With paper and phones, Atlanta struggles to recover from cyber attack

By Laila Kearney

ATLANTA (Reuters) – Atlanta’s top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyber attack that plunged the Southeastern U.S. metropolis into technological chaos and forced some city workers to revert to paper.

On an Easter and Passover holiday weekend, city officials labored in preparation for the workweek to come.

Police and other public servants have spent the past week trying to piece together their digital work lives, recreating audit spreadsheets and conducting business on mobile phones in response to one of the most devastating “ransomware” virus attacks to hit an American city.

Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists attacked Atlanta’s computer network with a virus that scrambled data and still prevents access to critical systems.

“It’s extraordinarily frustrating,” said Councilman Howard Shook, whose office lost 16 years of digital records.

One compromised city computer seen by Reuters showed multiple corrupted documents with “weapologize” and “imsorry” added to file names.

Ransomware attacks have surged in recent years as cyber extortionists moved from attacking individual computers to large organizations, including businesses, healthcare organizations and government agencies. Previous high-profile attacks have shut down factories, prompted hospitals to turn away patients and forced local emergency dispatch systems to move to manual operations.

Ransomware typically corrupts data and does not steal it. The city of Atlanta has said it does not believe private residents’ information is in the hands of hackers, but they do not know for sure.

City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department.

Nearly 6 million people live in the Atlanta metropolitan area. The Georgia city itself is home to more than 450,000 people, according to the latest data from the U.S. Census Bureau.

City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files.

“Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.

City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.

Noble discovered the disarray on March 22 when she turned on her computer to discover that files could not be opened after being encrypted by a powerful computer virus known as SamSam that renamed them with gibberish.

“I said, ‘This is wrong,’” she recalled.

City officials then quickly entered her office and told her to shut down the computer before warning the rest of the building.

Noble is working on a personal laptop and using her smartphone to search for details of current projects mentioned in emails stored on that device.

Not all computers were compromised. Ten of 18 machines in the auditing office were not affected, Noble said.

OLD-SCHOOL ANALOG

Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.

“Our data management teams are working diligently to restore normal operations and functionalities to these systems and hope to be back online in the very near future,” he said. By the weekend, he added, officers were returning to digital police reports.

Meanwhile, some city employees complained they have been left in the dark, unsure when it is safe to turn on their computers.

“We don’t know anything,” said one frustrated employee as she left for a lunch break on Friday.

FEEBLE

Like City Hall, whose 1930 neo-Gothic structure is attached to a massive modern wing, the city’s computer system is a combination of old and new.

“One of the reasons why municipalities are vulnerable is we just have so many different systems,” Noble said.

The city published results from a recent cyber-security audit in January, and had started implementing its recommendations before the ransomware virus hit. The audit called for better record-keeping and hiring more technology workers.

Councilman Shook said he is worried about how much the recovery will cost the city, but that he supports funding a cyber-security overhaul to counter future attacks.

For now his staff are temporarily sharing one aging laptop.

“Things are very slow,” he said. “It was a very surreal experience to be shut down like that.”

Mayor Keisha Lance Bottoms, who took office in January, has declined to say if the city paid the ransom ahead of a March 28 deadline mentioned in an extortion note whose image was released by a local television station.

Shook, who chairs the city council’s finance subcommittee, said he did not know whether the city is negotiating with the hackers, but that it appears no ransom has been paid to date.

The Federal Bureau of Investigation, which is helping Atlanta respond, typically discourages ransomware victims from paying up.

FBI officials could not immediately be reached for comment. A Department of Homeland Security spokesman confirmed the agency is helping Atlanta respond to the attack, but declined to comment further.

Hackers typically walk away when ransoms are not paid, said Mark Weatherford, a former senior DHS cyber official.

Weatherford, who previously served as California’s chief information security officer, said the situation might have been resolved with little pain if the city had quickly made that payment.

“The longer it goes, the worse it gets,” he said. “This could turn out to be really bad if they never get their data back.”

(Reporting by Laila Kearney; additional reporting by Jim Finkle; editing by Daniel Bases and Jonathan Oatis)

U.S. blames Russia for crippling 2017 ‘NotPetya’ cyber attack

A man poses inside a server room at an IT company in this June 19, 2017 illustration photo. REUTERS/Athit Perawongmetha/Illustration

By Dustin Volz

WASHINGTON (Reuters) – The United States on Thursday publicly blamed Russia for carrying out the so-called NotPetya cyber attack last year that crippled government and business computers in Ukraine before spreading around the world.

The statement by the White House came hours after the British government attributed the attack to Russia, a conclusion already reached and made public by many private sector cyber security experts.

The attack in June of 2017 “spread worldwide, causing billions of dollars in damage across Europe, Asia and the Americas,” White House Press Secretary Sarah Sanders said in a statement.

“It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict,” Sanders added. “This was also a reckless and indiscriminate cyber attack that will be met with international consequences.”

Earlier on Thursday Russia denied an accusation by the British government that it was behind the attack, saying it was part of a “Russophobic” campaign that it said was being waged by some Western countries.

(Reporting by Dustin Volz; Editing by Susan Heavey and Bill Rigby)

Thousands of FedEx customer records exposed by unsecured server

FILE PHOTO: A FedEx Office logo is pictured in Times Square in the Manhattan borough of New York, NY, U.S., April 2, 2017. REUTERS/Carlo Allegri/File Photo

By Eric M. Johnson

(Reuters) – Global package delivery company FedEx Corp <FDX.N> said on Thursday it has secured some of the customer identification records that were visible earlier this month on an unsecured server, and so far has found no evidence that private data was “misappropriated.”

The server stored more than 119,000 scanned documents from U.S. and international citizens, such as passports, driving licenses, and security identification, according to a report from security research firm Kromtech.

Kromtech said its researchers found the unsecured server on Feb. 5 and it was closed to public access on Wednesday.

The data was stored on an Amazon S3 storage server and collected by a company FedEx acquired in 2014, Bongo International, which calculated international shipping prices and provided other services. FedEx later discontinued the service.

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” FedEx spokesman Jim McCluskey said in a statement.

“We have found no indication that any information has been misappropriated and will continue our investigation,” McCluskey said.

McCluskey declined to elaborate on what portion of the records were secure, or whether FedEx had notified authorities. The incident affected a tiny portion of FedEx customers globally.

The exposure appears far less disruptive than a cyber attack last year on Fedex’s Dutch TNT Express unit, which slashed $300 million from its quarterly profit.

The Memphis, Tennessee-based company joined a string of companies that reported big drops in earnings because of the NotPetya virus, which hit on June 29, crippling Ukraine businesses before spreading worldwide to shut down shipping ports, factories and corporate offices.

(Reporting by Eric M. Johnson in Seattle; Editing by Jonathan Oatis)

U.S. Energy Department forming cyber protection unit for power grids

Former Texas Governor Rick Perry, U.S. President-elect Donald Trump's pick to lead the Department of Energy, meets with Senate Majority Leader Mitch McConnell (R-KY) on Capitol Hill in Washington, U.S. January 4, 2017. REUTERS/Jonathan Ernst

WASHINGTON (Reuters) – The U.S. Department of Energy (DOE) said on Wednesday it is establishing an office to protect the nation’s power grid and other infrastructure against cyber attacks and natural disasters.

President Donald Trump’s budget proposal unveiled this week included $96 million in funding for the Office of Cybersecurity, Energy Security, and Emergency Response.

Energy Secretary Rick Perry said the DOE “plays a vital role in protecting our nation’s energy infrastructure from cyber threats, physical attack and natural disaster, and as secretary, I have no higher priority.”

Last July, the DOE helped U.S. firms defend against a hacking campaign that targeted power companies including at least one nuclear plant. The agency said that the attacks did not have an impact on electricity generation or the grid, and that any impact appeared to be limited to administrative and business networks.

The previous month, the U.S. Department of Homeland Security and the Federal Bureau of Investigation had issued an alert to industrial companies, warning that for months hackers had targeted nuclear reactors and other power industry infrastructure, using tainted emails to harvest credentials and gain access to networks.

In some cases hackers succeeded in compromising the networks of their targets, but the report did not identify specific victims.

Nuclear power experts, such as Dave Lochbaum at the Union of Concerned Scientists nonprofit group, have said reactors have a certain amount of immunity from cyber attacks because their operation systems are separate from digital business networks. But over time it would not be impossible for hackers to potentially do harm, he said.

(Reporting by Timothy Gardner; Editing by Jeffrey Benkoe)

More Russian cyber attacks on elections ‘likely’: U.S. intelligence chief

Federal Bureau of Investigation (FBI) Director Christopher Wray; Central Intelligence Agency (CIA) Director Mike Pompeo; and Director of National Intelligence (DNI) Dan Coats testify before a Senate Intelligence Committee hearing on "World Wide Threats" on Capitol Hill in Washington, U.S., February 13, 2018. REUTERS/Leah Millis

WASHINGTON (Reuters) – U.S. Director of National Intelligence Dan Coats said on Tuesday that Russia, as well as other foreign entities, were “likely” to pursue more cyber attacks on U.S. and European elections.

“Persistent and disruptive cyber operations will continue against the United States and our European allies using elections as opportunities to undermine democracy,” Coats said at an annual Senate Intelligence Committee hearing on worldwide threats.

(Reporting by Patricia Zengerle and Doina Chiacu; Editing by Bernadette Baum)

‘Olympic Destroyer’ malware targeted Pyeongchang Games: firms

Performers appear during the opening ceremonies at the 2018 Winter Olympics at the Pyeongchang Olympic Stadium in Pyeongchang, South Korea February 9, 2018. REUTERS/Christof Stache/File Photo

By Jim Finkle

(Reuters) – Several U.S. cyber security firms said on Monday that they had uncovered a computer virus dubbed “Olympic Destroyer” that was likely used in an attack on Friday’s opening ceremony of the Pyeongchang Winter Games.

Games organizers confirmed the attack on Sunday, saying that it affected internet and television services but did not compromise critical operations. Organizers did not say who was behind the attack or provide a detailed discussion of the malware, though a spokesman said that all issues had been resolved as of Saturday.

Researchers with cyber security firms Cisco Systems Inc, CrowdStrike and FireEye Inc said in blog posts and statements to Reuters on Monday that they had analyzed computer code they believed was used in Friday’s attack.

All three security companies said the Olympic Destroyer malware was designed to knock computers offline by deleting critical system files, which would render the machines useless.

The three firms said they did not know who was behind the attack.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” Cisco said in its blog.

The attack took the Olympics website offline, which meant that some people could not print out tickets and WiFi used by reporters covering the games did not work during the opening ceremony, according to Cisco.

The attack did not affect the performance of drones, which were initially scheduled to be included in the opening ceremony, but later pulled from the program, organizers said in a statement.

The drone light show was canceled because there were too many spectators standing in the area where it was supposed to take place, the statement said.

(Reporting by Jim Finkle in Toronto; Editing by David Gregorio, Andrew Hay and Cynthia Osterman)

U.S. blames North Korea for ‘WannaCry’ cyber attack


(In 13th paragraph of Dec. 18 item, corrects to indicate that a separate attack was launched in June that affected FedEx computers)

By Dustin Volz

WASHINGTON (Reuters) – The Trump administration has publicly blamed North Korea for unleashing the so-called WannaCry cyber attack that crippled hospitals, banks and other companies across the globe earlier this year.

“The attack was widespread and cost billions, and North Korea is directly responsible,” Tom Bossert, homeland security adviser to President Donald Trump, wrote in a piece published on Monday night in the Wall Street Journal.

“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” Bossert wrote. “WannaCry was indiscriminately reckless.”

The White House was expected to follow up on Tuesday with a more formal statement blaming Pyongyang, according to a senior administration official.

The U.S. government has assessed with a “very high level of confidence” that a hacking entity known as Lazarus Group, which works on behalf of the North Korean government, carried out the WannaCry attack, said the official, who spoke on condition of anonymity to discuss details of the government’s investigation.

Lazarus Group is widely believed by security researchers and U.S. officials to have been responsible for the 2014 hack of Sony Pictures Entertainment that destroyed files, leaked corporate communications online and led to the departure of several top studio executives.

North Korean government representatives could not be immediately reached for comment. The country has repeatedly denied responsibility for WannaCry and called other allegations about cyber attacks a smear campaign.

Washington’s public condemnation does not include any indictments or name specific individuals, the administration official said, adding the shaming was designed to hold Pyongyang accountable for its actions and “erode and undercut their ability to launch attacks.”

The accusation comes as worries mount about North Korea’s hacking capabilities and its nuclear weapons program.

‘PATTERN OF MISBEHAVING’

Many security researchers, including the cyber firm Symantec, as well as the British government, have already concluded that North Korea was likely behind the WannaCry attack, which quickly unfurled across the globe in May to infect more than 300,000 computers in 150 countries.

Considered unprecedented in scale at the time, WannaCry knocked British hospitals offline, forcing thousands of patients to reschedule appointments and disrupted infrastructure and businesses around the world.

The attack originally looked like a ransomware campaign, where hackers encrypt a targeted computer and demand payment to recover files. Some experts later concluded the ransom threat may have been a distraction intended to disguise a more destructive intent.

A separate but similar attack in June, known as NotPetya, hit Ukraine and other nations and caused an estimated $300 million in damages to international shipper FedEx.

Some researchers have said they believed WannaCry was deployed accidentally by North Korea as hackers were developing the code. The senior administration official declined to comment about whether U.S. intelligence was able to discern if the attack was deliberate.

“What we see is a continued pattern of North Korea misbehaving, whether destructive cyber attacks, hacking for financial gain, or targeting infrastructure around the globe,” the official said.

WannaCry was made possible by a flaw in Microsoft’s Windows software, which was discovered by the U.S. National Security Agency and then used by the NSA to build a hacking tool for its own use.

In a devastating NSA security breach, that hacking tool and others were published online by the Shadow Brokers, a mysterious group that regularly posts cryptic taunts toward the U.S. government.

The fact that WannaCry was made possible by the NSA led to sharp criticism from Microsoft President Brad Smith and others who believe the NSA should disclose vulnerabilities it finds so that they can be fixed, rather than hoarding that knowledge to carry out attacks.

Smith said WannaCry provided “yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”

U.S. officials have pushed back on those assertions, saying the administration discloses most computer flaws that government agencies detect.

Last month, the White House published its rules for deciding whether to disclose cyber security flaws or keep them secret as part of an effort to be more transparent about the inter-agency process involved in weighing disclosure.

(Reporting by Dustin Volz; Editing by Jonathan Weber and Peter Cooney)

Hackers halt plant operations in watershed cyber attack


By Jim Finkle

(Reuters) – Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.

FireEye Inc <FEYE.O> disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE <SCHN.PA>.

Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

FireEye and Schneider declined to identify the victim, industry or location of the attack. Cyber-security company Dragos said the hackers targeted an organization in the Middle East, while a second firm, CyberX, said it believes the victim was in Saudi Arabia.

It marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on breaking into utilities, factories and other types of critical infrastructure, cyber experts said.

Compromising a safety system could let hackers shut it down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.

Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant, said Galina Antova, co-founder of cyber-security firm Claroty.

“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”

In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system, then sought to reprogram controllers used to identify safety issues. Some controllers entered a fail-safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.

FireEye believes the attacker’s actions inadvertently caused the shutdown while probing the system to learn how it worked, said Dan Scali, who led FireEye’s investigation.

The attackers were likely conducting reconnaissance to learn how they could modify safety systems so they would not operate in the event that the hackers intended to launch an attack that disrupted or damaged the plant, he said.

PUBLIC WARNINGS

The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.

CyberX Vice President Phil Neray said his firm found evidence that the malware was deployed in Saudi Arabia, which could suggest that Iran may be behind the attack.

Security researchers widely believe that Iran was responsible for a series of attacks on Saudi Arabian networks in 2012 and 2017 using a virus known as Shamoon.

Schneider provided Reuters with a customer security alert, dated Wednesday, which said it was working with the U.S. Department of Homeland Security to investigate the attack.

“While evidence suggests this was an isolated incident and not due to a vulnerability in the Triconex system or its program code, we continue to investigate whether there are additional attack vectors,” the alert said.

Department of Homeland Security spokesman Scott McConnell said the agency was looking into the matter “to assess the potential impact on critical infrastructure.”

The malware, which FireEye has dubbed Triton, is only the third type of computer virus discovered to date that is capable of disrupting industrial processes.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The second, known as Crash Override or Industroyer, was discovered last year by researchers who said it was likely used in a December 2016 attack that cut power in Ukraine.

(Reporting by Jim Finkle in Toronto; Editing by Susan Thomas)

UK shipping firm Clarkson reports cyber attack


(Reuters) – British shipping services provider Clarkson Plc <CKN.L> on Wednesday said it was the victim of a cyber security hack and warned that the person or persons behind the attack may release some data shortly.

The company’s disclosure, while a relatively rare event in Britain, follows a series of high-profile hacks in corporate America.

Clarkson is one of the world’s main shipbrokers, sourcing vessels for the world’s largest producers and traders of natural resources. It also has a research operation which collects and analyses data on merchant shipping and offshore markets.

The London-headquartered company said it had been working with the police on the incident but did not provide any details about the scale or type of data stolen.

“As soon as it was discovered, Clarksons took immediate steps to respond to and manage the incident,” the company said.

“Our initial investigations have shown the unauthorized access was gained via a single and isolated user account which has now been disabled.”

The company said it is in the process of contacting potentially affected clients and individuals directly, and that it has been working with data security specialists to probe further.

(Reporting by Rahul B in Bengaluru; Editing by Maju Samuel and Patrick Graham)

Millions of insecure gadgets exposed in European cities: report


LONDON (Reuters) – A year after a wave of denial-of-service attacks knocked out major websites around the world, millions of unsecured printers, network gear and webcams remain undefended against attack across major European cities, a report published on Tuesday said.

Computer security company Trend Micro <4704.T> said that Berlin has more than 2.8 million insecure devices, followed closely by London with more than 2.5 million exposed gadgets. Among the top 10 capitals, Rome was lowest with nearly 300,000 visible unsecured devices, the researchers said.

The study was based on calculating the number of exposed devices in major European cities using Shodan, a search engine that helps to identify internet-linked equipment.

Trend Micro said that electronics users must take responsibility for managing their own internet-connected devices because of the failure by many gadget manufacturers to build in up-front security by default in their products.

The warning comes one year after a wave of attacks using so-called botnets of infected devices caused outages on popular websites and knocked 900,000 Deutsche Telekom <DTEGn.DE> users off the internet. (http://reut.rs/2BjdRII)

Computer experts say the failure to patch millions of insecure devices after last year’s Mirai denial-of-service attacks means it is only a question of time before further broad-based outages occur.

Research company Gartner recently forecast that there would be 8.4 billion connected products or devices in 2017, up 31 percent from 2016, and expects the number to triple by 2020. (https://goo.gl/thR54Q)

(Reporting by Jamillah Knowles; Editing by Eric Auchard and David Goodman)