Global cyber attack fuels concern about U.S. vulnerability disclosures

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Dustin Volz

WASHINGTON (Reuters) – A global cyber attack on Friday renewed concerns about whether the U.S. National Security Agency and other countries’ intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.

Hacking tools believed to belong to the NSA that were leaked online last month appear to be the root cause of a major cyber attack unfurling throughout Europe and beyond, security researchers said, stoking fears that the spy agency’s powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.

Some cyber security experts and privacy advocates said the massive attack reflected a flawed approach by the United States to dedicate more cyber resources to offense rather than defense, a practice they argued makes the internet less secure.

Across the U.S. federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters in March. (http://reut.rs/2o7qHqN)

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

The NSA did not respond to a request for comment.

Hospitals and doctors’ surgeries in parts of England on Friday were forced to turn away patients and cancel appointments after they were infected with the “ransomware”, which scrambled data on computers and demanded payments of $300 to $600 to restore access.

Security software maker Avast said it had observed more than 57,000 infections in 99 countries. Russia, Ukraine and Taiwan were the top targets, it said.

Private security firms identified the virus as a new variant of ‘WannaCry’ ransomware with the ability to automatically spread across large networks by exploiting a bug in Microsoft Corp’s Windows operating system.

Security experts said the ransomware used in the attacks leveraged a hacking tool found in a leak of documents in April by a group known as Shadow Brokers.

At the time, Microsoft acknowledged the vulnerabilities and said they had been patched in a series of earlier updates pushed to customers, the most recent of which had been rolled out only a month earlier in March. But the episode prompted concerns about whether the tools could be leveraged by hackers to attack unpatched systems.

In a statement, a Microsoft spokesman said on Friday its engineers had provided additional detection and protection services against the WannaCry malware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Updates enabled and use the company’s free antivirus software are protected.

Shadow Brokers first emerged last year and began dumping tranches of documents that it said belonged to the NSA, though the files appeared at least a few years old.

Over time, western researchers have grown more confident that Russia may be behind Shadow Brokers and possibly other recent disclosures of sensitive information about cyber capabilities that have been pilfered from U.S. intelligence agencies.

Some researchers cast blame not on the NSA but on the hospitals and other customers that appeared to leave themselves open to attack.

“The main problem here is organizations taking more than eight weeks to patch once Microsoft released the update,” said Chris Wysopal, chief technology officer at the cyber firm Veracode. “Eight weeks is plenty of time for a criminal organization to develop a sophisticated attack on software and launch it on a wide scale.”

Former intelligence contractor Edward Snowden, who in 2013 leaked documents to journalists revealing the existence of broad U.S. surveillance programs, said on Twitter the NSA had built attack tools targeting U.S. software that “now threatens the lives of hospital patients.”

“Despite warnings, (NSA) built dangerous attack tools that could target Western software,” Snowden said. “Today we see the cost.”

(This version of the story has been refiled to correct spelling of hoard in first paragraph)

(Reporting by Dustin Volz; Editing by Lisa Shumaker)

Global cyber attack hits hospitals and companies, threat seen fading for now

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Costas Pitas

SINGAPORE/LONDON (Reuters) – A global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain’s health system and global shipper FedEx.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, limiting the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The British-based researcher who may have foiled the ransomware’s spread told Reuters he had not seen any such tweaks yet, “but they will.”

Finance chiefs from the Group of Seven rich countries will commit on Saturday to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, although the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government.

“Things could likely emerge on Monday.”

China’s official Xinhua news agency said some secondary schools and universities had been affected, without specifying how many or identifying them.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been affected.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur added.

MICROSOFT UPS DEFENSES

The U.S. Department of Homeland Security said it was sharing information with domestic and foreign partners and was ready to lend technical support.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm”, or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began the previous week when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus.The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

The British government did not know who was behind the attack but its National Crime Agency was working to find out, interior minister Amber Rudd said.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French one.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations.

“Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; Editing by Rob Birsel and Mike Collett-White)

Hackers exploit stolen U.S. spy agency tool to launch global cyberattack

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain’s health system and infected computers in nearly 100 countries on Friday.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Still, only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur said.

The U.S. Department of Homeland Security said late on Friday that it was aware of reports of the ransomware, was sharing information with domestic and foreign partners and was ready to lend technical support.

Telecommunications company Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“Once it gets in and starts moving across the infrastructure, there is no way to stop it,” said Adam Meyers, a researcher with cyber security firm CrowdStrike.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm,” or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement. It said the company was working with its customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 1-1/2 days before a run-off vote in which he was elected as the new president of France.

On Wednesday, hackers disputed the websites of several French media companies and aerospace giant Airbus.Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as the country’s biggest bank, Sberbank, said they were targeted. The interior ministry said on its website that around 1,000 computers had been infected but it had localized the virus.

The emergencies ministry told Russian news agencies it had repelled the cyberattacks while Sberbank said its cyber security systems had prevented viruses from entering its systems.

NEW BREED OF RANSOMWARE

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh; Writing by Mark Trevelyan and Jim Finkle; Editing by Ralph Boulton and Grant McCool)

NSA collected Americans’ phone records despite law change: report

An illustration picture shows the logo of the U.S. National Security Agency on the display of an iPhone in Berlin, June 7, 2013. REUTERS/Pawel Kopczynski

By Mark Hosenball

WASHINGTON (Reuters) – The U.S. National Security Agency collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report issued on Tuesday by the top U.S. intelligence officer.

The report from the office of Director of National Intelligence Dan Coats was the first measure of the effects of the 2015 USA Freedom Act, which limited the NSA to collecting phone records and contacts of people U.S. and allied intelligence agencies suspect may have ties to terrorism.

It found that the NSA collected the 151 million records even though it had warrants from the secret Foreign Intelligence Surveillance court to spy on only 42 terrorism suspects in 2016, in addition to a handful identified the previous year.

The NSA has been gathering a vast quantity of telephone “metadata,” records of callers’ and recipients’ phone numbers and the times and durations of the calls – but not their content – since the September 11, 2001, attacks.

The report came as Congress faced a decision on whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), which permits the NSA to collect foreign intelligence information on non-U.S. persons outside the United States, and is scheduled to expire at the end of this year.

Privacy advocates have argued that Section 702 permits the NSA to spy on Internet and telephone communications of Americans without warrants from the secret Foreign Intelligence Surveillance Court, and that foreign intelligence could be used for domestic law enforcement purposes in a way that evades traditional legal requirements.

The report said that on one occasion in 2016, the FBI obtained information about an American in response to a search of Section 702 data intended to produce evidence of a crime not related to foreign intelligence.

The report did not address how frequently the FBI obtained information about Americans while investigating a foreign intelligence matter, however.

On Friday, the NSA said it had stopped a form of surveillance that allowed it to collect the digital communications of Americans who mentioned a foreign intelligence target in their messages without a warrant.

TRUMP’S ALLEGATIONS

The new report also came amid allegations, recently repeated by U.S. President Donald Trump, that former President Barack Obama ordered warrantless surveillance of his communications and that former national security adviser Susan Rice asked the NSA to unmask the names of U.S. persons caught in the surveillance.

Both Republican and Democratic members of the congressional intelligence committees have said that so far they have found no evidence to support either allegation.

Officials on Tuesday argued that the 151 million records collected last year were tiny compared with the number collected under procedures that were stopped after former NSA contractor Edward Snowden revealed the surveillance program in 2013.

Because the 151 million would include multiple calls made to or from the same phone numbers, the number of people whose records were collected also would be much smaller, the officials said. They said they had no breakdown of how many individuals’ phone records were among those collected.

In all, according to the report, U.S. officials unmasked the names of fewer Americans in NSA eavesdropping reports in 2016 than they did the previous year, the top U.S. intelligence officer reported on Tuesday.

The report said the names of 1,934 “U.S. persons” were “unmasked” last year in response to specific requests, compared with 2,232 in 2015, but it did not identify who requested the names or on what grounds.

Officials said in the report that U.S. intelligence agencies had gone out of their way to make public more information about U.S. electronic eavesdropping.

“This year’s report continues our trajectory toward greater transparency, providing additional statistics beyond what is required by law,” said Office of the Director of National Intelligence spokesman Timothy Barrett.

(Reporting by Mark Hosenball; Additional reporting by Dustin Volz; Editing by John Walcott and Jonathan Oatis)

U.S. spy agency abandons controversial surveillance technique

FILE PHOTO - An aerial view shows the National Security Agency (NSA) headquarters in Ft. Meade, Maryland, U.S. on January 29, 2010. REUTERS/Larry Downing/File Photo

By Dustin Volz

WASHINGTON (Reuters) – The U.S. National Security Agency said on Friday it had stopped a form of surveillance that allowed it to collect without a warrant the digital communications of Americans who mentioned a foreign intelligence target in their messages, marking an unexpected triumph for privacy advocates long critical of the practice.

The decision to stop the once-secret activity, which involved messages sent to or received from people believed to be living overseas, came despite the insistence of U.S. officials in recent years that it was both lawful and vital to national security.

The halt is among the most substantial changes to U.S. surveillance policy in years and comes as digital privacy remains a contentious issue across the globe following the 2013 disclosures of broad NSA spying activity by former intelligence contractor Edward Snowden.

“NSA will no longer collect certain internet communications that merely mention a foreign intelligence target,” the agency said in a statement. “Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target.”

NSA also said it would delete the “vast majority” of internet data collected under the surveillance program “to further protect the privacy of U.S. person communications.”

The decision is an effort to remedy privacy compliance issues raised in 2011 by the Foreign Intelligence Surveillance Court, a secret tribunal that rules on the legality of intelligence operations, sources familiar with the matter said.

The court recently approved the changes, NSA said in its statement.

The NSA is not permitted to conduct surveillance within the United States. The so-called “about” collection went after messages that mentioned a surveillance target, even if the message was neither to nor from that person.

That type of collection sometimes resulted in surveillance of emails, texts and other communications that were wholly domestic. The NSA will continue to collect communications directly involving intelligence targets.

Friday’s announcement came as a surprise to privacy advocates who have long argued that “about” collection was overly broad and ran afoul of the U.S. Constitution’s protections against unreasonable searches.

Julian Sanchez, a privacy and surveillance expert with the Cato Institute, a libertarian think tank, called the decision “very significant” and among the top priorities of surveillance reform among civil liberties groups.

“Usually you identify a specific individual to scrutinize their content; this was scrutinizing everyone’s content to find mentions of an individual,” Sanchez said.

Other privacy advocates seized on the change to advocate for additional reforms to the Foreign Intelligence Surveillance Act (FISA). The part of the law under which the banned surveillance occurred, known as Section 702, is due to expire at the end of the year unless Congress reauthorizes it.

Democratic Senator Ron Wyden said in a statement he would introduce legislation “banning this kind of collection in the future.”

A U.S. government official familiar with the matter said the change was motivated in part to ensure that Section 702 is renewed before it sunsets on Dec. 31, 2017. FISA has come under increased scrutiny in recent months amid unsubstantiated claims by President Donald Trump and other Republicans that the Obama White House improperly spied on Trump or his associates.

Pieces of differing bits of digital traffic are often packaged together as they travel across the internet. Part of the issue with “about” collection stemmed from how an entire packet of information would be vacuumed up if one part of it contained information, such as an email address or phone number, connected to a foreign target.

NSA told the Privacy and Civil Liberties Oversight Board as recently as last year that changes to “about” collection were not “practical at this time,” according to a report from the government watchdog.

News of the surveillance activity being halted was first reported on Friday by The New York Times, which first revealed its existence in 2013, two months after Snowden leaked intelligence documents to journalists.

(Additional reporting by Mark Hosenball; writing by Eric Beech; editing by Tim Ahmann, Leslie Adler and Bill Rigby)

Top U.S. officials to testify in Trump-Russia probe reboot

Senate Intelligence Committee Chairman Sen. Richard Burr (R-NC), accompanied by Senator Mark Warner (D-VA), vice chairman of the committee, speaks at a news conference to discuss their probe of Russian interference in the 2016 election on Capitol Hill in Washington, D.C., U.S., March 29, 2017. REUTERS/Aaron P. Bernstein

By Patricia Zengerle

WASHINGTON (Reuters) – The U.S. House of Representatives Intelligence Committee said on Friday it had invited FBI, NSA and Obama administration officials to testify as it restarts its investigation into alleged Russian meddling in the 2016 U.S. election.

After stalling over the committee chairman’s ties to President Donald Trump’s White House and disagreements over who should testify, the bipartisan committee said it sent a letter inviting James Comey, director of the Federal Bureau of Investigation, and Admiral Mike Rogers, director of the National Security Agency, to appear behind closed doors on May 2.

A second letter invited three officials who left the government as President Barack Obama’s administration ended – former CIA Director John Brennan, former Director of National Intelligence James Clapper and former Deputy Attorney General Sally Yates – to appear at a public hearing to be scheduled after May 2.

The planned hearings are the first the committee has announced since its chairman, Republican Representative Devin Nunes, recused himself from the Russia investigation on April 6 after receiving information at the White House about surveillance that swept up some information about members of Trump’s transition team.

Echoing Trump, Nunes suggested that Obama’s administration had handled that information incorrectly.

Nunes remains the committee’s chairman.

TIES TO TRUMP

Comey and Rogers testified in a public hearing on March 20. At that hearing, Comey confirmed for the first time that the FBI was investigating possible ties between Trump’s presidential campaign and Russia as Moscow sought to influence the election.

Nunes was a supporter of Trump’s campaign and a member of his transition team. His decision two days after the public hearing to hold a press conference about the information and discuss it with Trump before disclosing it to Democrats raised questions about whether he could lead a credible investigation.

Committee Democrats also were angered when Nunes scrapped a scheduled public hearing with Brennan, Yates and Clapper. A planned closed hearing with Comey and Rogers also was put off.

The House panel is examining whether Russia tried to influence the election in Trump’s favor, mostly by hacking Democratic operatives’ emails and releasing embarrassing information, or possibly by colluding with Trump associates.

Russia denies the allegations, which Trump also dismisses.

The Senate Intelligence Committee is conducting a separate, similar investigation.

Senate investigators currently are interviewing analysts and intelligence agents who prepared public and classified reports in January that concluded that Russia had interfered in last year’s election on Trump’s behalf, an official familiar with the congressional activity said.

At this point they are a long way from scheduling interviews or hearings with any principal witnesses from either the Obama or Trump administrations, the official said.

(Reporting by Patricia Zengerle, additional reporting by Mark Hosenball; Editing by Cynthia Osterman and Mary Milliken)

Hackers release files indicating NSA monitored global bank transfers

FILE PHOTO: Swift code bank logo is displayed on an iPhone 6s among Euro banknotes in this picture illustration January 26, 2016. REUTERS/Dado Ruvic/File Photo - RTS11WHG

By Clare Baldwin

(Reuters) – Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks.

The release included computer code that could be adapted by criminals to break into SWIFT servers and monitor messaging activity, said Shane Shook, a cyber security consultant who has helped banks investigate breaches of their SWIFT systems.

The documents and files were released by a group calling themselves The Shadow Brokers. Some of the records bear NSA seals, but Reuters could not confirm their authenticity.

The NSA could not immediately be reached for comment.

Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said.

In a statement to Reuters, Microsoft <MSFT.O>, maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen.

“Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers,” the company said.

The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama’s staff, companies were usually warned about dangerous flaws.

Shook said criminal hackers could use the information released on Friday to hack into banks and steal money in operations mimicking a heist last year of $81 million from the Bangladesh central bank.

“The release of these capabilities could enable fraud like we saw at Bangladesh Bank,” Shook said.

The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday.

SWIFT said it regularly releases security updates and instructs client banks on how to handle known threats.

“We mandate that all customers apply the security updates within specified times,” SWIFT said in a statement.

SWIFT said it had no evidence that the main SWIFT network had ever been accessed without authorization.

It was possible that the local messaging systems of some SWIFT client banks had been breached, SWIFT said in a statement, which did not specifically mention the NSA.

When cyberthieves robbed the Bangladesh Bank last year, they compromised that bank’s local SWIFT network to order money transfers from its account at the New York Federal Reserve.

The documents released by the Shadow Brokers on Friday indicate that the NSA may have accessed the SWIFT network through service bureaus. SWIFT service bureaus are companies that provide an access point to the SWIFT system for the network’s smaller clients and may send or receive messages regarding money transfers on their behalf.

“If you hack the service bureau, it means that you also have access to all of their clients, all of the banks,” said Matt Suiche, founder of the United Arab Emirates-based cybersecurity firm Comae Technologies, who has studied the Shadow Broker releases and believes the group has access to NSA files.

The documents posted by the Shadow Brokers include Excel files listing computers on a service bureau network, user names, passwords and other data, Suiche said.

“That’s information you can only get if you compromise the system,” he said.

ATTEMPT TO MONITOR FLOW OF MONEY

Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show “the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorists groups”.

Since the early 1990s, interrupting the flow of money from Saudi Arabia, the United Arab Emirates and elsewhere to al Qaeda, the Taliban, and other militant Islamic groups in Afghanistan, Pakistan and other countries has been a major objective of U.S. and allied intelligence agencies.

Mustafa Al-Bassam, a computer science researcher at University College London, said on Twitter that the Shadow Brokers documents show that the “NSA hacked a bunch of banks, oil and investment companies in Palestine, UAE, Kuwait, Qatar, Yemen, more.”

He added that NSA “completely hacked” EastNets, one of two SWIFT service bureaus named in the documents that were released by the Shadow Brokers.

Reuters could not independently confirm that EastNets had been hacked.

EastNets, based in Dubai, denied it had been hacked in a statement, calling the assertion “totally false and unfounded.”

EastNets ran a “complete check of its servers and found no hacker compromise or any vulnerabilities,” according to a statement from EastNets’ chief executive and founder, Hazem Mulhim.

In 2013, documents released by former NSA contractor Edward Snowden said the NSA had been able to monitor SWIFT messages.

The agency monitored the system to spot payments intended to finance crimes, according to the documents released by Snowden.

Reuters could not confirm whether the documents released Friday by the Shadow Brokers, if authentic, were related to NSA monitoring of SWIFT transfers since 2013.

Some of the documents released by the Shadow Brokers were dated 2013, but others were not dated.

The documents released by the hackers did not clearly indicate whether the NSA had actually used all the techniques cited for monitoring SWIFT messages.

(Additional reporting by Tom Bergin in London; Dustin Volz and John Walcott in Washington; Joseph Menn in San Franciso; and Jim Finkle in Buffalo, New York.; Editing by Brian Thevenot and Cynthia Osterman)

NSA contractor indicted over mammoth theft of classified data

NSA HQ

By Dustin Volz

(Reuters) – A former National Security Agency contractor was indicted on Wednesday by a federal grand jury on charges he willfully retained national defense information, in what U.S. officials have said may have been the largest heist of classified government information in history.

The indictment alleges that Harold Thomas Martin, 52, spent up to 20 years stealing highly sensitive government material from the U.S. intelligence community related to national defense, collecting a trove of secrets he hoarded at his home in Glen Burnie, Maryland.

The government has not said what, if anything, Martin did with the stolen data.

Martin faces 20 criminal counts, each punishable by up to 10 years in prison, the Justice Department said.

“For as long as two decades, Harold Martin flagrantly abused the trust placed in him by the government,” said U.S. Attorney Rod Rosenstein.

Martin’s attorney could not immediately be reached for comment.

Martin worked for Booz Allen Hamilton Holding Corp when he was taken into custody last August.

Booz Allen also had employed Edward Snowden, who leaked a trove of secret files to news organizations in 2013 that exposed vast domestic and international surveillance operations carried out by the NSA.

The indictment provided a lengthy list of documents Martin is alleged to have stolen from multiple intelligence agencies starting in August 1996, including 2014 NSA reports detailing intelligence information “regarding foreign cyber issues” that contained targeting information and “foreign cyber intrusion techniques.”

The list of pilfered documents includes an NSA user’s guide for an intelligence-gathering tool and a 2007 file with details about specific daily operations.

The indictment also alleges that Martin stole documents from U.S. Cyber Command, the CIA and the National Reconnaissance Office.

Martin was employed as a private contractor by at least seven different companies, working for several government agencies beginning in 1993 after serving in the U.S. Navy for four years, according to the indictment.

His positions, which involved work on highly classified projects involving government computer systems, gave him various security clearances that routinely provided him access to top-secret information, it said.

Unnamed U.S. officials told the Washington Post this week that Martin allegedly took more than 75 percent of the hacking tools belonging to the NSA’s tailored access operations, the agency’s elite hacking unit.

Booz Allen, which earns billions of dollars a year contracting with U.S. intelligence agencies, came under renewed scrutiny after Martin’s arrest was revealed last October. The firm announced it had hired former FBI Director Robert Mueller to lead an audit of its security, personnel and management practices.

A Booz Allen spokeswoman did not have an immediate comment on Martin’s indictment.

Martin’s initial appearance in the U.S. District Court of Baltimore was scheduled for next Tuesday, the Justice Department said.

(Reporting by Dustin Volz in Washington and Jonathan Stempel in New York; editing by Jonathan Oatis and Phil Berlowitz)

Snowden continues contacts with Russian intel services

Edward Snowden speaks via video link during a conference at University of Buenos Aires Law School, Argentina,

By Mark Hosenball and Jonathan Landay

WASHINGTON (Reuters) – Former National Security Agency contractor Edward Snowden “has had and continues to have contact” with Russian intelligence services, according to newly declassified portions of a House Intelligence Committee report released on Thursday.

The Pentagon found 13 undisclosed “high risk” security issues caused by Snowden’s disclosure to media outlets of tens of thousands of the U.S. eavesdropping agency’s most sensitive documents, according to the new material.

If the Chinese or Russians obtained access to materials related to these issues, “American troops will be at greater risk in any future conflict,” the report said.

“The committee remains concerned that more than three years after the start of the unauthorized disclosures, NSA, and the IC (Intelligence Community) as a whole, have not done enough to minimize the risk of another massive unauthorized disclosure,” the report said.

Snowden lives in Moscow under an asylum deal that was made after his leaks of classified information in 2013 triggered an international furor over the reach of U.S. spy operations.

Snowden’s lawyer, Ben Wizner, declined to immediately comment to Reuters on the newly released material.

But in a Twitter post, Wizner called the newly declassified portions of the report “petulant nonsense.”

(Editing by Frances Kerry and Jeffrey Benkoe)

Dozens of U.S. lawmakers request briefing on Yahoo email scanning

Yahoo Mail logo

By Dustin Volz

WASHINGTON (Reuters) – A bipartisan group of 48 lawmakers in the U.S. House of Representatives on Friday asked the Obama administration to brief Congress “as soon as possible” about a 2015 Yahoo <YHOO.O> program to scan all of its users’ incoming email at the behest of the government.

The request comes amid scrutiny by privacy advocates and civil liberties groups about the legal authority and technical nature of the surveillance program, first revealed by Reuters last week. Custom software was installed to search messages to hundreds of millions of accounts under an order issued by the secretive Foreign Intelligence Surveillance Court.

“As legislators, it is our responsibility to have accurate information about the intelligence activities conducted by the federal government,” according to the letter, organized by Republican Representative Justin Amash of Michigan and Democratic Representative Ted Lieu of California.

“Accordingly, we request information and a briefing as soon as possible for all members of Congress to resolve the issues raised by these reports.”

Investigators searched for messages that contained a single piece of digital content linked to a foreign state sponsor of terrorism, sources have told Reuters, though the nature of the content remains unclear.

Intelligence officials said Yahoo modified existing systems used to stop child pornography and filter spam messages on its email service.

But three former Yahoo employees told Reuters the court-ordered search was done by a module buried deep near the core of the company’s email server operation system, far below where mail sorting was handled.

The Senate and House intelligence committees were given a copy of the order when it was issued last year, sources said, but other members of Congress have express concern at the scope of the email scanning.

Some legal experts have questioned the breadth of the court order and whether it runs afoul of the U.S. Constitution’s Fourth Amendment protections against unreasonable searches.

Half of registered U.S. voters believe the Yahoo program violated the privacy of customers, according to a poll of 1,989 people conducted last week by Morning Consult, a polling and media company.

Twenty-five percent were supportive of the program because of its potential to stop criminal acts, the survey found, while another quarter did not know or had no opinion.

The congressional letter is addressed to Attorney General Loretta Lynch and Director of National Intelligence James Clapper.

(Additional reporting by Mark Hosenball and Joseph Menn; Editing by Jeffrey Benkoe)