Hackers release files indicating NSA monitored global bank transfers

FILE PHOTO: Swift code bank logo is displayed on an iPhone 6s among Euro banknotes in this picture illustration January 26, 2016. REUTERS/Dado Ruvic/File Photo

By Clare Baldwin

(Reuters) – Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks.

The release included computer code that could be adapted by criminals to break into SWIFT servers and monitor messaging activity, said Shane Shook, a cyber security consultant who has helped banks investigate breaches of their SWIFT systems.

The documents and files were released by a group calling themselves The Shadow Brokers. Some of the records bear NSA seals, but Reuters could not confirm their authenticity.

The NSA could not immediately be reached for comment.

Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said.

In a statement to Reuters, Microsoft <MSFT.O>, maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen.

“Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers,” the company said.

The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama’s staff, companies were usually warned about dangerous flaws.

Shook said criminal hackers could use the information released on Friday to hack into banks and steal money in operations mimicking a heist last year of $81 million from the Bangladesh central bank.

“The release of these capabilities could enable fraud like we saw at Bangladesh Bank,” Shook said.

The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday.

SWIFT said it regularly releases security updates and instructs client banks on how to handle known threats.

“We mandate that all customers apply the security updates within specified times,” SWIFT said in a statement.

SWIFT said it had no evidence that the main SWIFT network had ever been accessed without authorization.

It was possible that the local messaging systems of some SWIFT client banks had been breached, SWIFT said in a statement, which did not specifically mention the NSA.

When cyberthieves robbed the Bangladesh Bank last year, they compromised that bank’s local SWIFT network to order money transfers from its account at the New York Federal Reserve.

The documents released by the Shadow Brokers on Friday indicate that the NSA may have accessed the SWIFT network through service bureaus. SWIFT service bureaus are companies that provide an access point to the SWIFT system for the network’s smaller clients and may send or receive messages regarding money transfers on their behalf.

“If you hack the service bureau, it means that you also have access to all of their clients, all of the banks,” said Matt Suiche, founder of the United Arab Emirates-based cybersecurity firm Comae Technologies, who has studied the Shadow Brokers’ releases and believes the group has access to NSA files.

The documents posted by the Shadow Brokers include Excel files listing computers on a service bureau network, user names, passwords and other data, Suiche said.

“That’s information you can only get if you compromise the system,” he said.

ATTEMPT TO MONITOR FLOW OF MONEY

Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show “the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorist groups”.

Since the early 1990s, interrupting the flow of money from Saudi Arabia, the United Arab Emirates and elsewhere to al Qaeda, the Taliban, and other militant Islamic groups in Afghanistan, Pakistan and other countries has been a major objective of U.S. and allied intelligence agencies.

Mustafa Al-Bassam, a computer science researcher at University College London, said on Twitter that the Shadow Brokers documents show that the “NSA hacked a bunch of banks, oil and investment companies in Palestine, UAE, Kuwait, Qatar, Yemen, more.”

He added that NSA “completely hacked” EastNets, one of two SWIFT service bureaus named in the documents that were released by the Shadow Brokers.

Reuters could not independently confirm that EastNets had been hacked.

EastNets, based in Dubai, denied it had been hacked in a statement, calling the assertion “totally false and unfounded.”

EastNets ran a “complete check of its servers and found no hacker compromise or any vulnerabilities,” according to a statement from EastNets’ chief executive and founder, Hazem Mulhim.

In 2013, documents released by former NSA contractor Edward Snowden said the NSA had been able to monitor SWIFT messages.

The agency monitored the system to spot payments intended to finance crimes, according to the documents released by Snowden.

Reuters could not confirm whether the documents released Friday by the Shadow Brokers, if authentic, were related to NSA monitoring of SWIFT transfers since 2013.

Some of the documents released by the Shadow Brokers were dated 2013, but others were not dated.

The documents released by the hackers did not clearly indicate whether the NSA had actually used all the techniques cited for monitoring SWIFT messages.

(Additional reporting by Tom Bergin in London; Dustin Volz and John Walcott in Washington; Joseph Menn in San Francisco; and Jim Finkle in Buffalo, New York; Editing by Brian Thevenot and Cynthia Osterman)

China draft cyber law mandates security assessment for outbound data

BEIJING (Reuters) – China’s top cyber authority on Tuesday released a draft law that would require firms exporting data to undergo an annual security assessment, in the latest of several recent safeguards against threats such as hacking and terrorism.

Any business transferring data of over 1,000 gigabytes or affecting over 500,000 users would be assessed on its security measures and on the potential of the data to harm national interests, according to the draft from the Cyberspace Administration of China (CAC).

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

It is also an extension of legislation passed in November formalizing a range of controls over firms that handle data in industries the government deems critical to national interests.

Business groups have criticized the November law, which takes effect in June, calling its rules “vague” and claiming they unfairly target foreign companies with stringent requirements.

Chinese officials denied that the November law targets foreign firms.

Under the rules released on Tuesday, sensitive geographic data such as information on marine environments would also be subject to scrutiny. Destination countries and the likelihood of overseas tampering would also be factored into any assessment.

The draft is open for public comment until May 11.

(Reporting by Cate Cadell; Editing by Christopher Cushing)

U.S. trade group hacked with Chinese software ahead of Xi summit

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

By Joseph Menn

SAN FRANCISCO (Reuters) – A sophisticated hacking group that pursues Chinese government interests broke into the website of a private U.S. trade group ahead of Thursday’s summit between U.S. President Donald Trump and Chinese President Xi Jinping, according to researchers.

The hackers left a malicious link on web pages where members of the National Foreign Trade Council (NFTC) register for upcoming meetings, according to researchers at Fidelis Cybersecurity and a person familiar with the trade group.

The nonprofit NFTC is a prominent advocate on international trade policy, with corporate members including Wal-Mart Stores Inc <WMT.N>, Johnson & Johnson <JNJ.N>, Amazon.com Inc <AMZN.O>, Ford Motor Co <F.N> and Microsoft Corp <MSFT.O>.

The malicious link deployed a spying tool called Scanbox, which would have recorded the type and versions of software running on the computers of those exposed to it, said Fidelis researcher John Bambenek. Such reconnaissance is typically followed by new attacks using known flaws in the detected software, especially older versions.
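The defensive counterpart to the injected link described above is a routine check that every script, frame and link on a public page points only at hosts the site owner expects. The following is an added example, not code from Fidelis, the NFTC or the article; the sample page, the hostnames in it and the allowlist are constructed placeholders, and the injected `script` and `javascript:` references stand in for the kind of foreign link the researchers describe, not for any real Scanbox infrastructure.

```python
"""Flag externally hosted scripts, frames and links on an HTML page that are
not on the site's allowlist, plus script-bearing URL schemes.

Added example with a constructed sample page; hostnames are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags and attributes that can pull in code or redirect a visitor.
WATCHED = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "a": ("href",),
    "object": ("data",),
    "embed": ("src",),
}

# URL schemes whose "target" is code rather than a host.
CODE_SCHEMES = {"javascript", "data"}


class ExternalRefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every watched reference, in page order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for wanted in WATCHED.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self.refs.append((tag, name, value.strip()))


def find_unexpected_refs(html, site_host, allowed_hosts):
    """Return [(tag, attr, url, reason)] for references that leave the
    page's own origin or the allowlist.  Relative URLs are same-origin and
    are ignored; protocol-relative URLs (//host/...) are resolved to a host."""
    collector = ExternalRefCollector()
    collector.feed(html)
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for tag, attr, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme.lower() in CODE_SCHEMES:
            findings.append((tag, attr, url, "script-bearing URL scheme"))
            continue
        host = parts.hostname
        if host is None:
            continue  # relative reference: served by the site itself
        if host.lower() not in allowed:
            findings.append((tag, attr, url, f"unexpected host {host}"))
    return findings


# Constructed sample: a registration page with two injected references.
# 203.0.113.7 is a documentation (TEST-NET-3) address used as a placeholder.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.example-trade-group.test/js/register.js"></script>
<script src="https://cdn.allowed-analytics.test/a.js"></script>
</head><body>
<form action="/register"><input name="email"></form>
<a href="https://www.example-trade-group.test/events">Events</a>
<!-- injected: a third-party script the site never deployed -->
<script type="text/javascript" src="//203.0.113.7/i/jquery.js"></script>
<a href="javascript:window.location='http://bad.example/'">Register here</a>
</body></html>"""

SITE_HOST = "www.example-trade-group.test"
ALLOWED_THIRD_PARTIES = ["cdn.allowed-analytics.test"]


if __name__ == "__main__":
    for tag, attr, url, reason in find_unexpected_refs(
        SAMPLE_PAGE, SITE_HOST, ALLOWED_THIRD_PARTIES
    ):
        print(f"<{tag} {attr}={url!r}>: {reason}")
```

Run against a saved copy of each public page (a scheduled fetch is enough), the check turns a silent defacement into an alert; the allowlist is the part that needs maintaining, since every legitimate analytics or CDN host added without updating it will show up as a finding.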

Scanbox has only been used by groups associated with the Chinese government, Fidelis said, and was recently seen on a political site aimed at Uyghurs, an ethnic minority under close government scrutiny in China.

The breach was detected about five weeks ago by an NFTC director who is a customer of Fidelis, the security company said. Both the Federal Bureau of Investigation and the NFTC were notified and the malicious link removed, and Fidelis said it had no evidence of NFTC members being infected.

The FBI and the NFTC declined to comment. A spokesman for the Chinese foreign ministry did not respond to a request for comment.

Bambenek said he believed the attack was classic espionage related to international trade talks, rather than a violation of a 2015 agreement between former U.S. President Barack Obama and Xi to end spying for commercial motives.

The summit starting on Thursday is the first meeting between Xi and Trump, who blamed China on the campaign trail for the loss of many U.S. jobs and vowed to confront the country’s leaders on the matters of trade and currency manipulation.

“I think it’s traditional espionage that happens ahead of any summit,” said Bambenek. “They would like to know what we, the Americans, really care about and use that for leverage.”

Other security firms agreed that wholesale theft of U.S. intellectual property has not returned.

Instead, FireEye Inc <FEYE.O> and BAE Systems Plc <BAES.L> said that the hacking group identified by Fidelis, called APT10, has recently attacked government and commercial targets in Europe.

FireEye researcher John Hultquist said heavy industries in Nordic countries have been hacked more often as Beijing switches priorities.

“They are certainly taking those resources and pushing them to other places where they can still get away with this behavior,” Hultquist said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Dustin Volz in Washington; Editing by Bill Rigby)

German military can use ‘offensive measures’ against cyber attacks: minister

German Defence Minister Ursula von der Leyen in Berlin, Germany, March 22, 2017. REUTERS/Fabrizio Bensch

BERLIN (Reuters) – The German military has the authority to respond with “offensive measures” if its computer networks are attacked, German Defence Minister Ursula von der Leyen said on Wednesday, amid growing concerns among German lawmakers about control of such actions.

Von der Leyen, speaking at the opening ceremony for Germany’s new cyber command in Bonn, gave no details of what kind of retaliation she had in mind.

“If the German military’s networks are attacked, then we can defend ourselves. As soon as an attack endangers the functional and operational readiness of combat forces, we can respond with offensive measures,” she said.

She added that the German military could be called in to help in the event of cyber attacks on other governmental institutions. During foreign missions, its actions would be governed and bounded by the underlying parliamentary mandate.

Any legal questions would be addressed by the military in close cooperation with other government agencies, she added.

The new Bonn-based command has an initial staff of 260 that will grow to around 13,500 in July.

Von der Leyen’s decision to sanction offensive cyber actions in principle has caused some concerns among German lawmakers, including Agnieszka Brugger, a member of the pro-environment Greens and member of the defense committee.

Military ombudsman Hans-Peter Bartels, who fields complaints from soldiers for parliament, told the Neue Osnabruecker Zeitung newspaper on Wednesday that every offensive measure required explicit approval by the parliament since Germany’s military is a so-called “parliamentary army”.

German officials told reporters earlier this week that the government was scrambling to respond to serious and growing cyber threats, but civilian officials said they lacked the legal framework to retaliate with cyber attacks of their own.

However, von der Leyen made clear on Wednesday that she was convinced the authorities were clear in the military realm.

Deputy Defence Minister Katrin Suder told reporters on Monday that existing laws applied, even in cyberspace.

Von der Leyen said Berlin was increasing expenditure to keep up with technical innovations.

Germany’s current military budget included 1.6 billion euros for information technology-related items, ranging from new radios and hardware to service contracts, and spending was slated to increase significantly in 2018, she said.

The military also spent around 1 billion euros a year on personnel.

(Reporting by Andrea Shalal; Editing by Stephen Powell)

UK and Swedish watchdogs warn of international cyber attack

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

STOCKHOLM (Reuters) – A large-scale cyber attack from a group targeting organizations in Japan, the United States, Sweden and many other European countries through IT services providers has been uncovered, the Swedish computer security watchdog said on Wednesday.

The cyber attack, uncovered through a collaboration by Britain’s National Cyber Security Centre, PwC and cyber security firm BAE Systems, targeted managed service providers to gain access to their customers’ internal networks since at least May 2016 and potentially as early as 2014.

The exact scale of the attack, named Cloud Hopper and attributed to a group called APT10, is not known but is believed to involve huge amounts of data, Sweden’s Civil Contingencies Agency said in a statement. The agency did not say whether the cyber attacks were still happening.

“The high level of digitalization in Sweden, along with the amount of services outsourced to managed service providers, means that there is great risk that several Swedish organizations are affected by the attacks,” the watchdog said.

The agency said those behind the attacks had used significant resources to identify their targets and sent sophisticated phishing e-mails to infect computers.

It also said Swedish IP addresses had been used to coordinate the incursions and retrieve stolen data and that APT10 specifically targeted IT, communications, healthcare, energy and research sectors.

(Reporting by Johan Ahlander; Editing by Niklas Pollard and Stephen Powell)

McDonald’s Canada says 95,000 affected in careers website hack

A Canadian flag waves beside McDonalds fast food restaurant in Toronto, May 1, 2014. REUTERS/Mark Blinch

(Reuters) – McDonald’s Corp’s <MCD.N> Canadian unit said on Friday personal information of about 95,000 restaurant job applicants was compromised in a cyber attack on its careers website.

The information included names, addresses, email addresses, phone numbers and employment backgrounds of candidates who applied online for jobs at McDonald’s Canada restaurants between March 2014 and March 2017.

The careers website was shut down after McDonald’s learned of the attack, and will remain closed until an ongoing investigation is complete, the unit said.

The company said it currently had no evidence that the information taken had been misused.

McDonald’s Canada said its job application forms do not ask for sensitive personal information such as social insurance numbers, banking or health information.

McDonald’s said earlier this month its official Twitter handle was compromised after a tweet sent from the account slammed U.S. President Donald Trump.

(Reporting by Vishaka George and Anya George Tharakan in Bengaluru; Editing by Sai Sachin Ravikumar)

German military to unveil new cyber command as threats grow

BERLIN (Reuters) – Germany’s military will launch a cyber command next week as part of an effort to beef up online defenses at a time when German spy agencies are warning of increasing cyber attacks by Russia.

The German military remains a high-value target for hackers, with some 284,000 complex and professional would-be attacks registered in the first nine weeks of 2017, a ministry spokesman said. No damage had been reported thus far, he added.

Cyber attacks on militaries are rising worldwide, with many now creating separate commands to tackle the issue.

NATO, which says it has seen a five-fold increase in suspicious events on its networks in the past three years, agreed last June to designate cyber as an official operational domain of warfare, along with air, land and sea.

The new German command will be based in Bonn with an initial staff of 260, growing to around 13,500 in July when the military’s current strategic reconnaissance command and centers for operational communication and geo-information are folded in.

By 2021, the command is due to have a total of 14,500 positions, including 1,500 civilian jobs.

“The expansion of cyber capabilities is an essential contribution to the government’s overall security posture, and offers additional opportunities for preventing conflicts and dealing with crises to include hybrid threats,” the ministry spokesman said.

Defence Minister Ursula von der Leyen will name Lieutenant General Ludwig Leinhos to head the new Cyber and Information Space Command – the sixth major wing of the military in addition to the navy, army, air force, medical service and joint forces.

Chancellor Angela Merkel this month said protecting German infrastructure from potential cyber attacks was a top priority.

In December, Germany’s domestic and foreign intelligence agencies cited increasing Russian cyber attacks against political parties, as well as propaganda and disinformation campaigns aimed at destabilizing German society.

Russia denies engaging in such attacks.

(Reporting by Andrea Shalal; editing by Mark Heinrich)

Bangladesh Bank heist was ‘state-sponsored’: U.S. official

Lamont Siller, the legal attache at the U.S. embassy in the Philippines speaks during a cyber security forum in Manila, Philippines March 29, 2017. REUTERS/Karen Lema

MANILA (Reuters) – The heist of $81 million from the Bangladesh central bank’s account at the New York Federal Reserve last year was “state-sponsored,” an FBI officer in the Philippines, who has been involved in the investigations, said on Wednesday.

Lamont Siller, the legal attache at the U.S. embassy, did not elaborate but his comments in a speech in Manila are a strong signal that authorities in the United States are close to naming who carried out one of the world’s biggest cyber heists.

Last week, officials in Washington, speaking on condition of anonymity, blamed North Korea.

“We all know the Bangladesh Bank heist, this is just one example of a state-sponsored attack that was done on the banking sector,” Siller told a cyber security forum.

An official briefed on the probe told Reuters in Washington last week that the FBI believes North Korea was responsible for the heist. The official did not give details.

The Wall Street Journal reported U.S. prosecutors were building potential cases that would accuse North Korea of directing the heist, and would charge alleged Chinese middlemen.

The FBI has been leading an international investigation into the February 2016 heist, in which hackers breached Bangladesh Bank’s systems and used the SWIFT messaging network to order the transfer of nearly $1 billion from its account at the New York Fed.

The U.S. central bank rejected most of the requests but filled some of them, resulting in $81 million being transferred to bank accounts in the Philippines. The money was quickly withdrawn and later disappeared in the huge casino industry in the country.

There have been no arrests in the case.

A Chinese casino owner in the Philippines told a Senate inquiry that he took millions of dollars from two Chinese high-rollers in February. He said the two men were responsible for transferring the stolen money from Dhaka to Manila.

Philippine investigators have filed criminal charges at the country’s Department of Justice (DOJ) against several individuals and a remittance company for money laundering in connection with the heist.

None of these cases have yet been filed in court, however.

Siller said the FBI was working closely with the Philippines government “to ensure those responsible for the attack do not go unpunished.”

“So for us in the FBI, it is never over. We are going to bring these individuals to justice so that we can show others that you may be able to muster such attacks, even state-sponsored, but you will not get away with it in the end.”

(Reporting by Karen Lema; Editing by Raju Gopalakrishnan)

German parliament foiled cyber attack by hackers via Israeli website

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files

BERLIN (Reuters) – The German parliament was the target of fresh cyber attacks in January that attempted to piggy-back on an Israeli newspaper site to target politicians in Germany, Berlin’s cyber security watchdog said on Wednesday.

Cyber defenses installed after a 2015 hack of the parliament helped avert the attempted breaches, the Federal Office for Information Security (BSI) said in a statement.

The hackers appeared to use advertising running on the Jerusalem Post website to redirect users to a malicious site, it said.

The BSI looked into unusual activity on the parliament’s network early this year and has just completed a detailed analysis of the incident, which was first reported by the Sueddeutsche Zeitung newspaper on Wednesday.

At least 10 German lawmakers from all parliamentary groups were affected by the attempted hack, the Munich daily reported.

“The technical analysis is complete. The website of the Jerusalem Post was manipulated and had been linked to a malicious third party site,” the agency said in a statement.

“BSI found no malware or infections as part of its analysis of the Bundestag networks.”

The Jerusalem Post confirmed details of the attack with Reuters, but said no malware came from its own site and that it was fully protected against such attacks in the future.

“The Jerusalem Post website was attacked in January by foreign hackers,” the publisher said in a statement. “We immediately took action and together with Israeli cyber authorities successfully neutralized the threat.”

Hackers can use infected banner advertisements to attack otherwise safe or secure sites. So-called “malvertising” appeared to be served up to the site via an unidentified third-party advertising network.

There was no suggestion from the German agency of any wrongdoing by the Jerusalem Post.

“SPEAR-PHISHING”

Security expert Graham Cluley said such “spear-phishing” attacks via malicious ads are highly unusual, but possible.

In this instance, the Jerusalem Post site could have served up German language ads to visitors with German internet addresses. However, he said it was unlikely this could be used to target specific politicians in Berlin.

This latest attack comes amid growing concern in Germany about cyber security and reports that Russia is working to destabilize the German government and could seek to interfere in the upcoming Sept. 24 national elections.

The Bundestag lost 16 gigabytes of data to Russian hackers in 2015, after which it revamped its software system with the help of the BSI and private contractors.

“The BSI believes that the defenses of the German Bundestag detected and prevented links to the website. The attack was therefore averted,” BSI President Arne Schoenbohm said in a statement.

A source familiar with the incident said it did not appear to be linked to APT28, a Russian hacking group also known as “Fancy Bear” that was blamed for the 2015 Bundestag hack and the 2016 hack of the U.S. Democratic National Committee.

(Reporting by Andrea Shalal in Berlin, Eric Auchard in London and Luke Baker in Jerusalem; Editing by Tom Heneghan)

London attack a ‘wake-up’ call for tech firms to put house in order: police

Police on horseback patrol near Westminster Bridge in London, Britain, March 29, 2017. REUTERS/Peter Nicholls

By Michael Holden

LONDON (Reuters) – The London attack which left four people dead was a “wake up call” for technology firms to get their house in order over extremist material being circulated on the internet, the acting head of London’s police force said on Wednesday.

The comments from Craig Mackey, acting Commissioner of the Metropolitan Police, come after calls from politicians for tech firms, mainly based in the United States, to cooperate more with the authorities.

“I think these sorts of incidents and the others we’ve seen in Europe are probably a bit of a wake-up call for the industry in terms of trying to understand what it means to put your own house in order,” Mackey told the London Assembly’s Police and Crime Committee.

“If you are going to have an ethical statement and talk about operating in an ethical way, it actually has to mean something. That is the sort of thing that obviously politicians and others will push now.”

The British government and a series of well-known British brands such as Marks and Spencer Group Plc had already suspended digital advertising with Alphabet Inc’s Google before the attack because ads were appearing alongside videos on its YouTube platform with homophobic or anti-Semitic messages.

They have since been joined by U.S. wireless carriers Verizon Communications Inc and AT&T Inc. The action has prompted Google to apologize and review its advertising practices.

London police already have a specialist unit which aims to remove extremist material but Mackey said “the internet was never designed to be policed as such”.

British officials have also demanded tech firms do more to allow police access to smartphone communications after reports that Khalid Masood had used encrypted messaging via WhatsApp before he drove a rented car into pedestrians on Westminster Bridge and stabbed to death a police officer by parliament.

“We work hard with the industry to highlight the challenges of these very secure applications,” Mackey said. “It’s a challenge when you are dealing with companies that are global by their very nature because they don’t always operate under the same legal framework as us.”

Regarding the police’s ongoing inquiry into last week’s attack, Mackey said detectives still believed Masood had acted alone. So far 12 people have been arrested, with two still in police custody.

Mackey also said there had been a “slight uplift” in hate crimes directed at Muslims but not on the scale seen after previous similar incidents.

(Editing by Stephen Addison)