Banks reinforce cyber defenses after global attack

Cables and computers are seen inside a data centre at an office in the heart of the financial district in London, Britain May 15, 2017. REUTERS/Dylan Martinez

By John O’Donnell and Alexander Winning

FRANKFURT/MOSCOW (Reuters) – Banks have tightened their security systems and increased their surveillance after the global cyber assault on individuals and organizations worldwide.

Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the “ransomware” attack launched on Friday has infected tens of thousands of computers in 104 countries, putting the financial industry on high alert.

It halted the production lines of a European carmaker and delayed surgical operations in Britain’s National Health Service.

Many suspected infections were of Russian computers. Russia’s central bank said it had recorded harmful software being sent en masse to Russian banks but that the attacks had been unsuccessful.

Sberbank, the country’s biggest lender, said viruses had not got into its systems. The bank said it was nonetheless “on high alert”.

Russia is more vulnerable to attack because organizations there often use outdated technology as an economic slowdown squeezes spending.

Many banks in Europe said they had stepped up efforts to prevent attackers getting through.

One person helping coordinate banks’ response said they were setting up back-up systems for data and introducing security upgrades.

“The banks’ greatest fear is copycat attacks,” said Keith Gross, who chairs the European Banking Federation’s cybersecurity working group. “So they are updating like a wild thing.”

ON GUARD

Germany’s savings banks, the largest and most powerful financial group in the country, received reminders from the group’s information technology company to install updates.

One large British bank said they had drafted people in to work over the weekend, having been subject to a similar attack earlier this year.

A European investment bank said it was accelerating the process of “patching” software following the incident.

Spanish banks La Caixa, Bankinter and Sabadell said they had all taken measures.

“We weren’t attacked but we took preventative measures about the cyber-attack over the whole weekend. There is an emergency committee that is reporting constantly and we have conference calls every eight hours. We can’t drop our guard”, said a Sabadell spokesman.

Banks generally have more robust cyber defenses than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements.

But aging technology and banks’ attractiveness to hackers means they are often targets.

Last year 2.5 million pounds ($3.23 million) was taken from small British lender Tesco Bank. The identity of the culprits remains unknown.

Other UK banks including HSBC and Royal Bank of Scotland have suffered cyber attacks in the past two years that have brought their online services down.

A survey of cyber security and risk experts released last Friday by insurer AIG found the financial services industry had been identified as the most likely to experience a systemic attack.

In the United Kingdom on Monday, the government’s National Cyber Security Centre said it was distributing advice to raise awareness of the threat, including to the financial industry.

Across the globe, regulators took similar steps.

The Hong Kong Securities and Futures Commission issued a circular warning groups to be on alert and take action such as security updates and offline backups.

It instructed firms to “take immediate actions to critically review and assess the effectiveness of their cybersecurity controls”.

India’s IndusInd Bank said on Monday the attack had affected a few systems, but those had been quarantined over the weekend and it had moved quickly to patch its systems.

For the most part, however, banks remained insulated from the cyber attack.

“In the NHS, the technology they are using it out of date,” said Paul Edon of cyber security group Tripwire. “Banks have six to eight levels of defense.”

(Additional reporting by Andres Gonzales, Euan Rocha in Mumbai and Michelle Price in Hong Kong; Writing by John O’Donnell; Editing by Andrew Roche)

Researchers say global cyber attack similar to North Korean hacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Ju-min Park and Dustin Volz

SEOUL/WASHINGTON (Reuters) – Cybersecurity researchers have found evidence they say could link North Korea with the WannaCry cyber attack that has infected more than 300,000 computers worldwide, as global authorities scrambled to prevent hackers from spreading new versions of the virus.

A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec <SYMC.O> and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service.

Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.

The attacks, which slowed on Monday, are among the fastest-spreading extortion campaigns on record.

In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.

Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.

In Malaysia, cybersecurity firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.

“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.

“The real situation may be serious. In one of the cases, the attack was traced back to early April.”

Vietnam’s state media said on Tuesday more than 200 computers had been affected.

Taiwan Power Co. <TAIWP.UL> said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.

EXPERTS URGE CAUTION

FireEye Inc <FEYE.O>, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.

“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.

U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cyber security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

An official at South Korea’s Korea Internet & Security Agency said on Tuesday the agency was sharing information with intelligence officials on recent cases reported for damages but was not in position to investigate the source of the attack.

The official declined to comment on intelligence-related matters.

A South Korean police official that handles investigations into hacking and cyber breaches said he was aware of reports on the North Korean link, but said police were not investigating yet.

Victims haven’t requested investigations but they want their systems to be restored, the official said.

North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.

Hauri researcher Choi said the code bore similarities with those allegedly used by North Korean hackers in the Sony and bank heists. He said based on his conversations with North Korean hackers, the reclusive state had been developing and testing ransomware programs since August.

In one case, alleged hackers from North Korea demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall, Choi added.

The North Korean mission to the United Nations was not immediately available for comment on Monday.

While the attacks have raised concerns for cyber authorities and end-users worldwide, they have helped cybersecurity stocks as investors bet governments and corporations will spend more to upgrade their defenses.

Cisco Systems <CSCO.O> closed up 2.3 percent on Monday and was the second-biggest gainer in the Dow Jones Industrial Average.

(Additional reporting by Jess Macy Yu in Taipei, My Pham in Hanoi, Michael Martina in Beijing and Liz Lee in Kuala Lumpur; Writing by Jeremy Wagstaff in Singapore; Editing by Sam Holmes, Michael Perry and Mike Collett-White)