U.S. charges two Russians in international hacking, malware conspiracy

By Jonathan Stempel and Raphael Satter

WASHINGTON (Reuters) – Two Russian residents have been criminally charged in the United States over an alleged multi-year, international scheme to steal money and property by using malware to hack into computers, according to an indictment made public on Thursday.

Maksim Yakubets was accused of being the leader of a group of conspirators involved with the Bugat malware and botnet, while his close associate Igor Turashev allegedly handled various functions for the conspiracy, the indictment said.

The indictment identifies Yakubets as one of the earliest users of a family of malicious software tools called Bugat — better known as Dridex — which has been bedeviling American banks and businesses for more than eight years.

Cybersecurity experts say the malware, which first appeared in late 2011, is responsible for millions of dollars in damages worldwide. Experts have long speculated that the malware is the brainchild of a Russian hacking group.

The conspiracy allegedly began around November 2011, and several entities – including a school, an oil firm and First Commonwealth Bank – were among the defendants’ victims, according to the indictment filed with the federal court in Pittsburgh. Two of the transactions were processed through Citibank in New York, the indictment says.

The indictment is dated Nov. 12 but was unsealed on Thursday.

U.S. and British authorities are expected later Thursday to detail charges against a Russian national over allegations of computer hacking and bank fraud schemes, according to a U.S. Department of Justice statement.

That announcement characterized the Russian national as being “allegedly responsible for two of the worst computer hacking and bank fraud schemes of the past decade.”

Malware is malicious software designed to gather sensitive information, such as passwords and bank account numbers, from private computers, typically by installing viruses and other malicious programs on them.

Spokespeople for First Commonwealth Bank and Citibank did not immediately respond to requests for comment.

(Reporting by Susan Heavy, Lisa Lambert and Jonathan Stempel; additional reporting by Raphael Satter; Editing by Steve Orlofsky and Nick Zieminski)

Facebook suspends Russian Instagram accounts targeting U.S. voters

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of Instagram logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration/File Photo

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – Facebook Inc. said on Monday it has suspended a network of Instagram accounts operated from Russia that targeted Americans with divisive political messages ahead of next year’s U.S. presidential election, with operators posing as people within the United States.

Facebook said it also had suspended three separate networks operated from Iran. The Russian network “showed some links” to Russia’s Internet Research Agency (IRA), Facebook said, an organization Washington has said was used by Moscow to meddle in the 2016 U.S. election.

“We see this operation targeting largely U.S. public debate and engaging in the sort of political issues that are challenging and sometimes divisive in the U.S. right now,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy.

“Whenever you do that, a piece of what you engage on are topics that are going to matter for the election. But I can’t say exactly what their goal was.”

Facebook also announced new steps to fight foreign interference and misinformation ahead of the November 2020 election, including labeling state-controlled media outlets and adding greater protections for elected officials and candidates who may be vulnerable targets for hacking.

U.S. security officials have warned that Russia, Iran and other countries could attempt to sway the result of next year’s presidential vote. Officials say they are on high alert for signs of foreign influence campaigns on social media.

Moscow and Tehran have repeatedly denied the allegations.

Gleicher said the IRA-linked network used 50 Instagram accounts and one Facebook account to gather 246,000 followers, about 60% of which were in the United States.

The earliest accounts dated to January this year and the operation appeared to be “fairly immature in its development,” he said.

“They were pretty focused on audience-building, which is the thing you do first as you’re sort of trying to set up an operation.”

Ben Nimmo, a researcher with social media analysis company Graphika who Facebook commissioned, said the flagged accounts shared material that could appeal to Republican and Democratic voters alike.

Most of the messages plagiarized material authored by leading conservative and progressive pundits. This included recycling comments initially shared on Twitter that criticized U.S. congresswoman Alexandria Ocasio-Cortez, Democratic presidential candidate Joe Biden and current President Donald Trump.

“What’s interesting in this set is so much of what they were doing is copying and pasting genuine material from actual Americans,” Nimmo told Reuters. “This may be indicative of an effort to hide linguistic deficiencies, which have made them easier to detect in the past.”

Attorneys for Concord Management and Consulting LLC have denied any wrongdoing. U.S. prosecutors say the firm is controlled by Russian catering tycoon Evgeny Prigozhin and helped orchestrate the IRA’s operations.

Gleicher said the separate Iranian network his team identified used more than 100 fake and hacked accounts on Facebook and Instagram to target U.S. users and some French-speaking parts of North Africa. Some accounts also repurposed Iranian state media stories to target users in Latin American countries including Venezuela, Brazil, Argentina, Bolivia, Peru, Ecuador and Mexico.

The activity was connected to an Iranian campaign first identified in August last year, which Reuters showed aimed to direct internet users to a sprawling web of pseudo-news websites which repackaged propaganda from Iranian state media.

The accounts “typically posted about local political news and geopolitics including topics like public figures in the U.S., politics in the U.S. and Israel, support of Palestine and conflict in Yemen,” Facebook said.

(Reporting by Jack Stubbs; Additional reporting by Elizabeth Culliford in San Francisco; Editing by Chris Reese, Tom Brown and David Gregorio)

U.S. imposes sanctions on North Korean hacking groups blamed for global attacks

FILE PHOTO: A North Korean flag flies on a mast at the Permanent Mission of North Korea in Geneva October 2, 2014. REUTERS/Denis Balibouse/File Picture

WASHINGTON (Reuters) – The U.S. Treasury on Friday announced sanctions on three North Korean hacking groups it said were involved in the “WannaCry” ransomware attacks and hacking of international banks and customer accounts.

It named the groups as Lazarus Group, Bluenoroff, and Andariel and said they were controlled by the RGB, North Korea’s primary intelligence bureau, which is already subject to U.S. and United Nations sanctions.

The action blocks any U.S.-related assets of the groups and prohibits dealings with them. The Treasury statement said any foreign financial institution that knowingly facilitated significant transactions or services for them could also be subject to sanctions.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyberattacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury undersecretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing U.S. and U.N. sanctions against North Korea and work with the international community to improve the cybersecurity of financial networks.”

The United States has been attempting to restart talks with North Korea, aimed at pressing the country to give up its nuclear weapons. The talks have been stalled over North Korean demands for concessions, including sanctions relief.

Earlier this month, North Korea denied U.N. allegations it had obtained $2 billion through cyberattacks on banks and cryptocurrency exchanges and accused the United States of spreading rumors.

The Treasury statement said Lazarus Group was involved in the WannaCry ransomware attack that the United States, Australia, Canada, New Zealand and the United Kingdom publicly attributed to North Korea in December 2017.

It said WannaCry affected at least 150 countries and shut down about 300,000 computers, including many in Britain’s National Health Service (NHS). The NHS attack led to the cancellation of more than 19,000 appointments and ultimately cost the service over $112 million, the biggest known ransomware attack in history.

The Treasury said Lazarus Group was also directly responsible for 2014 cyber-attacks on Sony Pictures Entertainment.

The statement cited industry and press reporting as saying that by 2018, Bluenoroff had attempted to steal over $1.1 billion from financial institutions and successfully carried out operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.

It said Bluenoroff worked with the Lazarus Group to steal approximately $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account.

Andariel, meanwhile, was observed by cyber security firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to later sell on the black market, the statement said.

Andariel was also responsible for developing and creating unique malware to hack into online poker and gambling sites and, according to industry and press reporting, targeted the South Korean government and military in an effort to gather intelligence, it said.

(Reporting by David Brunnstrom and Lisa Lambert; Editing by Raissa Kasolowsky and Rosalba O’Brien)

Chinese government hackers suspected of moonlighting for profit

FILE PHOTO: An attendee looks on during the 2016 Black Hat cyber-security conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker/File Photo

By Joseph Menn, Jack Stubbs and Christopher Bing

LAS VEGAS (Reuters) – One of the most effective teams of Chinese government-backed hackers is also conducting financially-motivated side operations, cybersecurity researchers said on Wednesday.

U.S. firm FireEye said members of the group it called Advanced Persistent Threat 41 (APT41) penetrated and spied on global tech, communications and healthcare providers for the Chinese government while using ransomware against game companies and attacking cryptocurrency providers for personal profit.

The findings, announced at the Black Hat security conference in Las Vegas, show how some of the world’s most advanced hackers increasingly pose a threat to consumers and companies not traditionally targeted by state-backed espionage campaigns.

“APT41 is unique among the China-Nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain,” said FireEye Senior Vice President Sandra Joyce.

Officials in China did not immediately respond to Reuters’ request for comment. Beijing has repeatedly denied Western accusations of conducting widespread cyber espionage.

FireEye said the APT41 group used some of the same tools as another group it has previously reported on, which FireEye calls APT17 and Russian security firm Kaspersky calls Winnti.

Current and former Western intelligence officials told Reuters Chinese hacking groups were known to pursue commercial crimes alongside their state-backed operations.

FireEye, which sells cybersecurity software and services, said one member of APT41 advertised as a hacker for hire in 2009 and listed hours of availability outside of the normal workday, circumstantial evidence of moonlighting.

The group has used spear-phishing, or trick emails designed to elicit login information. But it has also deployed rootkits, which are relatively rare and give hard-to-detect control over computers. In all, the group has used nearly 150 unique pieces of malware, FireEye said.

The most technically impressive feats included tainting millions of copies of a utility called CCleaner, now owned by security company Avast. Only a small number of specially selected, high-value computers were fully compromised, making detection of the hack more difficult.

Avast said that it had worked with security researchers and law enforcement to stop the attack and that no damage was detected. The company did not have any immediate further comment on Wednesday.

In March, Kaspersky found the group hijacked Asus’ software update process to reach more than 1 million computers, again targeting a much smaller number of end-users. Asus said the next day it had issued a fix for the attack, which affected “a small number of devices.”

“We have evidence that at least one telecom company may have been the intended target during the Asus compromise, which is consistent with APT41’s espionage targeting over the past two years,” said FireEye spokesman Dan Wire.

But FireEye and Slovakia-based cybersecurity company ESET said the gaming compromises aligned with financial motives more than national espionage. Among other things, the group won access to a game’s production environment and generated tens of millions of dollars’ worth of virtual currency, FireEye said.

(Reporting by Joseph Menn, Jack Stubbs and Chris Bing; Editing by Greg Mitchell and Nick Zieminski)

Fake social media accounts spread pro-Iran messages during U.S. midterms: FireEye

FILE PHOTO: A staff member removes the Iranian flag from the stage after a group picture with foreign ministers and representatives of the U.S., Iran, China, Russia, Britain, Germany, France and the European Union during Iran nuclear talks at the Vienna International Center in Vienna, Austria, July 14, 2015. REUTERS/Carlos Barria

By Christopher Bing

(Reuters) – A network of fake social media accounts impersonated political candidates and journalists to spread messages in support of Iran and against U.S. President Donald Trump around the 2018 congressional elections, cybersecurity firm FireEye said on Tuesday.

The findings show how unidentified, possibly government-backed, groups could manipulate social media platforms to promote stories and other content that can influence the opinions of American voters, the researchers said.

This particular operation was largely focused on promoting “anti-Saudi, anti-Israeli, and pro-Palestinian themes,” according to the report by FireEye.

The campaign was organized through a series of fake personas that created various social media accounts, including on Twitter and Facebook. Most of these accounts were created last year and have since been taken down, the report said.

Spokespersons for Twitter and Facebook confirmed FireEye’s finding that the fake accounts were created on their platforms.

Lee Foster, a researcher with FireEye, said he found some of the fake personas – often masquerading as American journalists – had successfully convinced several U.S. news outlets to publish letters to the editor, guest columns and blog posts.

These writings displayed both progressive and conservative views, the report said, covering topics including the Trump administration’s designation of Iran’s Islamic Revolutionary Guard Corps (IRGC) as a terrorist organization.

“We’re assessing with low confidence that this network was organized to support Iranian political interests,” said Foster. “However, we’re not at the point where we can say who was doing it or where it’s coming from. The investigation is ongoing.”

Before the 2018 midterm elections, the nameless group created Twitter accounts that also impersonated both Republican and Democratic congressional candidates. It is unclear if the fake accounts had any effect on their campaigns.

The imposter Twitter accounts often plagiarized messages from the politicians’ legitimate accounts, but also mixed in posts voicing support for policies believed to be favorable to Tehran. Affected politicians included Jineea Butler, a Republican candidate for New York’s 13th District, and Marla Livengood, a Republican candidate for California’s 9th District. Both Livengood and Butler lost in the election.

Livengood’s campaign called the situation “clearly an attempt by bad actors” to hurt her campaign, and noted that Livengood was “a strident opponent of nuclear weapons in Iran.”

Butler could not be immediately reached for comment.

Twitter said in a statement that it had “removed this network of 2,800 inauthentic accounts originating in Iran at the beginning of May,” adding that its investigation was ongoing.

Facebook said it had removed 51 Facebook accounts, 36 Pages, seven Groups and three Instagram accounts connected to the influence operation. Instagram is owned by Facebook.

The activity on Facebook was less expansive than that on Twitter and it appeared to be more narrowly focused, said Facebook head of cybersecurity policy Nathaniel Gleicher. The inauthentic Facebook accounts instead often privately messaged high profile figures, including journalists, policy-makers and Iranian dissidents, to promote certain issues.

Facebook also concluded the activity had originated in Iran.

(Reporting by Christopher Bing; editing by Rosalba O’Brien and Susan Thomas)

WhatsApp to refer security breach to U.S. authorities

FILE PHOTO: A logo of WhatsApp is pictured on a T-shirt worn by a WhatsApp-Reliance Jio representative during a drive by the two companies to educate users, on the outskirts of Kolkata, India, October 9, 2018. REUTERS/Rupak De Chowdhuri

By Steven Scheer

JERUSALEM (Reuters) – Facebook’s WhatsApp said on Tuesday a security breach on its messaging app had signs of coming from a private company working on surveillance and it had referred the incident to the U.S. Department of Justice.

WhatsApp, one of the most popular messaging tools, is used by 1.5 billion people monthly and it has touted its high level of security and privacy, with messages on its platform being encrypted end to end so that WhatsApp and third parties cannot read or listen to them.

A WhatsApp spokesman said the attack was sophisticated and had all the hallmarks of a “private company working with governments on surveillance.”

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a spokesman said.

“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users,” he said. WhatsApp did not elaborate further.

WhatsApp informed its lead regulator in the European Union, Ireland’s Data Protection Commission (DPC), of a “serious security vulnerability” on its platform.

“The DPC understands that the vulnerability may have enabled a malicious actor to install unauthorized software and gain access to personal data on devices which have WhatsApp installed,” the regulator said in a statement.

“WhatsApp are still investigating as to whether any WhatsApp EU user data has been affected as a result of this incident,” the DPC said, adding that WhatsApp informed it of the incident late on Monday.

Cybersecurity experts said the vast majority of users were unlikely to have been affected.

Scott Storey, a senior lecturer in cybersecurity at Sheffield Hallam University, believes most WhatsApp users were not affected since this appears to be governments targeting specific people, mainly human rights campaigners.

“For the average end user, it’s not something to really worry about,” he said, adding that WhatsApp found the vulnerability and quickly fixed it. “This isn’t someone trying to steal private messages or personal details.”

Storey said that disclosing vulnerabilities is a good thing and likely would lead to other services looking at their security.

INCOMING CALL

Earlier, the Financial Times reported that a vulnerability in WhatsApp allowed attackers to inject spyware on phones by ringing up targets using the app’s phone call function.

It said the spyware was developed by Israeli cyber surveillance company NSO Group — best known for its mobile surveillance tools — and affects both Android and iPhones. The FT said WhatsApp could not yet give an estimate of how many phones were targeted.

The FT reported that teams of engineers had worked around the clock in San Francisco and London to close the vulnerability, and that WhatsApp began rolling out a fix to its servers on Friday last week and issued a patch for customers on Monday.

Asked about the report, NSO said its technology is licensed to authorized government agencies “for the sole purpose of fighting crime and terror,” and that it does not operate the system itself while having a rigorous licensing and vetting process.

“We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system. Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.

Social media giant Facebook bought WhatsApp in 2014 for $19 billion.

Facebook co-founder Chris Hughes last week wrote in The New York Times that fellow co-founder Mark Zuckerberg had far too much influence by controlling Facebook, Instagram and WhatsApp, three core communications platforms, and called for the company to be broken up.

Facebook’s shares were up 0.8 percent at $183.02 in pre-market trading.

(Additional reporting by Ari Rabinovitch, Tamara Mathias and Padraic Halpin; Editing by Louise Heavens/Keith Weir/Jane Merriman)

Cyberwarfare, populism top ‘black swan’ events at Milken conference

Thomas Barrack, Executive Chairman, Colony Northstar, speaks at the Milken Institute's 21st Global Conference in Beverly Hills, California, U.S. May 1, 2018. REUTERS/Lucy Nicholson

By Anna Irrera

BEVERLY HILLS, Calif. (Reuters) – Cyberwarfare and populism are some of the top risks that could threaten global stability and financial markets in the years ahead, investors and policymakers warned at the annual Milken Institute Global Conference this week, as they characterized them as black swan events.

Thomas Barrack, founder and executive chairman of Colony Northstar, said cybersecurity was his greatest concern because “if the system itself is hacked or breaks or causes trauma, I am not sure what happens.”

Representative Ed Royce, chairman of the U.S. House of Representatives Foreign Affairs Committee, echoed the sentiment, saying that “Russian weaponization of information” has been one of his main concerns.

“The impact that is having in terms of the effect on the democratic process there (in Eastern Europe) is very concerning,” Royce said. “Indeed, worldwide Russian efforts in this regard need to be effectively countered, and it’s been many years since we’ve done anything effective.”

Royce, who also expressed concerns about the proliferation of nuclear weapons, called for more aggressive action.

“We need on social media and with respects to our sanctions push-back and make them (Russia) feel the price for doing this,” Royce said.

American intelligence agencies have said that Russia interfered in the 2016 U.S. presidential race to try to help Donald Trump win the presidency. Trump has repeatedly denied receiving help from Moscow for his election campaign, and Russia has denied meddling in the election.

While government and business leaders worldwide have become more aware of cybersecurity risks, the threat may still be underappreciated, some speakers said.

“The cyberwarfare in this world is completely unknown, uncontemplated and has to be grasped as we think about where we are going,” Mary Callahan Erdoes, chief executive officer of JPMorgan Asset Management, said on Monday.

Others cited rising populism in the West as one of the biggest risks for the global economy and market stability.

“My black swan is politics, politics in the West which is getting bust,” said Peter Mandelson, a former European trade commissioner and British first secretary of state. “And bust politics has two effects. It generates populist nationalist pressures on government and regulators, draws them more into the economy, onto the backs of businesses and makes decision-making by investors and businesses much more difficult.”

Although speakers did share what might keep them up at night in the coming months, the outlook was generally upbeat at the event, with Citigroup Inc <C.N> CEO Michael Corbat describing the current state of affairs as being “OK.”

Ironically, the mood was so positive that some speakers worried about excessive optimism.

“I am really concerned regarding the overwhelming optimism, which we observed over the past two days,” said Hiro Mizuno, chief investment officer for Japan’s Government Pension Investment Fund. “People say nothing matters to the capital markets, so that is scary.”

Chris Stadler, managing partner at CVC Capital, added: “When you sit here and…you talk about all these things hitting on all cylinders and you don’t know what could change it, you’re coming close to an event.”

(Reporting by Anna Irrera; Additional reporting by Liana Baker; Editing by Jennifer Ablan and Leslie Adler)

Researchers say global cyber attack similar to North Korean hacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Ju-min Park and Dustin Volz

SEOUL/WASHINGTON (Reuters) – Cybersecurity researchers have found evidence they say could link North Korea with the WannaCry cyber attack that has infected more than 300,000 computers worldwide, as global authorities scrambled to prevent hackers from spreading new versions of the virus.

A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec <SYMC.O> and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises the South Korean police and National Intelligence Service.

Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.

The attacks, which slowed on Monday, are among the fastest-spreading extortion campaigns on record.

In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.

Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.

In Malaysia, cybersecurity firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.

“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.

“The real situation may be serious. In one of the cases, the attack was traced back to early April.”

Vietnam’s state media said on Tuesday more than 200 computers had been affected.

Taiwan Power Co. <TAIWP.UL> said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.

EXPERTS URGE CAUTION

FireEye Inc <FEYE.O>, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.

“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.

U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cyber security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

An official at South Korea’s Korea Internet & Security Agency said on Tuesday the agency was sharing information with intelligence officials on recent cases reported for damages but was not in a position to investigate the source of the attack.

The official declined to comment on intelligence-related matters.

A South Korean police official who handles investigations into hacking and cyber breaches said he was aware of reports on the North Korean link, but said police were not investigating yet.

Victims haven’t requested investigations but they want their systems to be restored, the official said.

North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.

Hauri researcher Choi said the code bore similarities with those allegedly used by North Korean hackers in the Sony and bank heists. He said based on his conversations with North Korean hackers, the reclusive state had been developing and testing ransomware programs since August.

In one case, alleged hackers from North Korea demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall, Choi added.

The North Korean mission to the United Nations was not immediately available for comment on Monday.

While the attacks have raised concerns for cyber authorities and end-users worldwide, they have helped cybersecurity stocks as investors bet governments and corporations will spend more to upgrade their defenses.

Cisco Systems <CSCO.O> closed up 2.3 percent on Monday and was the second-biggest gainer in the Dow Jones Industrial Average.

(Additional reporting by Jess Macy Yu in Taipei, My Pham in Hanoi, Michael Martina in Beijing and Liz Lee in Kuala Lumpur; Writing by Jeremy Wagstaff in Singapore; Editing by Sam Holmes, Michael Perry and Mike Collett-White)

Germany to increase military for cybersecurity and fight against Islamic State

German Bundeswehr army demonstrate their skills at Kaserne Hochstaufen in Bad Reichenhall

BERLIN (Reuters) – Germany plans to add 7,000 military jobs and 4,400 civilians to its armed forces over the next seven years to help tackle demands such as cybersecurity and the fight against Islamic State, its defense minister said on Tuesday.

Ursula von der Leyen said the move marked the first increase in the size of the German military since the end of the Cold War and was part of a broader campaign that has revamped the way the military buys equipment and prepares its budgets.

“A quarter century of a shrinking military is over. It is time for the German armed forces to grow,” she told reporters.

Germany’s armed forces totaled 800,000 military and civilian personnel at the time of German unification in 1990, but since have shrunk to a target of 185,000 troops and 56,000 civilians, according to German government officials.

They said the goal now was to get away from the strict ceilings used in the past and move toward a more dynamic annual review of personnel needs.

Officials said a recent comprehensive review had shown that the German military needed 14,300 additional troops to cope with new missions. These include the at-sea rescue of refugees, operations in support of a U.S.-led air strike campaign against Islamic State insurgents in Iraq and Syria, and backing operations against other Islamist militants in Mali.

Of those, 5,000 would be filled through changes in existing personnel, with 7,000 to be added in new posts and the extension of existing contracts.

Current plans would leave about 2,300 of the required military positions vacant, although that estimate could be adjusted next year, officials said.

(Reporting by Berlin Newsroom; Editing by Mark Heinrich)

Ransomware: Extortionist hackers borrow customer-service tactics

Hollywood Presbyterian Medical Center

By Jim Finkle

TEWKSBURY, Mass (Reuters) – When hackers set out to extort the town of Tewksbury, Massachusetts with “ransomware,” they followed up with an FAQ explaining the attack and easy instructions for online payment.

After balking for several days, Tewksbury officials decided that paying the modest ransom of about $600 was better than struggling to unlock its own systems, said police chief Timothy Sheehan.

That case and others show how cyber-criminals have professionalized ransomware schemes, borrowing tactics from customer service or marketing, law enforcement officials and security firms say. Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.

The advancements, along with modest ransom demands, make it easier to pay than fight.

“It’s a perfect business model, as long as you overlook the fact that they are doing something awful,” said James Trombly, president of Delphi Technology Solutions, a Lawrence, Massachusetts, computer services firm that helped three clients over the past year pay ransoms in bitcoin, the virtual currency. He declined to identify the clients.

In the December 2014 attack on Tewksbury, the pressure to pay took on a special urgency because hackers disabled emergency systems. The same is true of additional attacks on police departments and hospitals since then. But all sectors of government and business are targeted, along with individuals, security firms said.

The total cost of ransomware attacks is hard to quantify. But the Cyber Threat Alliance, a group of leading cyber security firms, last year estimated that global damages from CryptoWall 3 – among the most popular of dozens of ransomware variants – totaled $325 million in the first nine months of 2015.

Some operations hire underground call centers or email-response groups to walk victims through paying and restoring their data, said Lance James, chief scientist with the cyber-intelligence firm Flashpoint.

Graphic artists and translators craft clear ransom demands and instructions in multiple languages. They use geolocation to make sure that victims in Italy get the Italian version, said Alex Holden, chief information security officer with Hold Security.

While ransomware attacks have been around for more than a decade, security experts say they’ve become far more threatening and prevalent in recent years because of state-of-the-art encryption, modules that infect backup systems, and the ability to infect large numbers of computers over a single network.

Law enforcement officials have long advised victims against paying ransoms. Paying ransoms is “supporting the business model,” encouraging more criminals to become extortionists, said Will Bales, a supervisory special agent for the Federal Bureau of Investigation.

But Bales, who helps run ransomware investigations nationwide from the Washington, DC office, acknowledged that the payoffs make economic sense for many victims.

“It is a business decision for the victim to make,” he said.

Run-of-the-mill ransomware attacks typically seek 1 bitcoin, now worth about $420, which is about the same as the hourly rate that some security consultants charge to respond to such incidents, according to security firms that investigate ransomware cases.

Some attacks seek more, as when hackers forced Hollywood Presbyterian Hospital in Los Angeles to pay $17,000 to end an outage in February.

Such publicized incidents will breed more attacks, said California State Senator Robert Hertzberg, who in February introduced legislation to make ransomware schemes punishable by up to four years in prison. The Senate’s public safety committee was scheduled to review that bill on Tuesday.

Some victims choose not to pay. The Pearland Independent School District near Houston refused to fork over about $1,600 in ransom demanded in two attacks this year, losing about three days of work from teachers and students. Instead, the district invested tens of thousands of dollars on security software, said Jonathan Block, the district’s desktop support services manager.

“This threat is real and something that needs to be dealt with,” Block said.

The town of Tewksbury has also upgraded its security technology, but Sheehan says he fears more attacks.

“We are so petrified we could be put into this position again,” he said. “Everybody is vulnerable.”

(Reporting by Jim Finkle. Additional reporting by Dustin Volz. Editing by Jonathan Weber and Brian Thevenot.)