Mystery hacker steals data on 1,000 North Korean defectors in South

FILE PHOTO: A North Korean flag flutters on top of a 160-metre tower in North Korea's propaganda village of Gijungdong, in this picture taken from the Tae Sung freedom village near the Military Demarcation Line (MDL), inside the demilitarised zone separating the two Koreas, in Paju, South Korea, April 24, 2018. REUTERS/Kim Hong-Ji

By Hyonhee Shin

SEOUL (Reuters) – The personal information of nearly 1,000 North Koreans who defected to South Korea has been leaked after unknown hackers got access to a resettlement agency’s database, the South Korean Unification Ministry said on Friday.

The ministry said it discovered last week that the names, birth dates and addresses of 997 defectors had been stolen through a computer infected with malicious software at an agency called the Hana center, in the southern city of Gumi.

“The malware was planted through emails sent by an internal address,” a ministry official told reporters on condition of anonymity, due to the sensitivity of the issue, referring to a Hana center email account.

The Hana center is among 25 institutes the ministry runs around the country to help some 32,000 defectors adjust to life in the richer, democratic South by providing jobs, medical and legal support.

Defectors, most of whom risked their lives to flee poverty and political oppression, are a source of shame for North Korea. Its state media often denounces them as “human scum” and accuses South Korean spies of kidnapping some of them.

The ministry official declined to say if North Korea was believed to have been behind the hack, or what the motive might have been, saying a police investigation was under way to determine who did it.

North Korean hackers have in the past been accused of cyber attacks on South Korean state agencies and businesses.

North Korea stole classified documents from the South’s defense ministry and a shipbuilder last year, while a cryptocurrency exchange filed for bankruptcy following a cyber attack linked to the North.

North Korean state media has denied those cyber attacks.

The latest data breach comes at a delicate time for the two Koreas, which have been rapidly improving their relations after years of confrontation.

The Unification Ministry said it was notifying the affected defectors and there were no reports of any negative impact of the data breach.

“We’re sorry this has happened and will make efforts to prevent it from recurring,” the ministry official said.

Several defectors, including one who became a South Korean television celebrity, have disappeared in recent years only to turn up later in North Korean state media, criticizing South Korea and the fate of defectors.

(Reporting by Hyonhee Shin; Editing by Robert Birsel)

U.S., allies to condemn China for economic espionage, charge hackers: source

FILE PHOTO: U.S. President Donald Trump takes part in a welcoming ceremony with China's President Xi Jinping at the Great Hall of the People in Beijing, China, November 9, 2017. REUTERS/Damir Sagolj/File Photo

WASHINGTON (Reuters) – The United States and about a dozen allies are expected on Thursday to condemn China for efforts to steal other countries’ trade secrets and technologies and to compromise government computers, according to a person familiar with the matter.

Australia, Britain, Canada, Japan, the Netherlands, New Zealand and Sweden are expected to be involved in the U.S. effort, according to the source, who spoke on condition of anonymity.

The U.S. Justice Department also is expected later on Thursday to unveil criminal charges against hackers affiliated with China’s main intelligence service for an alleged cyber-spying campaign targeting U.S. and other countries’ networks, according to the source.

The Washington Post first reported the coming action on Thursday.

The suspected hackers are expected to be charged with spying on some of the world’s largest companies by hacking into technology firms to which they outsource email, storage and other computing tasks. The attacks began as early as 2017.

The campaign, known as Cloudhopper, is considered a major cyber threat by private-sector cybersecurity researchers and government investigators because of the scale of the intrusions.

Over the past several years, as companies around the globe have sought to cut down information technology spending, they have increasingly relied on outside contractors to store and transfer their data.

When a managed service provider is hacked, it can unintentionally give attackers access to secondary victims: the provider's customers, whose computer systems are connected to it, according to experts.

The timing of the action may further escalate tensions between Washington and Beijing after the arrest of Meng Wanzhou, the chief financial officer of Chinese telecommunications giant Huawei Technologies, in Canada at the request of the United States.

The action also comes just weeks after the United States and China agreed to talks aimed at resolving an ongoing trade dispute that threatens global economic growth.

(Reporting by Diane Bartz, Lisa Lambert and Susan Heavey; Editing by Will Dunham)

British Airways says a further 185,000 payment cards possibly hit in cyber attack

FILE PHOTO - People queue with their luggage for the British Airways check-in desk at Gatwick Airport in southern England, Britain, May 28, 2017. REUTERS/Hannah McKay

(Reuters) – International Airlines Group said an investigation into the theft of customers’ data at its unit British Airways showed the hackers may have stolen personal information from an additional 185,000 payment cards.

BA said in September that around 380,000 card payments were compromised, with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.

On Thursday, British Airways revised that number down, saying only 244,000 of the cards originally identified were affected, but added that further customers could have been affected.

In total, the number of payment cards potentially affected stood at 429,000 as of Thursday.

The hackers obtained names, street and email addresses, credit card numbers, expiry dates and in some cases, security codes – sufficient information to steal from accounts.

(Reporting by Arathy S Nair in Bengaluru; Editing by Elaine Hardcastle)

Japan hit by another cryptocurrency heist, $60 million stolen

The silhouette of Japan's highest mountain Mount Fuji is seen beyond buildings in Tokyo in a file photo. REUTERS/Issei Kato

By Taiga Uranaka

TOKYO (Reuters) – Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.

Tech Bureau, which had already been slapped with two business improvement orders by regulators this year, said its Zaif exchange was hacked over a two-hour period on Sept. 14. It detected server problems on Sept. 17, confirmed the hack the following day, and notified authorities, the exchange said on Thursday.

Following the hack, Tech Bureau said it had agreed with JASDAQ-listed Fisco Ltd to receive a 5 billion yen ($44.59 million) investment in exchange for majority ownership. The proceeds from the investment would be used to replace the digital currencies stolen from client accounts.

However, Fisco said in a statement the 5 billion yen in “financial assistance” may change in value if the amount affected by the heist changes upon further investigation.

Documents seen by Reuters on Thursday showed Japan’s Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators’ management of customer assets, following the theft. FSA officials were not immediately available for comment.

Japan’s crypto exchanges have been under close regulatory scrutiny after the theft of $530 million in digital coins at Tokyo-based cryptocurrency exchange Coincheck Inc. in January. Coincheck has since been acquired by Japanese online brokerage Monex Group Inc.

In the industry-wide check that followed the Coincheck theft, FSA said it found sloppy management at many exchanges, including the lack of proper safeguards for client assets and basic anti-money laundering measures.

In the Tech Bureau theft, virtual currencies worth about 6.7 billion yen ($59.67 million), including Bitcoin, Monacoin and Bitcoin Cash, were stolen from the exchange’s “hot wallet”. About 2.2 billion yen worth of the stolen currency was its own while the remaining 4.5 billion yen belonged to customers, it said.

Hot wallets are connected to the internet. Industry experts consider them to be more vulnerable to hacks than “cold wallets”, which are not connected to the internet.

The latest hack is likely to affect the FSA’s ongoing regulatory review of the industry. Other countries are also grappling with how to regulate the crypto market.

Japan last year became the first country to regulate cryptocurrency exchanges, as it encourages technological innovation while ensuring consumer protection. Exchanges have to register with the FSA and take on reporting and other responsibilities.

FSA said last week more than 160 entities have expressed interest in entering the cryptocurrency exchange business but FSA has not issued any approval since December last year.

Toshihide Endo, the FSA commissioner, told Reuters in an interview last month that the agency is trying to strike a balance between safeguarding clients and technological innovation.

“We have no intention to curb (the crypto industry) excessively,” he said. “We would like to see it grow under appropriate regulation.”

($1 = 112.1400 yen)

(Additional reporting by Chang-Ran Kim and Takahiko Wada; Editing by Shri Navaratnam and Sam Holmes)

U.S. to indict North Koreans over WannaCry, Sony cyber attacks

FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Christopher Bing

WASHINGTON (Reuters) – The U.S. Justice Department is poised to charge North Korean hackers over the 2017 global WannaCry ransomware attack and the 2014 cyber attack on Sony Corp, a U.S. official told Reuters on Thursday.

The charges, part of a strategy by the U.S. government to deter future cyber attacks by naming and shaming the alleged perpetrators, will also allege that the North Korean hackers broke into the central bank of Bangladesh in 2016, according to the official.

In 2014, U.S. officials said unnamed North Korean hackers were responsible for a major cyber intrusion into Sony, which resulted in leaked internal documents and data being destroyed.

The attacks came after Pyongyang sent a letter to the United Nations, demanding that Sony not move forward with a movie comedy that portrayed the U.S.-backed assassination of a character made to look like North Korean leader Kim Jong Un.

The FBI said at the time it had recovered evidence connecting North Korea to the attack and others in South Korea.

Last year, the WannaCry ransomware attack affected thousands of businesses across the globe through a computer virus that encrypted files on affected systems, including Britain’s National Health Service, where nonfunctional computer systems forced the cancellation of thousands of appointments.

(Reporting by Christopher Bing; Additional writing by Susan Heavey; Editing by Chizu Nomiyama and Jeffrey Benkoe)

FBI says foreign hackers have compromised home router devices

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration

By Sarah N. Lynch

WASHINGTON (Reuters) – The FBI warned on Friday that foreign cyber criminals had compromised “hundreds of thousands” of home and small office router devices around the world, devices which direct traffic on the internet by forwarding data packets between computer networks.

In a public service announcement, the FBI said it has discovered that the foreign cyber criminals used malware called VPNFilter that can collect people’s information, exploit their devices and also block network traffic.

The announcement did not provide any details about where the criminals might be based, or what their motivations could be.

“The size and scope of the infrastructure by VPNFilter malware is significant,” the FBI said, adding that it is capable of rendering peoples’ routers “inoperable.”

It said the malware is hard to detect, due to encryption and other tactics.

The FBI urged people to reboot their devices to temporarily disrupt the malware and help identify infected devices.

People should also consider disabling remote management settings, replacing passwords with more secure ones and upgrading to the latest firmware.

(Reporting by Sarah N. Lynch; Editing by David Gregorio)

Cyber firms, Ukraine warn of planned Russian attack

Power lines are seen near the Trypillian thermal power plant in Kiev region, Ukraine November 23, 2017. REUTERS/Valentyn Ogirenko

By Jim Finkle and Pavel Polityuk

TORONTO/KIEV (Reuters) – Cisco Systems Inc warned on Wednesday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malicious software – activity Ukraine said was preparation for a future Russian cyber attack.

Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack against Ukraine ahead of the Champions League soccer final, due to be held in Kiev on Saturday.

“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final,” it said in a statement after Cisco’s findings were released.

Russia has previously denied assertions by Ukraine, the United States, other nations and Western cyber-security firms that it is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and interfering in the 2016 U.S. presidential election.

The Kremlin did not immediately respond to a request for comment submitted by Reuters on Wednesday.

Cisco said the new malware, dubbed VPNFilter, could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

“With a network like this you could do anything,” Williams told Reuters.

CONSTITUTION DAY ATTACK

The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the Cyber Threat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.

Members include Cisco, Check Point Software Technologies Ltd, Fortinet Inc, Palo Alto Networks Inc, Sophos Group Plc and Symantec Corp.

“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.

The devices infected with VPNFilter are scattered across at least 54 countries, but Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.

Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is poised to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.

Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.

They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.

VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.

The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.

The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.

(Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich)

Hotel key cards, even invalid ones, help hackers break into rooms

F-Secure researcher Timo Hirvonen shows a device that is able to create a master key out of a single hotel key card in Helsinki, Finland April 19, 2018. Picture taken April 19, 2018. REUTERS/Attila

By Jussi Rosendahl and Attila Cser

HELSINKI (Reuters) – By getting hold of a widely used hotel key card, an attacker could create a master key to unlock any room in the building without leaving a trace, Finnish security researchers said in a study published on Wednesday, solving a 14-year-old mystery.

While the researchers have fixed the flaw together with Assa Abloy, the world’s largest lock manufacturer which owns the system in question, the case serves as a wake-up call for the lodging industry to a problem that went undetected for years.

Tomi Tuominen, 45, and Timo Hirvonen, 32, security consultants for Finnish data security company F-Secure, say they discovered the vulnerability about a year ago, and reported it to Assa.

“We found out that by using any key card to a hotel … you can create a master key that can enter any room in the hotel. It doesn’t even have to be a valid card, it can be an expired one,” Hirvonen said in an interview.

The researchers helped Assa fix the software for an update made available to hotel chains in February. Assa said some hotels have updated it but that it would take a couple more weeks to fully resolve the issue.

“I highly encourage the hotels to install those software fixes,” Hirvonen said. “But I think there is no immediate threat, since being able to develop this attack is going to take some time.”

Any fresh security risk remains low since the researchers’ tools and method will not be published, Assa noted.

The radio-frequency ID key card system in question, Vision by Vingcard, has been replaced by many hotels with new technology, but its current owner Assa Abloy estimated that the system is still being used in several hundred thousand hotel rooms worldwide.

Tuominen said the breakthrough was to figure out a weakness in how the locks are deployed and installed, together with a seemingly minor technical design flaw.

COLD CASE FILES

Sitting at F-Secure’s glass-and-steel-on-stilts headquarters by the Baltic Sea, the researchers show off a small hardware device they built that can write a master key from the information on any card in the Vingcard system.

Clues date back to 2003 when a laptop disappeared from a computer security expert’s room at a high-class hotel in Berlin.

The thief left no traces in the room or within the electric lock system, hotel personnel said. The stolen laptop, which never turned up, belonged to a guest who had presented his research at a security conference.

Hearing of the theft at the conference, Tuominen and Hirvonen – then youthful computer guys in hacker-style black hoodies – asked themselves: Could one hack the locking system without leaving a trace?

For years, the two worked off and on to solve the mystery of the plastic cards, which guests often neglect to return. First it was purely a hobby, later a professional mission.

“These issues alone are not a problem, but once you combine those two things, it becomes exploitable,” Hirvonen said.

“I wouldn’t be surprised if other electronic lock systems have similar vulnerabilities. You cannot really know how secure the system is unless someone has really tried to break it.”

The researchers say they have no evidence of whether the vulnerabilities they found have been put to work by criminals.

Assa Abloy stresses that its newer offerings are based on different technologies, including a system that allows hotel guests to open door locks with their smartphones.

“The challenge of the security business is that it is a moving target. What is secure at a point of time, is not 20 years later,” Christophe Sut, an executive at Assa Abloy Hospitality, said in a phone interview.

The researchers asked for no money from Assa for their work or discovery, saying they were only driven by the challenge.

“Some people play football, some people go sailing, some do photography. This is our hobby,” Tuominen said.

(Reporting by Jussi Rosendahl and Attila Cser, editing by Eric Auchard and Adrian Croft)

Iran hit by global cyber attack that left U.S. flag on screens

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

DUBAI (Reuters) – Hackers have attacked networks in a number of countries including data centers in Iran where they left the image of a U.S. flag on screens along with a warning: “Don’t mess with our elections”, the Iranian IT ministry said on Saturday.

“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country,” the Communication and Information Technology Ministry said in a statement carried by Iran’s official news agency IRNA.

The statement said the attack, which hit internet service providers and cut off web access for subscribers, was made possible by a vulnerability in routers from Cisco which had earlier issued a warning and provided a patch that some firms had failed to install over the Iranian new year holiday.

A blog published on Thursday by Nick Biasini, a threat researcher at Cisco’s Talos Security Intelligence and Research Group, said: “Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol…

“As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths.”
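The remediation path Talos refers to here is, for most affected devices, simply turning off the Smart Install client where it is not needed and confirming it is off. The following Cisco IOS command sequence is an added illustration, not part of the Reuters report or of Cisco's posting; it assumes a Catalyst switch running an IOS release that supports the `vstack` commands, and the interface names are placeholders.

```cisco
! Added example: check whether the Smart Install client is enabled.
! On an exposed device the role will typically show as "Client" and
! the service listens on TCP 4786 (Cisco's documented Smart Install port).
Switch# show vstack config

! Disable the Smart Install client (Cisco's recommended remediation
! where the feature is not used) and save the configuration.
Switch# configure terminal
Switch(config)# no vstack
Switch(config)# end
Switch# write memory

! Where Smart Install must stay enabled, limit who can reach TCP 4786.
! The director address below is a placeholder, not a value from the article.
Switch# configure terminal
Switch(config)# ip access-list extended SMI_HARDENING
Switch(config-ext-nacl)# permit tcp host 192.0.2.10 any eq 4786
Switch(config-ext-nacl)# deny   tcp any any eq 4786
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip access-group SMI_HARDENING in
Switch(config-if)# end
```

Re-running `show vstack config` after the change should report the feature as disabled; an inventory that captures this output from every switch is the quickest way to find the devices that, as the Iranian ministry describes above, were left unpatched and reachable.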

On Saturday evening, Cisco said those postings were a tool to help clients identify weaknesses and repel a cyber attack.

Iran’s IT Minister Mohammad Javad Azari-Jahromi posted a picture of a computer screen on Twitter with the image of the U.S. flag and the hackers’ message. He said it was not yet clear who had carried out the attack.

Azari-Jahromi said the attack mainly affected Europe, India and the United States, state television reported.

“Some 55,000 devices were affected in the United States and 14,000 in China, and Iran’s share of affected devices was 2 percent,” Azari-Jahromi was quoted as saying.

In a tweet, Azari-Jahromi said the state computer emergency response body MAHER had shown “weaknesses in providing information to (affected) companies” after the attack which was detected late on Friday in Iran.

Hadi Sajadi, deputy head of the state-run Information Technology Organisation of Iran, said the attack was neutralized within hours and no data was lost.

(Reporting by Dubai newsroom, additional reporting by Dustin Volz in Washington; editing by Ros Russell and G Crosse)

U.S. Energy Department forming cyber protection unit for power grids

Former Texas Governor Rick Perry, U.S. President-elect Donald Trump's pick to lead the Department of Energy, meets with Senate Majority Leader Mitch McConnell (R-KY) on Capitol Hill in Washington, U.S. January 4, 2017. REUTERS/Jonathan Ernst

WASHINGTON (Reuters) – The U.S. Department of Energy (DOE) said on Wednesday it is establishing an office to protect the nation’s power grid and other infrastructure against cyber attacks and natural disasters.

President Donald Trump’s budget proposal unveiled this week included $96 million in funding for the Office of Cybersecurity, Energy Security, and Emergency Response.

Energy Secretary Rick Perry said the DOE “plays a vital role in protecting our nation’s energy infrastructure from cyber threats, physical attack and natural disaster, and as secretary, I have no higher priority.”

Last July, the DOE helped U.S. firms defend against a hacking campaign that targeted power companies including at least one nuclear plant. The agency said that the attacks did not have an impact on electricity generation or the grid, and that any impact appeared to be limited to administrative and business networks.

The previous month, the U.S. Department of Homeland Security and the Federal Bureau of Investigation had issued an alert to industrial companies, warning that for months hackers had targeted nuclear reactors and other power industry infrastructure, using tainted emails to harvest credentials and gain access to networks.

In some cases hackers succeeded in compromising the networks of their targets, but the report did not identify specific victims.

Nuclear power experts, such as Dave Lochbaum at the Union of Concerned Scientists nonprofit group, have said reactors have a certain amount of immunity from cyber attacks because their operational systems are separate from digital business networks. But over time it would not be impossible for hackers to do harm, he said.

(Reporting by Timothy Gardner; Editing by Jeffrey Benkoe)