Kansas nuclear operator is victim in hacking spree: Bloomberg

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

By Jim Finkle

(Reuters) – Hackers recently breached a Kansas nuclear power operator as part of a campaign that breached at least a dozen U.S. power firms, Bloomberg News reported on Thursday, citing current and former U.S. officials who were not named.

The Wolf Creek nuclear facility in Kansas was breached in the attack, according to Bloomberg.

A representative with the Wolf Creek Nuclear Operating Corp declined to say if the plant was hacked, but said it continued to operate safely.

“There has been absolutely no operational impact to Wolf Creek. The reason that is true is because the operational computer systems are completely separate from the corporate network,” company spokeswoman Jenny Hageman said in an email to Reuters.

The report identified the first known victims of a hacking campaign targeting the power sector that was first reported by Reuters on June 30. The attacks were described in a confidential June 28 U.S government alert to industrial firms, warning them of a hacking campaign targeting the nuclear, power and critical infrastructure sectors.

The U.S. Department of Homeland Security and Federal Bureau of Investigation said that hackers had succeeded in compromising networks of some targets, but did not name victims. The government also released a 30-page bulletin with advice on how firms could bolster security to defend against the attacks.

The alert said that hackers have been observed using tainted emails to harvest credentials to gain access to networks of their targets.

“Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.

Homeland Security and the FBI issued a statement to Reuters late on Thursday saying that the alert was part of an ongoing effort to advise industry of cyber threats.

“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” the agencies said.

A nuclear industry spokesman told Reuters on Saturday that hackers have never gained access to a nuclear plant.

The Homeland Security technical bulletin included details of code used in a hacking tool that suggest the hackers sought to use the password of a Wolf Creek employee to access the network.

Hageman declined to say if hackers had gained access to that employee’s account. The employee could not be reached for comment.

(Reporting by Jim Finkle in Toronto; Additional reporting by Dustin Volz in Washington; Editing by Bernard Orr)

Private not state hackers likely to have targeted UK parliament: sources

FILE PHOTO - The Union Flag flies near the Houses of Parliament in London, Britain, June 7, 2017. REUTERS/Clodagh Kilcoyne/File Photo

LONDON (Reuters) – A cyber attack on email accounts of British lawmakers last month is likely to have been by amateur or private hackers rather than state-sponsored, European government sources said.

The private email accounts of up to 90 of the 650 members of Britain’s House of Commons were targeted in late June, with some news reports suggesting that the attack was carried out by a foreign government, such as Russia.

However, cyber security experts had found that the hackers only managed to access accounts of lawmakers who used primitive and easily discovered passwords, the sources, who are familiar with the investigations into the attacks, said.

It remains unclear who did carry out the attack, they added.

Investigators hope the hack will convince politicians and other public figures to use more sophisticated passwords for their email and other online activities.

British authorities are not commenting publicly on the progress of investigations, but an official cautioned after the hack was discovered that “cyber threats to the UK come from criminals, terrorists, hacktivists as well as nation states.”

(Reporting by Mark Hosenball; Editing by Alexander Smith)

Ukraine software firm says computers compromised after cyber attack

FILE PHOTO - A projection of cyber code on a hooded man is pictured in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

KIEV (Reuters) – The Ukrainian software firm at the center of a cyber attack that spread around the world last week said on Wednesday that computers which use its accounting software are compromised by a so-called “backdoor” installed by hackers during the attack.

The backdoor has been installed in every computer that wasn’t offline during the cyber attack, said Olesya Bilousova, the chief executive of Intellect Service, which developed M.E.Doc, Ukraine’s most popular accounting software.

Last week’s cyber attack spread from Ukraine and knocked out thousands of computers, disrupting shipping and shut down a chocolate factory in Australia as it reached dozens of countries around the world.

Ukrainian politicians were quick to blame Russia for a state-sponsored hack, which Moscow denied, while Ukranian cyber police and some experts say the attack was likely a smokescreen for the hackers to install new malware.

The Ukrainian police have seized M.E.Doc’s servers and taken them offline. On Wednesday morning they advised every computer using M.E.Doc software to be switched off. M.E.Doc is installed in around 1 million computers in Ukraine, Bilousova said.

“… the fact is that this backdoor needs to be closed. There was a hacking of servers,” Bilousova told reporters.

“As of today, every computer which is on the same local network as our product is a threat. We need to pay the most attention to those computers which weren’t affected (by the attack). The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”

(Reporting by Jack Stubbs; writing by Matthias Williams; Editing by Toby Chopra)

Police seize servers of Ukrainian software firm after cyber attack

A view shows a laptop display (R) showing part of a code, which is the component of Petya malware computer virus according to representatives of Ukrainian cyber security firm ISSP, with an employee working nearby at the firm's office in Kiev, Ukraine July 4, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

KIEV (Reuters) – Ukrainian police on Tuesday seized the servers of an accounting software firm suspected of spreading a malware virus which crippled computer systems at major companies around the world last week, a senior police official said.

The head of Ukraine’s Cyber Police, Serhiy Demedyuk, told Reuters the servers of M.E.Doc – Ukraine’s most popular accounting software – had been seized as part of an investigation into the attack.

Though they are still trying to establish who was behind last week’s attack, Ukrainian intelligence officials and security firms have said some of the initial infections were spread via a malicious update issued by M.E.Doc, charges the company’s owners deny.

The owners were not immediately available for comment on Tuesday.

Premium Service, which says it is an official dealer of M.E.Doc’s software, wrote a post on M.E.Doc’s Facebook page saying masked men were searching M.E.Doc’s offices and that the software firm’s servers and services were down.

Premium Service could not be reached for further comment.

Cyber Police spokeswoman Yulia Kvitko said investigative actions were continuing at M.E.Doc’s offices, adding that further comment would be made on Wednesday.

The police move came after cyber security investigators unearthed further evidence on Tuesday that the attack had been planned months in advance by highly-skilled hackers, who they said had inserted a vulnerability into the M.E.Doc progamme.

Ukraine also took steps on Tuesday to extend its state tax deadline by one month to help businesses hit by the malware assault.

Researchers at Slovakian security software firm ESET said they had found a “backdoor” written into some of M.E.Doc’s software updates, likely with access to the company’s source code, which allowed hackers to enter companies’ systems undetected.

“VERY STEALTHY AND CUNNING”

“We identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules,” ESET senior malware researcher Anton Cherepanov said in a technical note. “It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.”

“This was a thoroughly well-planned and well-executed operation,” he said.

ESET said at least three M.E.Doc updates had been issued with the “backdoor vulnerability”, and the first one was sent to clients on April 14, more than two months before the attack.

ESET said the hackers likely had access to M.E.Doc’s source code since the beginning of the year, and the detailed preparation before the attack was testament to the advanced nature of their operation.

Oleg Derevianko, board chairman at Ukrainian cyber security firm ISSP, said an update issued by M.E.Doc in April delivered a virus to the company’s clients which instructed computers to download 350 megabytes of data from an unknown source on the internet.

The virus then exported 35 megabytes of company data to the hackers, he told Reuters in an interview at his office in Kiev.

“With this 35 megabytes you can exfiltrate anything – emails from all of the banks, user accounts, passwords, anything.”

Little known outside Ukrainian accounting circles, M.E.Doc is used by around 80 percent of companies in Ukraine. The software allows its 400,000 clients to send and collaborate on financial documents between internal departments, as well as file them with the Ukrainian state tax service.

Ukraine’s government said on Tuesday it would submit a draft law to parliament for the country’s tax deadline to be extended to July 15, and waive fines for companies who missed the previous June 13 cutoff because of the attack.

“We had program failures in connection to the cyber attack, which meant that businesses were unable to submit account reports on time,” Prime Minister Volodymyr Groysman told a cabinet meeting.

Separately, Ukraine’s security service, the SBU, said it had discussed cyber defense with NATO officials and had received equipment from the alliance to better combat future cyber attacks. Ukraine is not in NATO but is seeking closer ties.

On Saturday Ukrainian intelligence officials accused Russian security services of being behind the attack, and cyber security researchers linked it to a suspected Russian group who attacked the Ukrainian power grid in December 2016.

A Kremlin spokesman dismissed charges of Russian involvement as “unfounded blanket accusations”.

Derevianko said the hacker’s activity in April and reported access to M.E.Doc’s source code showed Ukraine’s computer networks had already been compromised and that the intruders were still operating inside them.

“It definitely tells us about the advanced capabilities of the adversaries,” he said. “I don’t think any additional evidence is needed to attribute this to a nation-state attack.”

(Additional reporting by Natalia Zinets; Writing by Jack Stubbs; Editing by Gareth Jones and Matthias Williams)

U.N. survey finds cybersecurity gaps everywhere except Singapore

FILE PHOTO - A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Tom Miles

GENEVA (Reuters) – Singapore has a near-perfect approach to cybersecurity, but many other rich countries have holes in their defenses and some poorer countries are showing them how it should be done, a U.N. survey showed on Wednesday.

Wealth breeds cybercrime, but it does not automatically generate cybersecurity, so governments need to make sure they are prepared, the survey by the U.N. International Telecommunication Union (ITU) said.

“There is still an evident gap between countries in terms of awareness, understanding, knowledge and finally capacity to deploy the proper strategies, capabilities and programmes,” the survey said.

The United States came second in the ITU’s Global Cybersecurity Index, but many of the other highly rated countries were small or developing economies.

The rest of the top 10 were Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada. Russia ranked 11th. India was 25th, one place ahead of Germany, and China was 34th.

The ranking was based on countries’ legal, technical and organizational institutions, their educational and research capabilities, and their cooperation in information-sharing networks.

“Cybersecurity is an ecosystem where laws, organizations, skills, cooperation and technical implementation need to be in harmony to be most effective,” the survey said.

“The degree of interconnectivity of networks implies that anything and everything can be exposed, and everything from national critical infrastructure to our basic human rights can be compromised.”

The crucial first step was to adopt a national security strategy, but 50 percent of countries have none, the survey said.

Among the countries that ranked higher than their economic development was 57th-placed North Korea, which was let down by its “cooperation” score but still ranked three spots ahead of much-richer Spain.

The smallest rich countries also scored badly – Andorra, Liechtenstein, Monaco and San Marino were all well down the second half of the table. The Vatican ranked 186th out of 195 countries in the survey.

But no country did worse than Equatorial Guinea, which scored zero.

(Reporting by Tom Miles)

Family firm in Ukraine says it was not responsible for cyber attack

Sergei Linnik, general director of Ukrainian software development firm Intellect Service, and his daughter Olesya pose for a picture at the company’s offices in Kiev, Ukraine July 3, 2017. REUTERS/Pavel Polityuk

By Jack Stubbs and Pavel Polityuk

KIEV (Reuters) – Ukrainian company Intellect Service was not responsible for last week’s international cyber attack that brought down the computer systems of several major companies, the father and daughter team told Reuters on Monday.

Cyber security investigators are still trying to establish who was behind the attack.

But Ukrainian officials and security firms including Microsoft <MSFT.O>, Cisco’s <CSCO.O> Talos and Symantec <SYMC.O> say they have confirmed that some of the initial infections occurred when malware was transmitted to users of a Ukrainian tax software program called M.E.Doc.

They say the virus, dubbed NotPetya by some experts, was primarily spread via an update issued by M.E.Doc, the accounting software developed by Olesya Linnik and her father Sergei at his company, Intellect Service.

In their first interview with foreign media since the attack, the Linniks said there was no evidence M.E.Doc, which is Ukraine’s most-popular accounting software, was used to spread the virus and they did not understand the charges against them.

“What has been established in these days, when no one slept and only worked? We studied and analysed our product for signs of hacking – it is not infected with a virus and everything is fine, it is safe,” said Olesya, managing partner at Intellect Service.

“The update package, which was sent out long before the virus was spread, we checked it 100 times and everything is fine.”

Little known outside Ukrainian accounting circles, M.E.Doc is an everyday part of life at around 80 percent of companies in Ukraine. The software allows its 400,000 clients to send and discuss financial documents between internal departments, as well as file them with the Ukrainian state tax service.

POLICE INVESTIGATING

Investigators have said M.E.Doc’s expansive reach is what made it a prime target for the unknown hackers, who were looking for a way to infect as many victims as possible.

“These malware families were spread using Ukrainian accounting software called M.E.Doc,” researchers at Slovakian security software firm ESET said in a blog post on Friday.

“M.E.Doc has an internal messaging and document exchange system so attackers could send spearphishing messages to victims.”

Ukrainian police said on Monday the Linniks could now face criminal charges if it is confirmed they knew about the infection but took no action.

“We have issues with the company’s leadership, because they knew there was a virus in their software but didn’t do anything … if this is confirmed, we will bring charges,” Serhiy Demedyuk, the head of Ukraine’s cyber police, told Reuters in a text message.

Speaking before Demedyuk’s comments at the company’s modest offices on an industrial estate in Kiev, Sergei, Intellect Service’s general director, raised his voice in frustration.

“We built this business over 20 years. What is the point of us killing our own business?”

Olesya said the company was cooperating with investigators and the police were yet to reach any conclusions.

“The cyber police are currently bogged down in the investigation, we gave them the logs of all our servers and there are no traces that our servers spread this virus,” she said.

“M.E.Doc is a transportation product, it delivers documents. But is an email program guilty in the distribution of a virus? Hardly.”

(Writing by Jack Stubbs; Editing by Anna Willard)

Ukraine points finger at Russian security services in recent cyber attack

FILE PHOTO: A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko

By Pavel Polityuk

KIEV (Reuters) – Ukraine said on Saturday that Russian security services were involved in a recent cyber attack on the country, with the aim of destroying important data and spreading panic.

The SBU, Ukraine’s state security service, said the attack, which started in Ukraine and spread around the world on Tuesday, was by the same hackers who attacked the Ukrainian power grid in December 2016. Ukrainian politicians were quick to blame Russia for Tuesday’s attack, but a Kremlin spokesman dismissed “unfounded blanket accusations”.

Cyber security firms are trying to piece together who was behind the computer worm, dubbed NotPetya by some experts, which conked out computers, hit banks, disrupted shipping and shut down a chocolate factory in Australia.

The attack also hit major Russian firms, leading some cyber security researchers to suggest that Moscow was not behind it.

The malicious code in the virus encrypted data on computers, and demanded victims pay a $300 ransom, similar to the extortion tactic used in a global WannaCry ransomware attack in May. But Ukrainian officials and some security experts say the ransomware feature was likely a smokescreen.

Relations between Ukraine and Russia went into freefall after Moscow’s annexation of Crimea in 2014 and the subsequent outbreak of a Kremlin-backed separatist insurgency in eastern Ukraine that has killed more than 10,000 people.

Hacking Ukrainian state institutions is part of what Ukraine says is a “hybrid war” by Russia on Kiev. Russia denies sending troops or military equipment to eastern Ukraine.

“The available data, including those obtained in cooperation with international antivirus companies, give us reason to believe that the same hacking groups are involved in the attacks, which in December 2016 attacked the financial system, transport and energy facilities of Ukraine using TeleBots and BlackEnergy,” the SBU said.

“This testifies to the involvement of the special services of Russian Federation in this attack.”

The SBU in an earlier statement on Friday said it had seized equipment it said belonged to Russian agents in May and June to launch cyber attacks against Ukraine and other countries.

Referencing the $300 ransomware demand, the SBU said “the virus is cover for a large-scale attack on Ukraine. This is evidenced by a lack of a real mechanism for taking possession of the funds … enrichment was not the aim of the attack.”

“The main purpose of the virus was the destruction of important data, disrupting the work of public and private institutions in Ukraine and spreading panic among the people.”

A cyber attack in December on a Ukrainian state energy computer caused a power cut in the northern part of the capital Kiev.

The Russian foreign ministry and Federal Security Service did not immediately respond to requests for comment on the latest allegations.

Russian oil major Rosneft <ROSN.MM> was one of the first companies to reveal it had been compromised by the virus and sources told Reuters on Thursday computers at state gas giant Gazprom <GAZP.MM> had also been infected.

The SBU’s accusations chime with some of the findings of the cyber security firm ESET in Slovakia, which said in research published online on Friday that the Telebots group — which has links to BlackEnergy — was behind the attack.

“Collecting ransom money was never the top priority for the TeleBots group,” it said, suggesting Ukraine was the target but the virus spread globally as “affected companies in other countries had VPN connections to their branches, or to business partners, in Ukraine.”

“The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine,” it said.

“Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’ spreading capabilities. That’s why the malware went out of control.”

(Additional reporting by Alexander Winning in Moscow and Jim Finkle in Toronto; writing by Matthias Williams; Editing by Jeremy Gaunt)

U.S. warns businesses of hacking campaign against nuclear, energy firms

Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC) located just outside Washington in Arlington, Virginia September 24, 2010. REUTERS/Hyungwon Kang/File Photo

By Jim Finkle

TORONTO (Reuters) – The U.S government warned industrial firms this week about a hacking campaign targeting the nuclear and energy sectors, the latest event to highlight the power industry’s vulnerability to cyber attacks.

Since at least May, hackers used tainted “phishing” emails to “harvest credentials” so they could gain access to networks of their targets, according to a joint report from the U.S. Department of Homeland Security and Federal Bureau of Investigation.

The report provided to the industrial firms was reviewed by Reuters on Friday. While disclosing attacks, and warning that in some cases hackers succeeded in compromising the networks of their targets, it did not identify any specific victims.

“Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.

Homeland Security and FBI officials could not be reached for comment on the report, which was dated June 28.

The report was released during a week of heavy hacking activity.

A virus dubbed “NotPetya” attacked on Tuesday, spreading from initial infections in Ukraine to businesses around the globe. It encrypted data on infected machines, rendering them inoperable and disrupting activity at ports, law firms and factories.

On Tuesday the energy-industry news site E&E News reported that U.S. investigators were looking into cyber intrusions this year at multiple nuclear power generators.

Reuters has not confirmed details of the E&E News report, which said there was no evidence safety systems had been compromised at affected plants.

The activity described in the U.S. government report comes at a time when industrial firms are particularly anxious about threat that hackers pose to their operations.

Industrial firms, including power providers and other utilities, have been particularly worried about the potential for destructive cyber attacks since December 2016, when hackers cut electricity in Ukraine.

U.S. nuclear power generators PSEG <PEG.N>, SCANA Corp <SCG.N> and Entergy Corp <ETR.N> said they were not impacted by the recent cyber attacks. SCANA’s V.C. Summer nuclear plant in South Carolina shut down on Thursday due to a problem with a valve in the non-nuclear portion of the plant, a spokesman said.

Another nuclear power generator, Dominion Energy <D.N>, said it does not comment on cyber security.

Two cyber security firms said on June 12 that they had identified the malicious software used in the Ukraine attack, which they dubbed Industroyer, warning that it could be easily modified to attack utilities in the United States and Europe.

Industroyer is only the second piece of malware uncovered to date that is capable of disrupting industrial processes without the need for hackers to manually intervene.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

The U.S. government report said attackers conducted reconnaissance to gain information about the individuals whose computers they sought to infect so that they create “decoy documents” on topics of interest to their targets.

In an analysis, it described 11 files used in the attacks, including malware downloaders and tools that allow the hackers to take remote control of victim’s computers and travel across their networks.

Chevron Corp <CVX.N>, Exxon Mobil Corp <XOM.N> and ConocoPhillips <COP.N>, the three largest U.S. oil producers, declined to comment on their network security.

(Reporting by Jim Finkle; Additional reporting by Timothy Gardner in Washington and Ernest Scheyder in Houston; editing by Grant McCool and Tom Brown)

Global shipping feels fallout from Maersk cyber attack

The Maersk ship Adrian Maersk is seen as it departs from New York Harbor in New York City, U.S., June 27, 2017. REUTERS/Brendan McDermid

By Jonathan Saul

LONDON (Reuters) – Global shipping is still feeling the effects of a cyber attack that hit A.P. Moller-Maersk <MAERSKb.CO> two days ago, showing the scale of the damage a computer virus can unleash on the technology dependent and inter-connected industry.

About 90 percent of world trade is transported by sea, with ships and ports acting as the arteries of the global economy. Ports increasingly rely on communications systems to keep operations running smoothly, and any IT glitches can create major disruptions for complex logistic supply chains.

The cyber attack was among the biggest-ever disruptions to hit global shipping. Several port terminals run by a Maersk division, including in the United States, India, Spain, the Netherlands, were still struggling to revert to normal operations on Thursday after experiencing massive disruptions.

South Florida Container Terminal, for example, said dry cargo could not be delivered and no container would be received. Anil Diggikar, chairman of JNPT port, near the Indian commercial hub of Mumbai, told Reuters that he did not know “when exactly the terminal will be running smoothly”.

His uncertainty was echoed by Maersk itself, which told Reuters that a number of IT systems were still shut down and that it could not say when normal business operations would be resumed.

It said it was not able to comment on specific questions regarding the breach of its IT systems or the state of its cyber security as it had “all available hands focused on practical stuff and getting things back to normal”.

The impact of the attack on the company has reverberated across the industry given its position as the world’s biggest container shipping line and also operator of 76 ports via its APM Terminals division.

Container ships transport much of the world’s consumer goods and food, while dry bulk ships haul commodities including coal and grain and tankers carry vital oil and gas supplies.

“As Maersk is about 18 percent of all container trade, can you imagine the panic this must be causing in the logistic chain of all those cargo owners all over the world?” said Khalid Hashim, managing director of Precious Shipping <PSL.BK>, one of Thailand’s largest dry cargo ship owners.

“Right now none of them know where any of their cargoes (or)containers are. And this ‘black hole’ of lack of knowledge will continue till Maersk are able to bring back their systems on line.”

BACK TO BASICS

The computer virus, which researchers are calling GoldenEye or Petya, began its spread on Tuesday in Ukraine and affected companies in dozens of countries.

Maersk said the attack had caused outages at its computer systems across the world.

In an example of the turmoil that ensued, the unloading of vessels at the group’s Tacoma terminal was severely slowed on Tuesday and Wednesday, said Dean McGrath, president of the International Longshore and Warehouse Union Local 23 there.

The terminal is a key supply line for the delivery of domestic goods such as milk and groceries and construction materials to Anchorage, Alaska.

“They went back to basics and did everything on paper,” McGrath said.

Ong Choo Kiat, President of U-Ming Marine Transport <2606.TW>, Taiwan’s largest dry bulk ship owner, said the fact Maersk had been affected rang alarm bells for the whole shipping industry as the Danish company was regarded as a leader in IT technology.

“But they ended up one of the first few casualties. I therefore conclude that shipping is lacking behind the other industry in term of cyber security,” he said.

“How long would it takes to catch up? I don’t know. But recently all owners and operators are definitely more aware of the risk of cyber security and beginning to pay more attention to it.”

In a leading transport survey by international law firm Norton Rose Fulbright published this week, 87 percent of respondents from the shipping industry believed cyber attacks would increase over the next five years – a level that was higher than counterparts in the aviation, rail and logistics industries.

VULNERABLE

Apart from the reliance on computer systems, ships themselves are increasingly exposed to interference through electronic navigation devices such as the Global Positioning System (GPS) and lack the backup systems airliners have to prevent crashes, according to cyber security experts.

There were no indications that GPS and other electronic navigation aids were affected by this week’s attack, but security specialists say such systems are vulnerable to signal loss from deliberate jamming by hackers.

Last year, South Korea said hundreds of fishing vessels had returned early to port after its GPS signals were jammed by North Korea, which denied responsibility.

“The Maersk attack raises our awareness of the vulnerability of shipping and ports to technological failure,” said Professor David Last, a previous president of Britain’s Royal Institute of Navigation.

“When GPS fails, ships’ captains lose their principal means of navigation and much of their communications and computer links. They have to slow down and miss port schedules,” said Last, who is also a strategic advisor to the General Lighthouse Authorities of the UK and Ireland.

A number of countries including the UK and the United States are looking into deploying a radar based back up navigation system for ships called eLoran, but this will take time to develop.

David Nordell, head of strategy and policy for London-based think tank, the Centre for Strategic Cyberspace and Security Science, said the global shipping and port industries were vulnerable to cyber attack, because their operating technologies tend to be old.

“It’s certainly possible to imagine that two container ships, or, even worse, oil or gas tankers, could be hacked into colliding, resulting in loss of life and cargo, and perhaps total loss of the vessels,” Nordell said.

“Carried out in a strategically sensitive location such as the Malacca Straits or the Bosphorus, a collision like this could block shipping for enough time to cause serious dislocations to trade.”

SECRETIVE INDUSTRY

Cyber risks also pose challenges for insurance cover.

In a particularly secretive industry, information about the nature of cyber attacks is still scarce, which insurance and shipping officials say is an obstacle to mitigating the risk, which means there are gaps in insurance cover available.

“There has been a lot of non-reporting (of breaches) on ships, and we’re trying efforts where even if there could be anonymous reporting on a platform so we can start to get the information and the data,” said Andrew Kinsey, senior marine consultant at insurer Allianz Global Corporate & Specialty.

There is also a gap in provision, because most existing cyber or hull insurance policies – which insure the ship itself – will not cover the risk of a navigation system being jammed or physical damage to the ship caused by a hacking attack.

“The industry is just waking up to its vulnerability,” said Colin Gillespie, deputy director of loss prevention with ship insurer North.

“Perhaps it is time for insurers, reinsurers, ship operators and port operators to sit down together and consider these risks in detail. A collective response is needed – we are all under attack.”

(Additional reporting by Jacob Gronholt-Pedersen in Copenhagen, Keith Wallis and Carolyn Cohn in London, Euan Rocha in Mumbai, Miyoung Kim in Singapore, Alexander Cornwell in Dubai, Michael Hirtzer in Chicago, Noor Zainab Hussain in Bangalore, Adam Jourdan and Shanghai newsroom; Editing by Pravin Char)

Ransomware virus hits computer servers across the globe

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

MOSCOW/KIEV (Reuters) – A ransomware attack hit computers across the world on Tuesday, taking out servers at Russia’s biggest oil company, disrupting operations at Ukrainian banks, and shutting down computers at multinational shipping and advertising firms.

Cyber security experts said those behind the attack appeared to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a kill-switch.

“It’s like WannaCry all over again,” said Mikko Hypponen, chief research officer with Helsinki-based cyber security firm F-Secure.

He said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. “This could hit the U.S.A. pretty bad,” he said.

The U.S. Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

The first reports of organizations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

Danish shipping giant A.P. Moller-Maersk, which handles one out of seven containers shipped globally, said the attack had caused outages at its computer systems across the world on Tuesday, including at its terminal in Los Angeles.

Pharmaceutical company Merck & Co said its computer network had been affected by the global hack.

A Swiss government agency also reported computer systems were affected in India, though the country’s cyber security agency said it had yet to receive any reports of attacks.

“DON’T WASTE YOUR TIME”

After the Wannacry attack, organizations around the globe were advised to beef up IT security.

“Unfortunately, businesses are still not ready and currently more than 80 companies are affected,” said Nikolay Grebennikov, vice president for R&D at data protection firm Acronis.

One of the victims of Tuesday’s cyber attack, a Ukrainian media company, said its computers were blocked and it had a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the message said, according to a screenshot posted by Ukraine’s Channel 24.

The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world’s biggest advertising agency, WPP – though it was not clear if their problems were caused by the same virus.

“The building has come to a standstill. It’s fine, we’ve just had to switch everything off,” said one WPP employee who asked not to be named.

WANNACRY AGAIN

Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught.

Experts said the latest ransomware attacks unfolding worldwide, dubbed GoldenEye, were a variant of an existing ransomware family called Petya.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender.

“There is no workaround to help victims retrieve the decryption keys from the computer,” the company said.

Russian security software maker Kaspersky Lab, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before.

Last’s month’s fast-spreading WannaCry ransomware attack was crippled after a 22-year-old British security researcher Marcus Hutchins created a so-called kill-switch that experts hailed as the decisive step in slowing the attack.

Any organization that heeded strongly worded warnings in recent months from Microsoft Corp to urgently install a security patch and take other steps appeared to be protected against the latest attacks.

Ukraine was particularly badly hit, with Prime Minister Volodymyr Groysman describing the attacks on his country as “unprecedented”.

An advisor to Ukraine’s interior minister said the virus got into computer systems via “phishing” emails written in Russian and Ukrainian designed to lure employees into opening them.

According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

Yevhen Dykhne, director of the Ukrainian capital’s Boryspil Airport, said it had been hit. “In connection with the irregular situation, some flight delays are possible,” Dykhne said in a post on Facebook. A Reuters reporter who visited the airport late on Tuesday said flights were operating as normal.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government’s computer network had gone down and the central bank said a operation at a number of banks and companies, including the state power distributor, had been disrupted by the attack.

“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement.

Russia’s Rosneft, one of the world’s biggest crude producers by volume, said its systems had suffered “serious consequences” from the attack. It said it avoided any impact on oil production by switching to backup systems.

The Russian central bank said there were isolated cases of lenders’ IT systems being infected by the cyber attack. One consumer lender, Home Credit, had to suspend client operations.

(Additional reporting by European bureaux and Jim Finkle in Toronto; writing by Christian Lowe; editing by David Clarke)