NSA backtracks on sharing number of Americans caught in warrant-less spying

A security car patrols the National Security Agency (NSA) data center in Bluffdale, Utah, U.S., March 24, 2017. REUTERS/George Frey

By Dustin Volz

WASHINGTON (Reuters) – For more than a year, U.S. intelligence officials reassured lawmakers they were working to calculate and reveal roughly how many Americans have their digital communications vacuumed up under a warrant-less surveillance law intended to target foreigners overseas.

This week, the Trump administration backtracked, catching lawmakers off guard and alarming civil liberties advocates who say it is critical to know as Congress weighs changes to a law expiring at the end of the year that permits some of the National Security Agency’s most sweeping espionage.

“The NSA has made Herculean, extensive efforts to devise a counting strategy that would be accurate,” Dan Coats, a career Republican politician appointed by Republican President Donald Trump as the top U.S. intelligence official, testified to a Senate panel on Wednesday.

Coats said “it remains infeasible to generate an exact, accurate, meaningful, and responsive methodology that can count how often a U.S. person’s communications may be collected” under the law known as Section 702 of the Foreign Intelligence Surveillance Act.

He told the Senate Intelligence Committee that even if he dedicated more resources the NSA would not be able to calculate an estimate, which privacy experts have said could be in the millions.

The statement ran counter to what senior intelligence officials had previously promised both publicly and in private briefings during the previous administration of President Barack Obama, a Democrat, lawmakers and congressional staffers working on drafting reforms to Section 702 said.

Representative John Conyers, the top Democrat in the House of Representatives Judiciary Committee, said that for many months intelligence agencies “expressly promised” members of both parties to deliver the estimated number to them.

Senior intelligence officials had also previously said an estimate could be delivered. In March, then NSA deputy director Rick Ledgett, said “yes” when asked by a Reuters reporter if an estimate would be provided this year.

“We’re working on that with the Congress and we’ll come to a satisfactory resolution, because we have to,” said Ledgett, who has since retired from public service.

The law allows U.S. intelligence agencies to eavesdrop on and collect vast amounts of digital communications from foreign suspects living outside of the United States, but often incidentally scoops up communications of Americans.

The decision to scrap the estimate is likely to complicate a debate in Congress over whether to curtail certain aspects of the surveillance law, congressional aides said. Congress must vote to renew Section 702 to avoid its expiration on Dec. 31.

Privacy issues often scramble traditional party lines, but there are signs that Section 702’s renewal will be even more politically unpredictable.

Some Republicans who usually support surveillance programs have expressed concerns about Section 702, in part because they are worried about leaks of intercepts of conversations between Trump associates and Russian officials amid investigations of possible collusion.

U.S. intelligence agencies last year accused Russia of interfering in the 2016 presidential election campaign, allegations Moscow denies. Trump denies there was collusion. Intelligence officials have said Section 702 was not directly connected to surveillance related to those leaks.

“As big a fan as I am of collection, incidental collection, I’m not going to reauthorize a program that could be politically manipulated,” Senator Lindsey Graham, usually a defender of U.S. surveillance activities, told reporters this week.

Graham was among 14 Republican senators, including every Republican member of the intelligence panel, who on Tuesday introduced a bill supported by the White House and top intelligence chiefs, that would renew Section 702 without changes and make it permanent.

Critics have called the process under which the FBI and other agencies can query the pool of data collected for U.S. information a “backdoor search loophole” that evades traditional warrant requirements.

“How can we accept the government’s reassurance that our privacy is being protected when the government itself has no idea how many Americans’ communications are being swept up and stored?” said Liza Goitein, a privacy expert at the Brennan Center for Justice.

(Reporting by Dustin Volz; additional reporting by Richard Cowan; Editing by Jonathan Weber and Grant McCool)

U.S. intelligence contractor pleads not guilty to leaking charge

Reality Winner, the U.S. intelligence contractor charged with leaking classified National Security Agency material is shown in this courtroom sketch during her hearing at the U.S. District Courthouse in Augusta, Georgia, U.S., June 8, 2017. Courtesy Richard Miller via REUTERS

By Rich McKay

AUGUSTA, Ga. (Reuters) – A U.S. intelligence contractor accused of illegally leaking a classified report on Russian interference in U.S. elections to a media outlet pleaded not guilty on Thursday to an espionage offense, and a federal judge denied her request for bail.

Reality Leigh Winner, 25, is accused of passing the top secret National Security Agency report to The Intercept last month while working with Pluribus International Corp, which provides analytical services for U.S. defense and intelligence.

Winner was charged in a federal grand jury indictment on Wednesday with a single count of willful retention and transmission of national defense information, a felony offense under the Espionage and Censorship Act that carries a maximum sentence of 10 years in prison.

A federal judge ordered that Winner remain held without bond after prosecutors argued during Thursday’s three-hour hearing that she posed a flight risk and public danger, citing what they called “disturbing” comments found in her notebook.

In one notation she wrote: “I want to burn the White House down,” Assistant U.S. Attorney Jennifer Solari told the judge. The prosecutor said investigators also found the names of three Islamic extremists known to federal authorities listed in Winner’s notebook.

According to a probable-cause affidavit from the Federal Bureau of Investigation, Winner admitted to intentionally printing a copy of the intelligence report in her office and mailing it to the news outlet.

The NSA document in question provided technical details on what it said were Russian attempts to hack election officials in the United States and a voting-machine firm before the presidential election in November, two U.S. officials with knowledge of the case have confirmed to Reuters.

The FBI said unauthorized disclosure of the secret document “could reasonably result in exceptionally grave damage to the national security,” though the government has not alleged that Winner sought to share the report with foreign agents.

She is the first person charged with leaking classified information to the media since the inauguration of President Donald Trump, who has called for investigations into leaks to the media.

A White House spokeswoman said at a press briefing ahead of Winner’s detention hearing that Trump believes anyone found guilty of unlawfully disclosing government secrets should be punished to the fullest extent of the law.

Winner, shackled at the feet and wearing an orange jumpsuit in court, said little during Thursday’s proceeding, except to reply, “Not guilty, your honor,” when asked for her plea, and to answer “yes” and “no” to procedural questions put to her by the judge.

Winner’s parents testified in support of her request to be released from jail on bond, describing their daughter as a church-going patriot who volunteered for the military and was never previously in trouble.

“Your honor, my daughter is a good girl. She will do whatever you tell her to do if you grant her bond,” her stepfather, Gary Winner, told the judge.

Solari countered that Winner’s political agenda mattered more to her than her oath to protect secrets entrusted to her, adding that she might be tempted to flee if further charges were brought in the continuing investigation.

(Reporting Rich McKay in Augusta. Additional reporting by Dustin Volz in Washington; Writing by Jim Finkle in Toronto and Steve Gorman in Los Angeles; Editing by Grant McCool and Tom Brown)

U.S. spy agencies probe another flank in Russian hacking

Reality Leigh Winner, 25, a federal contractor charged by the U.S. Department of Justice for sending classified material to a news organization, poses in a picture posted to her Instagram account. Reality Winner/Social Media via REUTERS

By Joseph Menn

SAN FRANCISCO (Reuters) – Russian hacking of the 2016 U.S. election included sophisticated targeting of state officials responsible for voter rolls and voting procedures, according to a top secret U.S. intelligence document that was leaked and published this week, revealing another potential method of attempted interference in the vote.

The month-old National Security Agency document outlined activities including impersonating an election software vendor to send trick emails to more than 100 state election officials. Analysts at the NSA believed the hackers were working for the Russian military’s General Staff Main Intelligence Directorate, or GRU, according to the document.

The document’s publication on Monday by The Intercept, a news outlet that focuses on security issues, received particular attention because an intelligence contractor, Reality Leigh Winner, was charged the same day with leaking it.

U.S. intelligence agencies have previously said the Kremlin tried to influence the election outcome in favor of Republican candidate Donald Trump through leaks during the campaign of hacked emails from Democratic Party officials, aimed at discrediting Democratic candidate Hillary Clinton.

The new revelations suggest that U.S. investigators are also still probing a more direct attempt to attack the election itself, and a federal official confirmed that is the case. However, there is no evidence that hackers were able to manipulate votes, or the vote tally.

The document says at least one employee of the software vendor had an account compromised but does not cover whether any of the elections officials were also successfully compromised.

If they did compromise the officials, hackers could have planted malicious software, then captured proof of the infection to suggest that there had been fraud on Clinton’s behalf, had she won the Nov. 8 election, experts said.

“If your goal is to disrupt an election, you don’t need to pick the winner or actually tamper with tally result,” said Matt Blaze, a University of Pennsylvania computer science professor who has written on the security of voting machines. Simply casting doubt on the legitimacy of the results could achieve the goals of a government-sponsored hacking campaign, he said.

U.S. intelligence officials had previously stated that Russian intelligence had won access to “multiple” election officials but had said that compromised machines were not involved with vote tallies. But they had not said how sophisticated and extensive the effort was or how it worked.

Russian President Vladimir Putin has strongly denied Russian government involvement in election hacking, though he said last week that “patriotic” Russians could have been involved. Trump has denied any collusion.

SPEAR-PHISHING ON ELECTIONS OFFICIALS

The newly leaked NSA report said the hackers used so-called “spear-phishing” techniques on election officials, trying to convince targets to click on links in emails that seemed to come from legitimate correspondents.

The report describes just one phishing campaign, which hit state officials a week before the election, but does not give any locations or say if it was successful. Although there may have been many others, security experts said one coming so late in the game would be more likely to be about sowing chaos than trying to alter vote counts.

The report did not say what the hackers were trying to accomplish, and any investigation of the computers of people who were targeted would be the jurisdiction of the FBI.

An FBI spokeswoman declined to comment Tuesday, as did the office of the special counsel Robert Mueller, who is investigating possible collusion between Trump campaign officials and the Russian government.

ATTACKING VOTER ROLLS

The “bait” used in the spear-phishing campaign involved software for managing voter registration rolls. The hackers might have been considering deleting some records and forcing officials to turn legitimate voters away, said elections technology security expert Alex Halderman, of the University of Michigan.

There were no wide reports of mass rejections of voters, so perhaps that plan was abandoned or proved too hard to execute, he said.

It is also possible that the idea was to get onto the machines of officials who oversaw both registration and voting software. Elections are run by counties in the United States.

“Depending on the county’s configuration and security practices and what is separated from what, they could have access to potentially every aspect, from lists of registered voters, to voting machines, to firmware on those machines, to the ballots that are presented, to the software that controls the final tally,” Blaze said.

“This is the holy grail of what an attacker would want to compromise.”

Members of Congress said they hoped to learn more about the hacking attempts.

“It’s important that the American people understand that the Russian attempts to break into a number of our state voting processes – we talked about this in the fall – was broad-based,” Democrat Mark Warner, vice chairman of the Senate Intelligence committee, told reporters.

“It’s my hope in the coming days that we can get more information out about that.”

(Reporting by Joseph Menn in San Francisco; Additonal reporting by Dustin Volz, Jim Finkle and Mark Hosenball in Washington; Editing by Jonathan Weber and Frances Kerry)

Wikipedia can pursue NSA surveillance lawsuit: U.S. appeals court

A man is silhouetted near logos of the U.S. National Security Agency (NSA) and Wikipedia in this photo illustration taken in Sarajevo March 11, 2015. REUTERS/Dado Ruvic/File Photo

By Jonathan Stempel

(Reuters) – A federal appeals court on Tuesday revived a Wikipedia lawsuit that challenges a U.S. National Security Agency (NSA) program of mass online surveillance, and claims that the government unconstitutionally invades people’s privacy rights.

By a 3-0 vote, the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, said the Wikimedia Foundation, which hosts the Wikipedia online encyclopedia, had a legal right to challenge the government’s Upstream surveillance program.

The decision could make it easier for people to learn whether authorities have spied on them through Upstream, which involves bulk searches of international communications within the internet’s backbone of cables, switches and routers.

Upstream’s existence was revealed in leaks by former NSA contractor Edward Snowden in 2013.

Lawyers for the Wikipedia publisher and eight other plaintiffs including Amnesty International USA and Human Rights Watch, with more than 1 trillion international communications annually, argued that the surveillance violated their rights to privacy, free expression and association.

The U.S. Department of Justice countered that the Foreign Intelligence Surveillance Act had authorized Upstream’s review of communications between Americans and foreign “targets.”

In October 2015, U.S. District Judge T.S. Ellis III in Baltimore dismissed the lawsuit, finding a lack of evidence that the NSA, headquartered in Maryland, was conducting surveillance “at full throttle.”

Writing for the appeals court panel, however, Circuit Judge Albert Diaz found “nothing speculative” about the Wikimedia Foundation’s claims.

Diaz said the NSA interception and copying of communications showed “an invasion of a legally protected interest – the Fourth Amendment right to be free from unreasonable searches and seizures.”

The foundation could also pursue its First Amendment claim because it had “self-censored” some communications in response to the Upstream surveillance, Diaz said.

By a 2-1 vote, the same panel also ruled the plaintiffs lacked standing to challenge the NSA’s alleged “dragnet” to intercept “substantially all” text-based communications to and from the United States while conducting Upstream surveillance.

Justice Department spokesman Mark Abueg declined to comment.

Patrick Toomey, an American Civil Liberties Union lawyer representing the plaintiffs, said the ruling means Upstream “will finally face badly needed scrutiny” in the courts.

“This is an important victory for the rule of law,” he said in a statement. “Our government shouldn’t be searching the private communications of innocent people in bulk.”

Some Democratic and Republican lawmakers are working on legislation to curtail parts of Upstream. A section of FISA that authorizes the program expires at year end.

The case is Wikimedia Foundation et al v National Security Agency et al, 4th U.S. Circuit Court of Appeals, No. 15-2560.

(Reporting by Jonathan Stempel in New York; Additional reporting by Dustin Volz in Washington; editing by Jeffrey Benkoe and Phil Berlowitz)

U.S. cyber bill would shift power away from spy agency

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Joel Schectman

WASHINGTON (Reuters) – A bill proposed in Congress on Wednesday would require the U.S. National Security Agency to inform representatives of other government agencies about security holes it finds in software like the one that allowed last week’s “ransomware” attacks.

Under former President Barack Obama, the government created a similar inter-agency review, but it was not required by law and was administered by the NSA itself.

The new bill would mandate a review when a government agency discovers a security hole in a computer product and does not want to alert the manufacturer because it hopes to use the flaw to spy on rivals. It also calls for the review process to be chaired by the defense-oriented Department of Homeland Security rather than the NSA, which spends 90 percent of its budget on offensive capabilities and spying.

Republican Senator Ron Johnson of Wisconsin and Democratic Senator Brian Schatz of Hawaii introduced the legislation in the U.S. Senate Homeland Security and Governmental Affairs Committee.

“Striking the balance between U.S. national security and general cyber security is critical, but it’s not easy,” said Senator Schatz in a statement. “This bill strikes that balance.”

Tech companies have long criticized the practice of withholding information about software flaws so they can be used by government intelligence agencies for attacks.

Hackers attacked 200,000 in more than 150 countries last week using a Microsoft Windows software vulnerability that had been developed by the NSA and later leaked online.

Microsoft President Brad Smith harshly criticized government practices on security flaws in the wake of the ransomware attacks. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote in a blog post.

Agencies like the NSA often have greater incentives to exploit any security holes they find for spying, instead of helping companies protect customers, cyber security experts say.

“Do you get to listen to the Chinese politburo chatting and get credit from the president?” said Richard Clayton a cyber-security researcher at the University of Cambridge. “Or do you notify the public to help defend everyone else and get less kudos?”

Susan Landau, a cyber security policy expert at Worcester Polytechnic Institute, said that in putting DHS in charge of the process, the new bill was an effort to put the process “into civilian control.”

The new committee’s meetings would still be secret. But once a year it would issue a public version of a secret annual report.

The NSA did not immediately respond to a request for comment.

(Reporting by Joel Schectman; Editing by Jonathan Weber and David Gregorio)

Chinese state media says U.S. should take some blame for cyber attack

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

BEIJING (Reuters) – Chinese state media on Wednesday criticized the United States for hindering efforts to stop global cyber threats in the wake of the WannaCry “ransomware” attack that has infected more than 300,000 computers worldwide in recent days.

The U.S. National Security Agency (NSA) should shoulder some blame for the attack, which targets vulnerabilities in Microsoft Corp <MSFT.O> systems and has infected some 30,000 Chinese organizations as of Saturday, the China Daily said.

“Concerted efforts to tackle cyber crimes have been hindered by the actions of the United States,” it said, adding that Washington had “no credible evidence” to support bans on Chinese tech firms in the United States following the attack.

The malware attack, which began on Friday and has been linked by some researchers to previous hits by a North Korean-run hacking operation, leveraged a tool built by the NSA that leaked online in April, Microsoft says.

It comes as China prepares to enforce a wide-reaching cyber security law that U.S. business groups say will threaten the operations of foreign firms in China with strict local data storage laws and stringent surveillance requirements.

China’s cyber authorities have repeatedly pushed for what they call a more “equitable” balance in global cyber governance, criticizing U.S. dominance.

The China Daily pointed to the U.S. ban on Chinese telecommunication provider Huawei Technologies Co Ltd [HWT.UL], saying the curbs were hypocritical given the NSA leak.

Beijing has previously said the proliferation of fake news on U.S. social media sites, which are largely banned in China, is a reason to tighten global cyber governance.

The newspaper said that the role of the U.S. security apparatus in the attack should “instill greater urgency” in China’s mission to replace foreign technology with its own.

The state-run People’s Daily compared the cyber attack to the terrorist hacking depicted in the U.S. film “Die Hard 4”, warning that China’s role in global trade and internet connectivity opened it to increased risks from overseas.

The fast-spreading cyber extortion campaign eased for second day on Tuesday, but the identity and motive of its creators remain unknown.

(Reporting by Cate Cadell; Editing by Nick Macfie)

Global cyber attack slows but experts see risk of fresh strikes

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Eric Auchard

SINGAPORE/FRANKFURT (Reuters) – A global cyber attack described as unprecedented in scale forced a major European automaker to halt some production lines while hitting schools in China and hospitals in Indonesia on Saturday, though it appeared to die down a day after its launch.

Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the cyber assault has infected tens of thousands of computers in nearly 100 countries, with Britain’s health system suffering the worst disruptions.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.

Once inside the targeted network, so-called ransomware made use of recently revealed spy tools to silently infect other out-of-date machines without any human intervention. This, security experts said, marked an unprecedented escalation in the risk of fresh attacks spreading in the coming days and weeks.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Researchers observed some victims paying via the digital currency bitcoin, though no one knows how much may have been transferred to extortionists because of the largely anonymous nature of such transactions.

Researchers with security software maker Avast said they had observed 126,534 ransomware infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

The hackers, who have not come forward to claim responsibility or otherwise been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as “Eternal Blue” that was released last month by a hackers group known as the Shadow Brokers, according to researchers with several private cyber security firms.

Renault said it had halted auto production at several sites including Sandouville in northwestern France and Renault-owned Dacia plants in Romania on Saturday to prevent the spread of ransomware in its systems.

Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault though “there has been no major impact on our business”, a spokesman for the Japanese carmaker said.German rail operator Deutsche Bahn [DBN.UL] said some electronic signs at stations announcing arrivals and departures were infected, with travelers posting pictures showing some bearing a message demanding a cash payment to restore access.

“UNPRECEDENTED” ATTACK EASES

Europol’s European Cybercrime Center said it was working closely with country investigators and private security firms to combat the threat and help victims. “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The researcher in Britain widely credited with foiling the ransomware’s proliferation told Reuters he had not seen any such tweaks yet, “but they will (happen).”

Researchers said the worm deployed in the latest attack, or similar tools released by Shadow Brokers, are likely to be used for fresh assaults not just with ransomware but other malware to break into firms, seize control of networks and steal data.

Finance chiefs from the Group of Seven rich countries were to commit on Saturday to joining forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government. “Things could likely emerge on Monday” as staff return to work.

China’s information security watchdog said “a portion” of Windows systems users in the country were infected, according to a notice posted on the official Weibo page of the Beijing branch of the Public Security Bureau on Saturday. Xinhua state news agency said some secondary schools and universities were hit.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been hit.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also breached. “We are implementing remediation steps as quickly as possible,” a FedEx statement said.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by focusing on targets in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, he added.

MICROSOFT BOLSTERS WINDOWS DEFENCES

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

The attack targeted Windows computers that had not installed patches released by Microsoft in March, or older machines running software that Microsoft no longer supports and for which patches did not exist, including the 16-year-old Windows XP system, researchers said.

Microsoft said it pushed out automatic Windows updates to defend existing clients from WannaCry. It had issued a patch on March 14 to protect them from Eternal Blue. Late on Friday, Microsoft also released patches for a range of long discontinued software, including Windows XP and Windows Server 2003.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

POLITICALLY SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus. The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French run-off vote on May 7.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted by ransomware. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small- to mid-sized organizations. “Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; editing by Mark Heinrich)

Global cyber attack fuels concern about U.S. vulnerability disclosures

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Dustin Volz

WASHINGTON (Reuters) – A global cyber attack on Friday renewed concerns about whether the U.S. National Security Agency and other countries’ intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.

Hacking tools believed to belong to the NSA that were leaked online last month appear to be the root cause of a major cyber attack unfurling throughout Europe and beyond, security researchers said, stoking fears that the spy agency’s powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.

Some cyber security experts and privacy advocates said the massive attack reflected a flawed approach by the United States to dedicate more cyber resources to offense rather than defense, a practice they argued makes the internet less secure.

Across the U.S. federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters in March. (http://reut.rs/2o7qHqN)

“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world,” Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

The NSA did not respond to a request for comment.

Hospitals and doctors’ surgeries in parts of England on Friday were forced to turn away patients and cancel appointments after they were infected with the “ransomware”, which scrambled data on computers and demanded payments of $300 to $600 to restore access.

Security software maker Avast said it had observed more than 57,000 infections in 99 countries. Russia, Ukraine and Taiwan were the top targets, it said.

Private security firms identified the virus as a new variant of ‘WannaCry’ ransomware with the ability to automatically spread across large networks by exploiting a bug in Microsoft Corp’s Windows operating system.

Security experts said the ransomware used in the attacks leveraged a hacking tool found in a leak of documents in April by a group known as Shadow Brokers.

At the time, Microsoft acknowledged the vulnerabilities and said they had been patched in a series of earlier updates pushed to customers, the most recent of which had been rolled out only a month earlier in March. But the episode prompted concerns about whether the tools could be leveraged by hackers to attack unpatched systems.

In a statement, a Microsoft spokesman said on Friday its engineers had provided additional detection and protection services against the WannaCry malware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Updates enabled and use the company’s free antivirus software are protected.

Shadow Brokers first emerged last year and began dumping tranches of documents that it said belonged to the NSA, though the files appeared at least a few years old.

Over time, western researchers have grown more confident that Russia may be behind Shadow Brokers and possibly other recent disclosures of sensitive information about cyber capabilities that have been pilfered from U.S. intelligence agencies.

Some researchers cast blame not on the NSA but on the hospitals and other customers that appeared to leave themselves open to attack.

“The main problem here is organizations taking more than eight weeks to patch once Microsoft released the update,” said Chris Wysopal, chief technology officer at the cyber firm Veracode. “Eight weeks is plenty of time for a criminal organization to develop a sophisticated attack on software and launch it on a wide scale.”

Former intelligence contractor Edward Snowden, who in 2013 leaked documents to journalists revealing the existence of broad U.S. surveillance programs, said on Twitter the NSA had built attack tools targeting U.S. software that “now threatens the lives of hospital patients.”

“Despite warnings, (NSA) built dangerous attack tools that could target Western software,” Snowden said. “Today we see the cost.”

(This version of the story has been refiled to correct spelling of hoard in first paragraph)

(Reporting by Dustin Volz; Editing by Lisa Shumaker)

Global cyber attack hits hospitals and companies, threat seen fading for now

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Jeremy Wagstaff and Costas Pitas

SINGAPORE/LONDON (Reuters) – A global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain’s health system and global shipper FedEx.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, limiting the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The British-based researcher who may have foiled the ransomware’s spread told Reuters he had not seen any such tweaks yet, “but they will.”

Finance chiefs from the Group of Seven rich countries will commit on Saturday to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

HOSPITALS IN FIRING LINE

In Asia, some hospitals, schools, universities and other institutions were affected, although the full extent of the damage is not yet known because it is the weekend.

“I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government.

“Things could likely emerge on Monday.”

China’s official Xinhua news agency said some secondary schools and universities had been affected, without specifying how many or identifying them.

In Vietnam, Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea’s Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been affected.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Thakur.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur added.

MICROSOFT UPS DEFENSES

The U.S. Department of Homeland Security said it was sharing information with domestic and foreign partners and was ready to lend technical support.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm”, or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement on Friday, adding it was working with customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that began the previous week when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus.The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

The British government did not know who was behind the attack but its National Crime Agency was working to find out, interior minister Amber Rudd said.

Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French one.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations.

“Seeing a large telco like Telefonica get hit is going to get everybody worried,” said Chris Wysopal, chief technology officer with cyber security firm Veracode.

(Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; Editing by Rob Birsel and Mike Collett-White)

Hackers exploit stolen U.S. spy agency tool to launch global cyberattack

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain’s health system and infected computers in nearly 100 countries on Friday.

Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Still, only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur said.

The U.S. Department of Homeland Security said late on Friday that it was aware of reports of the ransomware, was sharing information with domestic and foreign partners and was ready to lend technical support.

Telecommunications company Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“Once it gets in and starts moving across the infrastructure, there is no way to stop it,” said Adam Meyers, a researcher with cyber security firm CrowdStrike.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm,” or self spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement. It said the company was working with its customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 1-1/2 days before a run-off vote in which he was elected as the new president of France.

On Wednesday, hackers disputed the websites of several French media companies and aerospace giant Airbus.Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as the country’s biggest bank, Sberbank, said they were targeted. The interior ministry said on its website that around 1,000 computers had been infected but it had localized the virus.

The emergencies ministry told Russian news agencies it had repelled the cyberattacks while Sberbank said its cyber security systems had prevented viruses from entering its systems.

NEW BREED OF RANSOMWARE

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh; Writing by Mark Trevelyan and Jim Finkle; Editing by Ralph Boulton and Grant McCool)