Tag Archives: Cyber Attack

Global cyber attack slows but experts see risk of fresh strikes

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Eric Auchard

SINGAPORE/FRANKFURT (Reuters) – A global cyber attack described as unprecedented in scale forced a major European automaker to halt some production lines while hitting schools in China and hospitals in Indonesia on Saturday, though it appeared to die down a day after its launch.

Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the cyber assault has infected tens of thousands of computers in nearly 100 countries, with Britain’s health system suffering the worst disruptions.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.

Once inside the targeted network, so-called ransomware made use of recently revealed spy tools to silently infect other out-of-date machines without any human intervention. This, security experts said, marked an unprecedented escalation in the risk of fresh attacks spreading in the coming days and weeks.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Researchers observed some victims paying via the digital currency bitcoin, though no one knows how much may have been transferred to extortionists because of the largely anonymous nature of such transactions.

Researchers with security software maker Avast said they had observed 126,534 ransomware infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

The hackers, who have not come forward to claim responsibility or otherwise been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as “Eternal Blue” that was released last month by a hackers group known as the Shadow Brokers, according to researchers with several private cyber security firms.

Renault said it had halted auto production at several sites including Sandouville in northwestern France and Renault-owned Dacia plants in Romania on Saturday to prevent the spread of ransomware in its systems.

Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault though “there has been no major impact on our business”, a spokesman for the Japanese carmaker said.German rail operator Deutsche Bahn [DBN.UL] said some electronic signs at stations announcing arrivals and departures were infected, with travelers posting pictures showing some bearing a message demanding a cash payment to restore access.

“UNPRECEDENTED” ATTACK EASES

Europol’s European Cybercrime Center said it was working closely with country investigators and private security firms to combat the threat and help victims. “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The researcher in Britain widely credited with foiling the ransomware’s proliferation told Reuters he had not seen any such tweaks yet, “but they will (happen).”

Researchers said the worm deployed in the latest attack, or similar tools released by Shadow Brokers, are likely to be used for fresh assaults not just with ransomware but other malware to break into firms, seize control of networks and steal data.

Finance chiefs from the Group of Seven rich countries were to commit on Saturday to joining forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government. “Things could likely emerge on Monday” as staff return to work.

China’s information security watchdog said “a portion” of Windows systems users in the country were infected, according to a notice posted on the official Weibo page of the Beijing branch of the Public Security Bureau on Saturday. Xinhua state news agency said some secondary schools and universities were hit.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been hit.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also breached. “We are implementing remediation steps as quickly as possible,” a FedEx statement said.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by focusing on targets in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, he added.

MICROSOFT BOLSTERS WINDOWS DEFENCES

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

The attack targeted Windows computers that had not installed patches released by Microsoft in March, or older machines running software that Microsoft no longer supports and for which patches did not exist, including the 16-year-old Windows XP system, researchers said.

Microsoft said it pushed out automatic Windows updates to defend existing clients from WannaCry. It had issued a patch on March 14 to protect them from Eternal Blue. Late on Friday, Microsoft also released patches for a range of long discontinued software, including Windows XP and Windows Server 2003.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

POLITICALLY SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus. The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French run-off vote on May 7.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted by ransomware. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small- to mid-sized organizations. “Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; editing by Mark Heinrich)

UK government in dark over who behind cyber attack

FILE PHOTO: A National Health Service (NHS) sign is seen in the grounds of St Thomas' Hospital, in front of the Houses of Parliament in London June 7, 2011. REUTERS/Toby Melville/File Photo

LONDON (Reuters) – The British government does not yet know who was behind Friday’s global cyber attack that disrupted the country’s health system, interior minister Amber Rudd said on Saturday.

“We’re not able to tell you who’s behind the attack. That work is still ongoing,” she told BBC radio.

She said Britain’s National Cyber Security Center was working with the country’s health service to ensure the attack was contained, while the National Crime Agency was working with them to find out where it came from.

Rudd said the government did not know if the attack was directed by a foreign government.

On Friday, cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files. Nearly 100 countries were impacted.

Rudd said the attack was not specifically targeted at Britain’s health service.

“(The virus) feels random in terms of where it’s gone to and where it’s been opened,” she said.

Though 45 health service organizations in England and Scotland were affected by malicious software, no patient data has been accessed or transferred, said Rudd.

The minister said lessons had to be learned from the attack.

“There will be lessons to learn … Why is it certain regions are affected more than others? Is it to do with the software? Is it to do with better IT?”

Separately on Saturday, finance chiefs from the Group of Seven rich countries will commit to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Bari, Italy.

(Reporting by James Davey; Editing by Mark Potter)

Global cyber attack fuels concern about U.S. vulnerability disclosures

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Dustin Volz

WASHINGTON (Reuters) – A global cyber attack on Friday renewed concerns about whether the U.S. National Security Agency and other countries’ intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.

Hacking tools believed to belong to the NSA that were leaked online last month appear to be the root cause of a major cyber attack unfurling throughout Europe and beyond, security researchers said, stoking fears that the spy agency’s powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.

Some cyber security experts and privacy advocates said the massive attack reflected a flawed approach by the United States to dedicate more cyber resources to offense rather than defense, a practice they argued makes the internet less secure.

Across the U.S. federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters in March. (http://reut.rs/2o7qHqN)

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

The NSA did not respond to a request for comment.

Hospitals and doctors’ surgeries in parts of England on Friday were forced to turn away patients and cancel appointments after they were infected with the “ransomware”, which scrambled data on computers and demanded payments of $300 to $600 to restore access.

Security software maker Avast said it had observed more than 57,000 infections in 99 countries. Russia, Ukraine and Taiwan were the top targets, it said.

Private security firms identified the virus as a new variant of ‘WannaCry’ ransomware with the ability to automatically spread across large networks by exploiting a bug in Microsoft Corp’s Windows operating system.

Security experts said the ransomware used in the attacks leveraged a hacking tool found in a leak of documents in April by a group known as Shadow Brokers.

At the time, Microsoft acknowledged the vulnerabilities and said they had been patched in a series of earlier updates pushed to customers, the most recent of which had been rolled out only a month earlier in March. But the episode prompted concerns about whether the tools could be leveraged by hackers to attack unpatched systems.

In a statement, a Microsoft spokesman said on Friday its engineers had provided additional detection and protection services against the WannaCry malware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Updates enabled and use the company’s free antivirus software are protected.

Shadow Brokers first emerged last year and began dumping tranches of documents that it said belonged to the NSA, though the files appeared at least a few years old.

Over time, western researchers have grown more confident that Russia may be behind Shadow Brokers and possibly other recent disclosures of sensitive information about cyber capabilities that have been pilfered from U.S. intelligence agencies.

Some researchers cast blame not on the NSA but on the hospitals and other customers that appeared to leave themselves open to attack.

“The main problem here is organizations taking more than eight weeks to patch once Microsoft released the update,” said Chris Wysopal, chief technology officer at the cyber firm Veracode. “Eight weeks is plenty of time for a criminal organization to develop a sophisticated attack on software and launch it on a wide scale.”

Former intelligence contractor Edward Snowden, who in 2013 leaked documents to journalists revealing the existence of broad U.S. surveillance programs, said on Twitter the NSA had built attack tools targeting U.S. software that “now threatens the lives of hospital patients.”

“Despite warnings, (NSA) built dangerous attack tools that could target Western software,” Snowden said. “Today we see the cost.”

(This version of the story has been refiled to correct spelling of hoard in first paragraph)

(Reporting by Dustin Volz; Editing by Lisa Shumaker)

Global cyber attack hits hospitals and companies, threat seen fading for now

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Costas Pitas

SINGAPORE/LONDON (Reuters) – A global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain’s health system and global shipper FedEx.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, limiting the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The British-based researcher who may have foiled the ransomware’s spread told Reuters he had not seen any such tweaks yet, “but they will.”

Finance chiefs from the Group of Seven rich countries will commit on Saturday to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, although the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government.

“Things could likely emerge on Monday.”

China’s official Xinhua news agency said some secondary schools and universities had been affected, without specifying how many or identifying them.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been affected.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur added.

MICROSOFT UPS DEFENSES

The U.S. Department of Homeland Security said it was sharing information with domestic and foreign partners and was ready to lend technical support.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm”, or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began the previous week when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus.The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

The British government did not know who was behind the attack but its National Crime Agency was working to find out, interior minister Amber Rudd said.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French one.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations.

“Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; Editing by Rob Birsel and Mike Collett-White)

Hackers exploit stolen U.S. spy agency tool to launch global cyberattack

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain’s health system and infected computers in nearly 100 countries on Friday.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Still, only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur said.

The U.S. Department of Homeland Security said late on Friday that it was aware of reports of the ransomware, was sharing information with domestic and foreign partners and was ready to lend technical support.

Telecommunications company Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“Once it gets in and starts moving across the infrastructure, there is no way to stop it,” said Adam Meyers, a researcher with cyber security firm CrowdStrike.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm,” or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement. It said the company was working with its customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 1-1/2 days before a run-off vote in which he was elected as the new president of France.

On Wednesday, hackers disputed the websites of several French media companies and aerospace giant Airbus.Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as the country’s biggest bank, Sberbank, said they were targeted. The interior ministry said on its website that around 1,000 computers had been infected but it had localized the virus.

The emergencies ministry told Russian news agencies it had repelled the cyberattacks while Sberbank said its cyber security systems had prevented viruses from entering its systems.

NEW BREED OF RANSOMWARE

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh; Writing by Mark Trevelyan and Jim Finkle; Editing by Ralph Boulton and Grant McCool)

British hospitals, Spanish firms among targets of huge cyberattack

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A huge cyberattack brought disruption to Britain’s health system on Friday and infected many Spanish companies with malicious software, and security researchers said a dozen other countries may be affected.

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among the targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Authorities in both countries said the attack was conducted using ‘ransomware’ – malicious software that infects machines, locks them up by encrypting data and demands a ransom to restore access. They identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement. Still, the news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: “We were the target of an attack, like what is happening in all of Europe, a large scale-attack, but none of our services were affected.”

British based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with preliminary evidence of infections from 14 countries so far, also including Russia, Indonesia and Ukraine.

PM BRIEFED

A spokesman for British Prime Minister Theresa May said she was being kept informed of the incident, which came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

The full extent of Friday’s disruption in Britain remained unclear.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital, the computer arm of the health service, said in a statement.

Britain’s National Cyber Security Centre, part of the GCHQ spy agency, said it was aware of a cyber incident and was working with NHS Digital and the police to investigate.

A reporter from the Health Service Journal said the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

It was not immediately clear how many Spanish organizations had been compromised by the attacks, if any critical services had been interrupted or whether victims had paid cyber criminals to regain access to their networks.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Kate Holton, Andy Bruce, Michael Holden and David Milliken; Editing by Mark Trevelyan and Ralph Boulton)

English hospitals say hit by suspected national cyber attack

FILE PHOTO: A National Health Service (NHS) sign is seen in the grounds of St Thomas' Hospital, in front of the Houses of Parliament in London June 7, 2011. REUTERS/Toby Melville/File Photo

By Costas Pitas and Alistair Smout

LONDON (Reuters) – Hospitals across England were being forced to divert emergency cases on Friday after suffering a suspected national cyber attack.

Among them was the Barts Health group which manages major central London hospitals including The Royal London and St Bartholomew’s.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” it said.

“We have activated our major incident plan to make sure we can maintain the safety and welfare of patients. Ambulances are being diverted to neighboring hospitals.”

Patients requiring emergency treatment across England were diverted away from the hospitals affected and the public was advised to only seek medical care for acute medical conditions.

Reuters was unable to independently verify whether the hospitals were the subject of a concerted cyber attack ahead of the June 8 election.

Britain’s National Crime Agency said it was aware of the reports of a cyber attack but made no further comment.

The National Health Service (NHS) said it was responding to the incidents.

“We are aware of a cyber security incident and we are working on a response,” said a spokesman for NHS Digital, a division of the NHS which handles information technology issues.

There was no immediate comment from the Health Ministry.

Earlier on Friday, Spain’s government warned that a large number of companies had been attacked by cyber criminals who infected computers with malicious software known as “ransomware” that locks up computers and demands ransoms to restore access.

(Additional reporting by Kate Holton, Andy Bruce, Michael Holden and David Milliken; Writing by Guy Faulconbridge; editing by Stephen Addison)

German cyber agency chides Yahoo for not helping hacking probe

A photo illustration shows a Yahoo logo on a smartphone in front of a displayed cyber code and keyboard on December 15, 2016. REUTERS/Dado Ruvic/Illustration

By Andrea Shalal

BERLIN (Reuters) – Germany’s federal cyber agency said on Thursday that Yahoo Inc <YHOO.O> had not cooperated with its investigation into a series of hacks that compromised more than one billion of the U.S. company’s email users between 2013 and 2016.

Yahoo’s Dublin-based Europe, Middle East and Africa unit “refused to give the BSI any information and referred all questions to the Irish Data Protection Commission, without, however, giving it the authority to provide information to the BSI,” Germany’s BSI computer security agency said.

A BSI spokesman said it decided to go public after Yahoo repeatedly failed to respond to efforts to look into the data breaches and garner lessons to prevent similar lapses. BSI also urged internationally active Internet service providers to work more closely with it when German customers were affected by cyber attacks and other computer security issues.

Yahoo did not respond to requests for comment, while Ireland’s data protection agency was not immediately available.

The BSI’s statement comes at a time of heightened German government concerns about Russian meddling in national elections in September, after cyber attacks on the French and U.S. presidential elections which have been linked to Russia.

The U.S. Justice Department in March charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, marking the first time the U.S. government had criminally charged Russian spies for cyber offences., while U.S. officials have charged Russian intelligence agents with involvement in at least one of the hacks that affected Yahoo.

Moscow has denied any involvement in hacking.

The BSI said it did not yet have any concrete information about the data breaches because of Yahoo’s lack of cooperation.

“Users should therefore be very careful about which services they want to use in the future and to whom they entrust their data,” BSI President Arne Schoenbohm said in a statement.

The BSI chief reiterated his recommendation that German consumers consider switching to other email service providers, adding that certifications such as those offered with C5-class cloud service security were valuable for customers.

C5 is a German government scheme to encourage cloud-based internet service providers to attest they use various safeguards against cyber attacks.

Late last year Yahoo, which has agreed to be acquired by U.S. telecoms giant Verizon <VZ.N> and is set to be merged with AOL to form a new business known as Oath, revealed a data breach dating back to 2013 of one billion user accounts.

The various disclosures led Verizon to cut the amount it was willing to pay for Yahoo by $350 million on its previously agreed $4.83 billion deal. Yahoo has said it expects the merger into Verizon to close in June.

BSI said an additional 32 million Yahoo users were affected by cyber breaches in 2015 and 2016. A spokesman for the agency said he was unaware of any additional breaches in 2017.

(Additional reporting by Eric Auchard in Frankfurt; editing by Alexander Smith)

Germany challenges Russia over alleged cyberattacks

Hans-Georg Maassen, Germany's head of the German Federal Office for the Protection of the Constitution (Bundesamt fuer Verfassungsschutz) addresses a news conference in Berlin, Germany, in this file photo dated June 28, 2016. REUTERS/Fabrizio Bensch

By Andrea Shalal

BERLIN (Reuters) – The head of Germany’s domestic intelligence agency accused Russian rivals of gathering large amounts of political data in cyber attacks and said it was up to the Kremlin to decide whether it wanted to put it to use ahead of Germany’s September elections.

Moscow denies it has in any way been involved in cyber attacks on the German political establishment.

Hans-Georg Maassen, president of the BfV agency, said “large amounts of data” were seized during a May 2015 cyber attack on the Bundestag, or lower house of parliament, which has previously been blamed on APT28, a Russian hacking group.

Maassen, speaking with reporters after a cyber conference in Potsdam, repeated his warning from last December in which he said Russia was increasing cyber attacks, propaganda and other efforts to destabilize German society.

Some cyber experts have drawn clear links between APT28 and the GRU Russian military intelligence organization.

Maassen said there had been subsequent attacks after the 2015 Bundestag hack that were directed at lawmakers, the Christian Democratic Union (CDU) of Chancellor Angela Merkel, and other party-affiliated institutions, but it was unclear if they had resulted in the loss of data.

Germany’s top cyber official last week confirmed attacks on two foundations affiliated with Germany’s ruling coalition parties that were first identified by security firm Trend Micro.

“We recognize this as a campaign being directed from Russia. Our counterpart is trying to generate information that can be used for disinformation or for influencing operations,” he said. “Whether they do it or not is a political decision … that I assume will be made in the Kremlin.”

Maassen said it appeared that Moscow had acted in a similar manner in the United States, making a “political decision” to use information gathered through cyber attacks to try to influence the U.S. presidential election.

Maassen told reporters that Germany was working hard to strengthen its cyber defenses, but also needed the legal framework for offensive operations.

Berlin was studying what legal changes were needed to allow authorities to purge stolen data from third-party servers, and to potentially destroy servers used to carry out cyber attacks.

“We believe it is necessary that we are in a position to be able to wipe out these servers if the providers and the owners of the servers are not ready to ensure that they are not used to carry out attacks,” Maassen said.

He said intelligence agencies knew which servers were used by various hacker groups, including APT10, APT28 and APT29.

The German government also remained deeply concerned about the possibility that German voters could be manipulated by fake news items, like the bogus January 2016 story about the rape of a 13-year Russian-German girl by migrants that sparked demonstrations by over 12,000 members of that community.

He said another attempt was made in January shortly after the Social Democrats named former European Parliament President Martin Schulz as their chancellor candidate, with a Russian website carrying a blatantly false story about Schulz’s father having run a Nazi concentration camp.

However that story did not receive as much attention.

Officials also remained concerned that real information seized during cyber attacks could be used to discredit politicians or affect the election, he said.

(Reporting by Andrea Shalal; Editing by Madeline Chambers)

GE fixing bug in software after warning about power grid hacks

FILE PHOTO: The logo of a General Electric (GE) facility is seen behind tree branches in Medford, Massachusetts, U.S., April 20, 2017. REUTERS/Brian Snyder/File Photo

By Jim Finkle

(Reuters) – General Electric Co <GE.N> said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility’s power systems after researchers found that hackers could shut down parts of an electric grid.

The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to “disconnect sectors of the power grid at will,” according to an abstract posted late last week on the Black Hat security conference website.

Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

Interest in grid security has intensified amid the increased use of cyber weapons by nation states, including two high-profile cyber attacks in Ukraine that authorities in Kiev have blamed on Russia.

Three New York University security experts are scheduled to discuss the issue at the Las Vegas Black Hat hacking conference in July. They could not be reached immediately for comment.

GE is not aware of any cases in which hackers exploited the bug to cause power outages, said GE spokeswoman Annette Busateri. The bug only involves older GE protection relays introduced in the 1990s “before current industry expectations for security,” she said.

“We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue,” she said.

GE has issued patches for five of six models affected by the vulnerability and will soon release a patch for the sixth model, Busateri said.

Michael Assante, former chief security officer with the North American Electric Reliability Corp, which regulates the North American grid, said the product was still widely deployed because the industry runs systems for decades before upgrading to new technologies.

“This is certainly a significant issue,” he said.

Hackers caused power to go out in 2015 and 2016 attacks in Ukraine by using other techniques to force breakers to open, Assante said.

(Reporting by Jim Finkle in Toronto; Editing by Chizu Nomiyama and Jeffrey Benkoe)