Tag Archives: Cyber Attack

NotPetya hackers likely behind BadRabbit attack: researchers

NotPetya hackers likely behind BadRabbit attack: researchers

By Jack Stubbs

MOSCOW (Reuters) – Technical indicators suggest a cyber attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analyzed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the U.S. National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence Bad Rabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried about by a hacking group widely known as Black Energy, which some cyber experts say works in favor of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

(Additional reporting by Eric Auchard; Editing by Jim Finkle/Mark Heinrich)

U.S. warns public about attacks on energy, industrial firms

U.S. warns public about attacks on energy, industrial firms

By Jim Finkle

(Reuters) – The U.S government issued a rare public warning about hacking campaigns targeting energy and industrial firms, the latest evidence that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed via email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Homeland Security and FBI representatives could not be reached for comment on Saturday morning.

Robert Lee, an expert in securing industrial networks, said the report describes activities from two or three groups that have stolen user credentials and spied on organizations in the United States and other nations, but not launched destructive attacks.

“This is very aggressive activity,” said Lee, chief executive of cyber-security firm Dragos.

He said the report appears to describe groups working in the interests of the Russian government, though he declined to elaborate.  Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

Government agencies and energy firms previously declined to identify any of the victims in the attacks described in June’s confidential report.

(Reporting by Jim Finkle in Toronto; Editing by Nick Zieminski)

Ukraine says cyber attack may strike in next few days

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

KIEV (Reuters) – The government of Ukraine, which was victim of a major cyber attack earlier this year, told businesses on Friday to make sure their networks were protected because of intelligence suggesting that another attack may be in the works.

Ukraine’s state security service SBU and the state-run Computer Emergency Response Team (CERT) said the attack could take place Oct. 13-17 when Ukraine celebrates Defender of Ukraine Day.

Ukraine, which believes Russia is behind regular attacks on its computer systems, is trying to roll out a national strategy to keep state institutions and major companies safe. Moscow denies that it is behind cyber attacks on its neighbor.

The security agencies said that a new attack may be similar to the NotPetya computer virus which struck on June 27 taking down computers in Ukrainian government agencies and businesses before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.

 

(Reporting by Pavel Polityuk; editing by Peter Graff)

 

SWIFT says hackers still targeting bank messaging system

FILE PHOTO : The Swift bank logo is pictured in this photo illustration taken April 26, 2016. REUTERS/Carlo Allegri/File Photo

By Jim Finkle

TORONTO (Reuters) – Hackers continue to target the SWIFT bank messaging system, though security controls instituted after last year’s $81 million heist at Bangladesh’s central bank have helped thwart many of those attempts, a senior SWIFT official told Reuters.

“Attempts continue,” said Stephen Gilderdale, head of SWIFT’s Customer Security Programme, in a phone interview. “That is what we expected. We didn’t expect the adversaries to suddenly disappear.”

The disclosure underscores that banks remain at risk of cyber attacks targeting computers used to access SWIFT almost two years after the February 2016 theft from a Bangladesh Bank account at the Federal Reserve Bank of New York.

Gilderdale declined to say how many hacks had been attempted this year, what percentage were successful, how much money had been stolen or whether they were growing or slowing down.

On Monday, two people were arrested in Sri Lanka for suspected money laundering from a Taiwanese bank whose computer system was hacked to enable illicit transactions abroad. Police acted after the state-owned Bank of Ceylon reported a suspicious transfer.

SWIFT, a Belgium-based co-operative owned by its user banks, has declined comment on the case, saying it does not discuss individual entities.

Gilderdale said that some security measures instituted in the wake of the Bangladesh Bank heist had thwarted attempts.

As an example, he said that SWIFT had stopped some heists thanks to an update to its software that automatically sends alerts when hackers tamper with data on bank computers used to access the messaging network.

SWIFT shares technical information about cyber attacks and other details on how hackers target banks on a private portal open to its members.

Gilderdale was speaking ahead of the organization’s annual Sibos global user conference, which starts on Monday in Toronto.

At the conference, SWIFT will release details of a plan to start offering security data in “machine digestible” formats that banks can use to automate efforts to discover and remediate cyber attacks, he said.

SWIFT will also unveil plans to start sharing that data with outside security vendors so they can incorporate the information into their products, he said.

(Reporting by Jim Finkle, Editing by Rosalba O’Brien)

Equifax takes down web page after reports of new hack

The logo and trading information for Credit reporting company Equifax Inc. are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., September 26, 2017. REUTERS/Lucas Jackson

By John McCrank

NEW YORK (Reuters) – Equifax Inc said on Thursday it has taken one of its customer help web pages offline as its security team looks into reports of another potential cyber breach at the credit reporting company, which recently disclosed a hack that compromised the sensitive information of 145.5 million people.

The move came after an independent security analyst on Wednesday found part of Equifax’s website was under the control of attackers trying to trick visitors into installing fraudulent Adobe Flash updates that could infect computers with malware, the technology news website Ars Technica reported.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax spokesman Wyatt Jefferies said in an email. “Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

The Atlanta-based company, which has faced seething criticism from consumers, regulators and lawmakers over its handling of the earlier breach, said it would provide more information as it becomes available.

Equifax disclosed on Sept. 7 that its systems had been breached between mid-May and late July. In the fallout, the company has parted ways with its chief executive, chief information officer and chief security officer.

The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.

As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.

(Reporting by John McCrank; Editing by Bill Rigby)

Joint Strike Fighter plans stolen in Australia cyber attack

Two Lockheed Martin Corp F-35 stealth fighter jets fly to the Avalon Airshow in Victoria, Australia, March 3, 2017. Australian Defence Force/Handout via REUTERS

By Tom Westbrook

SYDNEY (Reuters) – A hacker stole non-classified information about Australia’s Joint Strike Fighter program and other military hardware last year after breaching the network of a defense contractor, the defense industry minister said on Thursday.

About 30 gigabytes of data was stolen in the cyber attack, including details of the Joint Strike Fighter warplane and P-8 Poseidon surveillance plane, according to a presentation on the hack by a government official.

“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defence Industry Minister Christopher Pyne told Australian Broadcasting Corporation (ABC) Radio.

“I don’t know who did it.”

In a presentation to a conference in Sydney, an official from the Australian Signals Directorate (ASD) intelligence agency said technical information on smart bombs, the Joint Strike Fighter, the Poseidon maritime patrol aircraft and several naval vessels was stolen.

“The compromise was extensive and extreme,” said the official, Mitchell Clarke, in an audio recording made by a ZDNet journalist and broadcast by the ABC.

Clarke said the attacker accessed the small contractor’s systems for five months in 2016, and the “methodical, slow and deliberate,” choice of target suggested a nation-state actor could be behind the raid.

Australia has agreed to buy 72 Lockheed Martin Corp Joint Strike Fighter planes.

A spokesman for the Australian Cyber Security Centre (ACSC), a government agency, said the government would not release further details about the cyber attack.

The ACSC said in a report on Monday that it responded to 734 cyber attacks on “systems of national interest” for the year ended June 30, and the defense industry was a major target.

The attack on the defense contractor was carried out by a “malicious cyber adversary”, it said.

In 2016 the agency said it responded to 1,095 cyber attacks over an 18-month period, including an intrusion from a foreign intelligence service on the weather bureau.

(Reporting by Tom Westbrook; Editing by Stephen Coates)

North Korea hackers stole South Korea-U.S. military plans to wipe out North Korea leadership: lawmaker

The North Korea flag flutters next to concertina wire at the North Korean embassy in Kuala Lumpur, Malaysia March 9, 2017. REUTERS/Edgar Su

By Christine Kim

SEOUL (Reuters) – North Korean hackers stole a large amount of classified military documents, including South Korea-U.S. wartime operational plans to wipe out the North Korean leadership, a South Korean ruling party lawmaker said on Wednesday.

Democratic Party representative Rhee Cheol-hee said 235 gigabytes of military documents were taken from the Defense Integrated Data Center in September last year, citing information from unidentified South Korean defense officials.

An investigative team inside the defense ministry announced in May the hack had been carried out by North Korea, but did not disclose what kind of information had been taken.

Pyongyang has denied responsibility in its state media for the cyber attacks, criticizing Seoul for “fabricating” claims about online attacks.

Separately on Wednesday, cyber security firm FireEye said in a statement North Korea-affiliated agents were detected attempting to phish U.S. electric companies through emails sent in mid-September, although those attempts did not lead to a disruption in the power supply.

It did not specify when the attempts had been detected or clarify which companies had been affected.

Rhee, currently a member of the National Assembly’s committee for national defense, said about 80 percent of the hacked data had not yet been identified, but that none of the information was expected to have compromised the South Korean military because it was not top classified intelligence.

Some of the hacked data addressed how to identify movements of members of the North Korean leadership, how to seal off their hiding locations, and attack from the air before eliminating them.

Rhee said the North could not have taken the entire operation plans from the database because they had not been uploaded in full.

These plans had likely not been classified properly but defense ministry officials told Rhee the hacked documents were not of top importance, he said.

“Whatever the North Koreans took, we just need to fix the plans,” Rhee later told Reuters by telephone. “I disclosed this because the military hasn’t been doing that fast enough.”

SIMPLE MISTAKE

Rhee said on radio the hack had been made possible by “a simple mistake” after a connector jack linking the military’s intranet to the internet had not been eliminated after maintenance work had been done on the system.

The South Korean Defense Ministry’s official stance is that they cannot confirm anything the lawmaker said about the hacked content due to the sensitivity of the matter.

In Washington, the Pentagon said it was aware of the media reports but would not comment on the potential breach.

“Although I will not comment on intelligence matters or specific incidents related to cyber intrusion, I can assure you that we are confident in the security of our operations plans and our ability to deal with any threat from North Korea,” Pentagon spokesman Colonel Robert Manning told reporters.

FireEye said the phishing attack on the electric companies detected was “early-stage reconnaissance” and did not indicate North Korea was about to stage an “imminent, disruptive” cyber attack. The North has been suspected of carrying out similar cyber attacks on South Korean electric utilities, in addition to other government and financial institutions.

Those attempts were likely aimed at creating a means of “deterring potential war or sowing disorder during a time of armed conflict”, FireEye said.

“North Korea linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide,” its statement said.

“Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback,” it said.

(Reporting by Christine Kim in SEOUL and Ishita Chigilli Palli in Bengaluru; Additional reporting by Idrees Ali in Washington; Editing by James Dalgleish, Michael Perry and Paul Tait)

Israeli spies found Russians using Kaspersky software for hacks: media

The logo of the anti-virus firm Kaspersky Lab is seen at its headquarters in Moscow, Russia September 15, 2017. REUTERS/Sergei Karpukhin

WASHINGTON (Reuters) – Israeli intelligence officials spying on Russian government hackers found they were using Kaspersky Lab antivirus software that is also used by 400 million people globally, including U.S. government agencies, according to media reports on Tuesday.

The Israeli officials who had hacked into Kaspersky’s network over two years ago then warned their U.S. counterparts of the Russian intrusion, said The New York Times, which first reported the story. http://nyti.ms/2yev8Vj

That led to a decision in Washington only last month to order Kaspersky software removed from government computers.

The Washington Post also reported on Tuesday that the Israeli spies had also found in Kaspersky’s network hacking tools that could only have come from the U.S. National Security Agency. http://wapo.st/2i2clXa

After an investigation, the NSA found that those tools were in possession of the Russian government, the Post said.

And late last month, the U.S. National Intelligence Council completed a classified report that it shared with NATO allies concluding that Russia’s FSB intelligence service had “probable access” to Kaspersky customer databases and source code, the Post reported.

That access, it concluded, could help enable cyber attacks against U.S. government, commercial and industrial control networks, the Post reported.

The New York Times said the Russian operation, according to multiple people briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, which had Kaspersky antivirus software installed on it.

It is not yet publicly known what other U.S. secrets the Russian hackers may have discovered by turning the Kaspersky software into a sort of Google search for sensitive information, the Times said.

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules, the Times said.

The newspaper said the National Security Agency and the White House declined to comment, as did the Israeli Embassy, while the Russian Embassy did not respond to requests for comment.

The Russian embassy in Washington last month called the ban on Kaspersky Lab software “regrettable” and said it delayed the prospects of restoring bilateral ties.

Kaspersky Lab denied to the Times any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement on Tuesday.

Eugene Kaspersky, the company’s co-founder and chief executive, has repeatedly denied charges his company conducts espionage on behalf of the Russian government.

Kaspersky spokeswoman Sarah Kitsos told the Washington Post on Tuesday that “as a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.” She said the company “does not possess any knowledge” of Israel’s hack, the Post said.

U.S. intelligence agencies have concluded that Russian President Vladimir Putin ordered a multipronged digital influence operation last year in an attempt to help Donald Trump win the White House, a charge Moscow denies.

(Reporting by Eric Walsh; editing by Grant McCool)

Exclusive: SEC’s corporate filing system vulnerable to denial of service attacks – memo

FILE PHOTO: The seal of the U.S. Securities and Exchange Commission hangs on the wall at SEC headquarters in Washington, DC, U.S. on June 24, 2011. REUTERS/Jonathan Ernst/File Photo

By Sarah N. Lynch and Jim Finkle

(Reuters) – The U.S. Securities and Exchange Commission (SEC), Wall Street’s top regulator, has discovered a vulnerability in its corporate filing database that could cause the system to collapse, according to an internal document seen by Reuters.

The SEC’s September 22 memo reveals that its EDGAR database, containing financial reports from U.S. public companies and mutual funds, could be at risk of “denial of service” attacks, a type of cyber intrusion that floods a network, overwhelming it and forcing it to close.

The discovery came when the SEC was testing EDGAR’s ability to absorb monthly and annual financial filings that will be required under new rules adopted last year for the $18 trillion mutual fund industry.

The memo shows that even an unintentional error by a company, and not just hackers with malicious intentions, could bring the system down. Even the submission of a large “invalid” form could overwhelm the system’s memory.

The defect comes after the SEC’s admission last month that hackers breached the EDGAR database in 2016.

The discovery will likely add to concerns about the vulnerability of the SEC’s network and whether the agency has been adequately addressing cyber threats.

The mutual fund industry has long had concerns that market-sensitive data required in the new rules could be exploited if it got into the wrong hands.

The industry has since redoubled its calls for SEC Chairman Jay Clayton to delay the data-reporting rules, set to go into effect in June next year, until it is reassured the information will be secure.

“Clearly, the SEC should postpone implementation of its data reporting rule until the security of those systems is thoroughly tested and assessed by independent third parties,” said Mike McNamee, chief public communications officer of The Investment Company Institute (ICI), whose members manage $20 trillion worth of assets in the United States.

“We are confident Chairman Clayton will live up to his pledge that the SEC will take whatever steps are necessary to ensure the security of its systems and the data it collects.”

An SEC spokesman declined to comment.

The rules adopted last year requiring asset managers to file monthly and annual reports about their portfolio holdings were designed to protect them in the event of a market crisis by showing the SEC and investors that they have enough liquidity to cover a rush of redemptions.

During a Congressional hearing on Wednesday, Clayton testified that the agency was considering whether to delay the rules in light of the cyber concerns. He did not, however, mention anything about the denial of service attack vulnerability.

VIRTUAL VOMIT

EDGAR is the repository for corporate America, housing millions of filings ranging from quarterly earnings to statements on acquisitions.

It is a virtual treasure trove for cyber criminals who could trade on any information gleaned before it is publicly released.

In the hack disclosed last month involving EDGAR, the SEC has said it now believes the criminals may have stolen non-public data for illicit trading.

The vulnerability revealed in the September memo shows that even an invalid form could jam up EDGAR.

The system did not immediately reject the form, the memo says. Rather, “it was being validated for hours before failing due to an invalid form type.”

That conclusion could spell trouble for the SEC’s EDGAR database because it means that if hackers wanted to, they could “basically take down the whole EDGAR system” by submitting a malicious data file, said one cyber security expert with experience securing networks of financial regulators who reviewed the letter for Reuters.

“The system would consume the data and essentially throw up on itself,” the person added.

(Reporting by Sarah N. Lynch in Washington and Jim Finkle in Toronto; Editing by Carmel Crimmins)

German companies see threefold rise in cyber attacks, study finds

A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, U.S. on July 29, 2017. REUTERS/Steve Marcus

BERLIN (Reuters) – The number of German companies targeted by cyber attacks in the past three years has tripled compared with the three years to 2015 and the figure is growing steadily, a study showed on Thursday.

From the 450 German companies surveyed by the audit and consulting company EY, 44 percent said they had been spied on. But Bodo Meseke, an expert at EY, said many companies did not notice attacks.

The study found that 67 percent of managers at larger enterprises – those with a turnover of more than one billion euros ($1.17 billion) – expect a significant increase in the number of attacks on their businesses.

Managers see the biggest danger coming from Russia, followed by China, and the United States.

“Recently, the threat increased rapidly again and it comes from different sides. In addition to intelligence services and (business) competitors, organized crime is increasingly becoming an adversary,” Meseke said.

A separate study by the Allensbach polling institute for Deloitte also published on Thursday showed that 27 percent of executives in medium and large companies said their businesses were exposed to IT attacks every day.

Four years ago, 12 percent suffered daily attacks.

The Allensbach study, based on interviews with politicians and companies, found that 97 percent of respondents saw a large-scale hacker attack to be “at least” or “very” probable.

Three-quarters of those questioned perceive a major cyber attack risk that would target infrastructure facilities such as electricity grids or hospitals and just as many contamination by computer viruses.

(Reporting By Riham Alkousaa, editing by David Evans)