News by Professionals 4 Professionals

Researchers see possible North Korea link to global cyber attack

By Dustin Volz[1] | WASHINGTON

WASHINGTON Cyber security researchers have found technical clues they said could link North Korea with the global WannaCry “ransomware” cyber attack that has infected more than 300,000 machines in 150 countries since Friday.

Symantec and Kaspersky Lab said on Monday some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.

“This is the best clue we have seen to date as to the origins of WannaCry,” Kaspersky Lab researcher Kurt Baumgartner told Reuters.

Both firms said it was too early to tell whether North Korea was involved in the attacks, which slowed to a crawl on Monday but have already become one of the fastest-spreading extortion campaigns on record.

The cyber companies’ research will be closely followed by law enforcement agencies around the world, including Washington, where U.S. President Donald Trump’s homeland security adviser said on Monday that both foreign nations and cyber criminals were possible culprits.

The two companies said they needed to study the code more and asked for others to help with the analysis. Hackers do reuse code from other operations, so even copied lines fall well short of proof.

U.S. and European security officials told Reuters on condition of anonymity that it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in pursuit of financial gain than others, and have been blamed for the theft of $81 million from a Bangladesh bank. The North Korean mission to the United Nations was not immediately available for comment.

Regardless of the source of the attack, investors piled into cyber security stocks on Monday, betting that governments and corporations will spend more to upgrade their defenses.

SMALL PAYOUT

The perpetrators had raised less than $70,000 from users looking to regain access to their computers, according to Trump homeland security adviser Tom Bossert.

“We are not aware if payments have led to any data recovery,” Bossert said, adding that no federal government systems had been affected.

Some private sector cyber security experts said they were not sure if the motive of the attack was primarily to make money, noting that most large ransomware and other types of cyber extortion campaigns pull in millions of dollars of revenue.

“I believe that this was spread for the purpose of causing as much damage as possible,” said Matthew Hickey, co-founder of British cyber consulting firm Hacker House.

The countries most affected by WannaCry to date are Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.

The number of infections has fallen dramatically since Friday’s peak when more than 9,000 computers were being hit per hour. Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but there were no major disruptions.

Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.

Shares in firms that provide cyber security services rose sharply, led by Israel’s Cyren Ltd (CYRN.O) and U.S. firm FireEye Inc (FEYE.O).

Cisco Systems (CSCO.O) closed up 2.3 percent, making it the second-biggest gainer in the Dow Jones Industrial Average, as investors focused more on opportunities the attack presented rather than the risk it posed to corporations.

Morgan Stanley, in upgrading the stock, said Cisco should benefit from network spending driven by security needs.

POLITICAL TOPIC

Beyond the immediate need to shore up computer defenses, the attack has turned cyber security into a political topic in Europe and the United States, including discussion of the role national governments play.

In a blog post on Sunday, Microsoft Corp (MSFT.O) President Brad Smith confirmed what researchers already widely concluded: the attack made use of a hacking tool built by the U.S. National Security Agency (NSA) that had leaked online in April.

He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.

On Monday, Bossert sought to distance the NSA from any blame.

“This was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states, that were put together in such a way as to deliver phishing emails, put it into embedded documents, and cause infection, encryption and locking,” Bossert said.

Russian President Vladimir Putin, noting the technology’s link to the U.S. spy service, said it should be “discussed immediately on a serious political level.”

“Once they’re let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators,” he said.

In Britain, where the virus first raised alarm when it caused hospitals to divert patients on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service (NHS) vulnerable.

RANSOM VIA BITCOIN

Some victims were ignoring official advice and paying the $300 ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday’s first wave.

So far only a few victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.

The initial ransom demand was $300 per machine. Three days after becoming infected the demand doubles. Starting on Monday, the first victims began facing demands of $600 to unlock their machines.

This coming Friday, victims face being locked out of their computers permanently if they fail to pay the $600 ransom, said Tom Robinson, co-founder of Elliptic, a London-based private security company that investigates ransomware attacks.

As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $55,169, from 209 payments, according to calculations made by Reuters using publicly available data.

Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him “the customer service provided by the criminals is second-to-none,” with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

Renault-Nissan (RENA.PA) (7201.T) said output had returned to normal at nearly all its plants. PSA Group (PEUP.PA), Fiat Chrysler (FCHA.MI), Volkswagen (VOWG_p.DE), Daimler (DAIGn.DE), Toyota (7203.T) and Honda (7267.T) said their plants were unaffected.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a “kill switch” – an internet address which halted the virus when activated.

Individual European countries and the United States saw infections at a rate of only 10 percent to 20 percent of the most affected countries, according to the researcher who stumbled on the kill switch.

The virus hit computers running older versions of Microsoft Corp (MSFT.O) software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks. The company’s shares were down about 1 percent on Monday, in a slightly higher broad market.

Infected computers appear to be largely out-of-date devices. Some were machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

For a graphic on how the cyber attack spread, see: tmsnrt.rs/2qIUckv[2]

(Additional reporting by Guy Faulconbridge, Jim Finkle, Cate Cadell, Jemima Kelly, Noel Randewich, Eric Auchard, Joseph Menn, Michelle Nichols and Tim Ahmann; Writing by Peter Graff and Nick Zieminski; Editing by Peter Millership and Bill Rigby)

References

  1. ^ Dustin Volz (www.reuters.com)
  2. ^ tmsnrt.rs/2qIUckv (tmsnrt.rs)

Global cyber attack slows; search on for hackers, motive

By Dustin Volz[1] | WASHINGTON

WASHINGTON The global WannaCry “ransomware” cyber attack slowed on Monday, with no major infections reported, as global law enforcement agencies shifted their attention to finding the hackers who unleashed it.

The attack infected 300,000 machines in 150 countries, said Tom Bossert, U.S. President Donald Trump’s homeland security adviser. That would make it one of the fastest-spreading online extortion campaigns in history.

Stocks of cyber security companies surged as investors bet on governments and corporations spending to upgrade their defenses.

The U.S. government is investigating whether the attack was launched by cyber criminals or a foreign nation state, Bossert said, noting that the perpetrators had raised less than $70,000 from users looking to regain access to their computers.

“We are not aware if payments have led to any data recovery,” Bossert said, adding that no federal government systems had been affected.

Private cyber security experts said they were not sure if the motive of the attack was primarily to make money, noting that most large ransomware attempts pull in millions of dollars of revenue.

“I believe that this was spread for the purpose of causing as much damage as possible,” said Matthew Hickey, co-founder of British cyber consulting firm Hacker House.

The countries most affected by WannaCry to date are Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.

The number of infections has fallen dramatically since Friday’s peak when more than 9,000 computers were being hit per hour. By afternoon on the U.S. East Coast, new infections had fallen to the low hundreds of machines and continue to decline, Avast said.

Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but there were no major disruptions.

As the immediate threat receded, authorities and researchers in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.

A new variant of the ransomware did surface on Monday, according to Check Point Software Technologies Ltd (CHKP.O), but the cyber security firm said it stopped it from damaging computers by activating a “kill switch” in the software.

Investors focused more on opportunities the attack presented rather than the risk it posed to corporations, pushing up shares in firms that provide cyber security services, such as Israel’s Cyren Ltd (CYRN.O) and U.S. firm FireEye Inc (FEYE.O).

Network company Cisco Systems (CSCO.O) closed up 2.3 percent, making it the second-biggest gainer in the Dow Jones Industrial Average. Wall Street firm Morgan Stanley upgraded the stock on the belief it would benefit from more network spending driven by security needs.

POLITICAL TOPIC

Beyond the immediate need to shore up computer defenses, the attack has turned cyber security into a political topic in Europe and the United States, including discussion of the role national governments play.

In a blog post on Sunday, Microsoft Corp (MSFT.O) President Brad Smith confirmed what researchers already concluded: the attack made use of a hacking tool built by the U.S. National Security Agency (NSA) that had leaked online in April.

He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the internet.

On Monday, Bossert sought to distance the NSA from any blame.

“This was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states, that were put together in such a way as to deliver phishing emails, put it into embedded documents, and cause infection, encryption and locking,” Bossert said.

Russian President Vladimir Putin, noting the technology’s link to the U.S. spy service, said it should be “discussed immediately on a serious political level.”

“Once they’re let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators,” he said.

In Britain, where the virus first raised alarm when it caused hospitals to divert patients on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service (NHS) vulnerable.

“The government’s response has been chaotic,” Labour’s health spokesman Jon Ashworth said. “If you’re not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack.”

Britain’s NHS is the world’s fifth-largest employer. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.

Asked if the government had ignored warnings over the NHS being at risk from cyber attack, Prime Minister Theresa May told Sky News: “No. It was clear (that) warnings were given to hospital trusts.”

British health minister Jeremy Hunt said it was “encouraging” that a predicted second spike of attacks had not occurred, but the ransomware was a warning to public and private organizations.

RANSOM VIA BITCOIN

Some victims were ignoring official advice and paying the $300 ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday’s first wave.

So far only a few victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.

The initial ransom demand was $300 per machine. Three days after becoming infected the demand doubles. Starting on Monday, the first victims began facing demands of $600 to unlock their machines.

This coming Friday, victims face being locked out of their computers permanently if they fail to pay the $600 ransom, said Tom Robinson, co-founder of Elliptic, a London-based private security company that investigates ransomware attacks.

As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $55,169, from 209 payments, according to calculations made by Reuters using publicly available data.

Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him “the customer service provided by the criminals is second-to-none,” with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

Renault-Nissan (RENA.PA) (7201.T) said output had returned to normal at nearly all its plants. PSA Group (PEUP.PA), Fiat Chrysler (FCHA.MI), Volkswagen (VOWG_p.DE), Daimler (DAIGn.DE), Toyota (7203.T) and Honda (7267.T) said their plants were unaffected.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a “kill switch” – an internet address which halted the virus when activated.

Individual European countries and the United States saw infections at a rate of only 10 percent to 20 percent of the most affected countries, according to the researcher who stumbled on the kill switch.

The virus hit computers running older versions of Microsoft Corp (MSFT.O) software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks. The company’s shares were down about 1 percent on Monday, in a slightly higher broad market.

Infected computers appear to be largely out-of-date devices. Some were machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

For a graphic on how the cyber attack spread, see: tmsnrt.rs/2qIUckv[2]

(Additional reporting by Guy Faulconbridge, Jim Finkle, Cate Cadell, Jemima Kelly, Noel Randewich, Eric Auchard and Tim Ahmann; Writing by Peter Graff and Nick Zieminski; Editing by Peter Millership and Bill Rigby)

References

  1. ^ Dustin Volz (www.reuters.com)
  2. ^ tmsnrt.rs/2qIUckv (tmsnrt.rs)

Book review: Recounting the chase with aplomb!

Veerappan: Chasing the Brigand is an unputdownable book, especially for those who love thrillers. If K. Vijay Kumar wanted, he could have written an autobiography perhaps titled Supercop, which would have been a runaway bestseller given the numerous accomplishments he has against his name as an IPS officer. Vijay Kumar was among the first batch of IPS officers to join the SPG, the Special Protection Group that guards Prime Ministers; he also had a successful tenure fighting militancy in Kashmir in the late 1990s while serving in the Border Security Force besides various postings in the Tamil Nadu Police. He is, however, best known for eliminating the dreaded brigand Veerappan in 2004 as head of the Tamil Nadu Special Task Force (STF). It is therefore fitting that Vijay Kumar has chosen to write on one of the most challenging assignments he undertook in a career spanning over three decades.

The book is not fiction, but the incredible detailing that Vijay Kumar has managed to pack into this 250-page book will leave the reader gasping. Interspersed with vignettes from his career and personal life – the brutally hard training he underwent in the Alps after becoming a member of the Close Protection Team (CPT) that forms the innermost ring of protection around the Prime Minister; his experience as SP of Salem district, or the fact that he chose to remain in the IPS despite qualifying for the Indian Administrative Service (IAS) – the book traces the painful journey of Tamil Nadu, Kerala and Karnataka police in trying to capture or kill Veerappan, who was truly the lord of the jungle spread over 1,200 sq. km across the three states. For nearly three decades, Veerappan had built an impregnable fortress in the jungles, running an empire built on income from loot, ransom and smuggling. Reputed to have killed an elephant when still a juvenile, Veerappan knew the forest like his backyard. Despite 20 years of attempts by police forces of three states, Veerappan had remained elusive. Time and again, he had kidnapped and ruthlessly murdered forest officials, informers and even policemen. In one instance, he had brutally beheaded a Karnataka forest official, blaming him for the suicide of his sister. The officer’s head was apparently found three years after he was lured and trapped by Veerappan’s gang. Cunning, suspicious of everyone around him and absolutely comfortable operating in the forest, Veerappan also had a keen eye for tactics and strategy and could have made an excellent commander had he not chosen to lead the life of a bandit. Vijay Kumar’s book is important to read not only because of the insights it provides into what constitutes police work but also the thankless job that policemen often do.
Police forces often face criticism – in many cases valid and justified – because of widespread corruption, unjustified brutality and seemingly low rate of success in prosecuting criminals. The STFs in both Karnataka and Tamil Nadu were routinely criticised for their failure to nab Veerappan for so long and the apparent impunity with which he operated in his area of influence. Vijay Kumar traces the early history of the cat-and-mouse game between the police and Veerappan, the gradual whittling down of the bandit’s gang through desertion and attrition enforced by the law enforcers.

However, despite being reduced to a single digit in the early 2000s from a high of 150 members in the 1990s, Veerappan continued to remain at large. It took a patient, longish operation to finally lure the brigand out into a semi-urban setting where he met his nemesis. Vijay Kumar, chosen personally by the late J. Jayalalithaa to head the STF in 2001 (there is a nice passage where he narrates how one phone call from the then Tamil Nadu chief minister ensured that Vijay Kumar was repatriated back to the Tamil Nadu cadre, even before he could finish his five-year stint in the BSF), revitalised the STF, revamped the intelligence network and through a combination of guile, technology and by simply leading from the front, delivered the prized trophy in less than three years. Behind the success, as Vijay Kumar himself acknowledges, was the blood, sweat and toil of hundreds of policemen and informers. Legendary cops Walter Devaram and Shankar Bidari and many colleagues from both Tamil Nadu and Karnataka find repeated mention for their important contribution in waging a relentless battle of attrition against Veerappan – notwithstanding several lives lost in the line of duty – which reduced Veerappan’s gang to a single digit. Finally, when he was gunned down outside Padi near Dharmapuri in Tamil Nadu on October 18, 2004, 20 years of battle was over in 20 minutes. By the count of ballistics experts, in the encounter that began at 10.50 pm, 24 policemen fired 338 bullets on the vehicle that carried Veerappan and three members of his gang after they had been lured into the kill area, out of the forest. Three bullets were found to have hit Veerappan. Of the three, one went clean through the left eye. Ironically, Veerappan was travelling in what he believed was an ambulance taking him to Salem for treatment of his failing eyesight but was, in fact, a decoy vehicle sent by Vijay Kumar’s STF.

One important factor for the eventual success achieved by the Tamil Nadu STF must be noted here: Unflinching faith reposed by former chief minister Jayalalithaa in the abilities of her officers. Vijay Kumar mentions at least thrice how Jayalalithaa provided without hesitation whatever vital equipment and resources the STF needed and provided them without any bureaucratic delay. She never interfered either in the day-to-day functioning of the STF and was patient enough to wait for the eventual result. Police officers backed by well-meaning and decisive politicians can achieve the impossible.

Vijay Kumar says he took a long time to complete the book although the initial draft was ready within two years of his great accomplishment. That wait has certainly been worth it.

Nitin A. Gokhale is a veteran journalist and a specialist in conflict reporting
