U.S. to indict North Koreans over WannaCry, Sony cyber attacks

FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Christopher Bing

WASHINGTON (Reuters) – The U.S. Justice Department is poised to charge North Korean hackers over the 2017 global WannaCry ransomware attack and the 2014 cyber attack on Sony Corp, a U.S. official told Reuters on Thursday.

The charges, part of a strategy by the U.S. government to deter future cyber attacks by naming and shaming the alleged perpetrators, will also allege that the North Korean hackers broke into the central bank of Bangladesh in 2016, according to the official.

In 2014, U.S. officials said unnamed North Korean hackers were responsible for a major cyber intrusion into Sony, which resulted in leaked internal documents and data being destroyed.

The attacks came after Pyongyang sent a letter to the United Nations, demanding that Sony not move forward with a movie comedy that portrayed the U.S.-backed assassination of a character made to look like North Korean leader Kim Jong Un.

The FBI said at the time it had recovered evidence connecting North Korea to the attack and others in South Korea.

Last year, the WannaCry ransomware attack affected thousands of businesses across the globe through a computer virus that encrypted files on affected systems, including Britain’s National Health Service, where nonfunctional computer systems forced the cancellation of thousands of appointments.

(Reporting by Christopher Bing; Additional writing by Susan Heavey; Editing by Chizu Nomiyama and Jeffrey Benkoe)

Ukraine cyber security firm warns of possible new attacks

Ukraine cyber security firm warns of possible new attacks

KIEV (Reuters) – Ukrainian cyber security firm ISSP said on Tuesday it may have detected a new computer virus distribution campaign, after security services said Ukraine could face cyber attacks similar to those which knocked out global systems in June.

The June 27 attack, dubbed NotPetya, took down many Ukrainian government agencies and businesses, before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.

ISPP said that, as with NotPetya, the new malware seemed to originate in accounting software and could be intended to take down networks when Ukraine celebrates its Independence Day on Aug. 24.

“This could be an indicator of a massive cyber attack preparation before National Holidays in Ukraine,” it said in a statement.

In a statement, the state cyber police said they also had detected new malicious software.

The incident is “in no way connected with global cyber attacks like those that took place on June 27 of this year and is now fully under control,” it said.

The state cyber police and the Security and Defence Council have said Ukraine could be targeted with a NotPetya-style attack aimed at destabilizing the country as it marks its 1991 independence from the Soviet Union.

Last Friday, the central bank said it had warned state-owned and private lenders of the appearance of new malware, spread by opening email attachments of word documents.

Ukraine – regarded by some, despite Kremlin denials, as a guinea pig for Russian state-sponsored hacks – is fighting an uphill battle in turning pockets of protection into a national strategy to keep state institutions and systemic companies safe.

(Reporting by Natalia Zinets; Additional reporting by Pavel Polityuk; Writing by Alessandra Prentice; editing by Mark Heinrich and Richard Balmforth)

Ukraine central bank warns of new cyber-attack risk

Ukraine central bank warns of new cyber-attack risk

By Natalia Zinets

KIEV (Reuters) – The Ukrainian central bank said on Friday it had warned state-owned and private lenders of the appearance of new malware as security services said Ukraine faced cyber attacks like those that knocked out global systems in June.

The June 27 attack, dubbed NotPetya, took down many Ukrainian government agencies and businesses, before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.

Kiev’s central bank has since been working with the government-backed Computer Emergency Response Team (CERT) and police to boost the defenses of the Ukrainian banking sector by quickly sharing information.

“Therefore on Aug. 11…, the central bank promptly informed banks about the appearance of new malicious code, its features, compromise indicators and the need to implement precautionary measures to prevent infection,” the central bank told Reuters in emailed comments.

According to its letter to banks, seen by Reuters, the new malware is spread by opening email attachments of word documents.

“The nature of this malicious code, its mass distribution, and the fact that at the time of its distribution it was not detected by any anti-virus software, suggest that this attack is preparation for a mass cyber-attack on the corporate networks of Ukrainian businesses,” the letter said.

Ukraine – regarded by some, despite Kremlin denials, as a guinea pig for Russian state-sponsored hacks – is fighting an uphill battle in turning pockets of protection into a national strategy to keep state institutions and systemic companies safe.

The state cyber police and Security and Defence Council have said Ukraine could be targeted on Aug. 24 with a NotPetya-style attack aimed at destabilizing the country as it celebrates its 1991 independence from the Soviet Union.

(Writing by Alessandra Prentice; editing by Mark Heinrich)

Greater China cyber insurance demand set to soar after WannaCry attack: AIG

FILE PHOTO: A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. REUTERS/Edgar Su/File Photo

By Julie Zhu

HONG KONG (Reuters) – Demand for cyber insurance from firms in Greater China and elsewhere in Asia is poised to soar, based on enquiries received after the “WannaCry ransomware” attack earlier this year, executives at American International Group Inc said.

The American insurer saw an 87 percent jump in enquiries for cyber insurance policies in May compared to April for Greater China including Hong Kong as a direct result of the WannaCry attack, while the global increase was 38 percent, they said.

“The big increase means the organizations are aware they really need protection,” Cynthia Sze, head of an AIG business in Greater China that provides solutions to companies dealing with cyber breaches, told reporters. AIG executives declined to give details on numbers or say how many of the enquiries actually resulted in policy sales.

The self-replicating WannaCry malware in May infected over 200,000 computers in 150 countries.

A typical cyber insurance policy can protect companies against extortion like ransomware attacks. It could also cover the investigation costs and pay the ransom.

In Hong Kong, which is dominated by small and medium sized enterprises, the impact of a cyber attack could be severe as cyber threats are not a priority given the limited resources of SMEs, said Sze.

Citing Hong Kong police statistics, Sze said computer security incident reports have grown to about 6,000 last year from 1,500 in 2009. Financial losses resulting from such incidents jumped from HK$45 million ($5.76 million) to HK$2.3 billion over the same period, she said.

Hong Kong police did not immediately respond to a request for comment to confirm the numbers.

“WannaCry has really changed the dynamics. We used to tap large multinational companies that understood where the exposure was. Now we are really talking about mid-market and SMEs,” said Jason Kelly, AIG’s head of liabilities and financial lines for Greater China, Australasia and South Korea.

The global market for cyber insurance is worth $2 billion, with 30 percent of middle to large firms purchasing cyber insurance protection, according to AIG. The insurer has also seen an average annual growth rate of 20 to 25 percent in cyber insurance policies over the past three years worldwide, said Kelly.

Insurance companies have been cautiously entering the cyber insurance market as they look for growth amid stiff competition and potential exposure to cyber breaches.

According to Kelly, the annual damage from hackers to the global economy reached about $400 billion in 2015.

(Reporting by Julie Zhu; Editing by Muralikumar Anantharaman)

Ukraine finally battens down its leaky cyber hatches after attacks

FILE PHOTO: A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko/File Photo

By Matthias Williams

KIEV (Reuters) – When the chief of Microsoft Ukraine switched jobs to work for President Petro Poroshenko, he found that everyone in the office used the same login password. It wasn’t the only symptom of lax IT security in a country suffering crippling cyber attacks.

Sometimes pressing the spacebar was enough to open a PC, according to Dmytro Shymkiv, who became Deputy Head of the Presidential Administration with a reform brief in 2014.

Today discipline is far tighter in the president’s office. But Ukraine – regarded by some, despite Kremlin denials, as a guinea pig for Russian state-sponsored hacks – is fighting an uphill battle in turning pockets of protection into a national strategy to keep state institutions and systemic companies safe.

As in many aspects of Ukrainian life, corruption is a problem. Most computers run on pirated software, and even when licensed programs are used, they can be years out of date and lack security patches to help keep the hackers at bay.

Three years into the job, Shymkiv is leading the fight back. He has put together a team, led by a former Microsoft colleague, doing drills, sending out email bulletins to educate staff on new viruses and doing practice hacks offsite.

In the early days, staff complacency and resistance to change were as much a problem as insecure equipment.

“I remember the first weeks when we forced people to do a password change,” Shymkiv told Reuters. “My team heard all kind of screams and disrespectful messages … Over three years, it’s a different organization.”

The team’s small office has a screen with dials, charts and a green spider web showing activity on the network. If there is an attack, a voice shouts “major alarm!” in English, a recording the team downloaded from YouTube.

Eliminating bad practices and introducing good ones is the reason, Shymkiv believes, why the presidential administration was immune to a June 27 virus that spread from Ukraine to cause disruption in companies as far away as India and Australia.

But the country still has a long way to go. Since 2014 repeated cyber attacks have knocked out power supplies, frozen supermarket tills, affected radiation monitoring at the stricken Chernobyl nuclear power plant, and forced the authorities to prop up the hryvnia currency after banks’ IT systems crashed.

Even Poroshenko’s election that year was compromised by a hack on the Central Election Commission’s network, trying to proclaim victory for a far-right candidate — a foretaste of alleged meddling in the 2016 U.S. presidential election.

Ukraine believes the attacks are part of Russia’s “hybrid war” waged since protests in 2014 moved Ukraine away from Moscow’s orbit and closer to the West. Moscow has denied running hacks on Ukraine.

Shymkiv said the task is to “invest in my team, and upgrade them, and teach them, and connect them with other organizations who are doing the right things”.

“If you do nothing like this, you probably will be wiped out,” he added.

The head of Shymkiv’s IT team, Roman Borodin, said the administration is hit by denial-of-service (DDoS) attacks around once every two weeks, and by viruses specifically designed to target it. The hackers seem mainly interested in stealing information from the defense and foreign relations departments, Borodin told Reuters in his first ever media interview.

HONOR AT STAKE

Bruised by past experiences, Ukraine is protecting itself better.

Finance Minister Oleksandr Danylyuk told Reuters his ministry overhauled security after a hack in November crashed 90 percent of its network at the height of budget preparations.

Officials couldn’t log into the system that manages budget transactions for 48 hours, something that played on Danylyuk’s mind as he addressed the Verkhovna Rada or parliament.

“Imagine that, knowing this, I went to the Verkhovna Rada to present the budget – the main financial document on which 45 million people live – and at the same time I was thinking about how to save not only the document itself, but also the honor of the ministry,” he said.

“I understood that if I showed even the slightest hint of our nervousness, the organizers of the attack would achieve their goal.”

Consultants uncovered familiar weaknesses: the budget system operated on a platform dating from 2000, and the version of the database management system should have been upgraded in 2006.

The ministry is introducing new systems to detect anomalies and to improve data protection. “We’re completely revising and restructuring the ministry’s IT landscape,” Danylyuk said.

The ministry emerged unscathed from the June 27 attack. Others weren’t so lucky: Deputy Prime Minister Pavlo Rozenko tweeted a picture of a crashed computer in the cabinet office that same day.

Ukraine is also benefiting from help from abroad.

A cyber police force was set up in 2015 with British funding and training in a project coordinated by the Organization for Security and Co-operation in Europe (OSCE).

While Ukraine is not a NATO member, the Western alliance supplied equipment to help piece together who was behind the June attack and is helping the army set up a cyber defense unit.

Ukraine shares intelligence with neighboring Moldova, another ex-Soviet state that has antagonized Moscow by moving closer to the West and complains of persistent Russian cyber attacks on its institutions.

“At the beginning of this year we had attacks on state-owned enterprises. If it were not for cooperation with the guys from Moldova, we would not have identified these criminals,” Serhiy Demedyuk, the head of the Ukrainian cyber police, told Reuters.

Demedyuk said the attack had been staged by a Russian citizen using a server in Moldova, but declined to give further details.

LAYING DOWN THE LAW

While there has been progress in some areas, Ukraine is still fighting entrenched problems. No less than 82 percent of software is unlicensed, compared with 17 percent in the United States, according to a 2016 survey by the Business Software Alliance, a Washington-based industry group.

Experts say pirated software was not the only factor in the June attack, which also hit up-to-date computers, but the use of unlicensed programs means security patches which could limit the rapid spread of such infections cannot be applied.

Ukraine ranked 60 out of 63 economies in a 2017 survey on digital competitiveness by the International Institute for Management Development. The low ranking is tied to factors such as a weak regulatory framework.

Another problem is that Ukraine has no single agency in charge of ensuring that state bodies and companies of national importance, such as banks, are protected.

This surfaced on June 27, when the NotPetya virus penetrated the company that produces M.E.Doc, an accounting software used by around 80 percent of Ukrainian businesses.

“Locally, the weak spot is accounting, but more generally it is the lack of cyber defenses at a government level. There aren’t agencies analyzing risks at a government level,” said Aleksey Kleschevnikov, the owner of internet provider Wnet, which hosted M.E.Doc’s servers.

Valentyn Petrov, head of the information security department at the National Security and Defence Council, said the state cannot interfere with companies’ security.

“It’s a total disaster from our perspective,” he told Reuters. “All state companies, including state banks, have suffered from attacks, and we really have no influence on them – neither on issuing regulations or checking how they fulfill these regulations.”

Poroshenko signed a decree in February to improve protection of critical institutions. This proposed legislation to spell out which body was in charge of coordinating cyber security and a unified methodology for assessing threats.

The law failed to gather enough votes the day before parliament’s summer recess in July, and MPs voted against extending the session. Shymkiv called that a “big disgrace”.

He added that in many ministries and firms, “we’ve seen very little attention to the IT infrastructures, and it’s something that’s been lagging behind for years”.

Attitudes can be slow to change. Borodin said a policy at the administration to lock computer screens after 15 minutes of inactivity was greeted with indignation. One staffer pointed out that their room was protected by an armed guard.

The staffer said “‘I have a guy with a weapon in my room. Who can steal information from this computer?'” Borodin recounted.

(Additional reporting by Pavel Polityuk, Jack Stubbs, Natalia Zinets and Margaryta Chornokondratenko in Kiev, Eric Auchard in Frankfurt and David Mardiste in Tallinn; editing by David Stamp)

Global shipping feels fallout from Maersk cyber attack

The Maersk ship Adrian Maersk is seen as it departs from New York Harbor in New York City, U.S., June 27, 2017. REUTERS/Brendan McDermid

By Jonathan Saul

LONDON (Reuters) – Global shipping is still feeling the effects of a cyber attack that hit A.P. Moller-Maersk <MAERSKb.CO> two days ago, showing the scale of the damage a computer virus can unleash on the technology dependent and inter-connected industry.

About 90 percent of world trade is transported by sea, with ships and ports acting as the arteries of the global economy. Ports increasingly rely on communications systems to keep operations running smoothly, and any IT glitches can create major disruptions for complex logistic supply chains.

The cyber attack was among the biggest-ever disruptions to hit global shipping. Several port terminals run by a Maersk division, including in the United States, India, Spain, the Netherlands, were still struggling to revert to normal operations on Thursday after experiencing massive disruptions.

South Florida Container Terminal, for example, said dry cargo could not be delivered and no container would be received. Anil Diggikar, chairman of JNPT port, near the Indian commercial hub of Mumbai, told Reuters that he did not know “when exactly the terminal will be running smoothly”.

His uncertainty was echoed by Maersk itself, which told Reuters that a number of IT systems were still shut down and that it could not say when normal business operations would be resumed.

It said it was not able to comment on specific questions regarding the breach of its IT systems or the state of its cyber security as it had “all available hands focused on practical stuff and getting things back to normal”.

The impact of the attack on the company has reverberated across the industry given its position as the world’s biggest container shipping line and also operator of 76 ports via its APM Terminals division.

Container ships transport much of the world’s consumer goods and food, while dry bulk ships haul commodities including coal and grain and tankers carry vital oil and gas supplies.

“As Maersk is about 18 percent of all container trade, can you imagine the panic this must be causing in the logistic chain of all those cargo owners all over the world?” said Khalid Hashim, managing director of Precious Shipping <PSL.BK>, one of Thailand’s largest dry cargo ship owners.

“Right now none of them know where any of their cargoes (or)containers are. And this ‘black hole’ of lack of knowledge will continue till Maersk are able to bring back their systems on line.”

BACK TO BASICS

The computer virus, which researchers are calling GoldenEye or Petya, began its spread on Tuesday in Ukraine and affected companies in dozens of countries.

Maersk said the attack had caused outages at its computer systems across the world.

In an example of the turmoil that ensued, the unloading of vessels at the group’s Tacoma terminal was severely slowed on Tuesday and Wednesday, said Dean McGrath, president of the International Longshore and Warehouse Union Local 23 there.

The terminal is a key supply line for the delivery of domestic goods such as milk and groceries and construction materials to Anchorage, Alaska.

“They went back to basics and did everything on paper,” McGrath said.

Ong Choo Kiat, President of U-Ming Marine Transport <2606.TW>, Taiwan’s largest dry bulk ship owner, said the fact Maersk had been affected rang alarm bells for the whole shipping industry as the Danish company was regarded as a leader in IT technology.

“But they ended up one of the first few casualties. I therefore conclude that shipping is lacking behind the other industry in term of cyber security,” he said.

“How long would it takes to catch up? I don’t know. But recently all owners and operators are definitely more aware of the risk of cyber security and beginning to pay more attention to it.”

In a leading transport survey by international law firm Norton Rose Fulbright published this week, 87 percent of respondents from the shipping industry believed cyber attacks would increase over the next five years – a level that was higher than counterparts in the aviation, rail and logistics industries.

VULNERABLE

Apart from the reliance on computer systems, ships themselves are increasingly exposed to interference through electronic navigation devices such as the Global Positioning System (GPS) and lack the backup systems airliners have to prevent crashes, according to cyber security experts.

There were no indications that GPS and other electronic navigation aids were affected by this week’s attack, but security specialists say such systems are vulnerable to signal loss from deliberate jamming by hackers.

Last year, South Korea said hundreds of fishing vessels had returned early to port after its GPS signals were jammed by North Korea, which denied responsibility.

“The Maersk attack raises our awareness of the vulnerability of shipping and ports to technological failure,” said Professor David Last, a previous president of Britain’s Royal Institute of Navigation.

“When GPS fails, ships’ captains lose their principal means of navigation and much of their communications and computer links. They have to slow down and miss port schedules,” said Last, who is also a strategic advisor to the General Lighthouse Authorities of the UK and Ireland.

A number of countries including the UK and the United States are looking into deploying a radar based back up navigation system for ships called eLoran, but this will take time to develop.

David Nordell, head of strategy and policy for London-based think tank, the Centre for Strategic Cyberspace and Security Science, said the global shipping and port industries were vulnerable to cyber attack, because their operating technologies tend to be old.

“It’s certainly possible to imagine that two container ships, or, even worse, oil or gas tankers, could be hacked into colliding, resulting in loss of life and cargo, and perhaps total loss of the vessels,” Nordell said.

“Carried out in a strategically sensitive location such as the Malacca Straits or the Bosphorus, a collision like this could block shipping for enough time to cause serious dislocations to trade.”

SECRETIVE INDUSTRY

Cyber risks also pose challenges for insurance cover.

In a particularly secretive industry, information about the nature of cyber attacks is still scarce, which insurance and shipping officials say is an obstacle to mitigating the risk, which means there are gaps in insurance cover available.

“There has been a lot of non-reporting (of breaches) on ships, and we’re trying efforts where even if there could be anonymous reporting on a platform so we can start to get the information and the data,” said Andrew Kinsey, senior marine consultant at insurer Allianz Global Corporate & Specialty.

There is also a gap in provision, because most existing cyber or hull insurance policies – which insure the ship itself – will not cover the risk of a navigation system being jammed or physical damage to the ship caused by a hacking attack.

“The industry is just waking up to its vulnerability,” said Colin Gillespie, deputy director of loss prevention with ship insurer North.

“Perhaps it is time for insurers, reinsurers, ship operators and port operators to sit down together and consider these risks in detail. A collective response is needed – we are all under attack.”

(Additional reporting by Jacob Gronholt-Pedersen in Copenhagen, Keith Wallis and Carolyn Cohn in London, Euan Rocha in Mumbai, Miyoung Kim in Singapore, Alexander Cornwell in Dubai, Michael Hirtzer in Chicago, Noor Zainab Hussain in Bangalore, Adam Jourdan and Shanghai newsroom; Editing by Pravin Char)

New computer virus spreads from Ukraine to disrupt world business

A user takes a selfie in front of a laptop at WPP, a British multinational advertising and public relations company in Hong Kong, China June 28, 2017 in this picture obtained from social media. INSTAGRAM/KENNYMIMO via REUTERS

By Eric Auchard and Dustin Volz

FRANKFURT/WASHINGTON (Reuters) – A computer virus wreaked havoc on firms around the globe on Wednesday as it spread to more than 60 countries, disrupting ports from Mumbai to Los Angeles and halting work at a chocolate factory in Australia.

Risk-modeling firm Cyence said economic losses from this week’s attack and one last month from a virus dubbed WannaCry would likely total $8 billion. That estimate highlights the steep tolls businesses around the globe face from growth in cyber attacks that knock critical computer networks offline.

“When systems are down and can’t generate revenue, that really gets the attention of executives and board members,” said George Kurtz, chief executive of security software maker CrowdStrike. “This has heightened awareness of the need for resiliency and better security in networks.”

The virus, which researchers are calling GoldenEye or Petya, began its spread on Tuesday in Ukraine. It infected machines of visitors to a local news site and computers downloading tainted updates of a popular tax accounting package, according to national police and cyber experts.

It shut down a cargo booking system at Danish shipping giant A.P. Moller-Maersk <MAERSKb.CO>, causing congestion at some of the 76 ports around the world run by its APM Terminals subsidiary..

Maersk said late on Wednesday that the system was back online: “Booking confirmation will take a little longer than usual but we are delighted to carry your cargo,” it said via Twitter.

U.S. delivery firm FedEx said its TNT Express division had been significantly affected by the virus, which also wormed its way into South America, affecting ports in Argentina operated by China’s Cofco.

The malicious code encrypted data on machines and demanded victims $300 ransoms for recovery, similar to the extortion tactic used in the global WannaCry ransomware attack in May.

Security experts said they believed that the goal was to disrupt computer systems across Ukraine, not extortion, saying the attack used powerful wiping software that made it impossible to recover lost data.

“It was a wiper disguised as ransomware. They had no intention of obtaining money from the attack,” said Tom Kellermann, chief executive of Strategic Cyber Ventures.

Brian Lord, a former official with Britain’s Government Communications Headquarters (GCHQ) who is now managing director at private security firm PGI Cyber, said he believed the campaign was an “experiment” in using ransomware to cause destruction.

“This starts to look like a state operating through a proxy,” he said.

ETERNAL BLUE

The malware appeared to leverage code known as “Eternal Blue” believed to have been developed by the U.S. National Security Agency.

Eternal Blue was part of a trove of hacking tools stolen from the NSA and leaked online in April by a group that calls itself Shadow Brokers, which security researchers believe is linked to the Russian government.

That attack was noted by NSA critics, who say the agency puts the public at risk by keeping information about software vulnerabilities secret so that it can use them in cyber operations.

U.S. Representative Ted Lieu, a Democrat, on Wednesday called for the NSA to immediately disclose any information it may have about Eternal Blue that would help stop attacks.

“If the NSA has a kill switch for this new malware attack, the NSA should deploy it now,” Lieu wrote in a letter to NSA Director Mike Rogers.

The NSA did not respond to a request for comment and has not publicly acknowledged that it developed the hacking tools leaked by Shadow Brokers.

The target of the campaign appeared to be Ukraine, an enemy of Russia that has suffered two cyber attacks on its power grid that it has blamed on Moscow.

ESET, a Slovakian cyber-security software firm, said 80 percent of the infections detected among its global customer base were in Ukraine, followed by Italy with about 10 percent.

Ukraine has repeatedly accused Moscow of orchestrating cyber attacks on its computer networks and infrastructure since Russia annexed Crimea in 2014.

The Kremlin, which has consistently rejected the accusations, said on Wednesday it had no information about the origin of the attack, which also struck Russian companies including oil giant Rosneft <ROSN.MM> and a steelmaker.

“Unfounded blanket accusations will not solve this problem,” said Kremlin spokesman Dmitry Peskov.

Austria’s government-backed Computer Emergency Response Team (CERT) said “a small number” of international firms appeared to be affected, with tens of thousands of computers taken down.

Microsoft, Cisco Systems Inc and Symantec Corp <SYMC.O> said they believed the first infections occurred in Ukraine when malware was transmitted to users of a tax software program.

Russian security firm Kaspersky said a news site for the Ukraine city of Bakhumut was also hacked and used to distribute the ransomware.

A number of the victims were international firms with have operations in Ukraine.

They include French construction materials company Saint Gobain <SGOB.PA>, BNP Paribas Real Estate <BNPP.PA>, and Mondelez International Inc <MDLZ.O>, which owns Cadbury chocolate.

Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt late on Tuesday after computer systems went down.

(Additional reporting by Jack Stubbs in Moscow, Alessandra Prentice in Kiev, Helen Reid in London, Teis Jensen in Copenhagen, Maya Nikolaeva in Paris, Shadia Naralla in Vienna, Marcin Goettig in Warsaw, Byron Kaye in Sydney, John O’Donnell in Frankfurt, Ari Rabinovitch in Tel Aviv, Noor Zainab Hussain in Bangalore; Writing by Eric Auchard, David Clarke and Jim Finkle; Editing by David Clarke and Andrew Hay)

Global business reels from second major cyber attack in two months

Customers queue in 'Rost' supermarket in Kharkiv, Ukraine June 27, 2017 in this picture obtained from social media. MIKHAIL GOLUB via REUTERS

By Eric Auchard and Jack Stubbs

FRANKFURT/MOSCOW (Reuters) – A major cyber attack, believed to have first struck Ukraine, caused havoc around the world on Wednesday, crippling computers or halting operations at port operator Maersk, a Cadbury chocolate plant in Australia and the property arm of French bank BNP Paribas.

Russia’s biggest oil company, Ukrainian banks and multinational firms were among those hit on Tuesday by the cyber extortion campaign, which has underscored growing concerns that businesses have failed to secure their networks from increasingly aggressive hackers.

The rapidly spreading computer worm appeared to be a variant of an existing ransomware family known as Petya which also has borrowed key features from last month’s ransomware attack, named “WannaCry”.

ESET, an anti-virus vendor based in Bratislava, said 80 percent of all infections from the new attack detected among its global customer base were in Ukraine, with Italy second hardest hit at around 10 percent. Several of the international firms hit had operations in Ukraine.

Shipping giant A.P. Moller-Maersk <MAERSKb.CO>, which handles one in seven containers shipped worldwide and has a logistics unit in Ukraine, is not able to process new orders after being hit by the attack on Tuesday, it told Reuters.

“Right now, at this hour, we’re not able to take new orders,” Maersk Line Chief Commercial Officer Vincent Clerc said in a telephone interview on Wednesday.

BNP Paribas Real Estate <BNPP.PA>, which provides property and investment management services, confirmed it had been hit but declined to specify how widely it had affected its business. It employed nearly 3,500 staff in 16 countries as of last year.

“The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack,” the bank told Reuters on Wednesday, after a person familiar with the matter had said that some staff computers were blocked on Tuesday due to the incident.

Production at the Cadbury <MDLZ.O> factory on the island state of Tasmania ground to a halt late on Tuesday after computer systems went down, said Australian Manufacturing and Workers Union state secretary John Short.

Russia’s Rosneft <ROSN.MM>, one of the world’s biggest crude producers by volume, said on Tuesday its systems had suffered “serious consequences” but said oil production had not been affected because it switched over to backup systems.

The virus crippled computers running Microsoft Corp’s <MSFT.O> Windows by encrypting hard drives and overwriting files, then demanded $300 in bitcoin payments to restore access.

Several security experts questioned whether the effort to extort victims with computers hit by the virus was the main goal, or whether the unknown hackers behind the attack could have other motives.

(Reporting by Eric Auchard; Editing by Adrian Croft)

Ransomware virus hits computer servers across the globe

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

MOSCOW/KIEV (Reuters) – A ransomware attack hit computers across the world on Tuesday, taking out servers at Russia’s biggest oil company, disrupting operations at Ukrainian banks, and shutting down computers at multinational shipping and advertising firms.

Cyber security experts said those behind the attack appeared to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a kill-switch.

“It’s like WannaCry all over again,” said Mikko Hypponen, chief research officer with Helsinki-based cyber security firm F-Secure.

He said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. “This could hit the U.S.A. pretty bad,” he said.

The U.S. Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

The first reports of organizations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

Danish shipping giant A.P. Moller-Maersk, which handles one out of seven containers shipped globally, said the attack had caused outages at its computer systems across the world on Tuesday, including at its terminal in Los Angeles.

Pharmaceutical company Merck & Co said its computer network had been affected by the global hack.

A Swiss government agency also reported computer systems were affected in India, though the country’s cyber security agency said it had yet to receive any reports of attacks.

“DON’T WASTE YOUR TIME”

After the Wannacry attack, organizations around the globe were advised to beef up IT security.

“Unfortunately, businesses are still not ready and currently more than 80 companies are affected,” said Nikolay Grebennikov, vice president for R&D at data protection firm Acronis.

One of the victims of Tuesday’s cyber attack, a Ukrainian media company, said its computers were blocked and it had a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the message said, according to a screenshot posted by Ukraine’s Channel 24.

The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world’s biggest advertising agency, WPP – though it was not clear if their problems were caused by the same virus.

“The building has come to a standstill. It’s fine, we’ve just had to switch everything off,” said one WPP employee who asked not to be named.

WANNACRY AGAIN

Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught.

Experts said the latest ransomware attacks unfolding worldwide, dubbed GoldenEye, were a variant of an existing ransomware family called Petya.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender.

“There is no workaround to help victims retrieve the decryption keys from the computer,” the company said.

Russian security software maker Kaspersky Lab, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before.

Last’s month’s fast-spreading WannaCry ransomware attack was crippled after a 22-year-old British security researcher Marcus Hutchins created a so-called kill-switch that experts hailed as the decisive step in slowing the attack.

Any organization that heeded strongly worded warnings in recent months from Microsoft Corp to urgently install a security patch and take other steps appeared to be protected against the latest attacks.

Ukraine was particularly badly hit, with Prime Minister Volodymyr Groysman describing the attacks on his country as “unprecedented”.

An advisor to Ukraine’s interior minister said the virus got into computer systems via “phishing” emails written in Russian and Ukrainian designed to lure employees into opening them.

According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

Yevhen Dykhne, director of the Ukrainian capital’s Boryspil Airport, said it had been hit. “In connection with the irregular situation, some flight delays are possible,” Dykhne said in a post on Facebook. A Reuters reporter who visited the airport late on Tuesday said flights were operating as normal.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government’s computer network had gone down and the central bank said a operation at a number of banks and companies, including the state power distributor, had been disrupted by the attack.

“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement.

Russia’s Rosneft, one of the world’s biggest crude producers by volume, said its systems had suffered “serious consequences” from the attack. It said it avoided any impact on oil production by switching to backup systems.

The Russian central bank said there were isolated cases of lenders’ IT systems being infected by the cyber attack. One consumer lender, Home Credit, had to suspend client operations.

(Additional reporting by European bureaux and Jim Finkle in Toronto; writing by Christian Lowe; editing by David Clarke)

Security experts find clues to ransomware worm’s lingering risks

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

(Corrects spelling of first name in paragraph 22 of this May 18 story to Salim from Samil)

By Eric Auchard

FRANKFURT (Reuters) – Two-thirds of those caught up in the past week’s global ransomware attack were running Microsoft’s Windows 7 operating system without the latest security updates, a survey for Reuters by security ratings firm BitSight found.

Researchers are struggling to try to find early traces of WannaCry, which remains an active threat in hardest-hit China and Russia, believing that identifying “patient zero” could help catch its criminal authors.

They are having more luck dissecting flaws that limited its spread.

Security experts warn that while computers at more than 300,000 internet addresses were hit by the ransomware strain, further attacks that fix weaknesses in WannaCry will follow that hit larger numbers of users, with more devastating consequences.

“Some organizations just aren’t aware of the risks; some don’t want to risk interrupting important business processes; sometimes they are short-staffed,” said Ziv Mador, vice president of security research at Trustwave’s Israeli SpiderLabs unit.

“There are plenty of reasons people wait to patch and none of them are good,” said Mador, a former long-time security researcher for Microsoft.

WannaCry’s worm-like capacity to infect other computers on the same network with no human intervention appear tailored to Windows 7, said Paul Pratley, head of investigations & incident response at UK consulting firm MWR InfoSecurity.

Data from BitSight covering 160,000 internet-connected computers hit by WannaCry, shows that Windows 7 accounts for 67 percent of infections, although it represents less than half of the global distribution of Windows PC users.

Computers running older versions, such as Windows XP used in Britain’s NHS health system, while individually vulnerable to attack, appear incapable of spreading infections and played a far smaller role in the global attack than initially reported.

In laboratory testing, researchers at MWR and Kyptos say they have found Windows XP crashes before the virus can spread.

Windows 10, the latest version of Microsoft’s flagship operating system franchise, accounts for another 15 percent, while older versions of Windows including 8.1, 8, XP and Vista, account for the remainder, BitSight estimated.

COMPUTER BASICS

Any organization which heeded strongly worded warnings from Microsoft to urgently install a security patch it labeled “critical” when it was released on March 14 on all computers on their networks are immune, experts agree.

Those hit by WannaCry also failed to heed warnings last year from Microsoft to disable a file sharing feature in Windows known as SMB, which a covert hacker group calling itself Shadow Brokers had claimed was used by NSA intelligence operatives to sneak into Windows PCs.

“Clearly people who run supported versions of Windows and patched quickly were not affected”, Trustwave’s Mador said.

Microsoft has faced criticism since 2014 for withdrawing support for older versions of Windows software such as 16-year-old Windows XP and requiring users to pay hefty annual fees instead. The British government canceled a nationwide NHS support contract with Microsoft after a year, leaving upgrades to local trusts.

Seeking to head off further criticism in the wake of the WannaCry outbreak, the U.S. software giant last weekend released a free patch for Windows XP and other older Windows versions that it previously only offered to paying customers.(http://reut.rs/2qvSPUR)

Microsoft declined to comment for this story.

On Sunday, the U.S. software giant called on intelligence services to strike a better balance between their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – and sharing those flaws with technology companies to better secure the internet (http://reut.rs/2qAOdLm).

Half of all internet addresses corrupted globally by WannaCry are located in China and Russia, with 30 and 20 percent respectively. Infection levels spiked again in both countries this week and remained high through Thursday, according to data supplied to Reuters by threat intelligence firm Kryptos Logic.

By contrast, the United States accounts for 7 percent of WannaCry infections while Britain, France and Germany each represent just 2 percent of worldwide attacks, Kryptos said.(http://tmsnrt.rs/2qIUckv)

DUMB AND SOPHISTICATED

The ransomware mixes copycat software loaded with amateur coding mistakes and recently leaked spy tools widely believed to have been stolen from the U.S. National Security Agency, creating a vastly potent class of crimeware.

“What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption”, said Samil Neino, 32, chief executive of Los Angeles-based Kryptos Logic.

Last Friday, the company’s British-based 22-year-old data breach research chief, Marcus Hutchins, created a “kill-switch”, which security experts have widely hailed as the decisive step in halting the ransomware’s rapid spread around the globe.

WannaCry appears to target mainly enterprises rather than consumers: Once it infects one machine, it silently proliferates across internal networks which can connect hundreds or thousands of machines in large firms, unlike individual consumers at home.

An unknown number of computers sit behind the 300,000 infected internet connections identified by Kryptos.

Because of the way WannaCry spreads sneakily inside organization networks, a far larger total of ransomed computers sitting behind company firewalls may be hit, possibly numbering upward of a million machines. The company is crunching data to arrive at a firmer estimate it aims to release later Thursday.

Liran Eshel, chief executive of cloud storage provider CTERA Networks, said: “The attack shows how sophisticated ransomware has become, forcing even unaffected organizations to rethink strategies.”

ESCAPE ROUTE

Researchers from a variety of security firms say they have so far failed to find a way to decrypt files locked up by WannaCry and say chances are low anyone will succeed.

However, a bug in WannaCry code means the attackers cannot use unique bitcoin addresses to track payments, security researchers at Symantec found this week. The result: “Users unlikely to get files restored”, the company’s Security Response team tweeted.

The rapid recovery by many organizations with unpatched computers caught out by the attack may largely be attributed to back-up and retrieval procedures they had in place, enabling technicians to re-image infected machines, experts said.

While encrypting individual computers it infects, WannaCry code does not attack network data-backup systems, as more sophisticated ransomware packages typically do, security experts who have studied WannaCry code agree.

These factors help explain the mystery of why such a tiny number of victims appear to have paid ransoms into the three bitcoin accounts to which WannaCry directs victims.

Less than 300 payments worth around $83,000 had been paid into WannaCry blackmail accounts by Thursday (1800 GMT), six days after the attack began and one day before the ransomware threatens to start locking up victim computers forever. (Reuters graphic: [http://tmsnrt.rs/2rqaLyz)

The Verizon 2017 Data Breach Investigations Report, the most comprehensive annual survey of security breakdowns, found that it takes three months before at least half of organizations install major new software security patches.

WannaCry landed nine weeks after Microsoft’s patch arrived.

“The same things are causing the same problems. That’s what the data shows,” MWR research head Pratley said.

“We haven’t seen many organizations fall over and that’s because they did some of the security basics,” he said.

For a graphic on WannaCry worm, click http://fingfx.thomsonreuters.com/gfx/rngs/CYBER-ATTACK/010041552FY/index.html

(Editing by Philippa Fletcher)