Chinese economic cyber-espionage plummets in U.S.: experts


By Joseph Menn and Jim Finkle

SAN FRANCISCO (Reuters) – The Chinese government appears to be abiding by its September pledge to stop supporting the hacking of American trade secrets to help companies there compete, private U.S. security executives and government advisors said on Monday.

FireEye Inc, the U.S. network security company best known for fighting sophisticated Chinese hacking, said in a report released late Monday that breaches attributed to China-based groups had plunged by 90 percent in the past two years. The most dramatic drop came during last summer’s run-up to the bilateral agreement, it added.

FireEye’s Mandiant unit in 2013 famously blamed a specific unit of China’s Peoples Liberation Army for a major campaign of economic espionage.

Kevin Mandia, the Mandiant founder who took over last week as FireEye chief executive, said in an interview that several factors seemed to be behind the shift. He cited embarrassment from Mandiant’s 2013 report and the following year’s indictment of five PLA officers from the same unit Mandiant uncovered.

Prosecutors said the victims included U.S. Steel, Alcoa Inc and Westinghouse Electric. Mandia also cited the threat just before the agreement that the United States could impose sanctions on Chinese officials and companies.

“They all contributed to a positive result,” Mandia said.

A senior Obama administration official said the government was not yet ready to proclaim that China was fully complying with the agreement but said the new report would factor into its monitoring. “We are still doing an assessment,” said the official, speaking on condition he not be named.

The official added that a just-concluded second round of talks with China on the finer points of the agreement had gone well. He noted that China had sent senior leaders even after the U.S. Secretary of Homeland Security pulled out because of the Orlando shootings.

China’s Foreign Ministry, the only government department to regularly answer questions from foreign reporters on the hacking issue, said China aimed to maintain dialogue on preventing and combating cyber-spying.

“We’ve expressed our principled position on many occasions,” ministry spokeswoman Hua Chunying told a daily news briefing on Tuesday. “We oppose and crack down on commercial cyber-espionage activities in all forms.”

FireEye said that Chinese intrusions into some U.S. firms have continued, with at least two hacked in 2016. But while the hackers installed “back doors” to enable future spying, FireEye said it had seen no evidence that data was stolen.

Both hacked companies had government contracts, said FireEye analyst Laura Galante, noting that it was plausible that the intrusions were stepping stones toward gathering information on government or military people or projects, which remain fair game under the September accord.

FireEye and other security companies said that as the Chinese government-backed hackers dropped wholesale theft of U.S. intellectual property, they increased spying on political and military targets in other countries and regions, including Russia, the Middle East, Japan and South Korea.

Another security firm, CrowdStrike, has observed more Chinese state-supported hackers spying outside of the United States over the past year, company Vice President Adam Meyers said in an interview.

Targets include Russian and Ukrainian military targets, Indian political groups and the Mongolian mining industry, Meyers said.

FireEye and CrowdStrike said they were confident that the attacks are being carried out either directly by the Chinese government or on its behalf by hired contractors.

Since late last year there has been a flurry of new espionage activity against Russian government agencies and technology firms, as well as other targets in India, Japan and South Korea, said Kurt Baumgartner, a researcher with Russian security software maker Kaspersky Lab.

He said those groups use tools and infrastructure that depend on Chinese-language characters.

One of those groups, known as Mirage or APT 15, appears to have ended a spree of attacks on the U.S. energy sector and is now focusing on government and diplomatic targets in Russia and former Soviet republics, Baumgartner said.

(Reporting by Joseph Menn in San Francisco and Jim Finkle in Boston; Additional reporting by Megha Rajagopalan in Beijing; Editing by Jonathan Weber and Richard Chang)

Keyboard warriors: South Korea trains new frontline in decades-old war with North


By Ju-min Park

SEOUL (Reuters) – In one college major at Seoul’s elite Korea University, the courses are known only by number, and students keep their identities a secret from outsiders.

The Cyber Defense curriculum, funded by the defense ministry, trains young keyboard warriors who get a free education in exchange for a seven-year commitment as officers in the army’s cyber warfare unit – and its ongoing conflict with North Korea.

North and South Korea remain in a technical state of war since the 1950-53 Korean War ended in an armed truce. Besides Pyongyang’s nuclear and rocket program, South Korea says the North has a strong cyber army which it has blamed for a series of attacks in the past three years.

The cyber defense program at the university in Seoul was founded in 2011, with the first students enrolled the following year.

One 21-year-old student, who allowed himself to be identified only by his surname Noh, said he had long been interested in computing and cyber security and was urged by his father to join the program. All South Korean males are required to serve in the military, usually for up to two years.

“It’s not a time burden but part of a process to build my career,” Noh said.

“Becoming a cyber warrior means devoting myself to serve my country,” he said in a war room packed with computers and wall-mounted flat screens at the school’s science library.

South Korea, a key U.S. ally, is one of the world’s most technologically advanced countries.

That makes the networks that control everything from electrical power grids to the banking system vulnerable to an enemy that has relatively primitive infrastructure and thus offers few targets against which the South could retaliate.

“In relative terms, it looks unfavorable because our country has more places to defend, while North Korea barely uses or provides internet,” said Noh.

Last year, South Korea estimated that the North’s “cyber army” had doubled in size over two years to 6,000 troops, and the South has been scrambling to ramp up its capability to meet what it considers to be a rising threat.

The United States and South Korea announced efforts to strengthen cooperation on cyber security, including “deepening military-to-military cyber cooperation,” the White House said during President Park Geun-hye’s visit to Washington in October.

In addition to the course at Korea University, the national police has been expanding its cyber defense capabilities, while the Ministry of Science, ICT and Future Planning started a one-year program in 2012 to train so-called “white hat” – or ethical – computer hackers.

NORTH’S CYBER OFFENSIVES

Still, the North appears to have notched up successes in the cyber war against both the South and the United States.

Last week, South Korean police said the North hacked into more than 140,000 computers at 160 South Korean companies and government agencies, planting malicious code under a long-term plan laying groundwork for a massive cyber attack against its rival.

In 2013, Seoul blamed the North for a cyber attack on banks and broadcasters that froze computer systems for over a week.

North Korea denied responsibility.

The U.S. Federal Bureau of Investigation has blamed Pyongyang for a 2014 cyber attack on Sony Pictures’ network as the company prepared to release “The Interview,” a comedy about a fictional plot to assassinate North Korean leader Kim Jong Un. The attack was followed by online leaks of unreleased movies and emails that caused embarrassment to executives and Hollywood personalities.

North Korea described the accusation as “groundless slander.”

South Korea’s university cyber defense program selects a maximum of 30 students each year, almost all of them men. On top of free tuition, the school provides 500,000 won ($427) per month support for each student for living expenses, according to Korea University Professor Jeong Ik-rae.

The course trains pupils in disciplines including hacking, mathematics, law and cryptography, with students staging mock hacking attacks or playing defense, using simulation programs donated by security firms, he said.

The admission to the selective program entails three days of interviews including physical examinations, attended by military officials along with the school’s professors, he said.

While North Korea’s cyber army outnumbers the South’s roughly 500-strong force, Jeong said a small group of talented and well-trained cadets can be groomed to beat the enemy.

Jeong, an information security expert who has taught in the cyber defense curriculum since 2012, said the school benchmarks itself on Israel’s elite Talpiot program, which trains gifted students in areas like technology and applied sciences as well as combat. After graduating, they focus on areas like cybersecurity and missile defense.

“It’s very important to have skills to respond when attacks happen – not only to defend,” Jeong said.

(Editing by Tony Munroe and Raju Gopalakrishnan)

Massive cyber attack could trigger NATO response: Stoltenberg


BERLIN (Reuters) – A major cyber attack could trigger a collective response by NATO, NATO Secretary General Jens Stoltenberg said in an interview published by Germany’s Bild newspaper on Thursday.

“A severe cyber attack may be classified as a case for the alliance. Then NATO can and must react,” the newspaper quoted Stoltenberg as saying. “How, that will depend on the severity of the attack.”

He spoke after a decision this week by NATO ministers to designate cyber as an official operational domain of warfare, along with air, sea, and land.

In 2014 the U.S.-led alliance assessed that cyber attacks could potentially trigger NATO’S mutual defense guarantee, or Article 5. That means NATO could potentially respond to a cyber attack with conventional weapons, although the response would be decided by consensus.

The NATO chief told Bild that the alliance needed to adjust to the increasingly complex series of threats it faces, which is why NATO members have agreed to defend against attacks in cyberspace just as they do against attacks launched against targets on land, in the air and at sea.

The United States and other NATO states have become increasingly vocal about cyber attacks launched from Russia, China and Iran, but officials say it remains hard to determine if such attacks stem from government bodies or private groups.

Recognizing cyber as an official domain of warfare will allow NATO to improve planning and better manage resources, training and personnel needs for cyber defense operations, said a NATO official, speaking on condition of anonymity.

The official stressed that NATO’s cyber activities would remain purely defensive. “We have no offensive cyber doctrine or offensive cyber capability. And there are no plans for NATO as a body to use such capabilities. NATO’s core cyber defense task is to defend NATO’s own networks,” said the official.

Individual members have already declared cyber an operational warfare domain, including the United States, which said in 2011 that it would respond to hostile attacks in cyberspace as it would to any other threat.

(Reporting by Andrea Shalal; Editing by Dan Grebler and Mark Heinrich)

Wendy’s says it finds more unusual card activity at restaurants


(Reuters) – U.S. burger chain operator Wendy’s Co <WEN.O> said it had discovered additional instances of unusual credit card activity at some of its franchise-operated restaurants, widening the scope of an earlier cyber attack on the company.

The company in January said it was investigating reports of unusual activity with payment cards used at some of its restaurants.

Wendy’s said it recently discovered a variant of a malware that was discovered and reported in May. The new malware was used to target a point-of-sales system that was earlier believed to be unaffected.

The company said the new variant of the malware had been disabled in cases where it was detected.

Wendy’s expects the number of franchise restaurants that will be impacted by the cybersecurity attacks is now “considerably higher” than the 300 restaurants already affected.

“To date, there has been no indication in the ongoing investigation that any company-operated restaurants were impacted by this activity,” Wendy’s said on Thursday.

The new discoveries are a result of the company’s continuing investigation into unusual credit card activity at its restaurants.

Large retailers such as Target Corp <TGT.N> and Home Depot Inc <HD.N> have been victims of security breaches in recent years.

(Reporting by Narottam Medhora in Bengaluru; Editing by Shounak Dasgupta)

Bangladeshi probe panel’s chief says SWIFT responsible for cyber theft


DHAKA (Reuters) – A Bangladesh government-appointed panel investigating the theft of $81 million from the country’s central bank has found that SWIFT, the international banking payments network, committed a number of mistakes in connecting up a local network, the panel head said on Sunday.

“We have shown that SWIFT made a number of errors that made it easy for the hackers,” Mohammed Farashuddin, a former governor of the Bangladeshi central bank, told reporters.

He said SWIFT, a cooperative owned by 3,000 financial institutions, could not escape responsibility as it had connected its network to the central bank’s new real time gross settlement (RTGS) system launched in October for domestic transactions.

“SWIFT is responsible for the heist of Bangladesh Bank as it approached the central bank for the installation of RTGS real time gross settlement,” Farashuddin said.

SWIFT has already rejected allegations made by Dhaka that it had been at fault, saying its financial messaging system remained secure and had not been breached by the hackers during the attack on Bangladesh Bank.

The hackers broke into the computer systems of the central bank in early February and issued instructions through the SWIFT network to transfer $951 million of its deposits held at the New York Federal Reserve Bank to accounts in the Philippines and Sri Lanka.

Most of the transactions were blocked but four went through amounting to $81 million, prompting allegations by Bangladeshi officials that both the Fed and SWIFT had failed to detect the fraud.

Bangladeshi police and a bank official said earlier this month that the central bank became more vulnerable to hackers when technicians from SWIFT connected the new bank transaction system to SWIFT messaging three months before the cyber theft.

The local Daily Star newspaper quoted Farashuddin as saying that SWIFT failed to implement 13 security measures in the installation of the system.

Farashuddin is due to submit his final report to the government in the next few days.

A spokeswoman for SWIFT said she had no immediate comment to make.

In a letter to users dated May 3, SWIFT told its bank customers that they were responsible for securing computers used to send messages over its network.

(Reporting by Serajul Qaudir; Writing by Sanjeev Miglani; Editing by Greg Mahlich)

FBI warns automakers, owners about vehicle hacking risks

WASHINGTON (Reuters) – The FBI and U.S. National Highway Traffic Safety Administration (NHTSA) issued a bulletin Thursday warning that motor vehicles are “increasingly vulnerable” to hacking.

“The FBI and NHTSA are warning the general public and manufacturers – of vehicles, vehicle components, and aftermarket devices – to maintain awareness of potential issues and cybersecurity threats related to connected vehicle technologies in modern vehicles,” the agencies said in the bulletin.

In July 2015, Fiat Chrysler Automobiles NV recalled 1.4 million U.S. vehicles to install software after a magazine report raised concerns about hacking, the first action of its kind for the auto industry.

Also last year, General Motors Co issued a security update for a smartphone app that could have allowed a hacker to take control of some functions of a plug-in hybrid electric Chevrolet Volt, like starting the engine and unlocking the doors.

In January 2015, BMW AG said it had fixed a security flaw that could have allowed up to 2.2 million vehicles to have doors remotely opened by hackers.

“While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk,” the FBI bulletin said Thursday.

NHTSA Administrator Mark Rosekind told reporters in July 2015 that automakers must move fast to address hacking issues.

The Fiat Chrysler recall came after Wired magazine reported hackers could remotely take control of some functions of a 2014 Jeep Cherokee, including steering, transmission and brakes. NHTSA has said there has never been a real-world example of a hacker taking control of a vehicle.

Two major U.S. auto trade associations — the Alliance of Automobile Manufacturers and Association of Global Automakers — late last year opened an Information Sharing and Analysis Center. The groups share cyber-threat information and potential vulnerabilities in vehicles.

The FBI bulletin Thursday warned that criminals could exploit online vehicle software updates by sending fake “e-mail messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could be tricked into clicking links to malicious Web sites or opening attachments containing malicious software.”

(Reporting by David Shepardson; Editing by Kenneth Maxwell)

Apple opposes order to help unlock California shooter’s phone

WASHINGTON (Reuters) – Apple Inc opposed a court ruling on Tuesday that ordered it to help the FBI break into an iPhone recovered from a San Bernardino shooter, heightening a dispute between tech companies and law enforcement over the limits of encryption.

Chief Executive Tim Cook said the court’s demand threatened the security of Apple’s customers and had “implications far beyond the legal case at hand.”

Earlier on Tuesday, Judge Sheri Pym of U.S. District Court in Los Angeles said that Apple must provide “reasonable technical assistance” to investigators seeking to unlock the data on an iPhone 5C that had been owned by Syed Rizwan Farook.

That assistance includes disabling the phone’s auto-erase function, which activates after 10 consecutive unsuccessful passcode attempts, and helping investigators to submit passcode guesses electronically.

Federal prosecutors requested the court order to compel Apple to assist the investigation into the Dec. 2 shooting rampage by Farook and his wife, killing 14 and injuring 22 others. The two were killed in a shootout with police.

The FBI has been investigating the couple’s potential communications with Islamic State and other militant groups.

“Apple has the exclusive technical means which would assist the government in completing its search, but has declined to provide that assistance voluntarily,” prosecutors said.

U.S. government officials have warned that the expanded use of strong encryption is hindering national security and criminal investigations.

Technology experts and privacy advocates counter that forcing U.S. companies to weaken their encryption would make private data vulnerable to hackers, undermine the security of the Internet and give a competitive advantage to companies in other countries.

In a letter to customers posted on Apple’s website, Cook said the FBI wanted the company “to build a backdoor to the iPhone” by making a new version of the iPhone operating system that would circumvent several security features.

“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers – including tens of millions of American citizens – from sophisticated hackers and cybercriminals,” Cook said.

He said Apple was “challenging the FBI’s demands” and that it would be “in the best interest of everyone to step back and consider the implications.”

In a similar case last year, Apple told a federal judge in New York that it was “impossible” for the company to unlock its devices running iOS 8 or higher.

According to prosecutors, the phone belonging to Farook ran on iOS 9.

Prosecutors said Apple could still help investigators by disabling “non-encrypted barriers that Apple has coded into its operating system.”

Apple and Google both adopted strong default encryption in late 2014, amid growing digital privacy concerns spurred in part by the leaks from former National Security Agency contractor Edward Snowden.

Forensics expert Jonathan Zdziarski said on Tuesday that Apple might have to write custom code to comply with the order, presenting a novel question to the court about whether the government could order a private company to hack its own device.

Zdziarski said that, because the San Bernardino shooting was being investigated as a terrorism case, investigators would be able to work with the NSA and the CIA on cracking the phone.

Those U.S. intelligence agencies could likely break the iPhone’s encryption without Apple’s involvement, he said.

(Reporting by Dustin Volz; Additional reporting by Joseph Menn, Dan Levine and Shivam Srivastava; Editing by Cynthia Osterman, Lisa Shumaker and Robin Paxton)

Reports: U.S., British spies hacked Israeli air force

JERUSALEM (Reuters) – The United States and Britain have monitored secret sorties and communications by Israel’s air force in a hacking operation dating back to 1998, according to documents attributed to leaks by former U.S. spy agency contractor Edward Snowden.

Israel voiced disappointment at the disclosures, which were published on Friday in three media outlets and might further strain relations with Washington after years of feuding over strategies on Iran and the Palestinians.

Israel’s Yedioth Ahronoth daily said the U.S. National Security Agency, which specializes in electronic surveillance, and its British counterpart GCHQ spied on Israeli air force missions against the Palestinian enclave Gaza, Syria and Iran.

The spy operation, codenamed “Anarchist”, was run out of a Cyprus base and targeted other Middle East states too, it said. Its findings were mirrored by stories in Germany’s Der Spiegel news magazine and the online publication The Intercept, which lists Snowden confidant Glenn Greenwald among its associates.

“This access is indispensable for maintaining an understanding of Israeli military training and operations and thus an insight to possible future developments in the region,” The Intercept quoted a classified GCHQ report as saying in 2008.

That year, Israel went to war against Hamas guerrillas in Gaza and began issuing increasingly vocal threats to attack Iranian nuclear facilities if it deemed international diplomacy insufficient to deny its arch-foe the means of making a bomb.

Asked for comment, the United States and Britain said through spokespeople for their embassies in Israel that they do not publicly discuss intelligence matters.

NOT “DEEPEST KINGDOM OF SECRETS”

Israeli Energy Minister Yuval Steinitz, a member of Prime Minister Benjamin Netanyahu’s security cabinet, sought to play down the potential damage but said lessons would be learned.

“I do not think that this is the deepest kingdom of secrets, but it is certainly something that should not happen, which is unpleasant,” he told Israel’s Army Radio. “We will now have to look and consider changing the encryption, certainly.”

With the Netanyahu government and Obama administration at loggerheads over the U.S.-led nuclear agreement with Iran, there have been a series of high-profile media exposes in recent months alleging mutual espionage between the allies.

Israel insists that it ceased such missions since it ran U.S. Navy analyst Jonathan Pollard as an agent in the 1980s.

“We know that the Americans spy on the whole world, and also on us, also on their friends,” Steinitz said. “But still, it is disappointing, inter alia because, going back decades already, we have not spied nor collected intelligence nor hacked encryptions in the United States.”

The Intercept report included what it said were images of armed Israeli drones hacked from onboard cameras’ live feeds.

Israel neither confirms nor denies having armed drones, though one of its senior military officers was quoted as acknowledging their existence in a 2010 U.S. diplomatic cable that was previously disseminated by WikiLeaks.

Yedioth said that the hacking revelations could hurt Israeli drone sales to Germany should Berlin worry about the aircraft networks’ security. But Steinitz brushed off that possibility.

“Every country carries out its own encryption,” he said.

Germany said on January 12 it would lease Heron TP drones from state-owned Israel Aerospace Industries (IAI).

(Writing by Dan Williams; Editing by Mark Heinrich)

U.S. official sees more cyber attacks on industrial control systems

MIAMI (Reuters) – A U.S. government cyber security official warned that authorities have seen an increase in attacks that penetrate industrial control system networks over the past year, and said they are vulnerable because they are exposed to the Internet.

Industrial control systems are computers that control operations of industrial processes, from energy plants and steel mills to cookie factories and breweries.

“We see more and more that are gaining access to that control system layer,” said Marty Edwards, who runs the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

ICS-CERT helps U.S. firms investigate suspected cyber attacks on industrial control systems as well as corporate networks.

Interest in critical infrastructure security has surged since late last month, when Ukrainian authorities blamed a power outage on a cyber attack from Russia, which would make it the first known power outage caused by a cyber attack.

Experts attending the S4 conference of some 300 critical infrastructure security specialists in Miami said the incident has caused U.S. firms to ask whether their systems are vulnerable to similar incidents.

Edwards said he believed the increase in attacks was mainly because more control systems are directly connected to the Internet.

“I am very dismayed at the accessibility of some of these networks… they are just hanging right off the tubes,” he said in an on-stage interview with conference organizer Dale Peterson.

Edwards did not say whether those attacks had caused any service disruptions or threatened public safety.

Sean McBride, a critical infrastructure analyst with iSight Partners who attended the talk, said the increase may reflect greater publicity in recent years about the risks of cyber attacks, which prompted operators to look harder and find more infections.

McBride said he could not say if the increase was troubling because he did not know the intent of the attackers.

Edwards and a DHS spokesman declined to elaborate on his comments.

ICS-CERT said in an alert this week that it had identified malware used in the attack in Ukraine as BlackEnergy 3, a variant of malware that the agency said in 2014 had infected some U.S. critical infrastructure operators.

A DHS official said on Tuesday that government investigators have not confirmed whether the BlackEnergy malware caused the Ukraine incident.

“At this time there is no definitive evidence linking the power outage in Ukraine with the presence of the malware,” said the official, who was not authorized to discuss the matter publicly.

Edwards did not discuss the Ukraine attack during his talk.

(Reporting by Jim Finkle in Miami; Editing by Leslie Adler)

Ukraine Power Outage Appears to be Work of Hackers

Some Ukrainians were without power for hours last month after hackers infiltrated the power grid and were able to turn off the lights, according to a report in The Washington Post.

An official with the cybersecurity company iSIGHT Partners told the newspaper that the Dec. 23 cyber attack appeared to be the first documented time that hackers successfully shut off power.

The official told The Washington Post that the group believed to be responsible for turning off the lights was Russian, and had at one point tried to attack targets in the United States and Europe. But another cyber security expert told the paper it could be difficult to determine the exact circumstances about the breach, including if the alleged hackers were even responsible.