
Hackers use stolen U.S. spy agency tool, launch ‘unprecedented’ cyber attack on UK hospitals, companies – UPDATE

A global cyber attack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency disrupted Britain’s health system, hit international shipper FedEx, and infected computers in nearly 100 countries.

UPDATE 7 Experts see risk of fresh strikes

Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.

“We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” said Vikram Thakur, principal research manager at Symantec.

“The numbers are extremely low and coming down fast.”

But the attackers may yet tweak the code and restart the cycle. The researcher in Britain widely credited with foiling the ransomware’s proliferation told Reuters he had not seen any such tweaks yet, “but they will (happen).”

Researchers said the worm deployed in the latest attack, or similar tools released by Shadow Brokers, are likely to be used for fresh assaults not just with ransomware but other malware to break into firms, seize control of networks and steal data.

Finance chiefs from the Group of Seven rich countries were to commit on Saturday to joining forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Italy.

“Appropriate economy-wide policy responses are needed,” the ministers said in their draft statement, seen by Reuters.

UPDATE 6 Russian banks withstood massive cyber attacks

Russia’s central bank said on Saturday it had detected “massive” cyber attacks on domestic banks, which successfully thwarted them, the RIA news agency reported.

The report came amid a global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency that infected tens of thousands of computers in nearly 100 countries.

Local media reported that state-owned Russian Railways also successfully defended itself from a cyber attack.

UPDATE 5 German rail operator affected by global cyber attack

German rail operator Deutsche Bahn said on Saturday its systems were infected by a global cyber attack that caused computer turmoil in nearly 100 countries.

It said in a statement that train services were not disrupted but some electronic boards at stations announcing arrivals and departures had been affected.

Pictures posted online by travellers showed red windows appearing on announcement boards with a message demanding a cash payment to restore access. Deutsche Bahn said it was working to rectify the problem.

German Interior Minister Thomas de Maiziere said government computer systems were not affected.

UPDATE 4 Renault stops production at some sites after cyber attack

French carmaker Renault stopped production at several sites on Saturday to prevent the spread of a global cyber attack that hit its computer systems, a spokesman said.

“Proactive measures have been put in place, including the temporary suspension of industrial activity at some sites,” the spokesman said.

Renault’s plant at Sandouville in northwestern France was one of the factories that stopped production, the spokesman said, declining to provide a full list of affected sites.

The manufacturer is the first major French company to report being affected by the ransomware cyber attack that has infected tens of thousands of computers in nearly 100 countries.

PSA Group, Renault’s French rival, was not affected, a spokesman said on Saturday.

UPDATE 3 Europol says the cyberattack is at an unprecedented level

Europol announced that its European Cybercrime Centre, EC3, is working closely with affected countries’ cybercrime units and key industry partners to mitigate the threat and assist victims of the WannaCry ransomware.

“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits. The Joint Cybercrime Action Taskforce (JCAT) at EC3 is a group of specialist international cyber investigators and is specially designed to assist in such investigations and will play an important role in supporting the investigation,” a press release shows.

Users are urged to visit a free online resource developed by Europol, Dutch Police and industry partners for further information on how to protect their data and devices, and on what to do when infected with ransomware.

UPDATE 2 Renault hit by ransomware global cyber attack

French carmaker Renault was hit by the global ransomware cyber attack that has infected tens of thousands of computers in nearly 100 countries, a spokeswoman said on Saturday.

It is the first major French company to report being affected by the malware.

“Measures are being put in place to stop the spread of the virus; it’s the first step,” the spokeswoman said.

“We’re seeking to have a global vision to see which sites have been affected,” she added.

UPDATE 1 UK government in dark over who behind cyber attack

The British government does not yet know who was behind Friday’s global cyber attack that disrupted the country’s health system, interior minister Amber Rudd said on Saturday.

“We’re not able to tell you who’s behind the attack. That work is still ongoing,” she told BBC radio.

She said Britain’s National Cyber Security Centre was working with the country’s health service to ensure the attack was contained, while the National Crime Agency was working with them to find out where it came from.

Rudd said the government did not know if the attack was directed by a foreign government.


Cyber extortionists tricked victims into opening malicious attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.

The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percent had given in to the extortionists.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers.

International shipper FedEx Corp said some of its Windows computers were also infected. “We are implementing remediation steps as quickly as possible,” it said in a statement.

Still, only a small number of U.S.-headquartered organizations were hit because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

By the time they turned their attention to the United States, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur said.

The U.S. Department of Homeland Security said late on Friday that it was aware of reports of the ransomware, was sharing information with domestic and foreign partners and was ready to lend technical support.

Telecommunications company Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Private security firms identified the ransomware as a new variant of “WannaCry” that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

“Once it gets in and starts moving across the infrastructure, there is no way to stop it,” said Adam Meyers, a researcher with cyber security firm CrowdStrike.

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm,” or self-spreading malware, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

“This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

“Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” Microsoft said in a statement. It said the company was working with its customers to provide additional assistance.

SENSITIVE TIMING

The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 1-1/2 days before a run-off vote in which he was elected as the new president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus.

Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

On Friday, Russia’s interior and emergencies ministries, as well as the country’s biggest bank, Sberbank, said they were targeted. The interior ministry said on its website that around 1,000 computers had been infected but it had localized the virus.

The emergencies ministry told Russian news agencies it had repelled the cyberattacks while Sberbank said its cyber security systems had prevented viruses from entering its systems.

NEW BREED OF RANSOMWARE

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement.

Reuters
