anya George Tharakan in Bengaluru; Editing by Sai Sachin Ravikumar)

A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense

The logo of Cisco is seen at Mobile World Congress in Barcelona, Spain, February 27, 2017. REUTERS/Eric Gaillard

By Joseph Menn

SAN FRANCISCO (Reuters) – When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems <CSCO.O> swung into action.

The WikiLeaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco’s widely used Internet switches, which direct electronic traffic, to enable eavesdropping.

Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.

The Cisco engineers worked around the clock for days to analyze the means of attack, create fixes, and craft a stopgap warning about a security risk affecting more than 300 different products, said the employees, who had direct knowledge of the effort.

That a major U.S. company had to rely on WikiLeaks to learn about security problems well-known to U.S. intelligence agencies underscores concerns expressed by dozens of current and former U.S. intelligence and security officials about the government’s approach to cybersecurity.

That policy overwhelmingly emphasizes offensive cyber-security capabilities over defensive measures, these people told Reuters, even as an increasing number of U.S. organizations have been hit by hacks attributed to foreign governments.

Larry Pfeiffer, a former senior director of the White House Situation Room in the Obama administration, said now that others were catching up to the United States in their cyber capabilities, “maybe it is time to take a pause and fully consider the ramifications of what we’re doing.”

U.S. intelligence agencies blamed Russia for the hack of the Democratic National Committee during the 2016 election. Nation-states are also believed to be behind the 2014 hack of Sony Pictures Entertainment and the 2015 breach of the U.S. Government’s Office of Personnel Management.

CIA spokeswoman Heather Fritz Horniak declined to comment on the Cisco case, but said it was the agency’s “job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad.”

The Office of the Director of National Intelligence, which oversees the CIA and NSA, referred questions to the White House, which declined to comment.

Across the federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters.

President Donald Trump’s budget proposal would put about $1.5 billion into cyber-security defense at the Department of Homeland Security (DHS). Private industry and the military also spend money to protect themselves.

But the secret part of the U.S. intelligence budget alone totaled about $50 billion annually as of 2013, documents leaked by NSA contractor Edward Snowden show. Just 8 percent of that figure went toward “enhanced cyber security,” while 72 percent was dedicated to collecting strategic intelligence and fighting violent extremism.

Departing NSA Deputy Director Rick Ledgett confirmed in an interview that 90 percent of government cyber spending was on offensive efforts and agreed it was lopsided.

“It’s actually something we’re trying to address” with more appropriations in the military budget, Ledgett said. “As the cyber threat rises, the need for more and better cyber defense and information assurance is increasing as well.”

The long-standing emphasis on offense stems in part from the mission of the NSA, which has the most advanced cyber capabilities of any U.S. agency.

It is responsible for the collection of intelligence overseas and also for helping defend government systems. It mainly aids U.S. companies indirectly, by assisting other agencies.

“I absolutely think we should be placing significantly more effort on the defense, particularly in light of where we are with exponential growth in threats and capabilities and intentions,” said Debora Plunkett, who headed the NSA’s defensive mission from 2010 to 2014.

GOVERNMENT ROLE

How big a role the government should play in defending the private sector remains a matter of debate.

Former military and intelligence leaders such as ex-NSA Director Keith Alexander and former Secretary of Defense Ashton Carter say that U.S. companies and other institutions cannot be solely responsible for defending themselves against the likes of Russia, China, North Korea and Iran.

For tech companies, the government’s approach is frustrating, executives and engineers say.

Sophisticated hacking campaigns typically rely on flaws in computer products. When the NSA or CIA find such flaws, under current policies they often choose to keep them for offensive attacks, rather than tell the companies.

In the case of Cisco, the company said the CIA did not inform the company after the agency learned late last year that information about the hacking tools had been leaked.

“Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers,” said company spokeswoman Yvonne Malmgren.

SIDE BY SIDE

A recent reorganization at the NSA, known as NSA21, eliminated the branch that was explicitly responsible for defense, the Information Assurance Directorate (IAD), the largest cyber-defense workforce in the government. Its mission has now been combined with the dominant force in the agency, signals intelligence, in a broad operations division.

Top NSA officials, including director Mike Rogers, argue that it is better to have offensive and defensive specialists working side by side. Other NSA and White House veterans contend that perfect defense is impossible and therefore more resources should be poured into penetrating enemy networks – both to head off attacks and to determine their origin.

Curtis Dukes, the last head of IAD, said in an interview after retiring last month that he feared defense would get even less attention in a structure where it does not have a leader with a direct line to the NSA director.

“It’s incumbent on the NSA to say, ‘This is an important mission’,” Dukes said. “That has not occurred.”

(Reporting by Joseph Menn in San Francisco; Additional reporting by Warren Strobel in Washington; Editing by Jonathan Weber and Ross Colvin)

U.S. may accuse North Korea in Bangladesh cyber heist: WSJ

Federal Reserve and New York City Police officers stand guard in front of the New York Federal Reserve Building in New York, October 17, 2012. REUTERS/Keith Bedford/File Photo

NEW YORK (Reuters) – U.S. prosecutors are building potential cases that would accuse North Korea of directing the theft of $81 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York last year, and that would charge alleged Chinese middlemen, the Wall Street Journal reported on Wednesday.

The U.S. Federal Bureau of Investigation believes that North Korea is responsible for the heist, an official briefed on the probe told Reuters. Richard Ledgett, deputy director of the U.S. National Security Agency, publicly suggested on Tuesday that North Korea may be linked to the incident, while private firms have long pointed the finger at the reclusive state.

The Journal, citing people familiar with the matter, reported that prosecutors believe Chinese middlemen helped North Korea orchestrate the theft from Bangladesh’s central bank, which was among the biggest bank robberies in modern times.

The current cases being pursued may not include charges against North Korean officials, but would likely implicate the country, the newspaper reported, with the United States accusing a foreign government of orchestrating the heist.

A U.S. Department of Justice spokesman declined to comment.

FBI offices in Los Angeles and New York have been leading an international investigation into the February 2016 incident, in which hackers breached Bangladesh Bank’s systems and used the SWIFT messaging network to request nearly $1 billion from its account at the New York Fed.

The branch of the U.S. central bank rejected most of the requests but filled some of them, resulting in $81 million disappearing into casinos and other entities in the Philippines. A top police investigator in Dhaka told Reuters in December that some Bangladesh Bank officials deliberately exposed its computer systems, enabling the hackers to get in.

The incident exposed bungling and miscommunication between central banks, and left the Fed, Bangladesh, SWIFT, and the Philippine lender that initially received the funds trading blame for months.

SWIFT – or the Society for Worldwide Interbank Financial Telecommunication, which serves as the backbone of global finance – has since revealed that its messaging system was targeted in a “meaningful” number of other attacks last year using an approach similar to that in the Bangladesh incident.

Last week, SWIFT said it planned to cut off the remaining North Korean banks still connected to its system as concerns about the country’s nuclear program and missile tests grow.

The Journal reported that federal investigators are focusing on Chinese individuals or businesses who allegedly helped North Korea orchestrate the heist, and that the U.S. Treasury is considering sanctions against these alleged middlemen.

The New York Fed and SWIFT declined to comment.

(Reporting by Jonathan Spicer and Joseph Menn; Editing by Jonathan Oatis and James Dalgleish)

G20 to jointly fight bank sector hacking

A general view shows the G20 Finance Ministers and Central Bank Governors Meeting in Baden-Baden, Germany, March 17, 2017. REUTERS/Kai Pfaffenbach

By Balazs Koranyi

BADEN-BADEN, Germany (Reuters) – The world’s biggest economies will pledge to jointly fight cyber attacks on the global banking system, one of the biggest coordinated efforts yet to protect lenders since an $81 million heist of the Bangladesh central bank’s account last year.

Meeting in the German resort town of Baden-Baden, G20 finance chiefs will agree to fight attacks regardless of their origin and promise cross-border cooperation to maintain financial stability, according to a draft document seen by Reuters.

“We will promote the resilience of financial services and institutions in G20 jurisdictions against malicious use of information and communication technologies, including from countries outside the G20,” it said.

However, it dropped an earlier reference to enhanced security requirements for financial services.

Cyber crime became a top priority after an elaborate heist on the Bangladesh central bank’s account at the Federal Reserve Bank of New York last year, an unprecedented theft that exposed the vulnerabilities of the system.

The agreement, set to be finalised on Saturday, will come just days after the United States charged two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts.

The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences including for computer fraud, economic espionage, theft of trade secrets, and wire fraud.

The charges came amid a swirl of controversies relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of U.S. President Donald Trump.

In the banking world, attacks through the global SWIFT bank transfer system have continued to increase with the network recording a “meaningful” number of attacks with about a fifth of them resulting in stolen funds since the Bangladesh heist, the firm said late last year.

In other highly publicized attacks, retailer Tesco Plc’s banking arm said 2.5 million pounds ($3 million) had been stolen from 9,000 customers last year while hackers also stole more than 2 billion rubles ($34 million) from correspondent accounts at the Russian central bank and from accounts in commercial banks.

The European Union is considering testing banks’ defenses against cyber attacks with concerns growing about the industry’s vulnerability to hacking.

(Editing by Julia Glover)

U.S. indicts Russian spies, hackers over massive Yahoo hack

Acting AAG for National Security Mary McCord speaks in front of a poster of a suspected Russian hacker during FBI National Security Division and the U.S. Attorney's Office for the Northern District of California joint news conference at the Justice Department in Washington, U.S., March 15, 2017. REUTERS/Yuri Gripas

By Dustin Volz

WASHINGTON (Reuters) – The U.S. government on Wednesday unsealed charges against two Russian spies and two criminal hackers for allegedly pilfering 500 million Yahoo user accounts in 2014.

The indictments, announced at a news conference in Washington, represent the first time the U.S. government has criminally charged Russian officials for cyber offenses.

The contents of at least 30 million accounts were accessed as part of a spam campaign and at least 18 people who used other internet service providers, such as Google, were also victimized, the government charged.

The officers of the FSB, Russia’s Federal Security Service, which is a successor to the KGB, were identified as Dmitry Dokuchaev and his superior, Igor Sushchin, the government said.

Both men are in Russia, it said.

Alexsey Belan, who is on the list of most-wanted cyber criminals, and Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, were also named in the indictment.

The Justice Department said Baratov was arrested in Canada on Tuesday and his case is pending with Canadian authorities.

Belan was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the Justice Department.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale,” said Acting Assistant Attorney General Mary McCord.

McCord said the hacking campaign was waged by the FSB to collect intelligence but that the two hackers used the collected information as an opportunity to “line their pockets.”

The United States does not have an extradition treaty with Russia, but McCord said she was hopeful Russian authorities would cooperate in bringing criminals to justice. The United States often charges cyber criminals with the intent of deterring future state-sponsored activity.

The administration of former President Barack Obama brought similar charges against Chinese and Iranian hackers who have not been extradited.

The 47-count indictment includes conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identity theft.

The charges are not related to the hacking of Democratic Party emails during the 2016 U.S. presidential election. Intelligence agencies have said they were carried out by Russia to help the campaign of Republican candidate Donald Trump.

Yahoo said when it announced the then-unprecedented breach last September that it believed the attack was state-sponsored, and on Wednesday the company said the indictment “unequivocally shows” that to be the case.

Yahoo in December also announced a breach that occurred in 2013 affecting one billion accounts, though it has not linked that intrusion to the one in 2014.

The Russian hacking conspiracy, which began as early as 2014, allowed Belan to use his relationship with the Russian spy agency and access to Yahoo’s network to engage in financial crimes, according to the indictment.

The breaches were the latest in a series of setbacks for the Internet pioneer, which has fallen on hard times in recent years after being eclipsed by younger, fast-growing rivals including Alphabet Inc’s Google and Facebook Inc.

Yahoo’s disclosure of the years-old cyber invasions and its much-criticized slow response forced it to accept a discount of $350 million in what had been a $4.83 billion deal to sell its main assets to Verizon Communications Inc.

Shares of Yahoo were down 0.9 percent.

“We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cyber crime,” Chris Madsen, Yahoo’s assistant general counsel, said in a statement.

(Reporting by Dustin Volz and Joseph Menn; Additional reporting by Julia Edwards; Editing by Jeffrey Benkoe and James Dalgleish)

WikiLeaks offers CIA hacking tools to tech companies: Assange

WikiLeaks founder Julian Assange makes a speech from the balcony of the Ecuadorian Embassy, in central London, Britain February 5, 2016. REUTERS/Peter Nicholls/Files

By Dustin Volz and Eric Auchard

WASHINGTON/FRANKFURT (Reuters) – WikiLeaks will provide technology companies with exclusive access to CIA hacking tools that it possesses, to allow them to patch software flaws, founder Julian Assange said on Thursday.

The offer, if legitimate, could put Silicon Valley in the unusual position of deciding whether to cooperate with Assange, a man believed by some U.S. officials and lawmakers to be an untrustworthy pawn of Russian President Vladimir Putin, or a secretive U.S. spy agency.

It was not clear how WikiLeaks intended to cooperate with technology companies, or if they would accept his offer. The anti-secrecy group published documents on Tuesday describing secret Central Intelligence Agency hacking tools and snippets of computer code. It did not publish the full programs that would be needed to actually conduct cyber exploits against phones, computers and Internet-connected televisions.

Representatives of Alphabet Inc’s Google, Apple Inc, Microsoft Corp <MSFT.O> and Cisco Systems Inc <CSCO.O>, all of whose wares are subject to attacks described in the documents, did not immediately respond to requests for comment before regular business hours on the U.S. West Coast.

“Considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that the fixes can be developed and pushed out, so people can be secure,” Assange said during a press conference broadcast via Facebook Live.

Responding to Assange’s comments, CIA spokesman Jonathan Liu, said in a statement, “As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity.”

“Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”

The disclosures alarmed the technology world and consumers concerned about the potential privacy implications of the cyber espionage tactics that were described.

One file described a program known as Weeping Angel that purportedly could take over a Samsung smart television, making it appear it was off when in fact it was recording conversations in the room.

Other documents described ways to hack into Apple Inc <AAPL.O> iPhones, devices running Google’s <GOOGL.O> Android software and other gadgets in a way that could observe communications before they are protected by end-to-end encryption offered by messaging apps like Signal or WhatsApp.

Several companies have already said they are confident that their recent security updates have already accounted for the purported flaws described in the CIA documents. Apple said in a statement on Tuesday that “many of the issues” leaked had already been patched in the latest version of its operating system.

WikiLeaks’ publication of the documents reignited a debate about whether U.S. intelligence agencies should hoard serious cyber security vulnerabilities rather than share them with the public. An interagency process created under former President Barack Obama called for erring on the side of disclosure.

President Donald Trump believed changes were needed to safeguard secrets at the CIA, White House spokesman Sean Spicer told a news briefing on Thursday. “He believes that the systems at the CIA are outdated and need to be updated.”

Two U.S. intelligence and law enforcement officials told Reuters on Wednesday that intelligence agencies have been aware since the end of last year of a breach at the CIA, which led to WikiLeaks releasing thousands of pages of information on its website.

The officials, speaking on condition of anonymity, said contractors likely breached security and handed over the documents to WikiLeaks. The CIA has declined to comment on the authenticity of the documents leaked, but the officials said they believed the pages about hacking techniques used between 2013 and 2016 were authentic.

Contractors have been revealed as the source of sensitive government information leaks in recent years, most notably Edward Snowden and Harold Thomas Martin, both employed by consulting firm Booz Allen Hamilton <BAH.N> while working for the National Security Agency.

Assange said he possessed “a lot more information” about the CIA’s cyber arsenal that would be released soon. He criticized the CIA for “devastating incompetence” for not being able to control access to such sensitive material.

Nigel Farage, the former leader of the populist UK Independence Party, visited Assange at the Ecuadorean embassy in London earlier on Thursday. A representative for Farage said he was unaware what was discussed.

Assange has been holed up since 2012 at the embassy, where he fled to avoid extradition to Sweden over allegations of rape, which he denies.

(Reporting by Dustin Volz; Additional reporting by Eric Auchard in Frankfurt, Joseph Menn in San Francisco and Guy Falconbridge in London; Editing by Frances Kerry and Grant McCool)

New York state cyber security regulation to take effect March 1


By Karen Freifeld and Jim Finkle

NEW YORK/BOSTON (Reuters) – New York state on Thursday announced final regulations requiring banks and insurers to meet minimum cyber-security standards and report breaches to regulators as part of an effort to combat a surge in cyber crime and limit damages to consumers.

The rules, in the works since 2014, followed a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars to U.S. companies, including Target Corp, Home Depot Inc and Anthem Inc.

They lay out unprecedented requirements on steps financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators.

“These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes,” Governor Andrew Cuomo said in a statement.

The state in December delayed implementation of the rules by two months and loosened some requirements after financial firms complained they were onerous and said they would need more time to comply.

The new rules call for banks and insurers to scrutinize security at third-party vendors that provide them goods and services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.

The revised rule requires firms to perform risk assessments in order to design a program particular to them, and gives them at least a year-and-a-half to comply with the requirements. The final rule took into account the burden on smaller companies, a spokeswoman for the agency said.

Covered entities must annually certify compliance.

Institutions subject to the regulation include state-chartered banks, as well as foreign banks licensed to operate in the state, along with any insurer that does business in New York.

A task force of U.S. state insurance regulators is also developing a model cyber security law, which individual state legislatures could ultimately choose to adopt.

Hong Kong police struggle to stop brokerage hacking spree


By Michelle Price

HONG KONG (Reuters) – Hong Kong police are struggling to deal with digital pump-and-dump schemes targeting brokerages – a little-known type of computer-generated fraud that surged in the Chinese territory last year.

Although the money involved was small – only about $20 million worth of shares – there were 81 such incidents reported in 2016, more than triple the number in 2015, according to police.

In the scheme, criminals invest in thinly traded penny stocks and then manipulate their share prices by ordering trades from hacked brokerage accounts. They earn profits by selling before the fraudulent trades are reported.

After last year’s cyber-heist of $81 million at Bangladesh’s central bank and a series of hacks of ATMs around the world, authorities fear such pump-and-dump schemes could be increasingly used for electronic theft.

Hong Kong is a favored place for such attacks because of the number of thinly-traded penny stocks in the territory and because its securities industry has fallen behind other financial centers in defending against cyber fraud.

At least seven brokers and eight banks have been targeted in Hong Kong, including HSBC Holdings Plc and Bank of China International (BOCI) Securities, according to regulators and people familiar with confidential investigations.

A spokesman for HSBC declined to comment.

A spokeswoman for BOCI Securities said she could not comment on its case but the brokerage would continue to invest in IT security.

“If you ask regulators in the industry what is the number one threat, not surprisingly it’s all about cyber attacks,” Ashley Alder, CEO of the Hong Kong Securities and Futures Commission (SFC) and chairman of the International Organization of Securities Commissions, said in a speech to the local legislature last week.

“We’ve seen that happen not only in banking but also at brokers in Hong Kong, in particular recent attacks to do with basically hijacking share trading accounts.”

Such schemes surfaced more than a decade ago in the United States. Charles Schwab Corp, E*Trade Financial Corp and JP Morgan Chase & Co. were identified as victims of these schemes in a 2006 complaint filed by the Securities and Exchange Commission.

The pace of attacks reported in the United States has slowed in recent years after big brokerages implemented a variety of strategies to thwart the hacks, said John Reed Stark, a former chief of the Securities and Exchange Commission’s (SEC) Office of Internet Enforcement.

Some use algorithms to identify and halt unusual trading activity, others scrutinize Internet traffic for orders coming from suspicious servers, and one stopped permitting customers to buy penny stocks through its online trading platform, said Stark, who now runs cyber-security consulting firm John Reed Stark Consulting LLC.
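One way to implement the kind of order screening Stark describes, as an added example that is not any brokerage's actual system: the order, the reference data and the thresholds are constructed, and the checks flag orders that are large relative to a symbol's liquidity, priced well above the prior close, or sent from an address the account has not used before.

```python
from dataclasses import dataclass


@dataclass
class Order:
    account: str
    symbol: str
    side: str       # "buy" or "sell"
    qty: int
    price: float
    src_ip: str


# Constructed reference data (not real market figures): average daily
# volume and prior close per symbol, plus the source addresses each
# account has previously traded from.
AVG_DAILY_VOLUME = {"PASHUN": 2_000_000, "BIGCAP": 50_000_000}
PREV_CLOSE = {"PASHUN": 0.57, "BIGCAP": 60.0}
KNOWN_IPS = {"ACC-1": {"203.0.113.10"}}


def screen_order(order, adv=AVG_DAILY_VOLUME, prev_close=PREV_CLOSE,
                 known_ips=KNOWN_IPS, max_adv_fraction=0.25, max_premium=0.10):
    """Return the reasons this order looks like account-takeover
    pump-and-dump activity; an empty list means nothing was flagged."""
    reasons = []
    # 1. Size relative to liquidity: one order that is a large share of a
    #    symbol's average daily volume can move a thinly traded stock.
    fraction = order.qty / adv.get(order.symbol, float("inf"))
    if fraction > max_adv_fraction:
        reasons.append(f"order is {fraction:.0%} of average daily volume")
    # 2. Buying well above the last close: a pump is executed with
    #    aggressive prices so the fills print at a premium.
    if order.side == "buy" and order.symbol in prev_close:
        premium = order.price / prev_close[order.symbol] - 1
        if premium > max_premium:
            reasons.append(f"buy at {premium:.0%} premium to previous close")
    # 3. Source address never seen for this account (the "orders coming
    #    from suspicious servers" check in the text).
    if order.src_ip not in known_ips.get(order.account, set()):
        reasons.append(f"unfamiliar source address {order.src_ip}")
    return reasons


def should_hold(order, **kw):
    """Hold (do not route) an order that trips two or more checks; a single
    check is common for legitimate clients and would only be logged."""
    return len(screen_order(order, **kw)) >= 2
```

The sample in the test mirrors the Fast Track case (49 million shares of a thin stock bought at a 36 percent premium from an unfamiliar address) and trips all three checks, while an ordinary large-cap order from a known address passes.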

But such protections are rare in Hong Kong, where the government has only recently started suggesting security improvements to banks and brokerages, which have traditionally considered stock trading to be low-risk.

TWO-FACTOR AUTHENTICATION

The Hong Kong SFC last year told firms to increase surveillance of client transactions and data protection.

Authorities believe that hackers accessed brokerage accounts using stolen or guessed passwords, according to investigators. This might have been thwarted if the accounts had been protected with two-factor authentication, the Hong Kong Monetary Authority has said.

Two-factor authentication typically includes a password and a piece of information only the user has, for instance an electronic token with changing numbers.

“Hong Kong is being targeted because they have not instituted the same cyber protections that we see in the U.S. and certain parts of Europe,” said Jeff Cramer, a former U.S. prosecutor.

Cramer, who is managing director with cyber-security investigations firm Berkeley Research Group, said he expects to see more attacks in Hong Kong and perhaps other Asian nations, including China, Japan and South Korea, which are also behind in cyber security.

FIGHTING BACK

Such pump-and-dump cases have proven tough to crack in the United States because the masterminds are typically overseas, using surrogates and pseudonyms to make investments.

Brokerages are typically not required to go public when they are hacked, so cases often only surface when the government files a complaint against suspected cyber criminals, or the hack results in litigation.

The attack involving BOCI Securities last year became public after it was sued by a customer that claimed its account was breached.

Trading firm Fast Track Holdings Limited alleged in court documents that somebody hacked into its brokerage account on the afternoon of September 23 using a valid user ID and password. Within 18 minutes, the intruder had emptied the account by spending HK$38 million to buy 49 million shares of thinly traded Pa Shun Pharmaceutical, according to Fast Track.

The stock soared more than 30 percent after the purchase, which was made at a 36 percent premium to the previous day’s closing price, Reuters data shows.

BOCI alerted Fast Track to the suspicious activity an hour later, but it has said in court documents that it should not be held financially responsible because it found no evidence its systems had been compromised.

Peter Pang, Pa Shun’s CFO, told Reuters the management “would keep an eye to the incident and report to the regulators and the public when necessary”.

One person familiar with the case said Fast Track’s management believes the incident was a pump-and-dump scam and that Pa Shun was targeted because it is thinly traded, but it remained unclear who was responsible.

Fast Track’s directors did not respond to requests for comment.

(Additional reporting by Jim Finkle in Boston and Jessica Yu, Katy Wong and Donny Kwok in Hong Kong; Editing by Raju Gopalakrishnan)