NATO likely to designate cyber as operational domain of war


BERLIN (Reuters) – NATO members will likely agree during a summit meeting in Warsaw next month to designate cyber as an official operational domain of warfare, along with air, sea, land and space, a senior German defense ministry official said Wednesday.

Major General Ludwig Leinhos, who heads the German military’s effort to build up a separate cyber command, told a conference at the Berlin air show that he expected all 28 NATO members to agree to the change during the coming Warsaw summit.

Leinhos, who previously held a senior job at NATO headquarters, said he also expected NATO members to agree to intensify their efforts in the cyber security arena.

The United States announced in 2011 that it viewed cyberspace as an operational domain of war, and said it would respond to hostile attacks in cyberspace as it would to any other threat.

Evert Dudok, a senior official with Europe’s largest aerospace company Airbus Group SE, called for adoption of Europe-wide or global standards in the cyber arena.

(Reporting by Andrea Shalal)

Trail in cyber heist suggests hackers were Chinese: senator


By Karen Lema

MANILA (Reuters) – A Philippine senator said on Wednesday that Chinese hackers were likely to have pulled off one of the world’s biggest cyber heists at the Bangladesh central bank, citing the network of Chinese people involved in the routing of the stolen funds through Manila.

Unidentified hackers infiltrated the computers at Bangladesh Bank in early February and tried to transfer a total of $951 million from its account at the Federal Reserve Bank of New York.

All but one of the 35 attempted transfers were to the Rizal Commercial Banking Corp (RCBC), confirming the Philippines’ centrality to the heist.

Most transfers were blocked, but a total of $81 million went to four accounts at a single RCBC branch in Manila. The stolen money was swiftly transferred to a foreign exchange broker and distributed to casinos and gambling agents in Manila.

“The hacking was done, chances are, by Chinese hackers,” Senator Ralph Recto told Reuters in a telephone interview. “Then they saw that, in the Philippines, RCBC particularly was vulnerable and sent the money over here.”

Beijing was quick to denounce the comments by Recto, vice chairman of the Senate Committee on Finance and a former head of the Philippines’ economic planning agency.

The suggestion that Chinese hackers were possibly involved was “complete nonsense” and “really irresponsible,” Chinese foreign ministry spokesman Lu Kang told reporters.

Recto said he couldn’t prove the hackers were Chinese, but was merely “connecting the dots” after a series of Senate hearings into the scandal.

At one hearing, a Chinese casino boss and junket operator called Kim Wong named two high-rolling gamblers from Beijing and Macau who he said had brought the stolen money into the Philippines. He displayed purported copies of their passports, showing they were mainland Chinese and Macau administrative region nationals respectively.

“BEST LEAD”

Wong, a native of Hong Kong who holds a Chinese passport, received almost $35 million of the stolen funds through his company and a foreign exchange broker.

The two Chinese named by Wong “are the best lead to determine who are the hackers,” said Recto. “Chances are… they must be Chinese.”

The whereabouts of the two high-rollers were unknown, Recto added, saying the Senate inquiry “may” seek help from the Chinese government to find them.

Recto also questioned the role of casino junket operators in the Philippines, saying many of them have links in Macau, the southern Chinese territory that is the world’s biggest casino hub. “There are junket operators who are from Macau, so it (the money) may find its way back to Macau,” he said.

A senior executive at a top junket operator in Macau told Reuters there was “no reason” to bring funds from the Philippines to Macau.

“This seems more like a political story in the Philippines,” he said, speaking anonymously because he was not authorized to talk to the media.

The U.S. State Department said in a report last month that the gaming industry was “a weak link” in the Philippines’ anti-money laundering regime.

Philrem, the foreign exchange agent, said it distributed the stolen $81 million to Bloomberry Resorts Corp, which owns and operates the upmarket Solaire casino in Manila; to Eastern Hawaii Leisure Company, which is owned by Wong; and to an ethnic Chinese man believed to be a junket operator in Manila.

Wong has returned $5.5 million to the Philippines’ anti-money laundering agency and has promised to hand over another $9.7 million. A portion of the money he received, he said, has already been spent on gambling chips for clients.

Solaire has told the Senate hearing that the $29 million that ended up with them was credited to an account of the Macau-based high-roller but it has managed to seize and confiscate $2.33 million in chips and cash.

(Writing by Andrew R.C. Marshall; Additional reporting by Farah Master in Hong Kong; Editing by Raju Gopalakrishnan)

U.S. hospitals face growing ransomware threat


By Jim Finkle

(Reuters) – U.S. hospitals should brace for a surge in “ransomware” attacks by cyber criminals who infect and shut down computer networks, then demand payment in return for unlocking them, a non-profit healthcare group warned on Friday.

The Health Information Trust Alliance conducted a study of some 30 mid-sized U.S. hospitals late last year and found that 52 percent of them were infected with malicious software, HITRUST Chief Executive Daniel Nutkis told Reuters.

The most common type of malware was ransomware, Nutkis said, which was present in 35 percent of the hospitals included in the study of network traffic conducted by security software maker Trend Micro Inc.

Ransomware is malicious software that locks up data in computers and leaves messages demanding payment to recover the data. Last month, Hollywood Presbyterian Hospital in Los Angeles paid a ransom of $17,000 to regain access to its systems.

This week, an attack on MedStar Health forced the largest healthcare provider in Washington, D.C., to shut down much of its computer network. The Baltimore Sun reported a ransom of $18,500 was sought. MedStar declined to comment.

HITRUST said it expects such attacks to become more frequent because ransomware has turned into a profitable business for cyber criminals.

The results of the study, which HITRUST has yet to share with the public, demonstrate that hackers have moved away from focusing on stealing patient data, Nutkis said.

“If stuff isn’t working, they move on. If stuff is working, they keep doing it,” said Nutkis. “Organizations that are paying have considered their options, and unfortunately they don’t have a lot of options.”

Extortion has become more popular with cyber criminals because it is seen as a way to generate fast money, said Larry Whiteside, a healthcare expert with cyber security firm Optiv.

Stealing healthcare data is far more labor intensive, requiring attackers to keep their presence in a victim’s network undetected for months as they steal data, then they need to find buyers, he added.

“With ransomware I’m going to get paid immediately,” Whiteside said.

Frisco, Texas-based HITRUST’s board includes executives from Anthem, Health Care Services, Humana, UnitedHealth and Walgreens.

(Reporting by Jim Finkle; By Tiffany Wu)

Washington’s MedStar computers down for second day after virus

By Jim Finkle

(Reuters) – MedStar Health’s computer systems remained offline on Tuesday for the second straight day after the non-profit, one of the biggest medical service providers in the U.S. capital region, shut down parts of its network to stem the spread of a virus.

MedStar spokeswoman Ann Nickels said she did not know when the systems would be restored or what type of virus had infected the network.

“Medical services continue,” she said in an interview. When asked if elective procedures would be performed, she said that would be determined “case by case.”

The non-profit, which runs 10 hospitals and some 250 outpatient facilities in Washington and Maryland, said Monday on its Facebook page that its computer network was infected by a virus that prevented some users from logging into the system early that day. MedStar quickly decided to take down “all system interfaces to prevent the virus from spreading” and moved to backup systems for paper record-keeping, the post said.

Nickels said she had no further information about the attack: “We are actively investigating.”

The FBI said on Monday that it was looking into the incident at MedStar, which is one of the largest medical providers to have operations interrupted by malicious software.

The discovery came after several recent attacks on U.S. hospitals by cyber extortionists using software known as ransomware, which encrypts data and demands that users pay to get it unlocked.

Last month, Hollywood Presbyterian Hospital in Los Angeles paid $17,000 to regain access to its systems after such an attack.

Security blogger Brian Krebs last week reported that Henderson, Kentucky-based Methodist Hospital declared a state of emergency after falling victim to a ransomware attack.

(Reporting by Jim Finkle; Additional reporting by Dustin Volz; Editing by Lisa Von Ahn)

FBI issues ransomware alert, requests help from U.S. businesses


(Reuters) – The FBI is asking businesses and software security experts for emergency assistance in its investigation into a pernicious new type of “ransomware” virus used by hackers for extortion.

“We need your help!” the Federal Bureau of Investigation said in a confidential “Flash” advisory that was dated March 25 and obtained by Reuters over the weekend.

Ransomware is malicious software that encrypts a victim’s data so they cannot gain access to it on their computers, then offers to unlock the system in exchange for payment.

Friday’s FBI alert was focused on ransomware known as MSIL/Samas.A that the agency said seeks to encrypt data on entire networks, an alarming change because typically, ransomware has sought to encrypt data one computer at a time.

The plea asked recipients to immediately contact the FBI’s CYWATCH cyber center if they find evidence that they have been attacked or have other information that might help in its investigation.

It is the latest in a series of FBI advisories and warnings from security researchers about new ransomware tools and techniques.

“This is basically becoming a national cyber emergency,” said Ben Johnson, co-founder of Carbon Black, a cyber security firm that on Friday uncovered another type of ransomware that seeks to attack PCs through infected Microsoft Word documents.

The FBI first reported on MSIL/Samas.A in a Feb. 18 alert that lacked the urgency of Friday’s warning. The February message contained some technical details but did not call for help. It said that MSIL/Samas.A targets servers running out-of-date versions of a type of business software known as JBOSS.

In its latest report, the FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.

The FBI provided a list of technical indicators to help companies determine if they were victims of such an attack.

“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” the advisory said.
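The article does not reproduce the FBI’s indicator list, but the attack chain it describes (a scanner probing for reachable JBoss management and invoker endpoints, then remote deployment across the network) leaves a recognisable trace in ordinary web server access logs. The following is an added example, not code from the article, the FBI advisory or the JexBoss project: it parses common-log-format lines and reports which clients touched JBoss deployment endpoints and which of those endpoints actually answered. The log lines are constructed for the example, and the endpoint list is this example’s assumption about the paths such scanners are known to probe, not the FBI’s indicators.

```python
"""
Added example (not from the Reuters article, the FBI advisory or JexBoss):
flag reconnaissance against JBoss management/invoker endpoints in web
server access logs. Log lines are constructed; the endpoint list is an
assumption of this example, not the FBI's indicator list.
"""
import re
from collections import defaultdict

# JBoss AS paths that should never be reachable from untrusted networks.
# Scanners such as JexBoss are known to request these; reaching them with
# a 200 typically means remote deployment of arbitrary code is possible.
JBOSS_SENSITIVE_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

# Common log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_jboss_probe(path):
    # Drop the query string first; scanners append parameters to some probes.
    bare = path.split("?", 1)[0]
    return any(bare.startswith(prefix) for prefix in JBOSS_SENSITIVE_PATHS)


def find_probes(lines):
    """Map client IP -> [(path, status), ...] for requests to sensitive JBoss paths."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_jboss_probe(rec["path"]):
            hits[rec["ip"]].append((rec["path"], int(rec["status"])))
    return dict(hits)


def exposed_endpoints(hits):
    """Probed paths that answered 200: the host is reachable, not merely scanned."""
    return sorted({
        path.split("?", 1)[0]
        for records in hits.values()
        for path, status in records
        if status == 200
    })


# Constructed sample log: one scanner host, one ordinary client, one bad line.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2016:10:15:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 1532',
    '203.0.113.7 - - [25/Mar/2016:10:15:02 +0000] "GET /web-console/Invoker HTTP/1.1" 200 210',
    '203.0.113.7 - - [25/Mar/2016:10:15:04 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 88',
    '198.51.100.4 - - [25/Mar/2016:10:16:10 +0000] "GET /index.html HTTP/1.1" 200 4021',
    '198.51.100.4 - - [25/Mar/2016:10:16:11 +0000] "GET /admin-console/login.seam HTTP/1.1" 404 312',
    'this line is not in common log format',
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, records in probes.items():
        print(ip, records)
    print("reachable JBoss endpoints:", exposed_endpoints(probes))
```

A client that hits several of these paths in a few seconds is scanning; any path in the exposed list is an endpoint that should be firewalled or removed before it is used to push a payload across the network.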

FBI representatives did not respond to requests for comment on the confidential warning.

The sectors hardest hit by ransomware include industries that rely on computer access for performing critical functions, such as healthcare and law enforcement. Publicly reported attacks in which hospitals and police have paid ransoms, then recovered data, have encouraged attackers to further target those groups, cyber security experts said.

(Reporting by Jim Finkle; editing by Grant McCool)

U.S. charges three Syrian hackers, Justice Department says

WASHINGTON (Reuters) – U.S. authorities have charged three Syrian nationals who are current or former members of the Syrian Electronic Army with multiple conspiracies related to computer hacking, the U.S. Justice Department said on Tuesday.

Ahmad Umar Agha, 22, and Firas Dardar, 27, were charged with a criminal conspiracy that included “a hoax regarding a terrorist attack” and “attempting to cause mutiny of the U.S. armed forces,” the department said in a statement. Dardar and Peter Romar, 36, were separately charged with other conspiracies, it said.

The FBI announced on Tuesday it was adding Agha and Dardar to its Cyber Most Wanted list and offering a reward of $100,000 for information leading to their arrest, the statement said.

Agha and Dardar, who are believed to reside in Syria, began their criminal activities in or around 2011 under the name of the Syrian Electronic Army in support of the Syrian government, the statement said.

In June 2015, the U.S. Army said it temporarily took down its website after the Syrian Electronic Army hacked into the site and posted messages.

(Reporting by Washington Newsroom)

Chinese hackers behind U.S. ransomware attacks, security firms say

(Reuters) – Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said.

Ransomware, which involves encrypting a target’s computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.

But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.

“It is obviously a group of skilled operators that have some amount of experience conducting intrusions,” said Phil Burdette, who heads an incident response team at Dell SecureWorks.

Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.

The victims included a transportation company and a technology firm that had 30 percent of its machines captured.

Security firms Attack Research, InGuardians and G-C Partners, said they had separately investigated three other similar ransomware attacks since December.

Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.

The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.

Asked about the allegations, China’s Foreign Ministry said on Tuesday that if they were made with a “serious attitude” and reliable proof, China would treat the matter seriously.

But ministry spokesman Lu Kang said China did not have time to respond to what he called “rumors and speculation” about the country’s online activities.

The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.

Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.

Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.

It is also possible, Burdette said, that companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and that spies or their associates were taking as much as they could on the way out. In one of Dell’s cases, the means of access by the team spreading ransomware was established in 2013.

The cyber security experts could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.

Dell said that some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a record of years of attacks of interest to the Chinese government, including those on U.S. defense companies and sites that draw Chinese minorities.

PAYMENT IN BITCOIN

Ransomware has been around for years, spread by some of the same people that previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.

In the past two years, better encryption techniques have often made it impossible for victims to regain access to their files without cooperation from the hackers. Many ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay.

Security software companies have warned that because the aggregate payoffs for ransomware gangs are increasing, more criminals will shift to it from credit card theft and other complicated scams.

The involvement of more sophisticated hackers also promises to intensify the threat.

InGuardians CEO Jimmy Alderson said one of the cases his company investigated appeared to have been launched with online credentials stolen six months earlier in a suspected espionage hack of the sort typically called an Advanced Persistent Threat, or APT.

“The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab,” Alderson said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Clarence Fernandez)

North Korea tried to hack South’s railway system, spy agency claims

SEOUL (Reuters) – North Korea has tried to hack into email accounts of South Korean railway workers in an attempt to attack the transport system’s control system, South Korea’s spy agency said on Tuesday.

South Korea has been on heightened alert against the threat of cyberattacks by North Korea after it conducted a nuclear test in January and a long-range rocket launch last month, triggering new U.N. sanctions.

South Korea had previously blamed the North for cyberattacks against its nuclear power operator. North Korea denied that.

South Korea’s National Intelligence Service (NIS) said in a statement it had interrupted the hacking attempt against the railway workers and closed off their email accounts.

The agency issued the statement after an emergency meeting with other government agencies on the threat of cyberattacks by the North.

The agency detected hacking attempts by the North against workers for two regional railway networks this year, the spy agency said.

“The move was a step to prepare for cyber terror against the railway transport control system,” the agency said.

It did not elaborate on what it thought North Korea’s specific objective was in hacking into the system. An agency official reached by telephone declined to comment.

North Korea has been working for years to develop the ability to disrupt or destroy computer systems that control public services such as telecommunications and other utilities, according to a defector from the North.

The United States accused North Korea of a cyberattack against Sony Pictures in 2014 that led to the studio cancelling the release of a comedy based on the fictional assassination of the country’s leader, Kim Jong Un.

North Korea denied the accusation.

In 2013, South Korea blamed the North for crippling cyber-attacks that froze the computer systems of its banks and broadcasters for days.

New fears of attacks on South Korea’s computer systems came as South Korean and U.S. troops conducted large-scale military exercises which North Korea denounced as “nuclear war moves” and threatened to respond with an all-out military offensive.

(Reporting by Jack Kim and Ju-min Park; Editing by Robert Birsel)

Mac ransomware caught before large number of computers infected

(Reuters) – The first known ransomware attack on Apple Inc’s Mac computers, which was discovered over the weekend, was downloaded more than 6,000 times before the threat was contained, according to a developer whose product was tainted with the malicious software.

Hackers infected Macs with the “KeRanger” ransomware through a tainted copy of Transmission, a popular program for transferring data through the BitTorrent peer-to-peer file sharing network.

So-called ransomware is a type of malicious software that restricts access to a computer system in some way and demands the user pay a ransom to the malware operators to remove the restriction.

KeRanger, which locks data on Macs so users cannot access it, was downloaded about 6,500 times before Apple and developers were able to thwart the threat, said John Clay, a representative for the open-source Transmission project.

That is small compared to the number of ransomware attacks on computers running Microsoft Corp’s Windows operating system. Cyber security firm Symantec Corp observed some 8.8 million attacks in 2014 alone.

Still, cyber security experts said they expect to see more attacks on Macs as the KeRanger hackers and other groups look for new ways to infect Mac computers.

“It’s a small number but these things always start small and ramp up huge,” said Fidelis Cybersecurity threat systems manager John Bambenek. “There’s a lot of Mac users out there and a lot of money to be made.”

Symantec, which sells anti-virus software for Macs, warned on its blog that “Mac users should not be complacent.” The post offered tips on protecting against ransomware.

The Transmission project provided few details about how the attack was launched.

“The normal disk image (was) replaced by the compromised one” after the project’s main server was hacked, said Clay.

He added that “security on the server has since been increased” and that the group was in “frequent contact” with Apple as well as Palo Alto Networks, which discovered the ransomware on Friday and immediately notified Apple and Transmission.

An Apple representative said the company quickly took steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs.

Transmission responded by removing the malicious 2.90 version of its software from its website. On Sunday, it released version 2.92, which its website says automatically removes the ransomware from infected Macs.
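The attack as described swapped the disk image on the project’s own download server, so any checksum published next to the download would have been swapped with it; only a digest obtained through a channel the attacker did not control (a signed release manifest, a package manager’s pinned hash, a prior out-of-band note) would have caught the replacement. The following is an added example, not code from Transmission, Apple, Palo Alto Networks or the article, showing that difference. The image bytes and all digests are constructed for the example.

```python
"""
Added example (not from Transmission, Apple or the article): verify a
downloaded artifact against a digest pinned through an independent
channel, and show why a digest served beside the download on the same
server proves nothing once that server is compromised. All bytes and
digests here are constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, trusted_digest_hex: str) -> bool:
    """Compare the artifact's SHA-256 with a pinned digest in constant time."""
    return hmac.compare_digest(sha256_hex(data), trusted_digest_hex)


# Constructed stand-ins for the genuine installer and the replaced one.
GENUINE_IMAGE = b"Transmission-2.90.dmg: genuine build (constructed example bytes)"
TAMPERED_IMAGE = b"Transmission-2.90.dmg: build with added payload (constructed example bytes)"

# Digest recorded out of band before the server was compromised, e.g. from a
# signed release announcement or a package manager's lockfile (assumption of
# this example; the project's actual release process is not described).
PINNED_DIGEST = sha256_hex(GENUINE_IMAGE)


def server_published_digest(image: bytes) -> str:
    """Models a checksum published next to the download on the same server.
    An attacker who replaced the image can regenerate this too."""
    return sha256_hex(image)


def check_both_channels(image: bytes) -> dict:
    """Report whether each verification channel accepts the image."""
    return {
        "same_server_hash_matches": verify_download(image, server_published_digest(image)),
        "pinned_hash_matches": verify_download(image, PINNED_DIGEST),
    }


if __name__ == "__main__":
    for label, image in (("genuine", GENUINE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(label, check_both_channels(image))
```

The same-server check passes for both images; only the pinned digest rejects the tampered one. Code signing plays the same role here: the certificate revocation the article describes removed the attacker’s ability to pass the platform’s trust check, which is independent of the download server.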

Forbes earlier reported on the number of KeRanger downloads, citing Clay.

(Reporting by Jim Finkle; Editing by Cynthia Osterman and Bill Rigby)

National Guard may join cyber offense against Islamic State, Carter says

JOINT BASE LEWIS-MCCHORD, Washington (Reuters) – U.S. Defense Secretary Ash Carter said the National Guard’s cyber squadrons will play an increasingly important role in assessing the vulnerabilities of U.S. industrial infrastructure and could be asked to join the fight against Islamic State.

The National Guard – a reserve military force that resides in the states but can be mobilized for national needs – is a key part of the military’s larger effort to set up over 120 cyber squadrons to respond to cyber attacks and prevent them.

One such unit, the 262nd squadron, is a 101-person team that includes employees of Microsoft Corp and Alphabet Inc’s Google. The unit is “famous throughout the country” for several high profile vulnerability assessments, Carter said at the Joint Base Lewis-McChord in Tacoma, Washington late on Friday.

He told reporters the squadron was not currently engaging in offensive cyber missions but could be in the future.

“Units like this can also participate in offensive cyber operations of the kind that I have stressed we are conducting, and actually accelerating, in Iraq and Syria, to secure the prompt defeat of ISIL, which we need to do and will do,” Carter said. “We’re looking for ways to accelerate that, and cyber’s one of them.”

The 262nd squadron’s work includes a study last year on the control system used by Snohomish County Public Utility District in Washington state, which helped the utility strengthen its security, and a 2010 case in which the U.S. Air Force briefly lost contact with 50 Minuteman III intercontinental ballistic missiles.

The 2010 assessment cost about $20,000, much less than the $150,000 that a private sector company would likely charge, said Lieutenant Colonel Kenneth Borchers, deputy commander of the 252nd Cyber Operations Group, which oversees the 262nd squadron.

Borchers said the squadron is the only National Guard group that currently assesses industrial control systems, but it is now looking to train others. It is also studying the security of big weapons programs, such as the B-52 bomber.

Using National Guard units for such work made sense because it allowed the military to benefit from private sector cyber experts, Carter said.

“It brings in the high-tech sector in a very direct way to the mission of protecting the country,” he told reporters. “And we’re absolutely going to do more of it.”

(Reporting by Andrea Shalal, editing by Tiffany Wu)