Trail in cyber heist suggests hackers were Chinese: senator

Bangladesh central bank

By Karen Lema

MANILA (Reuters) – A Philippine senator said on Wednesday that Chinese hackers were likely to have pulled off one of the world’s biggest cyber heists at the Bangladesh central bank, citing the network of Chinese people involved in the routing of the stolen funds through Manila.

Unidentified hackers infiltrated the computers at Bangladesh Bank in early February and tried to transfer a total of $951 million from its account at the Federal Reserve Bank of New York.

All but one of the 35 attempted transfers were to the Rizal Commercial Banking Corp (RCBC), confirming the Philippines’ centrality to the heist.

Most transfers were blocked, but a total of $81 million went to four accounts at a single RCBC branch in Manila. The stolen money was swiftly transferred to a foreign exchange broker and distributed to casinos and gambling agents in Manila.

“The hacking was done, chances are, by Chinese hackers,” Senator Ralph Recto told Reuters in a telephone interview. “Then they saw that, in the Philippines, RCBC particularly was vulnerable and sent the money over here.”

Beijing was quick to denounce the comments by Recto, vice chairman of the Senate Committee on Finance and a former head of the Philippines’ economic planning agency.

The suggestion that Chinese hackers were possibly involved was “complete nonsense” and “really irresponsible,” Chinese foreign ministry spokesman Lu Kang told reporters.

Recto said he couldn’t prove the hackers were Chinese, but was merely “connecting the dots” after a series of Senate hearings into the scandal.

At one hearing, a Chinese casino boss and junket operator called Kim Wong named two high-rolling gamblers from Beijing and Macau who he said had brought the stolen money into the Philippines. He displayed purported copies of their passports, showing they were mainland Chinese and Macau administrative region nationals respectively.

“BEST LEAD”

Wong, a native of Hong Kong who holds a Chinese passport, received almost $35 million of the stolen funds through his company and a foreign exchange broker.

The two Chinese named by Wong “are the best lead to determine who are the hackers,” said Recto. “Chances are… they must be Chinese.”

The whereabouts of the two high-rollers were unknown, Recto added, saying the Senate inquiry “may” seek help from the Chinese government to find them.

Recto also questioned the role of casino junket operators in the Philippines, saying many of them have links in Macau, the southern Chinese territory that is the world’s biggest casino hub. “There are junket operators who are from Macau, so it (the money) may find its way back to Macau,” he said.

A senior executive at a top junket operator in Macau told Reuters there was “no reason” to bring funds from the Philippines to Macau.

“This seems more like a political story in the Philippines,” he said, speaking anonymously because he was not authorized to talk to the media.

The U.S. State Department said in a report last month that the gaming industry was “a weak link” in the Philippines’ anti-money laundering regime.

Philrem, the foreign exchange agent, said it distributed the stolen $81 million to Bloomberry Resorts Corp, which owns and operates the upmarket Solaire casino in Manila; to Eastern Hawaii Leisure Company, which is owned by Wong; and to an ethnic Chinese man believed to be a junket operator in Manila.

Wong has returned $5.5 million to the Philippines’ anti-money laundering agency and has promised to hand over another $9.7 million. A portion of the money he received, he said, has already been spent on gambling chips for clients.

Solaire has told the Senate hearing that the $29 million that ended up with them was credited to an account of the Macau-based high-roller but it has managed to seize and confiscate $2.33 million in chips and cash.

(Writing by Andrew R.C. Marshall; Additional reporting by Farah Master in Hong Kong; Editing by Raju Gopalakrishnan)

U.S. to charge Iranians in cyber attacks, including New York dam

WASHINGTON (Reuters) – The Obama administration is expected to blame Iranian hackers as soon as Thursday for a coordinated campaign of cyber attacks in 2012 and 2013 on a suburban New York City dam and several other targets, sources familiar with the matter have told Reuters.

In one of the largest foreign cyber attack cases since 2014 when the United States charged five Chinese military hackers, the U.S. Justice Department has prepared an indictment against about a half-dozen Iranians, said four sources, who spoke on condition of anonymity due to the sensitivity of the matter.

The charges, related to unlawful access to computers and other alleged crimes, were expected to be announced publicly by U.S. officials as soon as Thursday morning at a news conference in Washington, the sources said.

The indictment was expected to directly link the hacking campaign to the Iranian government, one source said.

Though the breach of back-office computer systems at the Bowman Avenue Dam in Rye Brook, New York has been reported, it was only part of a hacking campaign that was broader than previously known, as the indictment will show, the sources said.

In the intrusion of the dam computers, the hackers did not gain operational control of the floodgates, and investigators believe they were attempting to test their capabilities.

The dam breach coincided roughly with attacks on U.S. financial institutions. Cyber security experts have said these, too, were perpetrated by Iranian hackers against Capital One, PNC Financial Services and SunTrust Bank. Prosecutors were considering including those breaches in the indictment, sources said.

The hackers who were expected to be named in the indictment all reside in Iran, one source said.

The Justice Department declined to comment.

The indictment would be the Obama administration’s latest step to confront foreign cyber attacks on the United States. President Barack Obama accused and publicly condemned North Korea over a 2014 hack on Sony Pictures and vowed to “respond proportionally.” No details were made public of any retaliation.

James Lewis, a cyber security expert with the Center for Strategic and International Studies think tank, said, “We need to make clear that there will be consequences for cyber-attacks and that the Wild West days are coming to an end.”

Two weeks ago, it was widely reported that U.S. prosecutors were preparing an indictment against Iranian hackers related solely to the dam attack.

The broader indictment would come at a time of reduced tensions between the United States and Iran after a landmark 2015 nuclear deal. At the same time, the Obama administration has shown a willingness to confront Tehran for bad behavior.

Charging the Iranian hackers would be the highest-profile move of its type by the Obama administration since the Justice Department in 2014 accused five members of China’s People’s Liberation Army with hacking several Pennsylvania-based companies in an alleged effort to steal trade secrets.

(Reporting by Dustin Volz in Washington and Nate Raymond in New York; additional reporting by Mark Hosenball in Washington and Jim Finkle in Boston; Editing by Kevin Drawbaugh and Jonathan Oatis)

Number of U.S. government ‘cyber incidents’ jumps in 2015

WASHINGTON (Reuters) – The U.S. government was hit by more than 77,000 “cyber incidents” like data thefts or other security breaches in fiscal year 2015, a 10 percent increase over the previous year, according to a White House audit.

Part of the uptick stems from federal agencies improving their ability to identify and detect incidents, the annual performance review from the Office and Management and Budget said.

The report, released on Friday, defines cyber incidents broadly as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” Only a small number of the incidents would be considered as significant data breaches.

National security and intelligence officials have long warned that cyber attacks are among the most serious threats facing the United States. President Barack Obama asked Congress last month for $19 billion for cyber security funding across the government in his annual budget request, an increase of $5 billion over the previous year.

The government’s Office of Personnel Management was victim of a massive hack that began in 2014 and was detected last year. Some 22 million current and former federal employees and contractors in addition to family members had their Social Security numbers, birthdays, addresses and other personal data pilfered in the breach.

That event prompted the government to launch a 30-day “cyber security sprint” to boost cyber security within each federal agency by encouraging adoption of multiple-factor authentication and addressing other vulnerabilities.

“Despite unprecedented improvements in securing federal information resources … malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the report said.

(Reporting by Dustin Volz; Editing by Alistair Bell)

Chinese hackers behind U.S. ransomware attacks, security firms say

(Reuters) – Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said.

Ransomware, which involves encrypting a target’s computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.

But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.

“It is obviously a group of skilled of operators that have some amount of experience conducting intrusions,” said Phil Burdette, who heads an incident response team at Dell SecureWorks.

Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.

The victims included a transportation company and a technology firm that had 30 percent of its machines captured.

Security firms Attack Research, InGuardians and G-C Partners, said they had separately investigated three other similar ransomware attacks since December.

Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.

The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.

Asked about the allegations, China’s Foreign Ministry said on Tuesday that if they were made with a “serious attitude” and reliable proof, China would treat the matter seriously.

But ministry spokesman Lu Kang said China did not have time to respond to what he called “rumors and speculation” about the country’s online activities.

The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.

Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.

Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.

It is also possible, Burdette said, that companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and that spies or their associates were taking as much as they could on the way out. In one of Dell’s cases, the means of access by the team spreading ransomware was established in 2013.

The cyber security experts could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.

Dell said that some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a record of years of attacks of interest to the Chinese government, including those on U.S. defense companies and sites that draw Chinese minorities.

PAYMENT IN BITCOIN

Ransomware has been around for years, spread by some of the same people that previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.

In the past two years, better encryption techniques have often made it impossible for victims to regain access to their files without cooperation from the hackers. Many ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay.

Security software companies have warned that because the aggregate payoffs for ransomware gangs are increasing, more criminals will shift to it from credit card theft and other complicated scams.

The involvement of more sophisticated hackers also promises to intensify the threat.

InGuardians CEO Jimmy Alderson said one of the cases his company investigated appeared to have been launched with online credentials stolen six months earlier in a suspected espionage hack of the sort typically called an Advanced Persistent Threat, or APT.

“The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab,” Alderson said.

(Reporting by Joseph Menn in San Francisco; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Clarence Fernandez)

North Korea tried to hack South’s railway system, spy agency claims

SEOUL (Reuters) – North Korea has tried to hack into email accounts of South Korean railway workers in an attempt to attack the transport system’s control system, South Korea’s spy agency said on Tuesday.

South Korea has been on heightened alert against the threat of cyberattacks by North Korea after it conducted a nuclear test in January and a long-range rocket launch last month, triggering new U.N. sanctions.

South Korea had previously blamed the North for cyberattacks against its nuclear power operator. North Korea denied that.

South Korea’s National Intelligence Service (NIS) said in a statement it had interrupted the hacking attempt against the railway workers and closed off their email accounts.

The agency issued the statement after an emergency meeting with other government agencies on the threat of cyberattacks by the North.

The agency detected hacking attempts by the North against workers for two regional railway networks this year, the spy agency said.

“The move was a step to prepare for cyber terror against the railway transport control system,” the agency said.

It did not elaborate on what it thought North Korea’s specific objective was in hacking into the system. An agency official reached by telephone declined to comment.

North Korea has been working for years to develop the ability to disrupt or destroy computer systems that control public services such as telecommunications and other utilities, according to a defector from the North.

The United States accused North Korea of a cyberattack against Sony Pictures in 2014 that led to the studio cancelling the release of a comedy based on the fictional assassination of the country’s leader, Kim Jong Un.

North Korea denied the accusation.

In 2013, South Korea blamed the North for crippling cyber-attacks that froze the computer systems of its banks and broadcasters for days.

New fears of attacks on South Korea’s computer systems came as South Korean and U.S. troops conducted large-scale military exercises which North Korea denounced as “nuclear war moves” and threatened to respond with an all-out military offensive.

(Reporting by Jack Kim and Ju-min Park; Editing by Robert Birsel)

Mac ransomware caught before large number of computers infected

(Reuters) – The first known ransomware attack on Apple Inc’s Mac computers, which was discovered over the weekend, was downloaded more than 6,000 times before the threat was contained, according to a developer whose product was tainted with the malicious software.

Hackers infected Macs with the “KeRanger” ransomware through a tainted copy of Transmission, a popular program for transferring data through the BitTorrent peer-to-peer file sharing network.

So-called ransomware is a type of malicious software that restricts access to a computer system in some way and demands the user pay a ransom to the malware operators to remove the restriction.

KeRanger, which locks data on Macs so users cannot access it, was downloaded about 6,500 times before Apple and developers were able to thwart the threat, said John Clay, a representative for the open-source Transmission project.

That is small compared to the number of ransomware attacks on computers running Microsoft Corp’s Windows operating system. Cyber security firm Symantec Corp observed some 8.8 million attacks in 2014 alone.

Still, cyber security experts said they expect to see more attacks on Macs as the KeRanger hackers and other groups look for new ways to infect Mac computers.

“It’s a small number but these things always start small and ramp up huge,” said Fidelis Cybersecurity threat systems manager John Bambenek. “There’s a lot of Mac users out there and a lot of money to be made.”

Symantec, which sells anti-virus software for Macs, warned on its blog that “Mac users should not be complacent.” The post offered tips on protecting against ransomware.

The Transmission project provided few details about how the attack was launched.

“The normal disk image (was) replaced by the compromised one” after the project’s main server was hacked, said Clay.

He added that “security on the server has since been increased” and that the group was in “frequent contact” with Apple as well as Palo Alto Networks, which discovered the ransomware on Friday and immediately notified Apple and Transmission.

An Apple representative said the company quickly took steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs.

Transmission responded by removing the malicious 2.90 version of its software from its website. On Sunday, it released version 2.92, which its website says automatically removes the ransomware from infected Macs.

Forbes earlier reported on the number of KeRanger downloads, citing Clay.

(Reporting by Jim Finkle; Editing by Cynthia Osterman and Bill Rigby)

Apple users targeted in first known Mac ransomware campaign

BOSTON (Reuters) – Apple Inc customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday.

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.

Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Olson said in a telephone interview.

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.

Transmission responded by removing the malicious version of its software from its website. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.

The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson, the Palo Alto threat intelligence director, said that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.

Representatives with Transmission could not be reached for comment.

(Editing by Jeffrey Benkoe and Sandra Maler)

Hackers could ‘Mousejack’ wireless mice, keyboards to access computers

A cyber security company says it has discovered a design flaw in scores of wireless keyboards and mice that hackers could exploit to access computers as if they were their own devices.

Bastille Networks announced the discovery in a news release last week, claiming a hacker armed with a $15 piece of hardware and a few lines of code could gain full control of a computer by exploiting a loophole in the way wireless keyboards and mice communicate with the devices.

The company says the majority of mice and keyboards that use wireless dongles, as opposed to Bluetooth technology, are vulnerable. The dongles are plugged into USB ports on the computer, and clicks, mouse movements and keystrokes are transmitted to them through radio signals.

However, Bastille says hackers within 100 meters of the vulnerable dongles could “Mousejack” a computer by taking advantage of those connections, allowing the hackers to send their own clicks, mouse movements and keystrokes to the computers as if they were sitting in front of it.

That could allow them to view sensitive data or insert malicious code, the company said.

Bastille claims billions of devices are vulnerable, and computers running Windows, Macintosh and Linux software were all at risk. But one manufacturer downplayed the risk of a breach.

“Bastille Security identified the vulnerability in a controlled, experimental environment,” Logitech said on its message board. “The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack.”

“What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise,” Marc Newlin, the Bastille engineer responsible for discovering the security flaw, said in a statement.

Bastille supplied a list of vulnerable mice and keyboards on its website, and manufacturers like Logitech and Lenovo have already issued firmware patches they say address the security flaw.

But Bastille noted that patches might not be available for every dongle, and device owners will need to check with manufacturers to see if there is a fix available. In the interim, it recommends using a wired mouse or possibly replacing a vulnerable device with one known to be secure.

NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on the U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)

U.S. waging cyber war on Islamic State, commandos active

WASHINGTON (Reuters) – The United States is waging cyber attacks against Islamic State in Syria and Iraq, and its newly deployed commandos are also carrying out secret missions on the ground, Pentagon leaders said on Monday, in the latest signs of quietly expanding U.S. activity.

U.S. Defense Secretary Ash Carter said the cyber attacks, particularly in Syria, were designed to prevent Islamic State from commanding its forces, and Washington was looking to accelerate the cyber war against the Sunni militant group.

“The methods we’re using are new. Some of them will be surprising,” Carter told a Pentagon news conference.

General Joseph Dunford, chairman of the U.S. military’s Joint Chiefs of Staff, said the cyber attacks were helping lay the groundwork for an eventual offensive operation to recapture the city of Mosul in Iraq from Islamic State.

Carter and Dunford, the Pentagon’s top civilian and uniformed officials, both suggested the attacks were aimed at overloading the militants’ networks. They declined to delve into specifics.

“We don’t want the enemy to know when, where and how we’re conducting cyber operations. We don’t want them to have information that will allow them to adapt over time,” Dunford said.

Dunford suggested Islamic State might not know why its computer networks were proving unreliable.

“They’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age. And frankly, we don’t want them to know the difference.”

U.S. COMMANDOS

The United States disclosed in January that a new, roughly 200-strong U.S. continent of special operations forces was “in place” in Iraq, poised to carry out raids against Islamic State and other secret missions, both in Iraq and in Syria.

Carter disclosed on Monday that the so-called “expeditionary targeting force,” or ETF, was already operating on the ground.

“The ETF is in position, it is having an effect and operating, and I expect it to be a very effective part of our acceleration campaign,” he said, without elaborating.

Its deployment represents increased U.S. military activity on the ground against Islamic State, exposing American forces to greater risk – something President Barack Obama has done only sparingly.

The force follows another deployment last year of up to 50 U.S. special operations troops in Syria to coordinate on the ground with U.S.-backed forces battling Islamic State.

The U.S. military disclosed last week that those U.S. forces helped opposition forces recapture the strategic Syrian town of al-Shadadi from Islamic State.

The Pentagon said recapturing the town helped sever links between Mosul in Iraq and Raqqa in Syria, the two major power centers in Islamic State’s self-declared caliphate.

More knowledge about the group’s operations is expected to be discovered, Carter said.

“As our partners take control of Shadadi, I believe we will learn a great deal more about ISIL’s criminal networks, its criminal enterprise and what it does to sustain them,” Carter said, using an acronym for the group.

(Reporting by Phil Stewart and David Alexander; Editing by Susan Heavey and Richard Chang)