Sony hackers linked to breaches in 4 other countries, report finds

SAN FRANCISCO (Reuters) – The perpetrators of the 2014 cyber attack on Sony Pictures Entertainment were not activists or disgruntled employees, and likely had attacked other targets in China, India, Japan and Taiwan, according to a coalition of security companies that jointly investigated the Sony case for more than a year.

The coalition, organized by security analytics company Novetta, concluded in a report released on Wednesday that the hackers were government-backed but it stopped short of endorsing the official U.S. view that North Korea was to blame.

The Obama administration has tied the attack on Sony Corp’s film studio to its release of “The Interview,” a comedy that depicted the fictional assassination of North Korean leader Kim Jong Un.

Novetta said the breach “was not the work of insiders or hacktivists.”

“This is very much supportive of the theory that this is nation-state,” Novetta Chief Executive Peter LaMontagne told Reuters. “This group was more active, going farther back, and had greater capabilities and reach than we thought.”

Novetta worked with the largest U.S. security software vendor Symantec Corp, top Russian security firm Kaspersky Lab and at least 10 other institutions on the investigation, a rare collaboration involving so many companies.

They determined that the unidentified hackers had been at work since at least 2009, five years before the Sony breach. The hackers were able to achieve many of their goals despite modest skills because of the inherent difficulty in establishing an inclusive cyber security defense, the Novetta group said.

LaMontagne said the report was the first to tie the Sony hack to breaches at South Korean facilities including a power plant. The FBI and others had previously said the Sony attackers reused code that had been used in destructive attacks on South Korean targets in 2013.

The Novetta group said the hackers were likely also responsible for denial-of-service attacks that disrupted U.S. and South Korean websites on July 24, 2009. The group said it found overlaps in code, tactics and infrastructure between the attacks.

Symantec researcher Val Saengphaibul said his company connected the hackers to attacks late last year, suggesting the exposure of the Sony breach and the threat of retaliation by the United States had not silenced the gang.

The coalition of security companies distributed technical indicators to help others determine if they had been targeted by the same hackers, which Novetta dubbed the Lazarus Group.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

California hospital makes rare admission of hack, ransom payment

LOS ANGELES/BOSTON (Reuters) – While it was not the first hacked organization to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news.

Hollywood Presbyterian Medical Center relented to the demands, President Allen Stefanek said, because he believed it was the “quickest and most efficient way” to free the Los Angeles hospital’s network, which was paralyzed for about 10 days.

That announcement sparked fears Thursday among hospitals and security experts that it would embolden hackers to launch more “ransomware” attacks and calls in California for tougher laws.

“It’s no different than if they took all the patients and held them in one room at gunpoint,” said California State Senator Robert Hertzberg, who on Thursday introduced legislation to make a ransomware attack equivalent to extortion and punishable by up to four years in prison.

Usually embarrassment and a desire to discourage hackers keep attacked companies quiet. Hollywood Presbyterian did not say why it made the disclosure, but its hand may have been forced by spreading rumors a week after the hack. Stefanek confirmed the cyber attack after at least one doctor appeared to have told local media.

In addition, he disputed media reports the 434-bed hospital had faced a ransom demand of $3.4 million, far more than the amount paid in the hard-to-trace cyber-currency bitcoin.

In a ransomware attack, hackers infect PCs with malicious software that encrypts valuable files so they are inaccessible, then offer to unlock the data only if the victim pays a ransom.

The hack at Hollywood Presbyterian forced doctors to use pen and paper in an age of computerization. News reports said its fax lines were jammed because normal e-mail communication was unavailable, and some emergency patients had to be diverted to other hospitals.

Investigators said administrators were so alarmed that they may have paid ransom first and called police later.

Medical facilities in the area plan to consult cyber security experts on how to protect themselves, the Hospital Association of Southern California said. “Hospitals are certainly now aware of ransomware more than they ever were before, and this has become a very real threat,” said spokeswoman Jennifer Bayer.

Some experts said ransomware encryption can be so hard to crack that victims feel they have little choice but to pay if they want their systems back. The hackers’ success could also prompt other hospitals to make quick payments to avoid the disruption and bad publicity Hollywood Presbyterian faced.

“Our number one fear is that this now pretty much opens the door for other people to pay,” said Bob Shaker, a manager at cyber security firm Symantec Corp.

‘CAT AND MOUSE’

He knew of at least 20 other attacks on healthcare facilities in the past year and hundreds more in other industries that had been kept secret.

Some of those put patients at risk and affected infusion pumps that deliver chemotherapy drugs, risking patient overdoses, he said.

Because hackers hide their identities and demand payment in bitcoin, authorities may have to work harder to find them than if they used old-fashioned methods.

But cyber-crime experts say that they can still be traced.

“The public nature of the network does give law enforcement an angle to help defeat them,” said Jonathan Levin, co-founder of Chainalysis, a New York company working with bitcoin users. “But it’s a game of cat and mouse.”

Ransomware is big business for cyber criminals and security professionals. Although ransoms typically are less than the hospital paid, $200 to $10,000, victims of a ransomware known as CryptoWall reported losses over $18 million from April 2014 to June 2015, the FBI said.

Ransomware attacks climbed sharply in 2014, when Symantec observed some 8.8 million cases, more than double the previous year. IBM said that last year more than half of all customer calls reporting cyber attacks involved ransomware.

(Editing by Sharon Bernstein and Cynthia Osterman)

Cyber attack snarls Los Angeles hospital’s patient database

LOS ANGELES (Reuters) – The FBI is investigating a cyber attack that has crippled the electronic database at Hollywood Presbyterian Medical Center for days, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

The origin of the computer network intrusion was unknown but since it began late last week has bogged down communications between physicians and medical staff newly dependent on paper records and doctors’ notoriously messy handwriting, doctors and a Federal Bureau of Investigation spokeswoman said on Tuesday.

“It’s right there on paper, but it may not be legible,” Dr. Rangasamy Ramanathan, a neonatal-perinatal specialist affiliated with the 434-bed facility, said. “The only problem is doctors’ writing.”

Although the cyber attack has snarled the hospital’s patient database, doctors have managed to relay necessary medical records the old-fashioned way through phone lines and fax machines, Ramanathan said.

The FBI is seeking to pinpoint hackers responsible for the intrusion, FBI spokeswoman Ari Dekofsky said. She declined to release further details.

Allen Stefanek, the hospital’s president and CEO, told Los Angeles television station KNBC-TV the hospital declared an internal emergency on Friday, after encountering significant information technology problems due to the hack.

A spokeswoman for the hospital could not be reached for comment.

(Reporting by Alex Dobuzinskis; Editing by Lisa Shumaker)

U.S. planned major cyber attack on Iran if diplomacy failed, NYT reports

WASHINGTON (Reuters) – The United States had a plan for an extensive cyber attack on Iran in case diplomatic attempts to curtail its nuclear program failed, The New York Times reported on Tuesday, citing a forthcoming documentary and military and intelligence officials.

Code-named Nitro Zeus, the plan was aimed at crippling Iran’s air defenses, communications systems and key parts of its electrical power grid, but was put on hold after a nuclear deal was reached last year, the Times said.

The plan developed by the Pentagon was intended to assure President Barack Obama that he had alternatives to war if Iran moved against the United States or its regional allies, and at one point involved thousands of U.S. military and intelligence personnel, the report said. It also called for spending tens of millions of dollars and putting electronic devices in Iran’s computer networks, the Times said.

U.S. intelligence agencies at the same time developed a separate plan for a covert cyberattack to disable Iran’s Fordo nuclear enrichment site inside a mountain near the city of Qom, the report said.

The existence of Nitro Zeus was revealed during reporting on a documentary film called “Zero Days” to be shown on Wednesday at the Berlin Film Festival, the Times said. The film describes rising tensions between Iran and the West in the years before the nuclear agreement, the discovery of the Stuxnet cyberattack on the Natanz uranium enrichment plant, and debates in the Pentagon over the use of such tactics, the paper reported.

The Times said it conducted separate interviews to confirm the outlines of the program, but that the White House, the Department of Defense and the Office of the Director of National Intelligence all declined to comment, saying that they do not discuss planning for military contingencies.

There was no immediate response to a request by Reuters for comment from the Pentagon.

(Reporting by Eric Walsh; Editing by Chris Reese)

Ukraine sees Russian hand in cyber attacks on power grid

KIEV (Reuters) – Hackers used a Russian-based internet provider and made phone calls from inside Russia as part of a coordinated cyber attack on Ukraine’s power grid in December, Ukraine’s energy ministry said on Friday.

The incident was widely seen as the first known power outage caused by a cyber attack, and has prompted fears both within Ukraine and outside that other critical infrastructure could be vulnerable.

The ministry, saying it had completed an investigation into the incident, did not accuse the Russian government directly of involvement in the attack, which knocked out electricity supplies to tens of thousands of customers in central and western Ukraine and prompted Kiev to review its cyber defenses.

But the findings chime with the testimony of the U.S. intelligence chief to Congress this week, which named cyber attacks, including those targeting Washington’s interests in Ukraine, as the biggest threat to U.S. national security.

Relations between Kiev and Moscow soured after Russia annexed the Crimean peninsula in March 2014 and pro-Russian separatist violence erupted in Ukraine.

Hackers targeted three power distribution companies in December’s attack, and then flooded those companies’ call centers with fake calls to prevent genuine customers reporting the outage.

“According to one of the power companies, the connection by the attackers to its IT network occurred from a subnetwork … belonging to an (internet service) provider in the Russian Federation,” the ministry said in a statement.

Deputy Energy Minister Oleksander Svetelyk told Reuters hackers had prepared the attacks at least six months in advance, adding that his ministry had ordered tighter security procedures.

“The attack on our systems took at least six months to prepare – we have found evidence that they started collecting information (about our systems) no less than 6 months before the attack,” Svetelyk said by phone.

Researchers at Trend Micro, one of the world’s biggest security software firms, said this week that the software used to infect the Ukrainian utilities has also been found in the networks of a large Ukrainian mining company and a rail company.

The researchers said one possible explanation was that it was an attempt to destabilize Ukraine as a whole. It was also possible these were test probes to determine vulnerabilities that could be exploited later, they said.

(Writing by Matthias Williams; additional reporting by Eric Auchard; Editing by Ruth Pitchford)

U.S. intelligence chief warns of cyber, ‘homegrown’ security threats

WASHINGTON (Reuters) – Attacks by “homegrown” Islamist extremists are among the most imminent security threats facing the United States in 2016, along with dangers posed overseas by Islamic State and cyber security concerns, the top U.S. intelligence official said on Tuesday.

In his annual assessment of threats to the United States, Director of National Intelligence James Clapper warned that fast-moving cyber and technological advances “could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems.”

In prepared testimony before the Senate Armed Services and Intelligence Committees, Clapper outlined an array of other threats from Russia and North Korean nuclear ambitions to instability caused by the Syrian migrant crisis.

“In my 50 plus years in the intelligence business I cannot recall a more diverse array of crises and challenges than we face today,” Clapper said.

Islamic State poses the biggest danger among militant groups because of the territory it controls in Iraq and Syria, and is determined to launch attacks on U.S. soil, Clapper said. It also has demonstrated “unprecedented online proficiencies,” he said.

While the United States “will almost certainly remain at least a rhetorically important enemy” for many foreign militant groups, “homegrown violent extremists … will probably continue to pose the most significant Sunni terrorist threat to the U.S. homeland in 2016,” he said, referring to Sunni Muslim jihadists.

“The perceived success” of attacks by such extremists in Europe and San Bernardino, California, “might motivate others to replicate opportunistic attacks with little or no warning,” Clapper said.

A married couple inspired by Islamist militants shot and killed 14 people in San Bernardino in December.

General Vincent Stewart, director of Defense Intelligence Agency, told the Senate Armed Services Committee that Islamic State aims to conduct more attacks in Europe during 2016 and has ambitions to attack inside the United States.

The group is taking advantage of the refugee flow from Syria’s civil war to hide militants among them and is adept at obtaining false documentation, Clapper said.

Al Qaeda affiliates, most notably the one in Yemen known as Al Qaeda in the Arabian Peninsula, have proven resilient and are positioned to make gains this year despite pressure from Western counterterrorism operations, Clapper said.

He cited threats from Russia’s increasingly assertive international policies, saying “We could be into another Cold War-like spiral.”

U.S. intelligence assesses that North Korea, which launched a satellite into orbit last weekend, is committed to developing a long-range nuclear armed missile that can reach the United States and has carried out some steps towards fielding a mobile intercontinental ballistic missile system, Clapper said.

He said North Korea has followed through on publicly stated plans to re-start a plutonium production reactor and could begin to assemble a plutonium stockpile within months.

CIA director John Brennan said one of North Korean leader Kim Jong Un’s objectives in conducting nuclear and missile tests is to advance efforts by North Korea to “market” such technology, presumably to other rogue regimes around the world.

(Writing by Doina Chiacu; Editing by Mohammad Zargham and Alistair Bell)

National Security Agency merging offensive, defensive hacking operations

WASHINGTON (Reuters) – The U.S. National Security Agency on Monday outlined a reorganization that will consolidate its spying and domestic cyber-security operations, despite recommendations by a presidential panel that the agency focus solely on espionage.

The NSA said the reorganization, known as “NSA21,” or NSA in the 21st century, will take two years to complete, well into the first term of whoever is elected president in November.

A review board appointed by President Barack Obama recommended in December 2013 that the NSA concentrate solely on foreign intelligence gathering. The board’s recommendations came as the United States was reeling from disclosures from former NSA contractor Edward Snowden about the collection of vast amounts of domestic and international communications data.

Under the board’s plan, a separate agency would have been housed within the Department of Defense with responsibility for enhancing the security of government networks and assisting corporate computer systems.

Ignoring that recommendation, the Obama administration will replace its separate spying and cyber-defense directorates with a unified organization responsible for both espionage and helping defend U.S. computer networks.

The “new structure will enable us to consolidate capabilities and talents to ensure that we’re using all of our resources to maximum effect to accomplish our mission,” NSA Director Mike Rogers said in a workforce address made publicly available on Monday.

Some technology specialists and privacy advocates have said the government agency responsible for building and exploiting flaws in computer software for spying purposes should not be the same one entrusted to warn companies about detected software weaknesses.

The presidential panel cited concerns about “potential conflicts of interest” between the NSA’s offensive and defensive objectives, in addition to the need to restore confidence with the U.S. technology industry to induce better cyber-security collaboration.

“I hope the NSA will explain its strategy for continuing to rebuild trust with the private sector,” Peter Swire, a professor of law at the Georgia Institute of Technology, who served on the five-member review group, said on Monday.

In November, the NSA told Reuters it informed U.S. technology firms more than 90 percent of the time about serious software flaws it found. The spy agency did not say how quickly it alerted those firms, leaving open the possibility it exploits software vulnerabilities before sharing details about them.

(Reporting by Dustin Volz; Editing by Peter Cooney)

Hackers attack 20 million accounts on Chinese shopping site

BEIJING (Reuters) – Hackers in China attempted to access over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.

Analysts said the report from The Paper led to the price of Alibaba’s U.S.-listed shares falling as much as 3.7 percent in late Wednesday trade.

An Alibaba spokesman on Thursday said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.

Chinese companies are grappling a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before defenses catch up to U.S. counterparts.

In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.

The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.

The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, the ministry website said. The hackers have since been caught, it said.

Alibaba’s systems discovered and blocked the vast majority of log-in attempts, according to the ministry website.

The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, the newspaper said. The hackers also sold accounts to be used for fraud, it said.

Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.

“Alibaba’s system was never breached,” the spokesman said.

The number of accounts, 20.59 million, represents about 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.

(Reporting by Paul Carsten; Additional reporting by Beijing Newsroom; Editing by Christopher Cushing)

Hackers target HSBC, disrupt online banking for UK customers

Hackers targeted one of the world’s largest banks on Friday morning, preventing some of HSBC’s customers in the United Kingdom from being able to access their online accounts.

HSBC issued a statement saying it “successfully defended” against a denial-of-service attack, in which hackers try to prevent people from accessing a given site by overwhelming it with traffic.

The company said the attack targeted its Internet banking system for the United Kingdom, but no transactions were affected. However, some United Kingdom customers who tried to log into their accounts Friday were greeted by a message that said online banking was unavailable.

That message did not appear on the company’s website for online banking in the United States.

HSBC tweeted that its service was recovering, though it was still seeing some denial-of-service attacks some five hours after it initially reported the incident. The bank added it was “working closely with law enforcement authorities to pursue the criminals responsible.”

About 17 million United Kingdom residents are HSBC customers, the bank says. It apologized to all those inconvenienced by the outage, and encouraged them to visit a branch for urgent issues.

It was the second time this month that HSBC customers had an issue with online banking.

The company tweeted that “an internal technical issue” prevented some people from accessing their accounts on Jan. 4 and Jan. 5. In a video tweeted from the company’s account, an HSBC official said that was not caused by a cyber attack and that customers’ data was never at risk.

HSBC has about 6,100 offices in more than 70 countries and territories across the globe, according to its website.

U.S. utilities worry about cyber cover after Ukraine grid attack

(Reuters) – U.S. utilities are looking hard at their cyber vulnerabilities and whether they can get insurance to cover what could be a multi-billion dollar loss after hackers cut electric power to more than 80,000 Ukrainians last month.

The Dec. 23 incident in Ukraine was the first cyber attack to cause a power outage, and is one of just a handful of incidents in which computer hacking has caused physical effects on infrastructure rather than the loss or theft of electronic data.

A similar attack in the United States could cripple utilities and leave millions of people in the dark, costing the economy more than $200 billion, an insurance study estimated last year.

Security experts, insurance brokers, insurers and attorneys representing utilities told Reuters that the Ukraine attack has exposed long-standing ambiguity over which costs would be covered by insurance in various cyber attack scenarios.

“People in the insurance industry never did a great job clarifying the scope of coverage,” said Paul Ferrillo, an attorney with Weil, Gotshal & Manges who advises utilities.

Cyber insurance typically covers the cost of attacks involving stolen personal data. Some general property and liability policies may cover physical damage from cyber attacks, but insurers do not always provide clear answers about coverage for industrial firms, said Ben Beeson, a partner with broker Lockton Companies.

That has led to some unease among U.S. utilities.

“When you get these kind of headline-grabbing cyber incidents, there is obviously a flurry of interest,” said Dawn Simmons, an executive with Associated Energy and Gas Insurance Services, or AEGIS, a U.S. mutual insurer that provides coverage to its 300 or so members.

Getting a policy that includes cyber property damage is not cheap.

Sciemus Cyber Ltd, a specialty insurer at the Lloyd’s of London insurance market, charges energy utilities roughly $100,000 for $10 million in data breach insurance. The price balloons to as much as seven times that rate to add coverage for attacks that cause physical damage, said Sciemus Chief Executive Rick Welsh.

INDUSTRY WARNINGS

Security experts have warned for several years that a cyber attack could cause power outages due to the growing reliance on computer technology in plants that is accessible from the Internet.

In the Ukraine attack, hackers likely gained control of systems remotely, then switched breakers to cut power, according to an analysis by the Washington-based SANS Institute. Ukraine’s state security service blamed Russia for the attack, while U.S. cyber firm iSight Partners linked it to a Russian hacking group known as Sandworm Team.

Utilities are now trying to determine if they have insurance to cover these kinds of attacks, and if not, whether they need it, said Patrick Miller, founder of the Energy Sector Security Consortium, an industry group that shares information on cyber threats.

American Electric Power Company Inc, Duke Energy Corp, Nextera Energy Inc and PG&E Corp are among publicly-traded utility companies that have warned of their exposure to cyber risks in their most recent annual reports to securities regulators, and that their insurance coverage might not cover all expenses related to an attack.

Representatives with AEP, Duke and PG&E declined to disclose the limits of their insurance. Officials with Nextera could not be reached for comment.

The potential costs of an attack in the United States are huge. Last year Lloyd’s and the University of Cambridge released a 65-page study estimating that simultaneous malware attacks on 50 generators in the Northeastern United States could cut power to as many as 93 million people, resulting in at least $243 billion in economic damage and $21 billion to $71 billion in insurance claims.

The study called such a scenario improbable but “technologically possible.”

There are precedents, including the 2010 ‘Stuxnet’ attack that damaged centrifuges at an Iranian uranium enrichment facility and the 2012 ‘Shamoon’ campaign that crippled business operations at Saudi Aramco and RasGas by wiping drives on tens of thousands of PCs.

In late 2014, the German government reported that hackers had damaged an unnamed steel mill, the first attack that damaged industrial equipment. Details remain a mystery.

AMBIGUITY OVER COVERAGE

“It’s getting a little competitive just to get a carrier quoting your policy,” said Lynda Bennett, an attorney with Lowenstein Sandler, who helps businesses negotiate insurance. Some insurers have cut back on cyber coverage in response to the increase in the number and types of breaches, she added.

American International Group Inc, for example, will only write cyber policies over $5 million for a power utility after an in-depth review of its technology, including the supervisory control and data acquisition (SCADA) systems that remotely control grid operations.

“There are companies that we have walked away from providing coverage to because we had concerns about their controls,” said AIG executive Tracie Grella.

AIG and AEGIS declined to discuss pricing of policies. It seems likely they will find coverage more in demand after the Ukraine attack.

“A lot more companies will be asked by their stakeholders internally: Do we have coverage for this type of thing?” said Robert Wice, an executive with Beazley Plc, which offers cyber insurance. “Whether they actually start to buy more or not will depend on pricing.”

(Reporting by Jim Finkle; Additional reporting by Rory Carroll; Editing by Bill Rigby)