50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers

FILE PHOTO: People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic

By Jack Stubbs

LONDON (Reuters) – Up to 50,000 companies running SAP software are at greater risk of being hacked after security researchers found new ways to exploit vulnerabilities of systems that haven’t been properly protected and published the tools to do so online.

German software giant SAP said it issued guidance on how to correctly configure the security settings in 2009 and 2013. But data compiled by security firm Onapsis shows that 90 percent of affected SAP systems have not been properly protected.

“Basically, a company can be brought to a halt in a matter of seconds,” said Onapsis Chief Executive Mariano Nunez, whose company specializes in securing business applications such as those made by SAP and rival Oracle.

“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”

SAP said: “SAP always strongly recommends to install security fixes as they are released.”

SAP software is used by more than 90 percent of the world’s top 2,000 companies to manage everything from employee payrolls to product distribution and industrial processes.

Security experts say attacks on those systems could be hugely damaging, both for the victim organizations and their wider supply chain. SAP customers collectively distribute 78 percent of the world’s food and 82 percent of global medical devices, the company says on its website.

Sogeti security consultant Mathieu Geli, one of the researchers who developed the exploits released online last month, said the issue concerned the way SAP applications talk to one another inside a company.

If a company’s security settings are not configured correctly, he said, a hacker can trick an application into thinking they are another SAP product and gain full access without the need for any login credentials.
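The misconfiguration the article describes is an access-control list that is left at a wildcard, so any host can present itself as a trusted SAP component. The following audit script is an added example, not code from the article, SAP or Onapsis: the article does not name the files involved, so the reginfo/secinfo file names and their VERSION=2 line syntax are SAP Gateway conventions assumed here, and both sample files are constructed.

```python
"""Audit SAP Gateway ACL files for wildcard permit rules.

Added example; not code from the article, SAP or Onapsis. The reginfo and
secinfo file names and their VERSION=2 syntax are assumed SAP Gateway
conventions; the two sample files below are constructed.
"""
from dataclasses import dataclass

# Constructed reginfo: the first rule lets any host register any program
SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=sapxpg HOST=app01.internal,app02.internal ACCESS=internal CANCEL=internal
"""

# Constructed secinfo: the first rule lets any user on any host start any program
SAMPLE_SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=/usr/sap/bin/cleanup USER=batchadm HOST=local USER-HOST=local
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    reason: str


def parse_rules(text):
    """Yield (line_no, action, attrs, raw_line) for each non-comment rule line."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        action = parts[0]                       # P = permit, D = deny
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        yield n, action, attrs, line


def audit(text):
    """Return permit rules whose HOST (and optionally TP) is the wildcard '*'."""
    findings = []
    for n, action, attrs, raw in parse_rules(text):
        if action != "P":
            continue
        tp = attrs.get("TP", "*")
        host = attrs.get("HOST", "*")
        if tp == "*" and host == "*":
            findings.append(Finding(n, raw, "any host may use or register any program"))
        elif host == "*":
            findings.append(Finding(n, raw, f"any host may use TP={tp}"))
    return findings


if __name__ == "__main__":
    for name, text in (("reginfo", SAMPLE_REGINFO), ("secinfo", SAMPLE_SECINFO)):
        for f in audit(text):
            print(f"{name}:{f.line_no}: {f.reason}: {f.rule}")
```

Run against a real file, the script prints each permissive line with its line number; the fix is to replace the wildcard rule with explicit program names and host lists, as the second rule in each sample does.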

SAP said customer security was a priority and the vulnerabilities showed the need for clients to implement recommended fixes when they are released. “Security is a collaborative process, so our customers and partners need to safeguard their systems as well,” it said in a statement.

CRITICAL SYSTEMS

Researchers at Onapsis said on Thursday they were naming the exploits “10KBLAZE” because of the threat they posed to “business-critical applications” which, if hacked, could result in “material misstatements” in U.S. financial filings.

Nunez said he would share his company’s ability to detect the vulnerabilities with other security vendors to help secure all SAP users against possible future attacks.

Sogeti’s Geli said he created the exploits to prove the danger of the vulnerabilities and released them online in order to help experts test the security of SAP systems.

He said there was a risk they could be used by malicious actors but not people without technical ability, and it was more important for companies to update their security settings.

“We are just pointing out something that is already fixed for SAP but clients maybe are a bit late on,” he said. “We are trying to push that and say: ‘Guys, this is critical, you need to fix it.’”

(Reporting by Jack Stubbs; editing by Georgina Prodhan)

Bayer contains cyber attack it says bore Chinese hallmarks

FILE PHOTO: Logo of Bayer AG is pictured at the annual results news conference of the German drugmaker in Leverkusen, Germany February 27, 2019. REUTERS/Wolfgang Rattay/File Photo

By Patricia Weiss and Ludwig Burger

FRANKFURT (Reuters) – German drugmaker Bayer has contained a cyber attack it believes was hatched in China, the company said, highlighting the risk of data theft and disruption faced by big business.

Bayer found the infectious software on its computer networks early last year, covertly monitored and analyzed it until the end of last month and then cleared the threat from its systems, the company said on Thursday.

“There is no evidence of data theft,” Bayer said in a statement, though a spokesman added that the overall damage was still being assessed and that German state prosecutors had launched an investigation.

“This type of attack points toward the ‘Wicked Panda’ group in China, according to security experts,” the spokesman added, citing DCSO, a cyber security group set up by Bayer in 2015 with German partners Allianz, BASF and Volkswagen.

Third-party personal data was also not compromised, the spokesman said.

The hackers used malware called WINNTI, which makes it possible to access a system remotely and then pursue further exploits from there, said Andreas Rohr of the DCSO.

“Once it has been installed, more or less any action can be carried out,” Rohr said.

Discovery of WINNTI provides clear evidence of complex and sophisticated malware that is used in a targeted, sustained espionage campaign, he added.

Bayer, Germany’s biggest drugmaker and the world’s largest agricultural supplies company after its takeover of Monsanto, said it could not determine exactly when its systems were first compromised.

‘ACTIVE GROUP’

There was a WINNTI attack on computer systems at German technology group ThyssenKrupp in 2016, according to media reports at the time.

Rohr declined to comment in detail on the Bayer case, citing a non-disclosure agreement but said he knew of at least five WINNTI attacks in Germany.

“This is a very active group of hackers with the ability to carry multiple international attacks in parallel,” he said.

Manufacturing groups across the globe are expanding their data networks as sensors, processing chips and analytical tools become more advanced and cheaper.

Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids, the country’s cybersecurity agency said in February.

While it’s not possible to say with certainty who was responsible for the attack, because the malware used is widely available, Rohr said the methods bore the hallmarks of Chinese hackers.

“The malware most probably comes from a Chinese group of ‘mercenaries’ who carry out targeted attacks and campaigns on the internet for money,” he said.

“Their targets have in the past been the online gambling industry, the theft of intellectual property of the affected companies or the use of access for the purposes of espionage.”

German broadcasters BR and NDR initially reported the incident.

(Additional reporting by Douglas Busvine; Editing by Keith Weir and David Goodman)

Millions of Facebook records found on Amazon cloud servers: UpGuard

FILE PHOTO: A 3D plastic representation of the Facebook logo is seen in front of displayed cables in this illustration in Zenica, Bosnia and Herzegovina May 13, 2015. REUTERS/Dado Ruvic/File Photo

(Reuters) – Millions of Facebook Inc’s user records were inadvertently posted on Amazon.com Inc’s cloud computing servers in plain sight, researchers at cybersecurity firm UpGuard reported on Wednesday.

Facebook said last month it resolved a glitch that exposed passwords of millions of users stored in readable format within its internal systems to its employees.

Cybersecurity blog KrebsOnSecurity also reported in March that the passwords were accessible to as many as 20,000 Facebook employees and dated back as early as 2012.

Facebook and Amazon did not immediately respond to requests for comment.

(Reporting by Akanksha Rana in Bengaluru; Editing by James Emmanuel)

White House pledges to step up cyber offense on hackers

FILE PHOTO: A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

By Christopher Bing

WASHINGTON (Reuters) – The White House warned foreign hackers on Thursday it will increase offensive measures as part of a new national cyber security strategy.

The move comes as U.S. intelligence officials expect a flurry of digital attacks ahead of the Nov. 6 congressional elections.

The strategy provides federal agencies with new guidance for how to protect themselves and the private data of Americans, White House National Security Adviser John Bolton told reporters.

Bolton said the policy change was needed “not because we want more offensive operations in cyberspace but precisely to create the structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.”

The new policy also outlines a series of broad priorities, including the need to develop global internet policies and a competent domestic cybersecurity workforce.

It follows a recent Trump administration decision to reverse an Obama-era directive, known as PPD-20, which established an exhaustive approval process for the military to navigate in order to launch hacking operations. Bolton said the removal provided more leeway to respond to foreign cyber threats.

“In general, I think there is new tone in the policy but not much new policy other than the revocation of PPD-20, which had already been announced,” Ari Schwartz, White House National Security Council cybersecurity director under President Barack Obama, told Reuters.

“In my experience it has not been deterrence policies that held back response, but the inability of agencies to execute,” he said.

“I guess we will see what happens if this strategy really leads to less oversight, but a lack of oversight will likely lead to a lot of confusing finger-pointing in the wake of any failure.”

(Reporting by Christopher Bing; editing by Lisa Shumaker and Dan Grebler)

Exclusive: Iran-based political influence operation – bigger, persistent, global

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of Instagram logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – An apparent Iranian influence operation targeting internet users worldwide is significantly bigger than previously identified, Reuters has found, encompassing a sprawling network of anonymous websites and social media accounts in 11 different languages.

Facebook and other companies said last week that multiple social media accounts and websites were part of an Iranian project to covertly influence public opinion in other countries. A Reuters analysis has identified 10 more sites and dozens of social media accounts across Facebook, Instagram, Twitter and YouTube.

U.S.-based cybersecurity firm FireEye Inc and Israeli firm ClearSky reviewed Reuters’ findings and said technical indicators showed the web of newly-identified sites and social media accounts – called the International Union of Virtual Media, or IUVM – was a piece of the same campaign, parts of which were taken down last week by Facebook Inc, Twitter Inc and Alphabet Inc.

IUVM pushes content from Iranian state media and other outlets aligned with the government in Tehran across the internet, often obscuring the original source of the information such as Iran’s PressTV, FARS news agency and al-Manar TV run by the Iran-backed Shi’ite Muslim group Hezbollah.

PressTV, FARS, al-Manar TV and representatives for the Iranian government did not respond to requests for comment. The Iranian mission to the United Nations last week dismissed accusations of an Iranian influence campaign as “ridiculous.”

The extended network of disinformation highlights how multiple state-affiliated groups are exploiting social media to manipulate users and further their geopolitical agendas, and how difficult it is for tech companies to guard against political interference on their platforms.

In July, a U.S. grand jury indicted 12 Russians whom prosecutors said were intelligence officers, on charges of hacking political groups in the 2016 U.S. presidential election. U.S. officials have said Russia, which has denied the allegations, could also attempt to disrupt congressional elections in November.

Ben Nimmo, a senior fellow at the Atlantic Council’s Digital Forensic Research Lab who has previously analyzed disinformation campaigns for Facebook, said the IUVM network displayed the extent and scale of the Iranian operation.

“It’s a large-scale amplifier for Iranian state messaging,” Nimmo said. “This shows how easy it is to run an influence operation online, even when the level of skill is low. The Iranian operation relied on quantity, not quality, but it stayed undetected for years.”

FURTHER INVESTIGATIONS

Facebook spokesman Jay Nancarrow said the company is still investigating accounts and pages linked to Iran and had taken more down on Tuesday.

“This is an ongoing investigation and we will continue to find out more,” he said. “We’re also glad to see that the information we and others shared last week has prompted additional attention on this kind of inauthentic behavior.”

Twitter referred to a statement it tweeted on Monday shortly after receiving a request for comment from Reuters. The statement said the company had removed a further 486 accounts for violating its terms of use since last week, bringing the total number of suspended accounts to 770.

“Fewer than 100 of the 770 suspended accounts claimed to be located in the U.S. and many of these were sharing divisive social commentary,” Twitter said.

Google declined to comment but took down the IUVM TV YouTube account after Reuters contacted the company with questions about it. A message on the page on Tuesday said the account had been “terminated for a violation of YouTube’s Terms of Service.”

IUVM did not respond to multiple emails or social media messages requesting comment.

The organization does not conceal its aims, however. Documents on the main IUVM website said its headquarters are in Tehran and its objectives include “confronting with remarkable arrogance, western governments, and Zionism front activities.”

APP STORE AND SATIRICAL CARTOONS

IUVM uses its network of websites – including a YouTube channel, breaking news service, mobile phone app store, and a hub for satirical cartoons mocking Israel and Iran’s regional rival Saudi Arabia – to distribute content taken from Iranian state media and other outlets which support Tehran’s position on geopolitical issues.

Reuters recorded the IUVM network operating in English, French, Arabic, Farsi, Urdu, Pashto, Russian, Hindi, Azerbaijani, Turkish and Spanish.

Much of the content is then reproduced by a range of alternative media sites, including some of those identified by FireEye last week as being run by Iran while purporting to be domestic American or British news outlets.

For example, an article run in January by Liberty Front Press – one of the pseudo-U.S. news sites exposed by FireEye – reported on the battlefield gains made by the army of Iranian ally Syrian President Bashar al-Assad. That article was sourced to IUVM but actually lifted from two FARS news agency stories.

FireEye analyst Lee Foster said iuvmpress.com, one of the biggest IUVM websites, was registered in January 2015 with the same email address used to register two sites already identified as being run by Iran. ClearSky said multiple IUVM sites were hosted on the same server as another website used in the Iranian operation.

(Reporting by Jack Stubbs in LONDON, Christopher Bing in WASHINGTON; Additional reporting by Bozorgmehr Sharafedin in LONDON; Editing by Damon Darlin and Grant McCool)

Russian hackers targeted U.S. Senate, think tanks: Microsoft

FILE PHOTO: A Microsoft logo is seen in Los Angeles, California U.S. November 7, 2017. REUTERS/Lucy Nicholson/File Photo

By Brendan O’Brien

(Reuters) – Microsoft Corp charged that hackers linked to Russia’s government sought to launch cyber attacks on the U.S. Senate and conservative American think tanks, warning that Moscow is broadening attacks ahead of November’s congressional elections.

The world’s biggest software company said late on Monday that it last week took control of six web domains that hackers had created to mimic sites belonging to the Senate and the think tanks. Users who visited the fake sites were asked to enter login credentials.

It is the latest in a string of actions Microsoft has taken to thwart what it charges are Russian government hacking attempts. The company said it has shut down 84 fake websites in 12 court-approved actions over the past two years.

“We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” Microsoft President Brad Smith said in a blog post.

Microsoft said it had no evidence that the hackers had succeeded in compromising any user credentials before it took control of the malicious sites.

The Kremlin rejected the Microsoft allegations and said there was no evidence to support them.

“We don’t know what hackers they are talking about,” Kremlin spokesman Dmitry Peskov told reporters. “Who exactly are they talking about? We don’t understand what the proof and the basis is for them drawing these kind of conclusions. Such information (proof) is lacking.”

Moscow has repeatedly dismissed allegations that it has used hackers to influence U.S. elections and political opinion.

The targets, Microsoft said, included the International Republican Institute, whose high-profile Republican board members include Senator John McCain of Arizona, who has criticized U.S. President Donald Trump’s interactions with Russia and Moscow’s rights record.

The Hudson Institute, another target, has hosted discussions on topics including cyber security, according to Microsoft. It has also examined the rise of kleptocracy, especially in Russia, and has been critical of the Russian government.

Other malicious domains were used to mimic legitimate sites used by the U.S. Senate and Microsoft’s Office software suite, the company said.

CYBER TENSIONS

Microsoft’s report came amid increasing tensions between Moscow and Washington ahead of midterm elections in November.

A U.S. federal grand jury indicted 12 Russian intelligence officers in July on charges of hacking the computer networks of 2016 Democratic presidential candidate Hillary Clinton and the Democratic Party.

Special Counsel Robert Mueller is investigating Russia’s role in the 2016 election and whether Trump’s campaign worked with Russians to sway the vote. Russia denies interfering in the elections and Trump has denied any collusion.

The type of attack is known as “spear phishing,” in which the hackers trick victims into entering their username and password into a fake site in order to steal their credentials.
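The domains Microsoft seized were built to mimic Senate and Office login pages. A defender's first line of triage is to test newly seen hostnames against the sites worth impersonating. The script below is an added example, not Microsoft's code or anything from the article: the legitimate-domain list, the candidate hostnames (using the reserved .test suffix) and the small homoglyph table are all constructed.

```python
"""Triage hostnames against a short list of sites worth impersonating.

Added example; not Microsoft's code or anything from the article. The
legitimate-domain list, the candidate hostnames and the homoglyph table
are constructed for illustration.
"""
from difflib import SequenceMatcher

# Constructed: the article mentions Senate and Office sites being mimicked
LEGITIMATE = {"senate.gov", "office.com", "microsoft.com"}

# A few common visual substitutions, undone in this order
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("-", ""))


def registrable(host):
    """Naive registered domain: last two labels (ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Collapse look-alike character sequences so 0ffice compares as office."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def classify(host, legitimate=LEGITIMATE, threshold=0.8):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower()
    reg = registrable(host)
    if reg in legitimate:
        return "legitimate"
    reg_label = normalize(reg.split(".")[0])
    subdomain_labels = host.split(".")[:-2]
    for brand in {d.split(".")[0] for d in legitimate}:
        # 0ffice.com / rnicrosoft.com: registered label is a homoglyph of the brand
        if reg_label == brand:
            return "lookalike"
        # senate-login.test: brand embedded in the registered label (review by hand)
        if brand in reg_label:
            return "lookalike"
        # login.microsoft.com.account-verify.test: brand pushed into the subdomains
        if brand in subdomain_labels:
            return "lookalike"
        # senat.gov: one-character slips caught by string similarity
        if SequenceMatcher(None, reg_label, brand).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for h in ("senate.gov", "0ffice.com", "rnicrosoft.com",
              "login.microsoft.com.account-verify.test", "example.com"):
        print(f"{h:45} {classify(h)}")
```

The substring rule is deliberately loose (a legitimate "postoffice" domain would be flagged), which is the right trade-off for a feed that a human reviews; tighten the threshold or the brand list rather than the rules if the false-positive rate is too high.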

Facebook Inc said late last month it had removed 32 pages and fake accounts from its platforms in a bid to combat foreign meddling ahead of the U.S. votes.

The company stopped short of identifying the source of the misinformation. But members of Congress who had been briefed by Facebook on the matter said the methodology of the influence campaign suggested Russian involvement.

(Reporting by Brendan O’Brien; Additional reporting by Andrew Osborn and Tom Balmforth in Moscow; Editing by Jim Finkle and Steve Orlofsky)

More U.S. states deploy technology to track election hacking attempts

FILE PHOTO: A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, U.S. on July 29, 2017. REUTERS/Steve Marcus/File Photo

By Christopher Bing

WASHINGTON (Reuters) – A majority of U.S. states has adopted technology that allows the federal government to see inside state computer systems managing voter data or voting devices in order to root out hackers.

Two years after Russian hackers breached voter registration databases in Illinois and Arizona, most states have begun using the government-approved equipment, according to three sources with knowledge of the deployment. Voter registration databases are used to verify the identity of voters when they visit polling stations.

The rapid adoption of the so-called Albert sensors, a $5,000 piece of hardware developed by the Center for Internet Security https://www.cisecurity.org, illustrates the broad concern shared by state government officials ahead of the 2018 midterm elections, government cybersecurity experts told Reuters.

CIS is a nonprofit organization based in East Greenbush, N.Y., that helps governments, businesses and organizations fight computer intrusions.

“We’ve recently added Albert sensors to our system because I believe voting systems have tremendous vulnerabilities that we need to plug; but also the voter registration systems are a concern,” said Neal Kelley, chief of elections for Orange County, California.

“That’s one of the things I lose sleep about: It’s what can we do to protect voter registration systems?”

As of August 7, 36 of 50 states had installed Albert at the “elections infrastructure level,” according to a Department of Homeland Security official. The official said that 74 individual sensors across 38 counties and other local government offices have been installed. Only 14 such sensors were installed before the U.S. presidential election in 2016.

“We have more than quadrupled the number of sensors on state and county networks since 2016, giving the election community as a whole far greater visibility into potential threats than we’ve ever had in the past,” said Matthew Masterson, a senior adviser on election security for DHS.

The 14 states that do not have a sensor installed ahead of the 2018 midterm elections have either opted for another solution, are planning to do so shortly or have refused the offer because of concerns about federal government overreach. Those 14 states were not identified by officials.

But enough have installed them that cybersecurity experts can begin to track intrusions and share that information with all states. The technology directly feeds data about cyber incidents through a non-profit cyber intelligence data exchange and then to DHS.

“When you start to get dozens, hundreds of sensors, like we have now, you get real value,” said John Gilligan, the chief executive of CIS.

“As we move forward, there are new sensors that are being installed literally almost every day. Our collective objective is that all voter infrastructure in states has a sensor.”

Top U.S. intelligence officials have predicted that hackers working for foreign governments will target the 2018 and 2020 elections.

Maria Benson, a spokesperson for the National Association of Secretaries of States, said that in some cases installations have been delayed because of the time spent working out “technical and contractual arrangements.”

South Dakota and Wyoming are among the states without Albert fully deployed to protect election systems, a source with knowledge of the matter told Reuters.

The South Dakota Secretary of State’s office did not respond to a request for comment. The Wyoming Secretary of State’s office said it is currently considering expanding use of the sensors.

(Reporting by Chris Bing; Editing by Damon Darlin and Dan Grebler)

Chinese hackers targeted U.S. firms, government after trade mission: researchers

A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Christopher Bing and Jack Stubbs

WASHINGTON/LONDON (Reuters) – Hackers operating from an elite Chinese university probed American companies and government departments for espionage opportunities following a U.S. trade delegation visit to China earlier this year, security researchers told Reuters.

Cybersecurity firm Recorded Future said the group used computers at China’s Tsinghua University to target U.S. energy and communications companies, and the Alaskan state government, in the weeks before and after Alaska’s trade mission to China. Led by Governor Bill Walker, companies and economic development agencies spent a week in China in May.

Organizations involved in the trade mission were subject to focused attention from Chinese hackers, underscoring the tensions around an escalating tit-for-tat trade war between Washington and Beijing.

China was Alaska’s largest foreign trading partner in 2017 with over $1.32 billion in exports.

Recorded Future said in a report to be released later on Thursday that the websites of Alaskan internet service providers and government offices were closely inspected in May by university computers searching for security flaws, which can be used by hackers to break into normally locked and confidential systems.

The Alaskan government was again scanned for software vulnerabilities in June, just 24 hours after Walker said he would raise concerns in Washington about the economic damage caused by the U.S.-China trade dispute.
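The activity Recorded Future describes, many distinct paths requested from one source in a short burst, most of them returning "not found", is visible in ordinary web-server logs. The detector below is an added example, not Recorded Future's method or the article's: the log lines (Apache combined format, using documentation IP ranges) are constructed, and the window and thresholds are assumptions to tune per site.

```python
"""Flag sources that probe many distinct paths in a short window.

Added example; not Recorded Future's method or anything from the article.
The sample log (Apache combined format, documentation IP ranges) is
constructed; the window and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed: one source sweeps several well-known locations in four seconds,
# a second source browses normally over a few minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2018:08:00:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jun/2018:08:00:02 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Jun/2018:08:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Jun/2018:08:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210
203.0.113.7 - - [10/Jun/2018:08:00:03 +0000] "GET /.git/config HTTP/1.1" 404 210
203.0.113.7 - - [10/Jun/2018:08:00:04 +0000] "GET /.env HTTP/1.1" 404 210
203.0.113.7 - - [10/Jun/2018:08:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210
192.0.2.44 - - [10/Jun/2018:08:01:10 +0000] "GET / HTTP/1.1" 200 5123
192.0.2.44 - - [10/Jun/2018:08:01:15 +0000] "GET /news/ HTTP/1.1" 200 8800
192.0.2.44 - - [10/Jun/2018:08:02:30 +0000] "GET /news/archive HTTP/1.1" 200 7700
192.0.2.44 - - [10/Jun/2018:08:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 120
"""


def parse(log_text):
    """Return (ip, timestamp, path, status) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["path"], int(m["status"])))
    return events


def detect_scanners(events, window=timedelta(seconds=60), min_paths=5, min_404_ratio=0.5):
    """Flag an IP if, within any window, it requests >= min_paths distinct paths
    and at least min_404_ratio of those requests return 404."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in events:
        by_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            paths = {p for _, p, _ in win}
            not_found = sum(1 for _, _, s in win if s == 404)
            if len(paths) >= min_paths and not_found / len(win) >= min_404_ratio:
                flagged[ip] = {"start": t0, "distinct_paths": len(paths),
                               "not_found": not_found, "requests": len(win)}
                break  # one finding per source is enough for triage
    return flagged


if __name__ == "__main__":
    for ip, info in detect_scanners(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The 404 ratio is what separates a sweep from a crawler or a busy user: legitimate clients mostly request paths that exist. Sources behind shared NAT will need a higher path threshold to avoid flagging an office.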

A Tsinghua University official, reached by telephone, said the allegations were false.

“This is baseless. I’ve never heard of this, so I have no way to give a response,” said the official, who declined to give his name.

Tsinghua University, known as “China’s MIT,” is closely connected to Tsinghua Holdings, a state-backed company focused on the development of various technologies, including artificial intelligence and robotics.

China’s Defense Ministry did not respond to a request for comment.

Recorded Future gave a copy of its report to law enforcement. The FBI declined to comment.

It is unclear whether the targeted systems were compromised, but the highly focused, extensive and peculiar scanning activity indicates a “serious interest” in hacking them, said Priscilla Moriuchi, director of strategic threat development at Recorded Future and former head of the National Security Agency’s East Asia and Pacific cyber threats office.

“The spike in scanning activity at the conclusion of trade discussions on related topics indicates that the activity was likely an attempt to gain insight into the Alaskan perspective on the trip and strategic advantage in the post-visit negotiations,” Recorded Future said in the report.

The targeted organizations included Alaska Communications Systems Group Inc, Ensco Atwood Oceanics, the Alaska Department of Natural Resources, the Alaska governor’s office and regional internet service provider TelAlaska.

Alaska Communications declined to comment. The others did not respond to requests for comment.

U.S.-China trade tensions have escalated in recent months with both sides imposing a series of punitive tariffs and restrictions across multiple industries, and threatening more.

The economic conflict has also damaged cooperation in cyberspace following a 2015 agreement by Beijing and Washington to stop cyber-enabled industrial espionage, Moriuchi said.

“In the fall of 2015, cybersecurity cooperation was seen as a bright spot in the U.S.-China relationship,” she said.

“It was seen as a topic that the U.S. and China could actually have substantive discussions on. That’s not really the case anymore, especially with this trade war that both sides have vowed not to lose.”

(Reporting by Christopher Bing in Washington and Jack Stubbs in London; Additional reporting by Gao Liangping and Ben Blanchard in Beijing; Editing by Lisa Shumaker)

Boy, 11, hacks into replica U.S. vote website in minutes at convention

FILE PHOTO: A man takes part in a hacking contest during the Def Con hacker convention in Las Vegas, Nevada, U.S. on July 29, 2017. REUTERS/Steve Marcus/File Photo

(Reuters) – An 11-year-old boy managed to hack into a replica of Florida’s election results website in 10 minutes and change names and tallies during a hackers convention, organizers said, stoking concerns about security ahead of nationwide votes.

The boy was the quickest of 35 children, ages 6 to 17, who all eventually hacked into copies of the websites of six swing states during the three-day Def Con security convention over the weekend, the event said on Twitter on Tuesday.

The event was meant to test the strength of U.S. election infrastructure and details of the vulnerabilities would be passed onto the states, it added.

The National Association of Secretaries of State – who are responsible for tallying votes – said it welcomed the convention’s efforts. But it said the actual systems used by states would have additional protections.

“It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the association said.

The hacking demonstration came as concerns swirl about election system vulnerabilities before mid-term state and federal elections.

U.S. President Donald Trump’s national security team warned two weeks ago that Russia had launched “pervasive” efforts to interfere in the November polls.

Participants at the convention changed party names and added as many as 12 billion votes to candidates, the event said.

“Candidate names were changed to ‘Bob Da Builder’ and ‘Richard Nixon’s head’,” the convention tweeted.

The convention linked to what it said was the Twitter account of the winning boy – named there as Emmett Brewer from Austin, Texas.

A screenshot posted on the account showed he had managed to change the name of the winning candidate on the replica Florida website to his own and gave himself billions of votes.

The convention’s “Voting Village” also aimed to expose security issues in other systems such as digital poll books and memory-card readers.

(Reporting by Brendan O’Brien in Milwaukee; Editing by Andrew Heavens)

New genre of artificial intelligence programs takes computer hacking to another level

FILE PHOTO: Servers for data storage are seen at Advania's Thor Data Center in Hafnarfjordur, Iceland August 7, 2015. REUTERS/Sigtryggur Ari

By Joseph Menn

SAN FRANCISCO (Reuters) – The nightmare scenario for computer security – artificial intelligence programs that can learn how to evade even the best defenses – may already have arrived.

That warning from security researchers is driven home by a team from IBM Corp. who have used the artificial intelligence technique known as machine learning to build hacking programs that could slip past top-tier defensive measures. The group will unveil details of its experiment at the Black Hat security conference in Las Vegas on Wednesday.

State-of-the-art defenses generally rely on examining what the attack software is doing, rather than the more commonplace technique of analyzing software code for danger signs. But the new genre of AI-driven programs can be trained to stay dormant until they reach a very specific target, making them exceptionally hard to stop.

No one has yet boasted of catching any malicious software that clearly relied on machine learning or other variants of artificial intelligence, but that may just be because the attack programs are too good to be caught.

Researchers say that, at best, it’s only a matter of time. Free artificial intelligence building blocks for training programs are readily available from Alphabet Inc’s Google and others, and the ideas work all too well in practice.

“I absolutely do believe we’re going there,” said Jon DiMaggio, a senior threat analyst at cybersecurity firm Symantec Corp. “It’s going to make it a lot harder to detect.”

The most advanced nation-state hackers have already shown that they can build attack programs that activate only when they have reached a target. The best-known example is Stuxnet, which was deployed by U.S. and Israeli intelligence agencies against a uranium enrichment facility in Iran.

The IBM effort, named DeepLocker, showed that a similar level of precision can be available to those with far fewer resources than a national government.

In a demonstration using publicly available photos of a sample target, the team used a hacked version of video conferencing software that swung into action only when it detected the face of a target.

“We have a lot of reason to believe this is the next big thing,” said lead IBM researcher Marc Ph. Stoecklin. “This may have happened already, and we will see it two or three years from now.”

At a recent New York conference, Hackers on Planet Earth, defense researcher Kevin Hodges showed off an “entry-level” automated program he made with open-source training tools that tried multiple attack approaches in succession.

“We need to start looking at this stuff now,” said Hodges. “Whoever you personally consider evil is already working on this.”

(Reporting by Joseph Menn; Editing by Jonathan Weber and Susan Fenton)