Exclusive: Ukraine says Russia hackers laying groundwork for massive strike

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by cyber attacks, in Kiev, Ukraine June 27, 2017. Picture taken June 27, 2017. REUTERS/Valentyn Ogirenko

By Pavel Polityuk

KIEV (Reuters) – Hackers from Russia are infecting Ukrainian companies with malware to create so-called ‘back doors’ for a large coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday, almost a year after a strike on Ukraine spread around the world.

Affected companies range across various industries, such as banks or energy infrastructure. The pattern of the malware being rolled out suggests the people behind it want to activate it on a particular day, Serhiy Demedyuk said.

Demedyuk said his staff were cooperating with foreign agencies to track the hackers, without naming the agencies.

Police had identified viruses designed to hit Ukraine since the start of the year, including phishing emails sent from legitimate domains of state institutions whose systems were hacked, or a fake webpage mimicking that of a real state body.

They had intercepted hackers sending malware from different sources and broken into various components so as to remain undetected by antivirus software until activated as a single unit, Demedyuk said.

“Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day,” he said.

Relations between Ukraine and Russia plunged following Russia’s annexation of Crimea in 2014, and Kiev has accused Russia of orchestrating large-scale cyber attacks as part of a “hybrid war” against Ukraine, which Moscow repeatedly denies.

Some attacks coincided with major Ukrainian holidays and Demedyuk said another strike could be launched on Thursday — Constitution Day — or on Independence Day in August.

On June 27 last year, the country was hit by a massive strike known as “NotPetya”, which knocked out Ukrainian IT systems before spreading around the world. The United States and Britain joined Ukraine in blaming Russia for the attack.

Demedyuk said the scale of the latest detected preparations was the same as NotPetya.

“This is support on a government level – very expensive and very synchronized. Without the help of government bodies it would not be possible. We’re talking now about the Russian Federation,” he said.

“Everything we’re seeing, everything we’ve intercepted in this period: 99 percent of the traces come from Russia.”

The Kremlin did not immediately respond to a request for comment.

Ukraine is better prepared to withstand such attacks thanks to cooperation with foreign allies since the NotPetya strike, Demedyuk said. Ukraine has received support from the U.S., Britain and NATO among others to beef up its cyber defenses.

But Demedyuk said some Ukrainian companies had not bothered to clean their computers after NotPetya struck, leaving machines still infected by the virus and vulnerable to being used for another attack.

“We are sounding the alarm to remind people – come to your senses, check your equipment,” he said. “It’s better to be on the safe side than clean up a mess like last time.”

He also appealed to global companies who were hit by NotPetya, including U.S. and European firms in Ukraine, to share details of their investigations and steps to localize the hack.

“They have a huge amount of very interesting evidence, which they store themselves. We would like it if they weren’t scared and approached us.”

(Additional reporting by Margarita Popova in Moscow; writing by Matthias Williams; editing by Philippa Fletcher)

France frets over internal threat two years after Paris attacks

A white rose hangs near a commemorative plaque facing the 'Le Carillon' bar and 'Le Petit Cambodge' during a ceremony marking the second anniversary of the Paris attacks of November 2015 in which 130 people were killed, in Paris, France, November 13, 2017.

By Marine Pennetier

PARIS (Reuters) – Two years after militants killed 130 people in coordinated attacks across Paris, French officials say there remains an unprecedented level of “internal” threat from both within and outside the country.

With Islamic State losing ground in Iraq and Syria, hundreds of French citizens – and in some cases their children – have started to return to France, leaving the government in a quandary over how to deal with them.

For the first time as president, Emmanuel Macron will pay tribute on Monday to the victims of the mass shootings and suicide bombing that took place across Paris and in the city’s northern suburb of Saint-Denis on Nov. 13, 2015.

The attacks, the deadliest on French soil since World War Two, prompted the country to strike back, joining international military operations targeting IS and other Islamist militant groups in Iraq, Syria, Libya and elsewhere.

There has also been the passage of more stringent French legislation, with the most recent law, effective this month, giving police extended powers to search properties, conduct electronic eavesdropping and shut mosques or other locations suspected of preaching hatred.

Conservative politicians say the regulations don’t go far enough, while human rights groups express alarm, saying security forces are being given too much freedom to curtail rights.

Macron – often parodied for his ‘on the one hand, on the other hand’ policy pronouncements – has emphasized the need to balance security and liberty. While he has ended the state of emergency brought in after the attacks, heavily armed soldiers still patrol the streets of Paris daily, and barely a week goes by without a police operation to round up suspects.

 

“MORE DISAPPOINTED THAN SORRY”

According to the interior ministry, extraordinary measures have helped intelligence agencies thwart more than 30 attacks in the last two years. Last week, the police arrested nine people and another was apprehended in Switzerland in a coordinated counter-terrorism operation.

“What worries us are plans for terrorist attacks prepared by teams that are still operating in fighting zones in Syria and Iraq,” Laurent Nunez, head of France’s internal intelligence agency DGSI told French daily Le Figaro in a rare interview.

The risk of a home-grown attack also remains strong, with a risk of more attacks from isolated individuals using “low-cost” methods such as cars or knives to kill, he said.

The hypothesis of a car bomb attack or suicide bomber cannot be excluded either although his services had not uncovered any such plan, he said.

Of particular concern is what to do about hundreds of French citizens who went to fight with IS and may now seek to return home, now that the militant group has lost nearly all the territory its self-proclaimed caliphate ruled in Syria and Iraq.

“We know that the will of the jihadists to take action is intact,” Nunez said.

Visiting Abu Dhabi last week, Macron said those returning would be studied on “a case-by-case” basis.

“Some of them will be coming back (by their own means), others will be repatriated and some, in specific circumstances, will be facing trial with their families in the countries where they are currently, Iraq in particular,” he said.

“A majority doesn’t want to come back to France given the legal proceedings they face upon their return. But some women, widows, with their children, are inclined to travel back,” French prosecutor Francois Molins said. “We should not be naive. We are dealing with people who are more ‘disappointed’ than ‘sorry.'”

(This version of the story adds dropped words in first paragraph)

 

(Writing by Matthias Blamont, additional reporting by Sybille de La Hamaide; Editing by Luke Baker, Peter Graff and Richard Balmforth)