Cyber extortion demands surge as victims keep paying: Symantec

A man walks past a display of hexadecimal code in a file photo. REUTERS/Nigel Treblin

By Alastair Sharp

TORONTO (Reuters) – Hackers are demanding increasingly hefty ransoms to free computers paralyzed with viruses, as cyber criminals seek to maximize profits from large numbers of victims willing to pay up, according to cyber security firm Symantec Corp.

The average demand embedded in such malicious software, which is known as ransomware, more than tripled last year to $1,077 from $294, and the pricing has continued to rise in 2017, according to Symantec.

“The bad guys haven’t found the top end of what people will pay,” Symantec Director of Security Response Kevin Haley said in a telephone interview.

Symantec said 69 percent of ransomware infections in 2016 hit consumer computers, with the remainder targeting businesses and other organizations.

More than a third of consumer ransomware victims around the globe pay cyber criminals to regain access to their data, according to Symantec. In the United States, where such attacks are most prevalent, 64 percent pay.

“If six out of ten people will pay your ransom when it’s three hundred bucks, you’re thinking ‘What if I raise it to four hundred? What if I raise to five hundred?’” Haley said.

The surge in cyber extortion has been fueled partly by the sale of ransomware kits, which sell for $10 to $1,800 on underground markets and make it easy for wannabe cyber crooks to get in the business, according to Symantec.

One kit, known as Shark, lets users name their demand, which its creators collect from victims and pass on to attackers, minus a 20 percent commission.

Ransomware attacks have increased sharply over the past year, with criminals targeting hospitals, police departments and other providers of critical services in the United States and Europe.

In some cases, the attacks have interrupted critical public services.

U.S. and European hospitals have been forced to divert patients to other facilities when ransomware paralyzed computer systems.

Local police have been forced to manually dispatch calls, and San Francisco’s public transit system was unable to collect fares for a weekend during the busy Christmas shopping season.

(Reporting by Alastair Sharp; Editing by Steve Orlofsky; Editing by Jim Finkle and Steve Orlofsky)

Symantec attributes 40 cyber attacks to CIA-linked hacking tools

An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho

By Joseph Menn

SAN FRANCISCO (Reuters) – Past cyber attacks on scores of organizations around the world were conducted with top-secret hacking tools that were exposed recently by the Web publisher WikiLeaks, the security researcher Symantec Corp said on Monday.

That means the attacks were likely conducted by the U.S. Central Intelligence Agency. The files posted by WikiLeaks appear to show internal CIA discussions of various tools for hacking into phones, computers and other electronic gear, along with programming code for some of them, and multiple people familiar with the matter have told Reuters that the documents came from the CIA or its contractors.

Symantec said it had connected at least 40 attacks in 16 countries to the tools obtained by WikiLeaks, though it followed company policy by not formally blaming the CIA.

The CIA has not confirmed the WikiLeaks documents are genuine. But agency spokeswoman Heather Fritz Horniak said that any WikiLeaks disclosures aimed at damaging the intelligence community “not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm.

“It is important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so,” Horniak said.

She declined to comment on the specifics of Symantec’s research.

The CIA tools described by WikiLeaks do not involve mass surveillance, and all of the targets were government entities or had legitimate national security value for other reasons, Symantec researcher Eric Chien said ahead of Monday’s publication.

In part because some of the targets are U.S. allies in Europe, “there are organizations in there that people would be surprised were targets,” Chien said.

Symantec said sectors targeted by operations employing the tools included financial, telecommunications, energy, aerospace, information technology, education, and natural resources.

Besides Europe, countries were hit in the Middle East, Asia, and Africa. One computer was infected in the United States in what was likely an accident – the infection was removed within hours. All the programs were used to open back doors, collect and remove copies of files, rather than to destroy anything.

The eavesdropping tools were created at least as far back as 2011 and possibly as long ago as 2007, Chien said. He said the WikiLeaks documents are so complete that they likely encompass the CIA’s entire hacking toolkit, including many taking advantage of previously unknown flaws.

The CIA is best-known for its human intelligence sources and analysis, not vast electronic operations. For that reason, being forced to build new tools is a setback but not a catastrophe.

It could lead to awkward conversations, however, as more allies realize the Americans were spying and confront them.

Separately, a group calling itself the Shadow Brokers on Saturday released another batch of pilfered National Security Agency hacking tools, along with a blog post criticizing President Donald Trump for attacking Syria and moving away from his conservative political base.

It is unclear who is behind the Shadow Brokers or how the group obtained the files.

(Additional reporting by Jonathan Weber and Anna Driver; Editing by Matthew Lewis and Mary Milliken)

German military can use ‘offensive measures’ against cyber attacks: minister

German Defence Minister Ursula von der Leyen in Berlin, Germany, March 22, 2017. REUTERS/Fabrizio Bensch

BERLIN (Reuters) – The German military has the authority to respond with “offensive measures” if its computer networks are attacked, German Defence Minister Ursula von der Leyen said on Wednesday, amid growing concerns among German lawmakers about control of such actions.

Von der Leyen, speaking at the opening ceremony for Germany’s new cyber command in Bonn, gave no details of what kind of retaliation she had in mind.

“If the German military’s networks are attacked, then we can defend ourselves. As soon as an attack endangers the functional and operational readiness of combat forces, we can respond with offensive measures,” she said.

She added that the German military could be called in to help in the event of cyber attacks on other governmental institutions. During foreign missions, its actions would be governed and bounded by the underlying parliamentary mandate.

Any legal questions would be addressed by the military in close cooperation with other government agencies, she added.

The new Bonn-based command has an initial staff of 260 that will grow to around 13,500 in July.

Von der Leyen’s decision to sanction offensive cyber actions in principle has caused some concerns among German lawmakers, including Agnieszka Brugger, a member of the pro-environment Greens and member of the defense committee.

Military ombudsman Hans-Peter Bartels, who fields complaints from soldiers for parliament, told the Neue Osnabruecker Zeitung newspaper on Wednesday that every offensive measure required explicit approval by the parliament since Germany’s military is a so-called “parliamentary army”.

German officials told reporters earlier this week that the government was scrambling to respond to serious and growing cyber threats, but civilian officials said they lacked the legal framework to retaliate with cyber attacks of their own.

However, von der Leyen made clear on Wednesday that she was convinced the authorities were clear in the military realm.

Deputy Defence Minister Katrin Suder told reporters on Monday that existing laws applied, even in cyberspace.

Von der Leyen said Berlin was increasing expenditure to keep up with technical innovations.

Germany’s current military budget included 1.6 billion euros for information technology-related items, ranging from new radios and hardware to service contracts, and spending was slated to increase significantly in 2018, she said.

The military also spent around 1 billion euros a year on personnel.

(Reporting by Andrea Shalal; Editing by Stephen Powell)

German parliament foiled cyber attack by hackers via Israeli website

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

BERLIN (Reuters) – The German parliament was the target of fresh cyber attacks in January that attempted to piggy-back on an Israeli newspaper site to target politicians in Germany, Berlin’s cyber security watchdog said on Wednesday.

Cyber defenses installed after a 2015 hack of the parliament helped avert the attempted breaches, the Federal Office for Information Security (BSI) said in a statement.

The hackers appeared to use advertising running on the Jerusalem Post website to redirect users to a malicious site, it said.

The BSI looked into unusual activity on the parliament’s network early this year and has just completed a detailed analysis of the incident, which was first reported by the Sueddeutsche Zeitung newspaper on Wednesday.

At least 10 German lawmakers from all parliamentary groups were affected by the attempted hack, the Munich daily reported.

“The technical analysis is complete. The website of the Jerusalem Post was manipulated and had been linked to a malicious third party site,” the agency said in a statement.

“BSI found no malware or infections as part of its analysis of the Bundestag networks.”

The Jerusalem Post confirmed details of the attack with Reuters, but said no malware came from its own site and that it was fully protected against such attacks in the future.

“The Jerusalem Post website was attacked in January by foreign hackers,” the publisher said in a statement. “We immediately took action and together with Israeli cyber authorities successfully neutralized the threat.”

Hackers can use infected banner advertisements to attack otherwise safe or secure sites. So-called “malvertising” appeared to be served up to the site via an unidentified third-party advertising network.

There was no suggestion from the German agency of any wrongdoing by the Jerusalem Post.

“SPEAR-PHISHING”

Security expert Graham Cluley said such “spear-phishing” attacks via malicious ads are highly unusual, but possible.

In this instance, the Jerusalem Post site could have served up German language ads to visitors with German internet addresses. However, he said it was unlikely this could be used to target specific politicians in Berlin.

This latest attack comes amid growing concern in Germany about cyber security and reports that Russia is working to destabilize the German government and could seek to interfere in the upcoming Sept. 24 national elections.

The Bundestag lost 16 gigabytes of data to Russian hackers in 2015, after which it revamped its software system with the help of the BSI and private contractors.

“The BSI believes that the defenses of the German Bundestag detected and prevented links to the website. The attack was therefore averted,” BSI President Arne Schoenbohm said in a statement.

A source familiar with the incident said it did not appear to be linked to APT28, a Russian hacking group also known as “Fancy Bear” that was blamed for the 2015 Bundestag hack and the 2016 hack of the U.S. Democratic National Committee.

(Reporting by Andrea Shalal in Berlin, Eric Auchard in London and Luke Baker in Jerusalem; Editing by Tom Heneghan)

NATO to spend 3 billion euros on satellite, cyber defenses

FILE PHOTO - A NATO flag flies at the Alliance's headquarters in Brussels, March 2, 2014. REUTERS/Yves Herman/File Photo

By Robin Emmott

BRUSSELS (Reuters) – NATO plans to spend 3 billion euros ($3.24 billion) to upgrade its satellite and computer technology over the next three years as the Western military alliance adapts to new threats, a senior official said.

Seeking to deter hackers, and other threats including Iranian missiles, the investments underscore NATO’s recognition that conflicts are increasingly fought on computer networks as well as in the air, on land and at sea.

A senior official at the NATO Communications and Information Agency said the plans include a 1.7-billion-euro investment in satellite communications to better support troops and ships deployed across the alliance, as well as aiding the use of Unmanned Aerial Vehicles (UAVs) or drones.

It was not immediately clear if NATO allies would fund a new military communications satellite to be launched into space or if an increase in broadband capacity could be gained from existing U.S. and other allied satellites.

Non-NATO member Japan launched its first military communications satellite in January.

The proposals, for which some funding must still be approved by NATO governments, also envisage spending about 800 million euros on the computer systems that help command air and missile defenses, said the official, who declined to be named.

Seventy-one million euros will go to improving the protection of NATO’s 32 main locations from cyber attacks.

NATO says it has seen a five-fold increase in suspicious events on its networks in the past three years, while Russian group APT28 is blamed by Western intelligence for the hacking of the U.S. Democratic Party during last year’s U.S. election.

NATO officials have told Reuters they suspect Russia sponsors attacks against their networks before major summits.

Another 180 million euros are to be spent to provide more secure mobile communications for alliance soldiers in the field.

NATO will present its needs in detail at a conference in Ottawa in April and then begin launching the bidding process.

It is likely to attract major Western defense contractors including Airbus Group, Raytheon and Lockheed Martin Corp, the official said, in part because “there cannot be content that does not come from NATO nations.”

NATO rules prohibit Russian or Chinese suppliers unless there is a specific need that allied companies cannot provide.

(Reporting by Robin Emmott; Editing by Janet Lawrence)

G20 to jointly fight bank sector hacking

A general view shows the G20 Finance Ministers and Central Bank Governors Meeting in Baden-Baden, Germany, March 17, 2017. REUTERS/Kai Pfaffenbach

By Balazs Koranyi

BADEN-BADEN, Germany (Reuters) – The world’s biggest economies will pledge to jointly fight cyber attacks on the global banking system, one of the biggest coordinated efforts yet to protect lenders since an $81 million heist of the Bangladesh central bank’s account last year.

Meeting in the German resort town of Baden-Baden, G20 finance chiefs will agree to fight attacks regardless of their origin and promise cross-border cooperation to maintain financial stability, according to a draft document seen by Reuters.

“We will promote the resilience of financial services and institutions in G20 jurisdictions against malicious use of information and communication technologies, including from countries outside the G20,” it said.

However, it dropped an earlier reference to enhanced security requirements for financial services.

Cyber crime became a top priority after an elaborate heist on the Bangladesh central bank’s account at the Federal Reserve Bank of New York last year, an unprecedented theft that exposed the vulnerabilities of the system.

The agreement, set to be finalised on Saturday, will come just days after the United States charged two intelligence agents from Russia, another G20 member, with masterminding the 2014 theft of 500 million Yahoo accounts.

The indictment was the first time U.S. authorities have criminally charged Russian spies for cyber offences, including computer fraud, economic espionage, theft of trade secrets, and wire fraud.

The charges came amid a swirl of controversies relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of U.S. President Donald Trump.

In the banking world, attacks through the global SWIFT bank transfer system have continued to increase, with the network recording a “meaningful” number of attacks, about a fifth of them resulting in stolen funds, since the Bangladesh heist, the firm said late last year.

In other highly publicized attacks, retailer Tesco Plc’s banking arm said 2.5 million pounds ($3 million) had been stolen from 9,000 customers last year while hackers also stole more than 2 billion rubles ($34 million) from correspondent accounts at the Russian central bank and from accounts in commercial banks.

The European Union is considering testing banks’ defenses against cyber attacks with concerns growing about the industry’s vulnerability to hacking.

(Editing by Julia Glover)

Global private companies confident, but unprepared for hacking threat: PwC

LONDON (Reuters) – The chief executives of some of the world’s leading private companies are confident about their firms’ prospects and plan to recruit more staff, but are ill-prepared for cyber attacks, according to a report by PwC on Thursday.

The “Undaunted, but underprepared?” report found 86 percent of CEOs were confident about their companies’ revenue prospects in 2017, an increase of 5 percent from last year.

That made it the first time in five years that private company bosses were more confident than public company CEOs.

The report, based on responses from 781 private company CEOs in 79 countries, also found that 41 percent of private company CEOs were not concerned about cyber threats and only 68 percent were concerned about the speed of technological change.

Stephanie Hyde, Global Entrepreneurial and Private Business Leader for PwC UK, said it was worrying that private company CEOs were less concerned about technology and cyber compared to their public counterparts, as they had fewer resources available to invest in addressing these issues.

“This may make them more vulnerable to cyber attacks, so in theory they should be more concerned about these threats, not less,” she said.

“In our view, this is probably the single most worrying finding in our report, especially in light of growing evidence that hackers are now targeting smaller and private businesses, thinking they will not be so well protected.”

(Reporting by Michael Holden)

U.S. indicts Russian spies, hackers over massive Yahoo hack

Acting AAG for National Security Mary McCord speaks in front of a poster of a suspected Russian hacker during FBI National Security Division and the U.S. Attorney's Office for the Northern District of California joint news conference at the Justice Department in Washington, U.S., March 15, 2017. REUTERS/Yuri Gripas

By Dustin Volz

WASHINGTON (Reuters) – The U.S. government on Wednesday unsealed charges against two Russian spies and two criminal hackers for allegedly pilfering 500 million Yahoo user accounts in 2014.

The indictments, announced at a news conference in Washington, represent the first time the U.S. government has criminally charged Russian officials for cyber offenses.

The contents of at least 30 million accounts were accessed as part of a spam campaign and at least 18 people who used other internet service providers, such as Google, were also victimized, the government charged.

The officers of the FSB, Russia’s Federal Security Service, which is a successor to the KGB, were identified as Dmitry Dokuchaev and his superior, Igor Sushchin, the government said.

Both men are in Russia, it said.

Alexsey Belan, who is on the list of most-wanted cyber criminals, and Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, were also named in the indictment.

The Justice Department said Baratov was arrested in Canada on Tuesday and his case is pending with Canadian authorities.

Belan was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the Justice Department.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale,” said Acting Assistant Attorney General Mary McCord.

McCord said the hacking campaign was waged by the FSB to collect intelligence but that the two hackers used the collected information as an opportunity to “line their pockets.”

The United States does not have an extradition treaty with Russia, but McCord said she was hopeful Russian authorities would cooperate in bringing criminals to justice. The United States often charges cyber criminals with the intent of deterring future state-sponsored activity.

The administration of former President Barack Obama brought similar charges against Chinese and Iranian hackers who have not been extradited.

The 47-count indictment includes conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identity theft.

The charges are not related to the hacking of Democratic Party emails during the 2016 U.S. presidential election. Intelligence agencies have said they were carried out by Russia to help the campaign of Republican candidate Donald Trump.

Yahoo said when it announced the then-unprecedented breach last September that it believed the attack was state-sponsored, and on Wednesday the company said the indictment “unequivocally shows” that to be the case.

Yahoo in December also announced a breach that occurred in 2013 affecting one billion accounts, though it has not linked that intrusion to the one in 2014.

The Russian hacking conspiracy, which began as early as 2014, allowed Belan to use his relationship with the Russian spy agency and access to Yahoo’s network to engage in financial crimes, according to the indictment.

The breaches were the latest in a series of setbacks for the Internet pioneer, which has fallen on hard times in recent years after being eclipsed by younger, fast-growing rivals including Alphabet Inc’s Google and Facebook Inc.

Yahoo’s disclosure of the years-old cyber invasions and its much-criticized slow response forced it to accept a discount of $350 million in what had been a $4.83 billion deal to sell its main assets to Verizon Communications Inc.

Shares of Yahoo were down 0.9 percent.

“We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cyber crime,” Chris Madsen, Yahoo’s assistant general counsel, said in a statement.

(Reporting by Dustin Volz and Joseph Menn; Additional reporting by Julia Edwards; Editing by Jeffrey Benkoe and James Dalgleish)

China warns against cyber ‘battlefield’ in internet strategy

A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. REUTERS/Edgar Su

BEIJING (Reuters) – The strengthening of cyber capabilities is an important part of China’s military modernization, the government said on Wednesday, warning that the internet should not become “a new battlefield”.

China, home to the largest number of internet users, has long called for greater cooperation among countries in developing and governing the internet, while reiterating the need to respect “cyber sovereignty”.

But Beijing, which operates the world’s most sophisticated online censorship mechanism, known elsewhere as the “Great Firewall”, has also signaled that it wants to rectify “imbalances” in the way standards across cyberspace are set.

“The building of national defense cyberspace capabilities is an important part of China’s military modernization,” the Foreign Ministry and the Cyberspace Administration of China, the country’s internet regulator, said in a strategy paper on the ministry’s website.

China will help the military in its important role of “safeguarding national cyberspace sovereignty, security and development interests” and “hasten the building of cyberspace capabilities”, they said, but also called on countries to “guard against cyberspace becoming a new battlefield”.

Countries should not engage in internet activities that harm nations’ security, interfere in their internal affairs, and “should not engage in cyber hegemony”.

“Enhancing deterrence, pursuing absolute security and engaging in a (cyber) arms race – this is a road to nowhere,” Long Zhao, the Foreign Ministry’s coordinator of cyberspace affairs, said at a briefing on the strategy.

“China is deeply worried by the increase of cyber attacks around the world,” Long said.

The United States has accused China’s government and military of cyber attacks on U.S. government computer systems. China denies the accusations and says it is a victim of hacking.

A cyber attack from China crashed the website of South Korea’s Lotte Duty Free on Thursday, a company official said, at a time when South Korean firms are reporting difficulties in China following the deployment of a U.S. missile defense system in South Korea that China objects to.

While China’s influence in global technology has grown, its ruling Communist Party led by President Xi Jinping has presided over broader and more vigorous efforts to control and censor the flow of information online.

The “Great Firewall” blocks many social media services, such as Twitter, Facebook, YouTube, Instagram, Snapchat and Google, along with sites run by human rights groups and those of some foreign media agencies.

Chinese officials say the country’s internet is thriving and controls are needed for security and stability.

(Reporting by Michael Martina and Catherine Cadell; Editing by Nick Macfie)

EU needs common approach on testing banks’ cyber-risks: Dombrovskis

European Commission Vice-President Valdis Dombrovskis addresses a news conference on the European Semester Winter Package in Brussels, Belgium February 22, 2017. REUTERS/Francois Lenoir

BRUSSELS (Reuters) – European Union countries should test bank defenses against cyber-attacks using a common set of requirements, a senior EU official said on Tuesday, as the bloc plans measures to boost the retail market for financial products.

Cyber attacks against banks have increased in numbers and sophistication in recent years, raising questions on lenders’ capacity to protect their customers.

Seeking to reassure savers and strengthen financial stability, several EU countries are conducting tests on banks’ security systems, but EU authorities warned national initiatives may be less effective and more costly than a common EU approach.

“We want to avoid a proliferation of testing obligations that operate in different countries,” the EU commission’s vice president Valdis Dombrovskis told a conference in Brussels.

“We believe tests that meet comparable standards should be recognized across borders,” he added. This could pave the way for common stress-tests carried out at EU level, as suggested by EU officials in past weeks.

The call for higher cyber-security comes as the Commission prepares a policy action plan on retail financial services, such as insurance, loans and payments, that will be released in the coming weeks.

Dombrovskis said the plan would encourage the use of remote identification schemes, such as e-signature and e-identification, to try to boost consumers’ access to financial services and lower costs.

It will also attempt to facilitate the take-up of new technologies in the financial sector, where emerging fintech companies are challenging traditional actors in a range of services, including payments and insurance.

“Our focus should be on removing barriers to market entry and keeping our legislation proportionate,” Dombrovskis said, noting that changes may create new risks that need to be addressed with greater sharing of information among financial firms and common testing of security systems.

(Reporting by Francesco Guarascio; Editing by Keith Weir)