Exclusive: Ukraine says Russia hackers laying groundwork for massive strike

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by cyber attacks, in Kiev, Ukraine June 27, 2017. Picture taken June 27, 2017. REUTERS/Valentyn Ogirenko

By Pavel Polityuk

KIEV (Reuters) – Hackers from Russia are infecting Ukrainian companies with malware to create so-called ‘back doors’ for a large coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday, almost a year after a strike on Ukraine spread around the world.

Affected companies range across various industries, such as banks or energy infrastructure. The pattern of the malware being rolled out suggests the people behind it want to activate it on a particular day, Serhiy Demedyuk said.

Demedyuk said his staff were cooperating with foreign agencies to track the hackers, without naming the agencies.

Police had identified viruses designed to hit Ukraine since the start of the year, including phishing emails sent from legitimate domains of state institutions whose systems were hacked, or a fake webpage mimicking that of a real state body.

They had intercepted hackers sending malware from different sources and broken into various components so as to remain undetected by antivirus software until activated as a single unit, Demedyuk said.

“Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day,” he said.

Relations between Ukraine and Russia plunged following Russia’s annexation of Crimea in 2014, and Kiev has accused Russia of orchestrating large-scale cyber attacks as part of a “hybrid war” against Ukraine, which Moscow repeatedly denies.

Some attacks coincided with major Ukrainian holidays and Demedyuk said another strike could be launched on Thursday — Constitution Day — or on Independence Day in August.

On June 27 last year, the country was hit by a massive strike known as “NotPetya”, which knocked out Ukrainian IT systems before spreading around the world. The United States and Britain joined Ukraine in blaming Russia for the attack.

Demedyuk said the scale of the latest detected preparations was the same as NotPetya.

“This is support on a government level – very expensive and very synchronized. Without the help of government bodies it would not be possible. We’re talking now about the Russian Federation,” he said.

“Everything we’re seeing, everything we’ve intercepted in this period: 99 percent of the traces come from Russia.”

The Kremlin did not immediately respond to a request for comment.

Ukraine is better prepared to withstand such attacks thanks to cooperation with foreign allies since the NotPetya strike, Demedyuk said. Ukraine has received support from the U.S., Britain and NATO among others to beef up its cyber defenses.

But Demedyuk said some Ukrainian companies had not bothered to clean their computers after NotPetya struck, leaving machines still infected by the virus and vulnerable to being used for another attack.

“We are sounding the alarm to remind people – come to your senses, check your equipment,” he said. “It’s better to be on the safe side than clean up a mess like last time.”

He also appealed to global companies who were hit by NotPetya, including U.S. and European firms in Ukraine, to share details of their investigations and steps to localize the hack.

“They have a huge amount of very interesting evidence, which they store themselves. We would like it if they weren’t scared and approached us.”

(Additional reporting by Margarita Popova in Moscow; writing by Matthias Williams; editing by Philippa Fletcher)

Hackers hit major ATM network after U.S., Russian bank breaches

By Eric Auchard

FRANKFURT (Reuters) – A previously undetected group of Russian-language hackers silently stole nearly $10 million from at least 18 mostly U.S. and Russian banks in recent years by targeting interbank transfer systems, a Moscow-based security firm said on Monday.

Group-IB warned that the attacks, which began 18 months ago and allow money to be robbed from bank automated teller machines (ATMs), appear to be ongoing and that banks in Latin America could be targeted next.

The first attack occurred in the spring of 2016 against First Data’s  “STAR” network, the largest U.S. bank transfer messaging system connecting ATMs at more than 5,000 organizations, Group-IB researchers said in a 36-page report.

The firm said it was continuing to investigate a number of incidents where hackers studied how to make money transfers through the SWIFT banking system, while stopping short of saying whether any such attacks had been carried out successfully.

SWIFT said in October that hackers were still targeting its interbank messaging system, but security controls instituted after last year’s $81 million heist at Bangladesh’s central bank had thwarted many of those attempts. (http://reut.rs/2z1b7Bo)

Group-IB has dubbed the hacker group “MoneyTaker” after the name of software it used to hijack payment orders to then cash out funds through a network of low-level “money mules” who were hired to pick up money from automated teller machines.

The security researchers said they had identified 18 banks who were hit including 15 across 10 states in the United States, two in Russia and one in Britain. Beside banks, financial software firms and one law firm were targeted.

The average amount of money stolen in each of 14 U.S. ATM heists was $500,000 per incident. Losses in Russia averaged $1.2 million per incident, but one bank there managed to catch the attack and return some of the stolen funds, Group-IB said.

Hackers also stole documentation for OceanSystems’ Fed Link transfer system used by 200 banks in Latin America and the United States, it said. In addition, they successfully attacked the Russian interbank messaging system known as AW CRB.

Once hackers penetrated targeted banks and financial organizations, they stole internal bank documentation in order to mount future ATM attacks, Group-IB said. In Russia, the hackers continued to spy on bank networks after break-ins, while at least one U.S. bank had documents robbed twice, it said.

Group-IB said it had notified Interpol and Europol in order to assist in law enforcement investigations.

The unidentified hackers used a mix of constantly changing tools and tactics to bypass anti virus and other traditional security software while being careful to eliminate traces of their operations, helping them to go largely unnoticed. To disguise their moves, hackers used security certificates from brands such as Bank of America, the Fed, Microsoft and Yahoo.

(Reporting by Eric Auchard; editing by Mark Heinrich)

U.S. theory on Democratic Party breach: Hackers meant to leave Russia’s mark

secure URL picture

By John Walcott, Joseph Menn and Mark Hosenball

WASHINGTON (Reuters) – Some U.S. intelligence officials suspect that Russian hackers who broke into Democratic Party computers may have deliberately left digital fingerprints to show Moscow is a “cyberpower” that Washington should respect.

Three officials, all speaking on condition of anonymity, said the breaches of the Democratic National Committee (DNC) were less sophisticated than other cyber intrusions that have been traced to Russian intelligence agencies or criminals.

For example, said one official, the hackers used some Cyrillic characters, worked during Russian government business hours but not on Russian religious or political holidays.”Either these guys were incredibly sloppy, in which case it’s not clear that they could have gotten as far as they did without being detected, or they wanted us to know they were Russian,” said the official.

Private sector cyber security experts agreed that the evidence clearly points to Russian hackers but dismissed the idea that they intentionally left evidence of their identities.

These experts – who said they have examined the breach in detail – said the Cyrillic characters were buried in metadata and in an error message. Other giveaways, such as a tainted Internet protocol address, also were difficult to find.

Russian hacking campaigns have traditionally been harder to track than China’s but not impossible to decipher, private sector experts said. But the Russians have become more aggressive and easier to detect in the past two years, security experts said, especially when they are trying to move quickly.

False flags have grown more common, but the government and private experts do not believe that is involved in the DNC case.

The two groups of hackers involved are adept at concealing their intrusions, said Laura Galante, head of global threat intelligence at FireEye, whose Mandiant subsidiary conducted forensic analysis of the attack and corroborated the findings of another cyber company, CrowdStrike.

Russian officials have dismissed the allegations of Moscow’s involvement as absurd. Russian Foreign Minister Sergei Lavrov, in his only response to reporters, said: “I don’t want to use four-letter words.”

EMBARRASSING EMAILS

While private cyber experts and the government were aware of the political party’s hacking months ago, embarrassing emails were leaked last weekend by the WikiLeaks anti-secrecy group just as the Democratic Party prepared to anoint Hillary Clinton as its presidential candidate for the Nov. 8 election.

DNC chairwoman, Debbie Wasserman Schultz, resigned after the leaked emails showed party leaders favoring Clinton over her rival in the campaign for the nomination, U.S. Senator Bernie Sanders of Vermont. The committee is supposed to be neutral.

The U.S. intelligence officials conceded that they had based their views on deductive reasoning and not conclusive evidence, but suggested Russia’s aim probably was much broader than simply undermining Clinton’s campaign.

They said the hack fit a pattern of Russian President Vladimir Putin pushing back on what he sees as the United States and its European allies trying to weaken Russia.

“Call it the cyber equivalent of buzzing NATO ships and planes using fighters with Russian flags on their tails,” said one official.

Two sources familiar with Democratic Party investigations into the hacking said the private email accounts of Democratic Party officials were targeted as well as servers.

They said that the FBI had advised the DNC that it was looking into the hacking of the individual officials’ private accounts. They also said the FBI also requested additional information identifying the personal email accounts of certain party officials.

The DNC hired CrowdStrike to investigate the hack. It spent about six weeks, from late April to about June 11 or 12, monitoring the systems and watching while the hackers – who they believed were Russian – operated inside the systems, one of the sources said.

What actions, if any, the Obama administration will take are unclear and could depend on what diplomatic considerations may ultimately be involved, a former White House cyber security official said.

In past cases, administration officials have decided to publicly blame North Korea and indict members of China’s military for hacking because the administration decided that the net benefit of public shaming – and increased awareness brought to cyber security – outweighed potential risks, the former official said.

But “the Russia calculation is far more difficult and precarious,” the former official said. “Russia is a much more aggressive, capable foreign actor both in the traditional military sense and in the cyber realm” and that made public attribution or covert retaliation much less likely.

The former official, and a source familiar with the Democratic Party investigations, said that they also were unaware of any U.S. intelligence clearly demonstrating that WikiLeaks had received the hacked materials directly from Russians or that WikiLeaks’ release of the materials was in any way directed by Russians.

(Reporting By John Walcott, Joseph Menn and Mark Hosenball; Additional reporting by Dustin Volz; Editing by David Rohde and Grant McCool)

FBI investigates hacking of Democratic Party organization

he headquarters of the Democratic National Committee is seen in Washington,

By Dustin Volz

WASHINGTON (Reuters) – The Federal Bureau of Investigation is investigating the nature and scope of a cyber intrusion at the Democratic National Committee, the agency said on Monday, amid concerns hackers working for Russia are attempting to use the breach to influence the U.S. presidential election.

“A compromise of this nature is something we take very seriously, and the FBI will continue to investigate and hold accountable those who pose a threat in cyberspace,” the FBI said in a statement.

Emails among DNC employees were released by anti-secrecy group WikiLeaks over the weekend appearing to expose favoritism for presumptive Democratic nominee Hillary Clinton over her chief rival in the primary contest, Senator Bernie Sanders.

The correspondence prompted the resignation of DNC chairwoman Debbie Wasserman Schultz on Sunday, effective at the end of the party’s convention in Philadelphia. Protesters jeered Wasserman Schultz on Monday at a meeting ahead of the convention.

Separately, the U.S. House of Representatives intelligence committee has been briefed on the hack and would seek information on any potential connection to Russia or another state, said Representative Adam Schiff, the senior Democrat on the panel.

Clinton campaign manager Robby Mook told CNN on Sunday that the emails were released by suspected Russian hackers in order to sow discord at the convention and help Republican nominee Donald Trump, her rival in the Nov. 8 presidential election.

The Trump campaign dismissed the allegation as absurd.

(Reporting by Dustin Volz; editing by Grant McCool)