
June 28, 2017

Cyber Attack Hits Ukraine Then Spreads Around The World



A screenshot of what appeared to be the ransomware affecting systems worldwide on Tuesday. The Ukrainian government posted the shot to its official Facebook page.
 
 Computer systems from Ukraine to the United States were struck on Tuesday in an international cyber attack that was similar to a recent assault that crippled tens of thousands of machines worldwide.

In Kiev, the capital of Ukraine, A.T.M.s stopped working. About 80 miles away, workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed. And tech managers at companies around the world — from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States — were scrambling to respond. Even an Australian factory for the chocolate giant Cadbury was affected.

It was unclear who was behind this cyber attack, and the extent of its impact was still hard to gauge Tuesday. It started as an attack on Ukrainian government and business computer systems — an assault that appeared to have been intended to hit the day before a holiday marking the adoption in 1996 of Ukraine’s first Constitution after its break from the Soviet Union. The attack spread from there, causing collateral damage around the world.

The outbreak was the latest and perhaps the most sophisticated in a series of attacks making use of dozens of hacking tools that were stolen from the National Security Agency and leaked online in April by a group called the Shadow Brokers. 


Like the WannaCry attacks in May, the latest global hacking took control of computers and demanded digital ransom from their owners to regain access. The new attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry episode, as well as two other methods to promote its spread, according to researchers at the computer security company Symantec.

The National Security Agency has not acknowledged its tools were used in WannaCry or other attacks. But computer security specialists are demanding that the agency help the rest of the world defend against the weapons it created.

“The N.S.A. needs to take a leadership role in working closely with security and operating systems platform vendors such as Apple and Microsoft to address the plague that they’ve unleashed,” said Golan Ben-Oni, the global chief information officer at IDT, a Newark-based conglomerate hit by a separate attack in April that used the agency’s hacking tools. Mr. Ben-Oni warned federal officials that more serious attacks were probably on the horizon.

The vulnerability in Windows software used by Eternal Blue was patched by Microsoft in March, but as the WannaCry attacks demonstrated, hundreds of thousands of groups around the world failed to properly install the fix.

“Just because you roll out a patch doesn’t mean it’ll be put in place quickly,” said Carl Herberger, vice president for security at Radware. “The more bureaucratic an organization is, the higher chance it won’t have updated its software.”

Because the ransomware used at least two other ways to spread on Tuesday — including stealing victims’ credentials — even those who used the Microsoft patch could be vulnerable and potential targets for later attacks, according to researchers at F-Secure, a Finnish cybersecurity firm, and others. 
The Ukrainian government said several of its ministries, local banks, and metro systems had been affected. A number of other European companies, including Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency, also said they had been targeted.

Ukrainian officials pointed a finger at Russia on Tuesday, although Russian companies were also affected. Home Credit Bank, one of Russia’s top 50 lenders, was paralyzed, with all of its offices closed, according to the RBC news website. The attack also affected Evraz, a steel manufacturing and mining company that employs about 80,000 people, the RBC website reported.

In the United States, the multinational law firm DLA Piper also reported being hit. Hospitals in Pennsylvania were being forced to cancel operations after the attack hit computers at Heritage Valley Health Systems, a Pennsylvania health care provider, and its hospitals in Beaver and Sewickley, Penn., and satellite locations across the state.

The ransomware also hurt Australian branches of international companies. DLA Piper’s Australian offices warned clients that they were dealing with a “serious global cyber incident” and had disabled email as a precautionary measure. Local news reports said that in Hobart, Tasmania, on Tuesday evening, computers in a Cadbury chocolate factory, owned by Mondelez International, had displayed ransomware messages that demanded $300 in bitcoins.

Qantas Airways’ booking system failed for a time on Tuesday, but the company said the breakdown was due to an unrelated hardware issue.

The Australian government has urged companies to install security updates and isolate any infected computers from their networks.

“This ransomware attack is a wake-up call to all Australian businesses to regularly back up their data and install the latest security patches,” said Dan Tehan, the cyber security minister. “We are aware of the situation and monitoring it closely.”

A National Security Agency spokesman referred questions about the attack to the Department of Homeland Security. “The Department of Homeland Security is monitoring reports of cyber attacks affecting multiple global entities and is coordinating with our international and domestic cyber partners,” Scott McConnell, a department spokesman, said in a statement.
Computer specialists said the ransomware was very similar to a virus that emerged last year called Petya. Petya means “Little Peter,” in Russian, leading some to speculate the name referred to Sergei Prokofiev’s 1936 symphony “Peter and the Wolf,” about a boy who captures a wolf.

Reports that the computer virus was a variant of Petya suggest the attackers will be hard to trace. Petya was for sale on the so-called dark web, where its creators made the ransomware available as “ransomware as a service” — a play on Silicon Valley terminology for delivering software over the internet, according to the security firm Avast Threat Labs.

That means anyone could launch the ransomware with the click of a button, encrypt someone’s systems and demand a ransom to unlock it. If the victim pays, the authors of the Petya ransomware, who call themselves Janus Cybercrime Solutions, get a cut of the payment.

That distribution method means that pinning down the people responsible for Tuesday’s attack could be difficult. 

The attack is “an improved and more lethal version of WannaCry,” said Matthieu Suiche, a security researcher who helped contain the spread of the WannaCry ransomware when he created a kill switch that stopped the attacks.

In just the last seven days, Mr. Suiche noted, WannaCry had tried to hit an additional 80,000 organizations but was prevented from executing attack code because of the kill switch. Petya does not have a kill switch.

Petya also encrypts and locks entire hard drives, whereas the earlier ransomware attacks locked only individual files, said Chris Hinkley, a researcher at the security firm Armor.

The hackers behind Petya demanded $300 worth of the cyber currency Bitcoin to unlock victims’ machines. By Tuesday afternoon, online records showed that 30 victims had paid the ransom, although it was not clear whether they had regained access to their files. Other victims may be out of luck, after Posteo, the German email service provider, shut down the hackers’ email account.

In Ukraine, people turned up at post offices, A.T.M.s and airports to find blank computer screens or signs about closures. At Kiev’s central post office, a few bewildered customers milled about, holding parcels and letters, looking at a sign that said, “Closed for technical reasons.”

The hackers compromised Ukrainian accounting software mandated to be used in various industries in the country, including government agencies and banks, according to researchers at Cisco Talos, the security division of the computer networking company. That allowed them to unleash their ransomware when the software, which is also used in other countries, was updated.

The ransomware spread for five days across Ukraine, and around the world, before activating Tuesday evening.

“If I had to guess, I would think this was done to send a political message,” said Craig Williams, the senior technical researcher at Talos.

One Kiev resident, Tetiana Vasylieva, was forced to borrow money from a relative after failing to withdraw money at four automated teller machines. At one A.T.M. in Kiev belonging to the Ukrainian branch of the Austrian bank Raiffeisen, a message on the screen said the machine was not functioning.

Ukraine’s Infrastructure Ministry, the postal service, the national railway company, and one of the country’s largest communications companies, Ukrtelecom, had been affected, Volodymyr Omelyan, the country’s infrastructure minister, said in a Facebook post.

Officials for the metro system in Kiev said card payments could not be accepted. The national power grid company Kievenergo had to switch off all of its computers, but the situation was under control, according to the Interfax-Ukraine news agency. Metro Group, a German company that runs wholesale food stores, said its operations in Ukraine had been affected. 

At the Chernobyl plant, the computers affected by the attack collected data on radiation levels and were not connected to industrial systems at the site, where, although all reactors have been decommissioned, huge volumes of radioactive waste remain. Operators said radiation monitoring was being done manually.

Cybersecurity researchers questioned whether collecting ransom was the true objective of the attack.

“It’s entirely possible that this attack could have been a smoke screen,” said Justin Harvey, the managing director of global incident response at Accenture Security. “If you are an evildoer and you wanted to cause mayhem, why wouldn’t you try to first mask it as something else?” 

An earlier version of this article referred incorrectly to the occupation of Justin Harvey. He is the managing director of global incident response at Accenture Security, not the chief security officer for the Fidelis Cybersecurity company.


Reporting was contributed by Liz Alderman, Andrew E. Kramer, Iuliia Mendel, Ivan Nechepurenko and Isabella Kwai.

A version of this article appears in print on June 28, 2017, on Page A1 of the New York edition 



June 5, 2017

Russian Military Intelligence Agency Launched Cyber Attack Just Before Election





Russia's military intelligence agency launched an attack before Election Day 2016 on a U.S. company that provides voting services and systems, according to a top secret report posted Monday by The Intercept.

The news site published a report, with redactions, by the National Security Agency that described the Russian spear-phishing scheme, one it described as perpetrated by the same intelligence agency — the GRU — sanctioned by the Obama administration over the 2016 cyber-mischief.
 
According to the NSA report, Russian hackers sent emails to people who worked at a company that provides election software and hardware, trying to trick them into giving up their user credentials. The goal was to get custom software onto their computers so that Russian spies could find out more about the workings of the network. The Intercept reports, "At least one of the employee accounts was likely compromised, the agency concluded."

The NSA report also says the Russian attackers wanted to know more about voter registration systems. But the American spy agency acknowledges it doesn't know how successful the Russian efforts were in that effort or what information or access the GRU may have gleaned.

A spokesman for the Office of the Director of National Intelligence declined to comment. VR Systems, a Florida-based election systems provider referenced in the material, did not respond to NPR's request for comment.

Separately on Monday, the Justice Department announced that it is charging a 25-year-old Georgia woman who works for an intelligence agency contractor with allegedly sending classified material to a news organization.

Reality Leigh Winner of Augusta was arrested on Saturday; the FBI said in court documents that she had been accused of printing out classified material and sending it by mail to a news outlet.

Two national security officials with knowledge of the matter confirmed to NPR on Monday that the cases are connected.

Winner's arrest follows the promise of a crackdown by the Trump administration on leaks, which have detailed a number of sometimes embarrassing details about the inner workings of the government and some of its national security arrangements.
 
"Releasing classified material without authorization threatens our nation's security and undermines public faith in government," Deputy Attorney General Rod Rosenstein said in a statement on Monday. "People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation."

The NSA document posted on Monday offers some of the most official detail yet about Russia's cyberactivity, which the U.S. intelligence community has previously discussed in much broader terms. It also confirmed that the Russian attacks continued after the Department of Homeland Security publicly attributed the meddling to Russia's intelligence agencies, confirming that those statements did not deter more cyberattacks — and after Obama's warning to Putin in September "to cut it out, there were going to be serious consequences if he did not."

Intelligence agency leaders say that Russia's attacks did not change any actual votes in the 2016 race, but election technology experts have been concerned for years that hackers could attempt to manipulate not only individual voting machines but other equipment used to run elections, such as those that tabulate votes or keep track of voter registrations.

While the machines that voters use to cast their ballots are not connected to the Internet, the computers used to program these machines, or to run elections, can be connected at some point, leaving them vulnerable to cyberattacks.

J. Alex Halderman, a computer security expert from the University of Michigan, is among those who have been sounding the alarm for years.

"It's highly significant that these attacks took place, because it confirms that Russia was interested in targeting voting technology, at least to some extent. I hope further investigation can shed more light on what they intended to do and how far they got," he says.

Halderman and others note that local election officials often contract with private vendors, such as VR Systems, to program their voting equipment. He says if those vendors are hacked, then malware could easily be spread to local election offices and ultimately to individual voting machines.

Jeremy Epstein, another voting security expert, said that even though the NSA report describes efforts to hack into voter registration systems, once a hacker has access to a local election office's computers, they can potentially infect other aspects of the election.

"If I was a Russian trying to manipulate an election, this is exactly how I would do it," he says.

Experts say it would be difficult to know if votes had been tampered with unless the equipment had a paper ballot backup. Those paper ballots can be used to verify whether or not the election results reported electronically were correct.

Lawrence Norden, of the Brennan Center for Justice at the New York University School of Law, notes that seven of the eight states that use VR Systems services — California, Florida, Illinois, Indiana, New York, North Carolina and West Virginia — have paper-based systems. And most of the equipment used in the eighth state — Virginia — also uses paper.

Another concern is that even if a hacker did not try to change the actual election results, they could undermine confidence in the voting system by causing enough confusion at the polls to raise doubts about the results. That could happen, for example, if voters showed up at the polls to find that their names were not listed, or listed incorrectly.


Breaking News on NPR (Monday)

October 16, 2016

CIA Will Cyber Strike Russia Back






The Obama administration is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election, U.S. intelligence officials told NBC News.

Current and former officials with direct knowledge of the situation say the CIA has been asked to deliver options to the White House for a wide-ranging "clandestine" cyber operation designed to harass and "embarrass" the Kremlin leadership.

The sources did not elaborate on the exact measures the CIA was considering, but said the agency had already begun opening cyber doors, selecting targets and making other preparations for an operation. Former intelligence officers told NBC News that the agency had gathered reams of documents that could expose unsavory tactics by Russian President Vladimir Putin.
Vice President Joe Biden told "Meet the Press" moderator Chuck Todd on Friday that "we're sending a message" to Putin and that "it will be at the time of our choosing, and under the circumstances that will have the greatest impact."

When asked if the American public will know a message was sent, the vice president replied, "Hope not."

Retired Admiral James Stavridis told NBC News' Cynthia McFadden that the U.S. should attack Russia's ability to censor its internal internet traffic and expose the financial dealings of Putin and his associates.

"It's well known that there's a great deal of offshore money moved outside of Russia from oligarchs," he said. "It would be very embarrassing if that was revealed, and that would be a proportional response to what we've seen" in Russia's alleged hacks and leaks targeting U.S. public opinion.

Sean Kanuck, who was until this spring the senior U.S. intelligence official responsible for analyzing Russian cyber capabilities, said not mounting a response would carry a cost.
"If you publicly accuse someone," he said, "and don't follow it up with a responsive action, that may weaken the credible threat of your response capability."

President Obama will ultimately have to decide whether he will authorize a CIA operation. Officials told NBC News that for now there are divisions at the top of the administration about whether to proceed.

Two former CIA officers who worked on Russia told NBC News that there is a long history of the White House asking the CIA to come up with options for covert action against Russia, including cyber options — only to abandon the idea.

"We've always hesitated to use a lot of stuff we've had, but that's a political decision," one former officer said. "If someone has decided, `We've had enough of the Russians,' there is a lot we can do. Step one is to remind them that two can play at this game and we have a lot of stuff. Step two, if you are looking to mess with their networks, we can do that, but then the issue becomes, they can do worse things to us in other places."

A second former officer, who helped run intelligence operations against Russia, said he was asked several times in recent years to work on covert action plans, but “none of the options were particularly good, nor did we think that any of them would be particularly effective,” he said. 

Putin is almost beyond embarrassing, he said, and anything the U.S. can do against, for example, Russian bank accounts, the Russians can do in response.

"Do you want to have Barack Obama bouncing checks?" he asked.

Former CIA deputy director Michael Morell expressed skepticism that the U.S. would go so far as to attack Russian networks.

"Physical attacks on networks is not something the U.S. wants to do because we don't want to set a precedent for other countries to do it as well, including against us," he said. "My own view is that our response shouldn't be covert -- it should be overt, for everybody to see."

The Obama administration is debating just that question, officials say — whether to respond to Russia via cyber means, or with traditional measures such as sanctions.

The CIA's cyber operation is being prepared by a team within the CIA's Center for Cyber Intelligence, documents indicate. According to officials, the team has a staff of hundreds and a budget in the hundreds of millions.

The covert action plan is designed to protect the U.S. election system and ensure that Russian hackers can't interfere with the November vote, officials say. Another goal is to send a message to Russia that it has crossed a line, officials say.

While the National Security Agency is the center for American digital spying, the CIA is the lead agency for covert action and has its own cyber capabilities. It sometimes brings in the NSA and the Pentagon to help, officials say.
In earlier days, the CIA was behind efforts to use the internet to put pressure on Slobodan Milosevic in Serbia in 1999, and to pressure Iraqi leadership in 2003 to split off from Saddam Hussein.

According to documents leaked by Edward Snowden, the CIA requested $685.4 million for computer network operations in 2013, compared to $1 billion by the NSA.

Retired Gen. Mike Hayden, who ran the CIA after leading the NSA, wrote this year: "We even had our own cyber force, the Information Operations Center (IOC), that former CIA director George Tenet launched and which had grown steadily under the next spy chief, Porter Goss, and me. The CIA didn't try to replicate or try to compete with NSA… the IOC was a lot like Marine Corps aviation while NSA was an awful lot like America's Air Force."

"I would quote a Russian proverb," said Adm. Stavridis, "which is, 'Probe with bayonets. When you hit mush, proceed. When you hit steel withdraw.' I think unless we stand up to this kind of cyber attack from Russia, we’ll only see more and more of it in the future."

