Exclusive: Ukraine says Russia hackers laying groundwork for massive strike

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by cyber attacks, in Kiev, Ukraine June 27, 2017. Picture taken June 27, 2017. REUTERS/Valentyn Ogirenko

By Pavel Polityuk

KIEV (Reuters) – Hackers from Russia are infecting Ukrainian companies with malware to create so-called ‘back doors’ for a large coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday, almost a year after a strike on Ukraine spread around the world.

Affected companies range across various industries, such as banks or energy infrastructure. The pattern of the malware being rolled out suggests the people behind it want to activate it on a particular day, Serhiy Demedyuk said.

Demedyuk said his staff were cooperating with foreign agencies to track the hackers, without naming the agencies.

Police had identified viruses designed to hit Ukraine since the start of the year, including phishing emails sent from legitimate domains of state institutions whose systems were hacked, or a fake webpage mimicking that of a real state body.

They had intercepted hackers sending malware from different sources and broken into various components so as to remain undetected by antivirus software until activated as a single unit, Demedyuk said.

“Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day,” he said.

Relations between Ukraine and Russia plunged following Russia’s annexation of Crimea in 2014, and Kiev has accused Russia of orchestrating large-scale cyber attacks as part of a “hybrid war” against Ukraine, which Moscow repeatedly denies.

Some attacks coincided with major Ukrainian holidays and Demedyuk said another strike could be launched on Thursday — Constitution Day — or on Independence Day in August.

On June 27 last year, the country was hit by a massive strike known as “NotPetya”, which knocked out Ukrainian IT systems before spreading around the world. The United States and Britain joined Ukraine in blaming Russia for the attack.

Demedyuk said the scale of the latest detected preparations was the same as NotPetya.

“This is support on a government level – very expensive and very synchronized. Without the help of government bodies it would not be possible. We’re talking now about the Russian Federation,” he said.

“Everything we’re seeing, everything we’ve intercepted in this period: 99 percent of the traces come from Russia.”

The Kremlin did not immediately respond to a request for comment.

Ukraine is better prepared to withstand such attacks thanks to cooperation with foreign allies since the NotPetya strike, Demedyuk said. Ukraine has received support from the U.S., Britain and NATO among others to beef up its cyber defenses.

But Demedyuk said some Ukrainian companies had not bothered to clean their computers after NotPetya struck, leaving machines still infected by the virus and vulnerable to being used for another attack.

“We are sounding the alarm to remind people – come to your senses, check your equipment,” he said. “It’s better to be on the safe side than clean up a mess like last time.”

He also appealed to global companies who were hit by NotPetya, including U.S. and European firms in Ukraine, to share details of their investigations and steps to localize the hack.

“They have a huge amount of very interesting evidence, which they store themselves. We would like it if they weren’t scared and approached us.”

(Additional reporting by Margarita Popova in Moscow; writing by Matthias Williams; editing by Philippa Fletcher)

FBI says foreign hackers have compromised home router devices

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration

By Sarah N. Lynch

WASHINGTON (Reuters) – The FBI warned on Friday that foreign cyber criminals had compromised “hundreds of thousands” of home and small office router devices around the world which direct traffic on the internet by forwarding data packets between computer networks.

In a public service announcement, the FBI it has discovered that the foreign cyber criminals used a VPNFilter malware that can collect peoples’ information, exploit their devices and also block network traffic.

The announcement did not provide any details about where the criminals might be based, or what their motivations could be.

“The size and scope of the infrastructure by VPNFilter malware is significant,” the FBI said, adding that it is capable of rendering peoples’ routers “inoperable.”

It said the malware is hard to detect, due to encryption and other tactics.

The FBI urged people to reboot their devices to temporarily disrupt the malware and help identify infected devices.

People should also consider disabling remote management settings, changing passwords to replace them with more secure ones and upgrading to the latest firmware.

(Reporting by Sarah N. Lynch; Editing by David Gregorio)

Cyber firms, Ukraine warn of planned Russian attack

Power lines are seen near the Trypillian thermal power plant in Kiev region, Ukraine November 23, 2017. REUTERS/Valentyn Ogirenko

By Jim Finkle and Pavel Polityuk

TORONTO/KIEV (Reuters) – Cisco Systems Inc warned on Wednesday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malicious software – activity Ukraine said was preparation for a future Russian cyber attack.

Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack against Ukraine ahead of the Champions League soccer final, due to be held in Kiev on Saturday.

“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final,” it said in a statement after Cisco’s findings were released.

Russia has previously denied assertions by Ukraine, the United States, other nations and Western cyber-security firms that it is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and interfering in the 2016 U.S. presidential election.

The Kremlin did not immediately respond to a request for comment submitted by Reuters on Wednesday.

Cisco said the new malware, dubbed VPNFilter, could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

“With a network like this you could do anything,” Williams told Reuters.

CONSTITUTION DAY ATTACK

The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the Cyber Threat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.

Members include Cisco, Check Point Software Technologies Ltd, Fortinet Inc, Palo Alto Networks Inc, Sophos Group PlcĀ  and Symantec Corp.

“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.

The devices infected with VPNFilter are scattered across at least 54 countries, but Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.

Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is poised to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.

Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.

They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.

VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.

The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.

The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.

(Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich)

‘Olympic Destroyer’ malware targeted Pyeongchang Games: firms

Performers appear during the opening ceremonies at the 2018 Winter Olympics at the Pyeongchang Olympic Stadium in Pyeongchang, South Korea February 9, 2018. REUTERS/Christof Stache/File Photo

By Jim Finkle

(Reuters) – Several U.S. cyber security firms said on Monday that they had uncovered a computer virus dubbed “Olympic Destroyer” that was likely used in an attack on Friday’s opening ceremony of the Pyeongchang Winter Games.

Games Organizers confirmed the attack on Sunday, saying that it affected internet and television services but did not compromise critical operations. Organizers did not say who was behind the attack or provide detailed discussion of the malware, though a spokesman said that all issues had been resolved as of Saturday.

Researchers with cyber security firms Cisco Systems Inc, CrowdStrike and FireEye Inc said in blog posts and statements to Reuters on Monday that they had analyzed computer code they believed was used in Friday’s attack.

All three security companies said the Olympic Destroyer malware was designed to knock computers offline by deleting critical system files, which would render the machines useless.

The three firms said they did not know who was behind the attack.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” Cisco said in its blog.

The attack took the Olympics website offline, which meant that some people could not print out tickets and WiFi used by reporters covering the games did not work during the opening ceremony, according to Cisco.

The attack did not affect the performance of drones, which were initially scheduled to be included in the opening ceremony, but later pulled from the program, organizers said in a statement.

The drone light show was canceled because there were too many spectators standing in the area where it was supposed to take place, the statement said.

(Reporting by Jim Finkle in Toronto; Editing by David Gregorio, Andrew Hay and Cynthia Osterman)

North Korean hackers behind attacks on cryptocurrency exchanges

A coin representing the bitcoin cryptocurrency is seen on computer circuit boards in this illustration picture

SEOUL (Reuters) – South Korea’s spy agency said North Korean hackers were behind attacks on cryptocurrency exchanges this year in which some 7.6 billion won ($6.99 million) worth of cryptocurrencies were stolen, a newspaper reported on Saturday.

The cyber attacks attributed to North Korean hackers also included the leaking of personal information from 36,000 accounts from the world’s busiest cryptocurrency exchange Bitthumb in June, South Korea’s Chosun Ilbo reported, citing the country’s National Intelligence Service (NIS).

Attacks also included the theft of cryptocurrencies from accounts at exchanges Yapizon, now called Youbit, and Coinis in April and September, it said.

The 7.6 billion won of stolen cryptocurrencies are now worth about 90 billion won ($82.7 million), Chosun Ilbo reported. It also cited the NIS as saying North Korean hackers had also demanded 6 billion won ($5.5 million) from Bitthumb in return for deleting the leaked personal information.

Another cyber attack on about 10 cryptocurrency exchanges by North Korean hackers in October, using emails containing malware, was thwarted by the Korea Internet Security Agency (KISA), the newspaper reported.

The NIS found that the malware used in hacking the exchanges was made with the same method as malware used in hacking Sony Pictures and the central bank of Bangladesh in 2014 and 2016 respectively, the Chosun Ilbo reported.

The NIS also said emails used in the attacks used North Korean internet addresses, according to the Chosun Ilbo.

The NIS declined to comment. Representatives for KISA, Bitthumb, Youbit and Coinis could not be reached for comment.

($1 = 1,087.9500 won)

(Reporting by Joyce Lee and Heekyong Yang; Editing by Paul Tait)

NotPetya hackers likely behind BadRabbit attack: researchers

NotPetya hackers likely behind BadRabbit attack: researchers

By Jack Stubbs

MOSCOW (Reuters) – Technical indicators suggest a cyber attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analyzed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the U.S. National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence Bad Rabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried about by a hacking group widely known as Black Energy, which some cyber experts say works in favor of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

(Additional reporting by Eric Auchard; Editing by Jim Finkle/Mark Heinrich)

Researchers uncover flaw that makes Wi-Fi vulnerable to hacks

FILE PHOTO: A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

(Reuters) – Cyber security watchdogs and researchers are issuing warnings over risks associated with a widely used system for securing Wi-Fi communications after the discovery of a flaw that could allow hackers to read information thought to be encrypted, or infect websites with malware.

An alert from the U.S. Department of Homeland Security Computer Emergency Response Team on Monday said the flaw could be used within range of Wi-Fi using the WPA2 protocol to hijack private communications. It recommended installing vendor updates on affected products, such as routers provided by Cisco Systems Inc <CSCO.O> or Juniper Networks Inc <JNPR.N>.

Belgian researchers Mathy Vanhoef and Frank Piessens of Belgian university KU Leuven disclosed the bug in WPA2, which secures modern Wi-Fi systems used by vendors for wireless communications between mobile phones, laptops and other connected devices with Internet-connected routers or hot spots.

“If your device supports Wi-Fi, it is most likely affected,” they said on the www.krackattacks.com website, which they set up to provide technical information about the flaw and methods hackers might use to attack vulnerable devices.

It was not immediately clear how difficult it would be for hackers to exploit the bug, or if the vulnerability has previously been used to launch any attacks.

Finnish security firm F-Secure said experts have long been cautious about Wi-Fi’s ability to withstand security challenges of the 21st century.

“But the worst part of it is that it’s an issue with Wi-Fi protocols, which means it affects practically every single person in the world that uses Wi-Fi networks,” it said on its website.

Microsoft Corp <MSFT.O> said it had released a security update for Windows. Customers who applied the update, or had automatic updates enabled, would already be protected, it said in a statement emailed to Reuters.

CERT New Zealand and CERT India asked users to apply security updates. CERT NZ suggested using ethernet cables and to connect directly into the network, when possible.

“Given the complexity of updating smart devices such as mobile phones, CERT NZ also strongly recommends disabling Wi-Fi when it isn’t required,” it said in its advisory. (http://bit.ly/2gfho2b)

The Wi-Fi Alliance, an industry group that represents hundreds of Wi-Fi technology companies, said the issue “could be resolved through a straightforward software update”.

The group said in a statement it had advised members to release patches quickly and recommended that consumers quickly install those security updates.

(Reporting by Jim Finkle in Toronto and Dustin Volz in Washington; Additional reporting by Aradhana Aravindan in Singapore; Editing by Susan Thomas, Dan Grebler and Jacqueline Wong)

Police seize servers of Ukrainian software firm after cyber attack

A view shows a laptop display (R) showing part of a code, which is the component of Petya malware computer virus according to representatives of Ukrainian cyber security firm ISSP, with an employee working nearby at the firm's office in Kiev, Ukraine July 4, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

KIEV (Reuters) – Ukrainian police on Tuesday seized the servers of an accounting software firm suspected of spreading a malware virus which crippled computer systems at major companies around the world last week, a senior police official said.

The head of Ukraine’s Cyber Police, Serhiy Demedyuk, told Reuters the servers of M.E.Doc – Ukraine’s most popular accounting software – had been seized as part of an investigation into the attack.

Though they are still trying to establish who was behind last week’s attack, Ukrainian intelligence officials and security firms have said some of the initial infections were spread via a malicious update issued by M.E.Doc, charges the company’s owners deny.

The owners were not immediately available for comment on Tuesday.

Premium Service, which says it is an official dealer of M.E.Doc’s software, wrote a post on M.E.Doc’s Facebook page saying masked men were searching M.E.Doc’s offices and that the software firm’s servers and services were down.

Premium Service could not be reached for further comment.

Cyber Police spokeswoman Yulia Kvitko said investigative actions were continuing at M.E.Doc’s offices, adding that further comment would be made on Wednesday.

The police move came after cyber security investigators unearthed further evidence on Tuesday that the attack had been planned months in advance by highly-skilled hackers, who they said had inserted a vulnerability into the M.E.Doc progamme.

Ukraine also took steps on Tuesday to extend its state tax deadline by one month to help businesses hit by the malware assault.

Researchers at Slovakian security software firm ESET said they had found a “backdoor” written into some of M.E.Doc’s software updates, likely with access to the company’s source code, which allowed hackers to enter companies’ systems undetected.

“VERY STEALTHY AND CUNNING”

“We identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules,” ESET senior malware researcher Anton Cherepanov said in a technical note. “It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.”

“This was a thoroughly well-planned and well-executed operation,” he said.

ESET said at least three M.E.Doc updates had been issued with the “backdoor vulnerability”, and the first one was sent to clients on April 14, more than two months before the attack.

ESET said the hackers likely had access to M.E.Doc’s source code since the beginning of the year, and the detailed preparation before the attack was testament to the advanced nature of their operation.

Oleg Derevianko, board chairman at Ukrainian cyber security firm ISSP, said an update issued by M.E.Doc in April delivered a virus to the company’s clients which instructed computers to download 350 megabytes of data from an unknown source on the internet.

The virus then exported 35 megabytes of company data to the hackers, he told Reuters in an interview at his office in Kiev.

“With this 35 megabytes you can exfiltrate anything – emails from all of the banks, user accounts, passwords, anything.”

Little known outside Ukrainian accounting circles, M.E.Doc is used by around 80 percent of companies in Ukraine. The software allows its 400,000 clients to send and collaborate on financial documents between internal departments, as well as file them with the Ukrainian state tax service.

Ukraine’s government said on Tuesday it would submit a draft law to parliament for the country’s tax deadline to be extended to July 15, and waive fines for companies who missed the previous June 13 cutoff because of the attack.

“We had program failures in connection to the cyber attack, which meant that businesses were unable to submit account reports on time,” Prime Minister Volodymyr Groysman told a cabinet meeting.

Separately, Ukraine’s security service, the SBU, said it had discussed cyber defense with NATO officials and had received equipment from the alliance to better combat future cyber attacks. Ukraine is not in NATO but is seeking closer ties.

On Saturday Ukrainian intelligence officials accused Russian security services of being behind the attack, and cyber security researchers linked it to a suspected Russian group who attacked the Ukrainian power grid in December 2016.

A Kremlin spokesman dismissed charges of Russian involvement as “unfounded blanket accusations”.

Derevianko said the hacker’s activity in April and reported access to M.E.Doc’s source code showed Ukraine’s computer networks had already been compromised and that the intruders were still operating inside them.

“It definitely tells us about the advanced capabilities of the adversaries,” he said. “I don’t think any additional evidence is needed to attribute this to a nation-state attack.”

(Additional reporting by Natalia Zinets; Writing by Jack Stubbs; Editing by Gareth Jones and Matthias Williams)

Ransomware virus hits computer servers across the globe

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

MOSCOW/KIEV (Reuters) – A ransomware attack hit computers across the world on Tuesday, taking out servers at Russia’s biggest oil company, disrupting operations at Ukrainian banks, and shutting down computers at multinational shipping and advertising firms.

Cyber security experts said those behind the attack appeared to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a kill-switch.

“It’s like WannaCry all over again,” said Mikko Hypponen, chief research officer with Helsinki-based cyber security firm F-Secure.

He said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. “This could hit the U.S.A. pretty bad,” he said.

The U.S. Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

The first reports of organizations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

Danish shipping giant A.P. Moller-Maersk, which handles one out of seven containers shipped globally, said the attack had caused outages at its computer systems across the world on Tuesday, including at its terminal in Los Angeles.

Pharmaceutical company Merck & Co said its computer network had been affected by the global hack.

A Swiss government agency also reported computer systems were affected in India, though the country’s cyber security agency said it had yet to receive any reports of attacks.

“DON’T WASTE YOUR TIME”

After the Wannacry attack, organizations around the globe were advised to beef up IT security.

“Unfortunately, businesses are still not ready and currently more than 80 companies are affected,” said Nikolay Grebennikov, vice president for R&D at data protection firm Acronis.

One of the victims of Tuesday’s cyber attack, a Ukrainian media company, said its computers were blocked and it had a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the message said, according to a screenshot posted by Ukraine’s Channel 24.

The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world’s biggest advertising agency, WPP – though it was not clear if their problems were caused by the same virus.

“The building has come to a standstill. It’s fine, we’ve just had to switch everything off,” said one WPP employee who asked not to be named.

WANNACRY AGAIN

Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught.

Experts said the latest ransomware attacks unfolding worldwide, dubbed GoldenEye, were a variant of an existing ransomware family called Petya.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender.

“There is no workaround to help victims retrieve the decryption keys from the computer,” the company said.

Russian security software maker Kaspersky Lab, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before.

Last’s month’s fast-spreading WannaCry ransomware attack was crippled after a 22-year-old British security researcher Marcus Hutchins created a so-called kill-switch that experts hailed as the decisive step in slowing the attack.

Any organization that heeded strongly worded warnings in recent months from Microsoft Corp to urgently install a security patch and take other steps appeared to be protected against the latest attacks.

Ukraine was particularly badly hit, with Prime Minister Volodymyr Groysman describing the attacks on his country as “unprecedented”.

An advisor to Ukraine’s interior minister said the virus got into computer systems via “phishing” emails written in Russian and Ukrainian designed to lure employees into opening them.

According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

Yevhen Dykhne, director of the Ukrainian capital’s Boryspil Airport, said it had been hit. “In connection with the irregular situation, some flight delays are possible,” Dykhne said in a post on Facebook. A Reuters reporter who visited the airport late on Tuesday said flights were operating as normal.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government’s computer network had gone down and the central bank said a operation at a number of banks and companies, including the state power distributor, had been disrupted by the attack.

“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement.

Russia’s Rosneft, one of the world’s biggest crude producers by volume, said its systems had suffered “serious consequences” from the attack. It said it avoided any impact on oil production by switching to backup systems.

The Russian central bank said there were isolated cases of lenders’ IT systems being infected by the cyber attack. One consumer lender, Home Credit, had to suspend client operations.

(Additional reporting by European bureaux and Jim Finkle in Toronto; writing by Christian Lowe; editing by David Clarke)

Security firms warn of new cyber threat to electric grid

An electricity station with high-tension electricity power lines is seen in Galapagar, Spain, January 20, 2017.

By Jim Finkle

(Reuters) – Two cyber security companies said they have uncovered a sophisticated piece of malicious software capable of causing power outages by ordering industrial computers to shut down electricity transmission.

Analysis of the malware, known as Crash Override or Industroyer, indicates it was likely used in a December 2016 cyber attack that cut power in Ukraine, according to the firms, Slovakian security software maker ESET and U.S. critical-infrastructure security firm Dragos Inc.

The discovery may stoke fears about cyber vulnerabilities in power grids that have intensified in the wake of the December Ukraine attack, and one a year earlier that also cut power in that nation.

Ukraine authorities have previously blamed Russia for the attacks on its grid. Moscow has denied responsibility.

Dragos founder Robert M. Lee said the malware is capable of causing outages of up to a few days in portions of a nation’s grid, but is not potent enough to bring down a country’s entire grid.

The firm has alerted government authorities and power companies about the threat, advising them of steps to defend against the threat, Lee said in an interview.

Crash Override can be detected if a utility specifically monitors its network for abnormal traffic, including signs that the malware is searching for the location of substations or sending messages to switch breakers, according to Lee, a former U.S. Air Force warfare operations officer.

The sample of Crash Override that was analyzed by Dragos is capable of attacking power operators across Europe, according to Lee.

“With small modifications, it could be leveraged against the United States,” he said.

Reuters reviewed an ESET technical analysis of the malware provided by the security firm, which they planned to release publicly on Monday. An ESET spokeswoman said the firm’s researchers were not available for comment ahead of its release.

ESET said in its report that it believed the malware was “very probably” used in the 2016 attack in Ukraine, noting it has an activation time stamp of Dec. 17, the day of the outage.

Crash Override is the second piece of malware discovered to date that is capable of disrupting industrial processes, according to Lee.

The first, Stuxnet, was discovered in 2010 and is widely believed by security researchers to have been used by the United States and Israel to attack Iran’s nuclear program.

Malware has been used in other attacks on industrial targets, including the 2015 Ukraine power outage, but in those cases human intervention was required to interfere with operations, Lee said.

(Reporting by Jim Finkle in Toronto; Editing by Tom Brown and Richard Pullin)