Bayer contains cyber attack it says bore Chinese hallmarks

FILE PHOTO: Logo of Bayer AG is pictured at the annual results news conference of the German drugmaker in Leverkusen, Germany February 27, 2019. REUTERS/Wolfgang Rattay/File Photo

By Patricia Weiss and Ludwig Burger

FRANKFURT (Reuters) – German drugmaker Bayer has contained a cyber attack it believes was hatched in China, the company said, highlighting the risk of data theft and disruption faced by big business.

Bayer found the infectious software on its computer networks early last year, covertly monitored and analyzed it until the end of last month and then cleared the threat from its systems, the company said on Thursday.

“There is no evidence of data theft,” Bayer said in a statement, though a spokesman added that the overall damage was still being assessed and that German state prosecutors had launched an investigation.

“This type of attack points toward the ‘Wicked Panda’ group in China, according to security experts,” the spokesman added, citing DCSO, a cyber security group set up by Bayer in 2015 with German partners Allianz, BASF and Volkswagen.

Third-party personal data was also not compromised, the spokesman said.

The hackers used malware called WINNTI, which makes it possible to access a system remotely and then pursue further exploits from there, said Andreas Rohr of the DCSO.

“Once it has been installed, more or less any action can be carried out,” Rohr said.

Discovery of WINNTI provides clear evidence of complex and sophisticated malware that is used in a targeted, sustained espionage campaign, he added.

Bayer, Germany’s biggest drugmaker and the world’s largest agricultural supplies company after its takeover of Monsanto, said it could not determine exactly when its systems were first compromised.

‘ACTIVE GROUP’

There was a WINNTI attack on computer systems at German technology group ThyssenKrupp in 2016, according to media reports at the time.

Rohr declined to comment in detail on the Bayer case, citing a non-disclosure agreement, but said he knew of at least five WINNTI attacks in Germany.

“This is a very active group of hackers with the ability to carry multiple international attacks in parallel,” he said.

Manufacturing groups across the globe are expanding their data networks as sensors, processing chips and analytical tools become more advanced and cheaper.

Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids, the country’s cybersecurity agency said in February.

While it’s not possible to say with certainty who was responsible for the attack, because the malware used is widely available, Rohr said the methods bore the hallmarks of Chinese hackers.

“The malware most probably comes from a Chinese group of ‘mercenaries’ who carry out targeted attacks and campaigns on the internet for money,” he said.

“Their targets have in the past been the online gambling industry, the theft of intellectual property of the affected companies or the use of access for the purposes of espionage.”

German broadcasters BR and NDR initially reported the incident.

(Additional reporting by Douglas Busvine; Editing by Keith Weir and David Goodman)

Hackers hit aluminum maker Hydro, knock some plants offline

A note warning visitors about a cyber attack is seen at the headquarters of aluminum producer Norsk Hydro in Oslo, Norway March 19, 2019. NTB Scanpix/Terje Pedersen via REUTERS

By Gwladys Fouche and Terje Solsvik

OSLO (Reuters) – Norsk Hydro, one of the world’s largest producers of aluminum, battled on Tuesday to contain a cyber attack which hit parts of its production, sending its shares lower and aluminum prices higher.

The company shut several metal extrusion plants, which transform aluminum ingots into components for car makers, builders and other industries, while its giant smelters in countries including Norway, Qatar and Brazil were being operated manually.

The attack began on Monday evening and escalated overnight, hitting Hydro’s IT systems for most of its activities and forcing staff to issue updates via social media.

FILE PHOTO: An aluminum coil is seen during the opening of a production line for the car industry at a branch of Norway’s Hydro aluminum company in Grevenbroich, Germany May 4, 2017. REUTERS/Wolfgang Rattay/File Photo

The Norwegian National Security Authority (NNSA), the state agency in charge of cybersecurity, said the attack used a virus known as LockerGoga, a relatively new strain of so-called ransomware which encrypts computer files and demands payment to unlock them.

Citing a message sent by the NNSA, public broadcaster NRK said on its website hackers had demanded ransom money from Hydro to stop the attack, but the company has not confirmed this.

The malware is not widely used by cybercrime groups, researchers said, but has been linked to an attack on French engineering consultancy Altran Technologies in January.

“Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” the company said in a statement.

It added that the attack had not affected the safety of its staff and it was too early to assess the impact on customers.

News of the attack pushed aluminum prices up 1.2 percent to a three-month high of $1,944 a tonne in early trade on the London Metal Exchange, before giving up some gains to trade at $1,938 by 1253 GMT.

The event was a rare case of an attack on industrial operations in Norway. The last publicly acknowledged cyber attack in the Nordic country was on software firm Visma, when hackers allegedly working on behalf of Chinese intelligence breached its network to steal secrets from its clients.

PLANT CLOSURES

Companies and governments have become increasingly concerned about the damage hackers can cause to industrial systems and critical national infrastructure following a number of high-profile cyber attacks.

In 2017, hackers later accused by the United States of working for the North Korean government unleashed billions of dollars worth of damage with the WannaCry ransomware virus, which crippled hospitals, banks and other companies worldwide.

Pyongyang has denied the allegations.

Other cyber attacks have downed electricity grids and transport systems in recent years, and an attack on Italian oil services firm Saipem late last year destroyed more than 300 of the company’s computers.

Hydro makes products across the aluminum value chain, from the refinement of alumina raw material via metal ingots to bespoke components used in cars and construction.

“Some extrusion plants that are easy to stop and start have chosen to temporarily shut production,” said a Hydro spokesman.

The company’s hydroelectric power plants were running as normal on isolated IT systems unaffected by the outage.

Norsk Hydro’s main website page was unavailable on Tuesday, although some of the web pages belonging to subsidiaries could still be accessed. The company was giving updates on the situation on its Facebook page.

“Hydro’s main priority now is to limit the effects of the attack and to ensure continued people safety,” it wrote in a Facebook post.

Hydro shares fell 3.4 percent in early trade before a partial recovery to trade down 0.4 percent by 1253 GMT. They were still lagging the Oslo benchmark index, which was up 0.7 percent.

Hydro, which has 36,000 employees in 40 countries, made a net profit of 4.3 billion Norwegian crowns ($505 million) last year on sales of 159.4 billion.

(Additional reporting by Nerijus Adomaitis in Oslo, with Jack Stubbs and Barbara Lewis in London; Editing by Kirsten Donovan and David Holmes)

World must keep lethal weapons under human control, Germany says

FILE PHOTO: German Foreign Minister Heiko Maas arrives for the weekly German cabinet meeting at the Chancellery in Berlin, Germany, March 13, 2019. REUTERS/Annegret Hilse

BERLIN (Reuters) – Germany’s foreign minister on Friday called for urgent efforts to ensure that humans remained in control of lethal weapons, as a step toward banning “killer robots”.

Heiko Maas told an arms control conference in Berlin that rules were needed to limit the development and use of weapons that could kill without human involvement.

Critics fear that the increasingly autonomous drones, missile defense systems and tanks made possible by new technology and artificial intelligence could turn rogue in a cyber-attack or as a result of programming errors.

The United Nations and the European Union have called for a global ban on such weapons, but discussions so far have not yielded a clear commitment to conclude a treaty.

“Killer robots that make life-or-death decisions on the basis of anonymous data sets, and completely beyond human control, are already a shockingly real prospect today,” Maas said. “Fundamentally, it’s about whether we control the technology or it controls us.”

Germany, Sweden and the Netherlands signed a declaration at the conference vowing to work to prevent weapons proliferation.

“We want to codify the principle of human control over all deadly weapons systems internationally, and thereby take a big step toward a global ban on fully autonomous weapons,” Maas told the conference.

He said he hoped progress could be made in talks under the Convention on Certain Conventional Weapons (CCW) this year. The next CCW talks on lethal autonomous weapons take place this month in Geneva.

Human Rights Watch’s Mary Wareham, coordinator of the Campaign to Stop Killer Robots, urged Germany to push for negotiations on a global treaty, rather than a non-binding declaration.

“Measures that fall short of a new ban treaty will be insufficient to deal with the multiple challenges raised by killer robots,” she said in a statement.

In a new Ipsos survey, 61 percent of respondents in 26 countries opposed the use of lethal autonomous weapons.

(Reporting by Andrea Shalal; Editing by Kevin Liffey)

British Airways says a further 185,000 payment cards possibly hit in cyber attack

FILE PHOTO - People queue with their luggage for the British Airways check-in desk at Gatwick Airport in southern England, Britain, May 28, 2017. REUTERS/Hannah McKay

(Reuters) – International Airlines Group said an investigation into the theft of customers’ data at its unit British Airways showed the hackers may have stolen personal information from an additional 185,000 payment cards.

BA said in September that around 380,000 card payments were compromised, with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.

On Thursday, British Airways revised that number down, saying that only 244,000 of those originally identified were affected, but said additional customers could have been affected.

On the whole, the total number of payment cards potentially affected stood at 429,000 as of Thursday.

The hackers obtained names, street and email addresses, credit card numbers, expiry dates and in some cases, security codes – sufficient information to steal from accounts.

(Reporting by Arathy S Nair in Bengaluru; Editing by Elaine Hardcastle)

Japan hit by another cryptocurrency heist, $60 million stolen

The silhouette of Japan's highest mountain Mount Fuji is seen beyond buildings in Tokyo in a file photo. REUTERS/Issei Kato

By Taiga Uranaka

TOKYO (Reuters) – Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.

Tech Bureau, which had already been slapped with two business improvement orders by regulators this year, said its Zaif exchange was hacked over a two-hour period on Sept. 14. It detected server problems on Sept. 17, confirmed the hack the following day, and notified authorities, the exchange said on Thursday.

Following the hack, Tech Bureau said it had agreed with JASDAQ-listed Fisco Ltd to receive a 5 billion yen ($44.59 million) investment in exchange for majority ownership. The proceeds from the investment would be used to replace the digital currencies stolen from client accounts.

However, Fisco said in a statement the 5 billion yen in “financial assistance” may change in value if the amount affected by the heist changes upon further investigation.

Documents seen by Reuters on Thursday showed Japan’s Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators’ management of customer assets, following the theft. FSA officials were not immediately available for comment.

Japan’s crypto exchanges have been under close regulatory scrutiny after the theft of $530 million in digital coins at Tokyo-based cryptocurrency exchange Coincheck Inc. in January. Coincheck has since been acquired by Japanese online brokerage Monex Group Inc.

In the industry-wide check that followed the Coincheck theft, FSA said it found sloppy management at many exchanges, including the lack of proper safeguards for client assets and basic anti-money laundering measures.

In the Tech Bureau theft, virtual currencies worth about 6.7 billion yen ($59.67 million), including Bitcoin, Monacoin and Bitcoin Cash, were stolen from the exchange’s “hot wallet”. About 2.2 billion yen worth of the stolen currency was its own while the remaining 4.5 billion yen belonged to customers, it said.

Hot wallets are connected to the internet. Industry experts consider them to be more vulnerable to hacks than “cold wallets”, which are not connected to the internet.

The latest hack is likely to affect the FSA’s ongoing regulatory review of the industry. Other countries are also grappling with how to regulate the crypto market.

Japan last year became the first country to regulate cryptocurrency exchanges, as it encourages technological innovation while ensuring consumer protection. Exchanges have to register with the FSA and have required reporting and other responsibilities.

FSA said last week more than 160 entities have expressed interest in entering the cryptocurrency exchange business but FSA has not issued any approval since December last year.

Toshihide Endo, FSA commissioner, told Reuters in an interview last month that the agency is trying to strike a balance between safeguarding clients and technological innovation.

“We have no intention to curb (the crypto industry) excessively,” he said. “We would like to see it grow under appropriate regulation.”

($1 = 112.1400 yen)

(Additional reporting by Chang-Ran Kim and Takahiko Wada; Editing by Shri Navaratnam and Sam Holmes)

British Airways apologizes after 380,000 customers hit in cyber attack

Commuters pass a British Airways advert on the tube at Canary Wharf station in London, Britain September 7, 2018. REUTERS/Kevin Coombs

By Paul Sandle

LONDON (Reuters) – British Airways was forced to apologize on Friday after the credit card details of hundreds of thousands of its customers were stolen over a two-week period in the most serious attack on its website and app.

The airline discovered on Wednesday that bookings made between Aug. 21 and Sept. 5 had been infiltrated in a “very sophisticated, malicious criminal” attack, BA Chairman and Chief Executive Alex Cruz said. It immediately contacted customers when the extent of the breach became clear.

Around 380,000 card payments were compromised, the airline said, with hackers obtaining names, street, and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.

The attack came 15 months after the carrier suffered a massive computer system failure at London’s Heathrow airport, which stranded 75,000 customers over a holiday weekend.

Shares in BA’s parent, International Airlines Group, were down 2 percent in afternoon trading on Friday.

Cruz said the carrier was “deeply sorry” for the disruption caused by the attack which was unprecedented in the more than 20 years that BA had operated online.

He said the attackers had not broken the airline’s encryption but did not explain exactly how they had obtained the customer information.

“There were other methods, very sophisticated efforts, by criminals in obtaining the data,” he told BBC radio.

IT security company Avast said that based on the limited information available the attackers had probably targeted a gateway between the airline and a payment processor because no travel details had been stolen.

“Quite often, when it’s just a hack of a database somewhere it is hard to identify when something has been compromised,” Avast’s consumer security expert Pete Turner said.

“This feels much more like a transaction-type attack, where data is moving about within the system.”

COMPENSATION

The British government said authorities including the National Cyber Security Centre and the National Crime Agency were working to establish what had happened.

The country’s Information Commissioner’s Office said it had been alerted by BA and it was making inquiries. Under new GDPR data regulations, companies must inform regulators of a cyber attack within 72 hours.

BA advised customers to contact their bank or credit card provider and follow their recommended advice. It also took out ads in national newspapers on Friday.

Cruz said anyone who lost out financially would be compensated by the airline.

Data security expert Trevor Reschke said that like any website which sees large volumes of card transactions, BA was a ripe target for hackers.

“It is now a race between British Airways and the criminal underground,” said Reschke, head of threat intelligence at Trusted Knight.

“One will be figuring out which cards have been compromised and alerting victims, whilst the other will be trying to abuse them while they are still fresh.”

NatWest, one of Britain’s biggest card issuers, said it was receiving higher-than-usual call volumes because of the breach.

It said in a recorded message that its security systems would likely stop any fraud as a result of the hack but anyone affected should look out for unusual activity on their accounts.

IAG said the data breach had been resolved and the website was working normally, and that no travel or passport details were stolen.

After the computer system failure in May 2017, BA said it would take steps to ensure such an incident never happened again, but in July it was forced to cancel and delay flights out of the same airport due to problems with a supplier’s IT systems.

(Reporting by Paul Sandle and James Davey in London and Sangameswaran S and Rama Venkat Raman in Bengaluru; Editing by Keith Weir)

Cyber-attack on Singapore health database steals details of 1.5 million, including PM

Singapore Prime Minister Lee Hsien Loong in Manila, Philippines November 14, 2017. REUTERS/Aaron Favila/Pool

By Jack Kim

SINGAPORE (Reuters) – A major cyber attack on Singapore’s government health database stole the personal information of about 1.5 million people, including Prime Minister Lee Hsien Loong, the government said on Friday.

The attack, which the government called “the most serious breach of personal data” that the country has experienced, comes as the highly wired and digitalized state has made cybersecurity a top priority for the ASEAN bloc and for itself.

Singapore is this year’s chair of the 10-member Association of Southeast Asian Nations (ASEAN) group.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack,” a government statement said.

“It was not the work of casual hackers or criminal gangs,” the joint statement by the Health Ministry and the Ministry of Communications and Information said.

About 1.5 million patients who visited clinics between May 2015 and July 4 this year have had their non-medical personal particulars illegally accessed and copied, the statement said.

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines,” it said.

A Committee of Inquiry will be established and immediate action will be taken to strengthen government systems against cyber attacks, the Ministry of Communications said in a separate statement.

It did not provide details about what entity or individuals may have been behind the attack.

Lee, in a Facebook post following the announcement, said the breach of his personal medical data was not incidental and he did not know what information the attackers were hoping to find.

“My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it,” he said.

(Reporting by Jack Kim; Editing by Clarence Fernandez and Michael Perry)

Exclusive: Ukraine says Russia hackers laying groundwork for massive strike

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by cyber attacks, in Kiev, Ukraine June 27, 2017. Picture taken June 27, 2017. REUTERS/Valentyn Ogirenko

By Pavel Polityuk

KIEV (Reuters) – Hackers from Russia are infecting Ukrainian companies with malware to create so-called ‘back doors’ for a large coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday, almost a year after a strike on Ukraine spread around the world.

Affected companies range across various industries, such as banks or energy infrastructure. The pattern of the malware being rolled out suggests the people behind it want to activate it on a particular day, Serhiy Demedyuk said.

Demedyuk said his staff were cooperating with foreign agencies to track the hackers, without naming the agencies.

Police had identified viruses designed to hit Ukraine since the start of the year, including phishing emails sent from legitimate domains of state institutions whose systems were hacked, or a fake webpage mimicking that of a real state body.

They had intercepted hackers sending malware from different sources and broken into various components so as to remain undetected by antivirus software until activated as a single unit, Demedyuk said.

“Analysis of the malicious software that has already been identified and the targeting of attacks on Ukraine suggest that this is all being done for a specific day,” he said.

Relations between Ukraine and Russia plunged following Russia’s annexation of Crimea in 2014, and Kiev has accused Russia of orchestrating large-scale cyber attacks as part of a “hybrid war” against Ukraine, which Moscow repeatedly denies.

Some attacks coincided with major Ukrainian holidays and Demedyuk said another strike could be launched on Thursday — Constitution Day — or on Independence Day in August.

On June 27 last year, the country was hit by a massive strike known as “NotPetya”, which knocked out Ukrainian IT systems before spreading around the world. The United States and Britain joined Ukraine in blaming Russia for the attack.

Demedyuk said the scale of the latest detected preparations was the same as NotPetya.

“This is support on a government level – very expensive and very synchronized. Without the help of government bodies it would not be possible. We’re talking now about the Russian Federation,” he said.

“Everything we’re seeing, everything we’ve intercepted in this period: 99 percent of the traces come from Russia.”

The Kremlin did not immediately respond to a request for comment.

Ukraine is better prepared to withstand such attacks thanks to cooperation with foreign allies since the NotPetya strike, Demedyuk said. Ukraine has received support from the U.S., Britain and NATO among others to beef up its cyber defenses.

But Demedyuk said some Ukrainian companies had not bothered to clean their computers after NotPetya struck, leaving machines still infected by the virus and vulnerable to being used for another attack.

“We are sounding the alarm to remind people – come to your senses, check your equipment,” he said. “It’s better to be on the safe side than clean up a mess like last time.”

He also appealed to global companies who were hit by NotPetya, including U.S. and European firms in Ukraine, to share details of their investigations and steps to localize the hack.

“They have a huge amount of very interesting evidence, which they store themselves. We would like it if they weren’t scared and approached us.”

(Additional reporting by Margarita Popova in Moscow; writing by Matthias Williams; editing by Philippa Fletcher)

Atlanta officials reveal worsening effects of cyber attack

(Reuters) – The Atlanta cyber attack has had a more serious impact on the city’s ability to deliver basic services than previously understood, a city official said at a public meeting on Wednesday, as she proposed an additional $9.5 million to help pay for recovery costs.

Atlanta’s administration has disclosed little about the financial impact or scope of the March 22 ransomware hack, but information released at the budget briefings confirms concerns that it may be the worst cyber assault on any U.S. city.

More than a third of the 424 software programs used by the city have been thrown offline or partially disabled in the incident, Atlanta Information Management head Daphne Rackley said. Nearly 30 percent of the affected applications are considered “mission critical,” affecting core city services, including police and courts.

Initially, officials believed the reach of the cyber assault on city software was close to 20 percent and that no critical applications were compromised, Rackley said.

“It’s a lot more… it seems to be growing every day,” she told the Atlanta City Council, which must vote on a fiscal 2019 budget by the end of the month.

Rackley anticipated an additional $9.5 million would be needed by her department in the coming year due to the hacking. That would be a sharp increase from the $35 million Mayor Keisha Lance Bottoms suggested for the technology department in her budget pitch, which was delayed in the cyber incident.

Top city officials are still discovering the extent of the ransomware incident, in which hackers demanded $51,000 worth of bitcoin for the release of encrypted city data. Atlanta has said it did not pay the ransom.

Departments citywide, including municipal courts, told the council on Wednesday about their struggles to regain workplace normalcy since the attack. Interim City Attorney Nina Hickson said her office lost 71 of 77 computers as well as a decade of legal documents.

The discussions came two days after Atlanta Police Chief Erika Shields told local television news station WSB-TV 2 that the hack wiped out police dash-cam recordings. “That is lost and will not be recovered,” she said in a brief televised interview.

City Council President Felicia Moore told the administrators she was frustrated by how little she has been told about the cyber attack investigation. Many times, Moore said, she learns about developments in the news. “Something has to give,” she said.

Councilman Howard Shook, chair of the finance committee, asked how much attack-related costs have risen elsewhere in the city since the budget proposal was put together.

“A lot of water has gone over the dam since then,” Shook said.

In response, administrators said they were still working on determining total costs. Deputy Chief Financial Officer John Gaffney, whose department helps develop the mayor’s budget proposal, said the city was still in the “response phase.”

(Reporting by Laila Kearney; Editing by Leslie Adler)

Cyber firms, Ukraine warn of planned Russian attack

Power lines are seen near the Trypillian thermal power plant in Kiev region, Ukraine November 23, 2017. REUTERS/Valentyn Ogirenko

By Jim Finkle and Pavel Polityuk

TORONTO/KIEV (Reuters) – Cisco Systems Inc warned on Wednesday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malicious software – activity Ukraine said was preparation for a future Russian cyber attack.

Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack against Ukraine ahead of the Champions League soccer final, due to be held in Kiev on Saturday.

“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final,” it said in a statement after Cisco’s findings were released.

Russia has previously denied assertions by Ukraine, the United States, other nations and Western cyber-security firms that it is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and interfering in the 2016 U.S. presidential election.

The Kremlin did not immediately respond to a request for comment submitted by Reuters on Wednesday.

Cisco said the new malware, dubbed VPNFilter, could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

“With a network like this you could do anything,” Williams told Reuters.

CONSTITUTION DAY ATTACK

The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the Cyber Threat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.

Members include Cisco, Check Point Software Technologies Ltd, Fortinet Inc, Palo Alto Networks Inc, Sophos Group Plc and Symantec Corp.

“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.

The devices infected with VPNFilter are scattered across at least 54 countries, but Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.

Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is poised to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.

Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.

They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.

VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.

The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.

The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.

(Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich)