EU investigates hacked diplomatic communications

A European Union flag is seen outside the EU Commission headquarters in Brussels, Belgium November 14, 2018. REUTERS/Francois Lenoir/File Photo

BRUSSELS (Reuters) – The European Union is investigating a cyber hack of its diplomatic communications, allegedly by Chinese hackers, that revealed EU concern about U.S. Donald Trump, Russia and Iran, the bloc said on Wednesday.

“The Council Secretariat is aware of allegations regarding a potential leak of sensitive information and is actively investigating the issue,” the body that represents EU governments in Brussels said in a statement.

The Secretariat declined to comment further but said it “takes the security of its facilities, including its IT systems, extremely seriously”, referring to concerns about vulnerabilities in its data systems across 28 EU states.

The New York Times reported late on Tuesday that hackers had broken into the EU’s diplomatic communications for years, downloading cables that showed worries about the Trump administration, struggles to deal with Russia and China, and the threat of Iran reviving its nuclear programme.

More than 1,100 cables were supplied to the Times by security firm Area 1 after it discovered the breach, the newspaper said, adding that Area 1 investigators believed the hackers worked for China’s People’s Liberation Army.

The cables include memorandums of conversations with leaders in Saudi Arabia, Israel and other countries that were shared across the European Union, according to the report.

One cable, the Times said, showed European diplomats describing a meeting between U.S. President Donald Trump and Russian counterpart Vladimir Putin in Finland as “successful (at least for Putin)”.

Another, written after a July 16 meeting, relayed a detailed report and analysis of talks between European officials and Chinese President Xi Jinping, who was quoted comparing Trump’s “bullying” of Beijing to a “no-rules freestyle boxing match”.

A third, from March 7, shows Caroline Vicini, the deputy head of the EU mission in Washington, recommending that the trade bloc’s diplomats describe the United States as “our most important partner”, even as it challenged Trump “in areas where we disagreed with the U.S. (e.g., on climate, trade, Iran nuclear deal)”.

The hackers also infiltrated the networks of the United Nations, the American Federation of Labor and Congress of Industrial Organizations (AFL-CIO), and ministries of foreign affairs and finance worldwide, the Times report added.

(Reporting by Rama Venkat in Bengaluru and Robin Emmott in Brussels; editing by Andrew Roche)

ATM makers warn of ‘jackpotting’ hacks on U.S. machines

: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017.

By Jim Finkle

(Reuters) – Diebold Nixdorf Inc and NCR Corp, two of the world’s largest ATM makers, have warned that cyber criminals are targeting U.S. cash machines with tools that force them to spit out cash in hacking schemes known as “jackpotting.”

The two ATM makers did not identify any victims or say how much money had been lost. Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details.

The attacks were reported earlier on Saturday by the security news website Krebs on Security, which said they had begun last year in Mexico.

The companies confirmed to Reuters on Saturday they had sent out the alerts to clients.

NCR said in a Friday alert that the cases were the first confirmed “jackpotting” losses in the United States. It said its equipment had not been targeted in the recent attacks, but that it was still a concern for the entire ATM industry.

“This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” the alert said.

Diebold Nixdorf said in a separate Friday alert that U.S. authorities had warned the company that hackers were targeting one of its ATM models, known as Opteva, which went out of production several years ago.

A confidential U.S. Secret Service alert sent to banks said the hackers targeted stand-alone ATMs typically located in pharmacies, big box retailers and drive-thru ATMs, Krebs on Security reported.

Diebold Nixdorf’s alert described steps that criminals had used to compromise ATMs. They include gaining physical access, replacing the hard drive and using an industrial endoscope to depress an internal button required to reset the device.

Reuters was unable to obtain a copy of the Secret Service report and an agency representative declined comment. Officials with the Federal Bureau of Investigation could not immediately be reached.

Russian cyber security firm Group IB has reported that cyber criminals remotely attacked cash machines in more than a dozen countries across Europe in 2016. Similar attacks were also reported that year in Thailand and Taiwan.

(Reporting by Jim Finkle in Toronto; Additional reporting by Dustin Volz in Washington; Editing by Susan Thomas)

Cyber alert: EU ministers test responses in first computer war game

Cyber alert: EU ministers test responses in first computer war game

By Robin Emmott

TALLINN (Reuters) – European Union defense ministers tested their ability to respond to a potential attack by computer hackers in their first cyber war game on Thursday, based on a simulated attack on one of the bloc’s military missions abroad.

In the simulation, hackers sabotaged the EU’s naval mission in the Mediterranean and launched a campaign on social media to discredit the EU operations and provoke protests.

Each of the defense ministers tried to contain the crisis over the course of the 90-minute, closed-door exercise in Tallinn that officials sought to make real by creating mock news videos giving updates on an escalating situation.

German Defence Minister Ursula von der Leyen said the “extremely exciting” war game showed the need for EU governments to be more aware of the impact of cyber attacks on critical infrastructure in the EU.

“The adversary is very, very difficult to identify, the attack is silent, invisible,” Von der Leyen told reporters. “The adversary does not need an army, but only a computer with internet connection”.

After a series of global cyber attacks disrupted multinational firms, ports and public services on an unprecedented scale this year, governments are seeking to stop hackers from shutting down more critical infrastructure or crippling corporate and government networks.

“We needed to raise awareness at the political level,” Jorge Domecq, the chief executive of the European Defence Agency that helped organize the exercise with Estonia, told Reuters.

Especially concerned about Russia since it seized Crimea from Ukraine in 2014, Estonia has put cyber security at the forefront of its six-month EU presidency and proposed the exercise.

Estonia was hit by cyber attacks on private and government Internet sites in 2007. One of the world’s most Internet-savvy countries, with 95 percent of government services online, Estonia has a separate cyber command in its armed forces. But it is not without its vulnerabilities.

International researchers have found a security risk with the chips embedded in Estonian identity cards that could allow hackers to steal people’s identities, although officials said there was no evidence of a hack.


NATO last year recognized cyberspace as a domain of warfare and said it justified activating the alliance’s collective defense clause. The European Union has broadened its information-sharing between governments and is expected to present a new cyber defense plan.

The EU exercise made ministers consider how to work more closely with NATO, whose Secretary-General Jens Stoltenberg was there as an observer, diplomats present said.

“Over the last year, we saw a 60 percent increase in the number of cyber attacks against NATO networks,” Stoltenberg told reporters. “A timely exchange of information (with the EU) is key to responding to any cyber attacks.”

EU cyber exercises are not new, but officials said the idea of Thursday’s exercise was to put the onus on defense ministers to act by simulating a temporary loss of military operational command, even if they would have more support in a real-life situation.

Using tablet computers, ministers answered multiple-choice questions as they reacted to the situation, including some on whether they would make public statements or keep the situation secret.

“Do you announce to the whole country that you are under a cyber attack. Is it an incident, a threat or an attack? These are the questions that ministers were forced to consider, probably for the first time,” Estonian Defence Minister Juri Luik told Reuters.

(Reporting by Robin Emmott; Editing by Hugh Lawson)

U.S. muni market slowly starts paying heed to cyber risks

FILE PHOTO: An advertisement about the Microsoft Cybercrime Center plays behind a window reflecting a nearby building at the Microsoft office in Cambridge, Massachusetts, U.S. May 15, 2017. REUTERS/Brian Snyder/File Photo

By Hilary Russ

NEW YORK (Reuters) – A rise in cyber attacks on U.S. public sector targets so far has had little impact in the $3.8 trillion municipal debt market, with no issuer as yet hit by a downgrade or higher borrowing costs because of a cyber security threat.

That is beginning to change.

S&P Global has begun to quiz states, cities and towns about their cyber defenses, and some credit analysts are starting to factor cyber security when they look at bonds. Moody’s Investors Service is also trying to figure out how to best evaluate cyber risk.

The shift follows a particularly steep rise in ransomware attacks, when criminals hold an entity’s computer system hostage until a small ransom is paid.

The number of global ransomware detections rose 36 percent in 2016 from the year before, to 463,841, with the United States most heavily affected, according to cyber security firm Symantec Corp.

Such attacks, which have also hit companies and federal entities, have spared no kind of municipal issuer large or small, from police departments to school districts and transit agencies. Ransomware attacks on state and local governments and their agencies have risen in proportion with the overall increase, according to cyber insurance provider Beazley Group.

“State and local governments are a huge target, quite frankly an easy target for bad guys,” said Bob Anderson, managing director for information security at Navigant management consulting firm in Washington and a former global cyber investigator at the Federal Bureau of Investigation.

Last month’s “WannaCry” ransomware attack, which hobbled global businesses and Britain’s National Health Service, may also be prompting renewed focus on cyber security, though it had minimal impact in the United States.

Considering a potential cyber attack as a similar risk to a natural disaster, S&P has already been reviewing cyber security defenses of utilities, hospitals and colleges because they were early public sector targets for hackers.

Now it is also beginning to ask cities and states about the costs and level of security measures and the financial impact of successful attacks, said Geoffrey Buswick, who manages S&P’s public sector ratings.


The answers feed into broader categories that affect an issuer’s ratings, particularly governance, liquidity and operations.

Many breaches are handled quickly and financial damage is limited, but not every attack will necessarily end that way, Buswick said. “We’re trying to get sense of who has their head in the sand and who doesn’t.”

Fitch Ratings said it does not consider cyber security in its ratings, and many investors still are not concerned enough to ask for details.

In part, that is because it can be difficult to assess the operational and financial fallout of such attacks. Some high profile breaches so far have also done limited damage to issuers’ finances.

Case in point is the state of South Carolina, which in August 2012 suffered possibly the worst cyber attack yet of any city or state.

When hackers stole the personal data of more than 3.5 million taxpayers, the state had to investigate, provide credit monitoring and consumer fraud protection, and implement a slew of post-breach upgrades, according to State Senator Thomas Alexander.

The total cost is around $76 million and counting, he said. That is enough to pay for several school programs combined. But against South Carolina’s annual general fund budget of roughly $8 billion, the costs made no dent in its standing as a borrower.

Many issuers do not disclose any information to potential investors in bond documents about cyber risks or defenses. But a few, particularly hospitals and utilities, have started doing so.

In a February prospectus, the Maryland Health and Higher Educational Facilities Authority, the state’s largest public debt issuer, included nearly a full page devoted to the growing risk of cyber attacks.

“Because we’re such a large issuer, and because healthcare is often treated much more like a corporate credit, the legal counsels to the transaction weigh in on the bondholder risk section,” said Annette Anselmi, the authority’s Executive Director, noting that such disclosures also evolve depending on what kinds of questions the market is asking.

Hospitals are also ahead on cyber security disclosure because they rely on huge amounts of data, said Court Street Group analyst Joseph Krist.

Eventually, he expects others to follow suit.

“We went through this with getting munis to … disclose more pension information. Those were frankly long and painful processes. It just has to get to a critical mass.”

(Reporting by Hilary Russ; Additional reporting by Jim Finkle in Toronto; Editing by Daniel Bases and Tomasz Janowski)

French researchers find last-ditch cure to unlock WannaCry files

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Eric Auchard

FRANKFURT (Reuters) – French researchers said on Friday they had found a last-chance way for technicians to save Windows files encrypted by WannaCry, racing against a deadline as the ransomware threatens to start locking up victims’ computers first infected a week ago.

WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection.

A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed.

The researchers warned that their solution would only work in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently.

The group includes Adrien Guinet, who works as a security expert, Matthieu Suiche, who is an internationally known hacker, and Benjamin Delpy, who helped out by night, in his spare time, outside his day job at the Banque de France.

Suiche has published a blog with technical details summarizing what the group of passing online acquaintances has developed. He links to a tool called Wannakey built by Guinet, the creator of the original concept.


Guinet, a security researcher at Paris-based Quarks Lab, published the basic technique for decrypting WannaCry files on Thursday, which Delpy then figured out how to turn into a practical tool to salvage files.

Suiche, based in the United Arab Emirates and one of the world’s top security researchers, provided advice and testing to ensure the fix worked across all various versions of Windows.

Wannakey was quickly tested and shown to work on Windows 7 and older Windows versions XP and 2003, Suiche said, adding that he believes the hastily developed fix also works with Windows 2008 and Vista.

“(The method) should work with any operating system from XP to Win7,” Suiche told Reuters via direct message on Twitter.

“This is not a perfect solution. But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups,” Suiche said of network back-up and retrieval systems which allow users with infected computers to restore them after re-imaging their PCs.

Classic customer help desk procedures typically advise users reporting computer problems to reboot their machines, but fast-acting users who pulled the plug on their PCs or otherwise did not attempt to repair them can benefit, the researchers said.

(Editing by Maria Sheahan and Gareth Jones)

UK government in dark over who behind cyber attack

FILE PHOTO: A National Health Service (NHS) sign is seen in the grounds of St Thomas' Hospital, in front of the Houses of Parliament in London June 7, 2011. REUTERS/Toby Melville/File Photo

LONDON (Reuters) – The British government does not yet know who was behind Friday’s global cyber attack that disrupted the country’s health system, interior minister Amber Rudd said on Saturday.

“We’re not able to tell you who’s behind the attack. That work is still ongoing,” she told BBC radio.

She said Britain’s National Cyber Security Center was working with the country’s health service to ensure the attack was contained, while the National Crime Agency was working with them to find out where it came from.

Rudd said the government did not know if the attack was directed by a foreign government.

On Friday, cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files. Nearly 100 countries were impacted.

Rudd said the attack was not specifically targeted at Britain’s health service.

“(The virus) feels random in terms of where it’s gone to and where it’s been opened,” she said.

Though 45 health service organizations in England and Scotland were affected by malicious software, no patient data has been accessed or transferred, said Rudd.

The minister said lessons had to be learned from the attack.

“There will be lessons to learn … Why is it certain regions are affected more than others? Is it to do with the software? Is it to do with better IT?”

Separately on Saturday, finance chiefs from the Group of Seven rich countries will commit to join forces to fight the growing threat of international cyber attacks, according to a draft statement of a meeting they are holding in Bari, Italy.

(Reporting by James Davey; Editing by Mark Potter)

British hospitals, Spanish firms among targets of huge cyberattack

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A huge cyberattack brought disruption to Britain’s health system on Friday and infected many Spanish companies with malicious software, and security researchers said a dozen other countries may be affected.

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among the targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Authorities in both countries said the attack was conducted using ‘ransomware’ – malicious software that infects machines, locks them up by encrypting data and demands a ransom to restore access. They identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement. Still, the news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: “We were the target of an attack, like what is happening in all of Europe, a large scale-attack, but none of our services were affected.”

British based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with preliminary evidence of infections from 14 countries so far, also including Russia, Indonesia and Ukraine.


A spokesman for British Prime Minister Theresa May said she was being kept informed of the incident, which came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed a entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

The full extent of Friday’s disruption in Britain remained unclear.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital, the computer arm of the health service, said in a statement.

Britain’s National Cyber Security Centre, part of the GCHQ spy agency, said it was aware of a cyber incident and was working with NHS Digital and the police to investigate.

A reporter from the Health Service Journal said the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

It was not immediately clear how many Spanish organizations had been compromised by the attacks, if any critical services had been interrupted or whether victims had paid cyber criminals to regain access to their networks.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Kate Holton, Andy Bruce, Michael Holden and David Milliken; Editing by Mark Trevelyan and Ralph Boulton)

English hospitals say hit by suspected national cyber attack

FILE PHOTO: A National Health Service (NHS) sign is seen in the grounds of St Thomas' Hospital, in front of the Houses of Parliament in London June 7, 2011. REUTERS/Toby Melville/File Photo

By Costas Pitas and Alistair Smout

LONDON (Reuters) – Hospitals across England were being forced to divert emergency cases on Friday after suffering a suspected national cyber attack.

Among them was the Barts Health group which manages major central London hospitals including The Royal London and St Bartholomew’s.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” it said.

“We have activated our major incident plan to make sure we can maintain the safety and welfare of patients. Ambulances are being diverted to neighboring hospitals.”

Patients requiring emergency treatment across England were diverted away from the hospitals affected and the public was advised to only seek medical care for acute medical conditions.

Reuters was unable to independently verify whether the hospitals were the subject of a concerted cyber attack ahead of the June 8 election.

Britain’s National Crime Agency said it was aware of the reports of a cyber attack but made no further comment.

The National Health Service (NHS) said it was responding to the incidents.

“We are aware of a cyber security incident and we are working on a response,” said a spokesman for NHS Digital, a division of the NHS which handles information technology issues.

There was no immediate comment from the Health Ministry.

Earlier on Friday, Spain’s government warned that a large number of companies had been attacked by cyber criminals who infected computers with malicious software known as “ransomware” that locks up computers and demands ransoms to restore access.

(Additional reporting by Kate Holton, Andy Bruce, Michael Holden and David Milliken; Writing by Guy Faulconbridge; editing by Stephen Addison)

China draft cyber law mandates security assessment for outbound data

BEIJING (Reuters) – China’s top cyber authority on Tuesday released a draft law that would require firms exporting data to undergo an annual security assessment, in the latest of several recent safeguards against threats such as hacking and terrorism.

Any business transferring data of over 1000 gigabytes or affecting over 500,000 users will be assessed on its security measures and on the potential of the data to harm national interests, showed the draft from the Cyberspace Administration of China (CAC).

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

It is also an extension of legislation passed in November formalizing a range of controls over firms that handle data in industries the government deems critical to national interests.

Business groups have criticized the November law, which is effective from June, calling rules “vague” and claiming they unfairly target foreign companies with stringent requirements.

Chinese officials denied that the November law targets foreign firms.

Under the rules released on Tuesday, sensitive geographic data such as information on marine environments would also be subject to scrutiny. Destination countries and the likelihood of oversees tampering would also be factored in to any assessments.

The draft is open for public comment until May 11.

(Reporting by Cate Cadell; Editing by Christopher Cushing)

UK and Swedish watchdogs warn of international cyber attack

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

STOCKHOLM (Reuters) – A large-scale cyber attack from a group targeting organizations in Japan, the United States, Sweden and many other European countries through IT services providers has been uncovered, the Swedish computer security watchdog said on Wednesday.

The cyber attack, uncovered through a collaboration by Britain’s National Cyber Security Centre, PwC and cyber security firm BAE Systems, targeted managed service providers to gain access to their customers’ internal networks since at least May 2016 and potentially as early as 2014.

The exact scale of the attack, named Cloud Hopper from an organization called APT10, is not known but is believed to involve huge amounts of data, Sweden’s Civil Contingencies Agency said in a statement. The agency did not say whether the cyber attacks were still happening.

“The high level of digitalization in Sweden, along with the amount of services outsourced to managed service providers, means that there is great risk that several Swedish organizations are affected by the attacks,” the watchdog said.

The agency said those behind the attacks had used significant resources to identify their targets and sent sophisticated phishing e-mails to infect computers.

It also said Swedish IP addresses had been used to coordinate the incursions and retrieve stolen data and that APT10 specifically targeted IT, communications, healthcare, energy and research sectors.

(Reporting by Johan Ahlander; Editing by Niklas Pollard and Stephen Powell)