White House warns companies to step up cybersecurity

By Doina Chiacu

WASHINGTON (Reuters) – The White House warned corporate executives and business leaders on Thursday to step up security measures to protect against ransomware attacks after intrusions disrupted operations at a meatpacking company and a southeastern oil pipeline.

There has been a significant hike in the frequency and size of ransomware attacks, Anne Neuberger, cybersecurity adviser at the National Security Council, said in a letter.

“The threats are serious and they are increasing. We urge you to take these critical steps to protect your organizations and the American public,” she added.

The recent cyberattacks have forced companies to see ransomware as a threat to core business operations and not just data theft, as ransomware attacks have shifted from stealing to disrupting operations, she said.

Strengthening the country’s resilience to cyberattacks was one of President Joe Biden’s top priorities, she added.

“The private sector also has a critical responsibility to protect against these threats. All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Neuberger wrote.

The letter came after a major meatpacker resumed U.S. operations on Wednesday following a ransomware attack that disrupted meat production in North America and Australia.

A Russia-linked hacking group known as REvil, or Sodinokibi, was behind the cyberattack against JBS SA, a source familiar with the matter told Reuters.

The cyberattack followed one last month by a group with ties to Russia on Colonial Pipeline, the largest fuel pipeline in the United States, which crippled fuel delivery for several days in the U.S. Southeast.

Biden believes Russian President Vladimir Putin has a role to play in preventing these attacks and planned to bring up the issue during their summit this month, White House press secretary Jen Psaki said on Wednesday.

Neuberger’s letter outlined immediate steps companies can take to protect themselves from ransomware attacks, which can have ripple effects far beyond the company and its customers.

Those include best practices such as multifactor authentication, endpoint detection and response, encryption and a skilled security team. Companies should back up data and regularly test systems, as well as update and patch systems promptly.

Neuberger advised that companies test incident response plans and use a third party to test the security team’s work.

She said it was critical that corporate business functions and production operations be run on separate networks.

(Reporting by Doina Chiacu; Editing by David Holmes and Steve Orlofsky)

White House cyber adviser says it will take months to investigate Russian hack

By Christopher Bing

(Reuters) – The White House’s top cybersecurity adviser said on Wednesday an investigation into a sprawling Russian hacking operation against the United States, known as the SolarWinds hack, will take several more months to complete.

White House Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger said that a total of nine federal agencies and 100 private-sector companies had been affected by the hack, which first came to light in December.

She also said that a number of the affected private-sector companies were technology companies, which were breached to facilitate access to other victims.

The FBI, the Department of Homeland Security and several other U.S. government agencies have been digging into affected computer networks ever since the hack’s discovery to find clues about the attackers. While multiple U.S. government officials have said the hackers came from Russia, they have offered little additional detail.

“We believe it took them months to plan and compromise,” said Neuberger. “It will take us some time to uncover this layer by layer.”

The Biden administration is currently working on a set of cybersecurity policies to prevent a similar style of attack, and Neuberger predicted some of these recommendations would become part of an upcoming “executive action.”

Government statements and public reporting have revealed that a diverse list of federal agencies were breached by the hackers, including the Justice, Treasury, Homeland Security and Commerce departments. In those cases, the hackers typically attempted to steal emails belonging to high-ranking officials, Reuters previously reported.

“When there is a compromise of this scope & scale, both across govt & across the U.S. technology sector to lead to follow on intrusions, it is more than a single incident of espionage,” said Neuberger. “It’s fundamentally of concern for the ability for this to become disruptive.”

The recent government cyberattack is commonly referred to as the SolarWinds hack because of how the cyber spies exploited software created and sold by Texas technology company SolarWinds, which makes a popular network management tool that is commonly deployed across both U.S. government and private sector computer networks.

While SolarWinds was the first known supply chain victim of this hacking campaign, cybersecurity experts and government officials have cautioned that other technology companies were similarly exploited as part of the same operation.

(Reporting by Christopher Bing; Editing by Chris Reese, Nick Macfie and Jonathan Oatis)

Hackers targeting groups involved in COVID-19 vaccine distribution, IBM warns

By Raphael Satter

WASHINGTON (Reuters) – IBM is sounding the alarm over hackers targeting companies critical to the distribution of COVID-19 vaccines, a sign that digital spies are turning their attention to the complex logistical work involved in inoculating the world’s population against the novel coronavirus.

The information technology company said in a blog post published on Thursday that it had uncovered “a global phishing campaign” focused on organizations associated with the COVID-19 vaccine “cold chain” – the process needed to keep vaccine doses at extremely cold temperatures as they travel from manufacturers to people’s arms.

The U.S. Cybersecurity and Infrastructure Security Agency reposted the report, warning members of Operation Warp Speed – the U.S. government’s national vaccine mission – to be on the lookout.

Understanding how to build a secure cold chain is fundamental to distributing vaccines developed by the likes of Pfizer Inc and BioNTech because the shots need to be stored at minus 70 degrees Celsius (-94 F) or below to avoid spoiling.

IBM’s cybersecurity unit said it had detected an advanced group of hackers working to gather information about different aspects of the cold chain, using meticulously crafted booby-trapped emails sent in the name of an executive with Haier Biomedical, a Chinese cold chain provider that specializes in vaccine transport and biological sample storage.

The hackers went through “an exceptional amount of effort,” said IBM analyst Claire Zaboeva, who helped draft the report. Hackers researched the correct make, model, and pricing of various Haier refrigeration units, Zaboeva said.

“Whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic,” she said.

Messages sent to the email addresses used by the hackers were not returned.

IBM said the bogus Haier emails were sent to around 10 different organizations but only identified one target by name: the European Commission’s Directorate-General for Taxation and Customs Union, which handles tax and customs issues across the EU and has helped set rules on the import of vaccines.

In a statement, the European Commission said it was aware that it had been targeted by a hacking campaign.

“We have taken the necessary steps to mitigate the attack and are closely following and analyzing the situation,” the statement said.

IBM said other targets included companies involved in the manufacture of solar panels, which are used to power vaccine refrigerators in warm countries, and petrochemical products that could be used to derive dry ice.

Who is behind the vaccine supply chain espionage campaign is not clear.

Reuters has previously documented how hackers linked to Iran, Vietnam, North Korea, South Korea, China, and Russia have on separate occasions been accused by cybersecurity experts or government officials of trying to steal information about the virus and its potential treatments.

IBM’s Zaboeva said there was no shortage of potential suspects. Figuring out how to swiftly distribute an economy-saving vaccine “should be topping the lists of nation states across the world,” she said.

(Reporting by Raphael Satter; editing by Grant McCool and Rosalba O’Brien)

Exclusive: Hackers test defenses of Trump campaign websites ahead of U.S. election, security staff warn

By Jack Stubbs

LONDON (Reuters) – Hackers have stepped up efforts to knock Trump campaign and business websites offline ahead of the U.S. election, in what a security firm working for the campaign said could be preparation for a larger digital assault, according to emails seen by Reuters.

The security assessment was prepared by staff at U.S. cybersecurity firm Cloudflare, which has been hired by President Donald Trump to help defend his campaign’s websites in an election contest overshadowed by warnings about hacking, disinformation and foreign interference.

Cloudflare is widely used by businesses and other organizations to help defend against distributed denial-of-service (DDoS) attacks, which aim to take down websites by flooding them with malicious traffic.

Internal Cloudflare emails sent to senior company managers – including CEO Matthew Prince – on July 9 state that the number and severity of attacks on Trump websites increased in the preceding two months and reached record levels in June. The emails did not give the total number of attacks.

“As we get closer to the election, attacks are increasing in both numbers (and) sophistication” and succeeded in disrupting access to the targeted websites for short periods of time between March 15 and June 6, the assessment said.

Cloudflare did not respond directly to questions about the emails or their contents. The company said it was providing security services to both U.S. presidential campaigns and declined to answer further questions about the nature or details of its work.

“We have seen an increase in cyber attacks targeting political candidates. We will continue to work to ensure these attacks do not disrupt free and fair elections,” it said in a statement when asked about the emails.

A spokesman for the Trump campaign did not respond to a request for comment. The Biden campaign declined to comment on its work with Cloudflare or any attacks on its websites.

A spokeswoman for the Trump Organization said no Trump websites had been taken offline by cyber attacks. She did not respond to further questions about the attacks or Trump’s work with Cloudflare.

Cloudflare’s security team did not comment on the identity of the hackers and Reuters was not able to determine who was responsible for the attacks.

DDoS attacks are viewed by cybersecurity experts as a relatively crude form of digital sabotage – easily deployed by anyone from tech-savvy teenagers to top-end cyber criminals.

But seven of the attacks on Trump websites, including donaldjtrump.com and a Trump-owned golf course, were judged to be more serious by the Cloudflare security team, the emails show.

The increasing number and sophistication of attempts suggested the attackers were “probing” the website defenses to establish what would be needed to take them fully offline, the security assessment said.

“We therefore cannot discount the possibility that there are attackers using this as an opportunity to collect information for more sophisticated attacks,” it added.

The Cloudflare team said they would continue to monitor the attacks and carry out “a further round of security hardening” to better protect the websites.

(Additional reporting by Joseph Menn in SAN FRANCISCO; Editing by Jonathan Weber and Edward Tobin)

North Korea hacking threatens U.S., other countries, international financial system: U.S. State Department

WASHINGTON (Reuters) – U.S. government officials warned on Wednesday about the threat of North Korean hackers, calling particular attention to banking and other finance.

The reason for the advisory – which was jointly issued by the U.S. Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation – was unclear. North Korean hackers have long been accused of targeting financial institutions, and the content of the warning appeared to draw on material already in the public domain.

Requests for comment sent to the U.S. agencies were not immediately returned. The North Korean mission to the United Nations in New York did not immediately respond to a request for comment.

North Korea is alleged to be behind an ambitious, years-long campaign of digital theft, including siphoning tens of millions of dollars in cash from ATMs, carrying out gigantic thefts at major banks, extorting computer users worldwide, and hijacking digital currency exchanges. The global money-grab has been a topic of increasing international concern.

Last year, for example, a U.N. report said that North Korea had generated an estimated $2 billion for its weapons of mass destruction programs using “widespread and increasingly sophisticated” hacking efforts.

In Wednesday’s advisory, U.S. officials said North Korea’s online activities “threaten the United States and countries around the world and, in particular, pose a significant threat to the integrity and stability of the international financial system.”

(Reporting by Lisa Lambert, Tim Ahmann, and Raphael Satter in Washington. Additional reporting by Michelle Nichols in New York. Editing by Steve Orlofsky)

Exclusive: Iran-linked hackers pose as journalists in email scam

By Raphael Satter and Christopher Bing

WASHINGTON (Reuters) – When Iranian-born German academic Erfan Kasraie received an email from The Wall Street Journal requesting an interview, he sensed something was amiss.

The Nov. 12 note purportedly came from Farnaz Fassihi, a veteran Iranian-American journalist who covers the Middle East. Yet it read more like a fan letter, asking Kasraie to share his “important achievements” to “motivate the youth of our beloved country.”

“This interview is a great honor for me,” the note gushed.

Another red flag: the follow-up email that instructed Kasraie to enter his Google password to see the interview questions.

The phony request was in reality an attempt to break into Kasraie’s email account. The incident is part of a wider effort to impersonate journalists in hacking attempts that three cybersecurity firms said they have tied to the Iranian government, which rejected the claim. The incidents come to light at a time when the U.S. government has warned of Iranian cyber threats in the wake of the U.S. air strike that killed Iran’s second most powerful official, Major-General Qassem Soleimani.

In a report https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten published Wednesday, London-based cybersecurity company Certfa tied the impersonation of Fassihi to a hacking group nicknamed Charming Kitten, which has long been associated with Iran. Israeli firm ClearSky Cyber Security provided Reuters with documentation of similar impersonations of two media figures at CNN and Deutsche Welle, a German public broadcaster. ClearSky also linked the hacking attempts to Charming Kitten, describing the individuals targeted as Israeli academics or researchers who study Iran. ClearSky declined to give the specific number of people targeted or to name them, citing client confidentiality.

Iran denies operating or supporting any hacking operation. Alireza Miryousefi, the spokesman for the Islamic Republic’s mission to the United Nations, said that firms claiming otherwise “are merely participants in the disinformation campaign against Iran.”

Reuters uncovered similar hacking attempts on two other targets, which the two cybersecurity firms, along with a third firm, Atlanta-based Secureworks, said also appeared to be the work of Charming Kitten. Azadeh Shafiee, an anchor for London-based satellite broadcaster Iran International, was impersonated by hackers in attempts to break into the accounts of a relative of hers in London and Prague-based Iranian filmmaker Hassan Sarbakhshian.

Sarbakhshian – who fled the Islamic Republic amid a crackdown that saw the arrest of several fellow photojournalists in 2009 – was also targeted with an email that claimed to be from Fassihi. The message asked him to sign a contract to sell some of his pictures to The Wall Street Journal. Sarbakhshian said in an interview that he was suspicious of the message and didn’t respond.

Neither did the ruse fool Kasraie, an academic who frequently appears on television criticizing Iran’s government.

“I understood 100 percent that it was a trap,” he said in an interview.

That’s not surprising given the hackers’ sloppy tactics. For instance, they missed the fact that Fassihi had left the Journal last year for a new job at The New York Times.

The Journal declined to comment. Fassihi referred questions to The Times, which in a statement called the impersonation “a vivid example of the challenges journalists are facing around the globe.”

U.S. officials and cybersecurity experts see Iran as a digital threat. Earlier this month, the U.S. Department of Homeland Security and the Federal Bureau of Investigation (FBI) issued alerts about the threat of Iranian cyberattacks following the controversial U.S. attack that killed Soleimani. Microsoft, which tracks attempts to undermine election security, in October accused Charming Kitten of targeting a U.S. presidential campaign; sources told Reuters https://reut.rs/38a9rEM at the time that the campaign was Donald Trump’s.

Homeland Security and FBI spokespeople declined to comment on the recent impersonations identified by Reuters. Certfa, ClearSky, and Secureworks said they could be tied to Charming Kitten through a study of the tactics, targets, and digital infrastructure involved – including servers, link shortening services, and domain registration patterns.

“This activity does align with prior Iranian cyber operations,” said Allison Wikoff, a Secureworks researcher who has tracked Charming Kitten for years.

In early 2019, the United States indicted Behzad Mesri – who ClearSky has linked to Charming Kitten through emails and social media activity – on charges of recruiting a former U.S. Air Force intelligence officer to spy on behalf of Iran. Mesri remains at large and could not be reached for comment.

Other impersonated journalists included CNN national security analyst Samantha Vinograd, whose identity was stolen in August and used in attempts to break into email accounts in Israel, ClearSky said. Another was Michael Hartlep, a Berlin-based videojournalist who has done freelance assignments for Deutsche Welle and Reuters. ClearSky found his name on an email inviting recipients to a bogus Deutsche Welle webinar on Iran’s role in the Middle East. The firm did not find evidence that the Reuters name was used in hacking attempts.

In another case, the hackers appear to have invented a journalist – “Keyarash Navidpour” – to send out a phony invitation on Jan. 4 to an online seminar that it claimed Deutsche Welle would hold about the killing of Soleimani the day before. No such journalist works for Deutsche Welle, said the news organization’s spokesman Christoph Jumpelt.

Vinograd referred questions to CNN, which did not return messages seeking comment. Hartlep told Reuters he worried such stunts might give sources second thoughts about answering a reporter’s queries.

“If this becomes the usual way of tricking people,” he said, “definitely it makes our work very hard.”

(Reporting by Raphael Satter and Christopher Bing in Washington; Additional reporting by Michelle Nichols in New York and Parisa Hafezi in London; Editing by Chris Sanders and Brian Thevenot)

U.S. charges two Russians in international hacking, malware conspiracy

By Jonathan Stempel and Raphael Satter

WASHINGTON (Reuters) – Two Russian residents have been criminally charged in the United States over an alleged multi-year, international scheme to steal money and property by using malware to hack into computers, according to an indictment made public on Thursday.

Maksim Yakubets was accused of being the leader of a group of conspirators involved with the Bugat malware and botnet, while his close associate Igor Turashev allegedly handled various functions for the conspiracy, the indictment said.

The indictment identifies Yakubets as one of the earliest users of a family of malicious software tools called Bugat — better known as Dridex — which has been bedeviling American banks and businesses for more than eight years.

Cybersecurity experts say the malware, which first appeared in late 2011, is responsible for millions of dollars in damages worldwide. Experts have long speculated that the malware is the brainchild of a Russian hacking group.

The conspiracy allegedly began around November 2011, and several entities – including a school, an oil firm and First Commonwealth Bank – were among the defendants’ victims, according to the indictment filed with the federal court in Pittsburgh. Two of the transactions were processed through Citibank in New York, the indictment says.

The indictment is dated Nov. 12 but was unsealed on Thursday.

U.S. and British authorities are expected later Thursday to detail charges against a Russian national over allegations of computer hacking and bank fraud schemes, according to a U.S. Department of Justice statement.

That announcement characterized the Russian national as being “allegedly responsible for two of the worst computer hacking and bank fraud schemes of the past decade.”

Malware is malicious software installed on a victim’s computer without authorization; in this case it was designed to gather sensitive information, such as passwords and bank account numbers, from private computers.

Spokespeople for First Commonwealth Bank and Citibank did not immediately respond to requests for comment.

(Reporting by Susan Heavy, Lisa Lambert and Jonathan Stempel; additional reporting by Raphael Satter; Editing by Steve Orlofsky and Nick Zieminski)

Facebook suspends Russian Instagram accounts targeting U.S. voters

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of Instagram logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration/File Photo

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – Facebook Inc. said on Monday it has suspended a network of Instagram accounts operated from Russia that targeted Americans with divisive political messages ahead of next year’s U.S. presidential election, with operators posing as people within the United States.

Facebook said it also had suspended three separate networks operated from Iran. The Russian network “showed some links” to Russia’s Internet Research Agency (IRA), Facebook said, an organization Washington has said was used by Moscow to meddle in the 2016 U.S. election.

“We see this operation targeting largely U.S. public debate and engaging in the sort of political issues that are challenging and sometimes divisive in the U.S. right now,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy.

“Whenever you do that, a piece of what you engage on are topics that are going to matter for the election. But I can’t say exactly what their goal was.”

Facebook also announced new steps to fight foreign interference and misinformation ahead of the November 2020 election, including labeling state-controlled media outlets and adding greater protections for elected officials and candidates who may be vulnerable targets for hacking.

U.S. security officials have warned that Russia, Iran and other countries could attempt to sway the result of next year’s presidential vote. Officials say they are on high alert for signs of foreign influence campaigns on social media.

Moscow and Tehran have repeatedly denied the allegations.

Gleicher said the IRA-linked network used 50 Instagram accounts and one Facebook account to gather 246,000 followers, about 60% of which were in the United States.

The earliest accounts dated to January this year and the operation appeared to be “fairly immature in its development,” he said.

“They were pretty focused on audience-building, which is the thing you do first as you’re sort of trying to set up an operation.”

Ben Nimmo, a researcher with social media analysis company Graphika who Facebook commissioned, said the flagged accounts shared material that could appeal to Republican and Democratic voters alike.

Most of the messages plagiarized material authored by leading conservative and progressive pundits. This included recycling comments initially shared on Twitter that criticized U.S. congresswoman Alexandria Ocasio-Cortez, Democratic presidential candidate Joe Biden and current President Donald Trump.

“What’s interesting in this set is so much of what they were doing is copying and pasting genuine material from actual Americans,” Nimmo told Reuters. “This may be indicative of an effort to hide linguistic deficiencies, which have made them easier to detect in the past.”

Attorneys for Concord Management and Consulting LLC have denied any wrongdoing. U.S. prosecutors say the firm is controlled by Russian catering tycoon Evgeny Prigozhin and helped orchestrate the IRA’s operations.

Gleicher said the separate Iranian network his team identified used more than 100 fake and hacked accounts on Facebook and Instagram to target U.S. users and some French-speaking parts of North Africa. Some accounts also repurposed Iranian state media stories to target users in Latin American countries including Venezuela, Brazil, Argentina, Bolivia, Peru, Ecuador and Mexico.

The activity was connected to an Iranian campaign first identified in August last year, which Reuters showed aimed to direct internet users to a sprawling web of pseudo-news websites which repackaged propaganda from Iranian state media.

The accounts “typically posted about local political news and geopolitics including topics like public figures in the U.S., politics in the U.S. and Israel, support of Palestine and conflict in Yemen,” Facebook said.

(Reporting by Jack Stubbs; Additional reporting by Elizabeth Culliford in San Francisco; Editing by Chris Reese, Tom Brown and David Gregorio)

U.S. imposes sanctions on North Korean hacking groups blamed for global attacks

FILE PHOTO: A North Korean flag flies on a mast at the Permanent Mission of North Korea in Geneva October 2, 2014. REUTERS/Denis Balibouse/File Picture

WASHINGTON (Reuters) – The U.S. Treasury on Friday announced sanctions on three North Korean hacking groups it said were involved in the “WannaCry” ransomware attacks and hacking of international banks and customer accounts.

It named the groups as Lazarus Group, Bluenoroff, and Andariel and said they were controlled by the RGB, North Korea’s primary intelligence bureau, which is already subject to U.S. and United Nations sanctions.

The action blocks any U.S.-related assets of the groups and prohibits dealings with them. The Treasury statement said any foreign financial institution that knowingly facilitated significant transactions or services for them could also be subject to sanctions.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyberattacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury undersecretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing U.S. and U.N. sanctions against North Korea and work with the international community to improve the cybersecurity of financial networks.”

The United States has been attempting to restart talks with North Korea, aimed at pressing the country to give up its nuclear weapons. The talks have been stalled over North Korean demands for concessions, including sanctions relief.

Earlier this month, North Korea denied U.N. allegations it had obtained $2 billion through cyberattacks on banks and cryptocurrency exchanges and accused the United States of spreading rumors.

The Treasury statement said Lazarus Group was involved in the WannaCry ransomware attack that the United States, Australia, Canada, New Zealand and the United Kingdom publicly attributed to North Korea in December 2017.

It said WannaCry affected at least 150 countries and shut down about 300,000 computers, including many in Britain’s National Health Service (NHS). The NHS attack led to the cancellation of more than 19,000 appointments and ultimately cost the service over $112 million, making WannaCry the biggest known ransomware attack in history.

The Treasury said Lazarus Group was also directly responsible for 2014 cyber-attacks on Sony Pictures Entertainment.

The statement cited industry and press reporting as saying that by 2018, Bluenoroff had attempted to steal over $1.1 billion from financial institutions and successfully carried out operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.

It said Bluenoroff worked with the Lazarus Group to steal approximately $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account.

Andariel, meanwhile, was observed by cybersecurity firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to later sell on the black market, the statement said.

Andariel was also responsible for developing and creating unique malware to hack into online poker and gambling sites and, according to industry and press reporting, targeted the South Korean government and military in an effort to gather intelligence, it said.

(Reporting by David Brunnstrom and Lisa Lambert; Editing by Raissa Kasolowsky and Rosalba O’Brien)

Chinese government hackers suspected of moonlighting for profit

FILE PHOTO: An attendee looks on during the 2016 Black Hat cyber-security conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker/File Photo

By Joseph Menn, Jack Stubbs and Christopher Bing

LAS VEGAS (Reuters) – One of the most effective teams of Chinese government-backed hackers is also conducting financially-motivated side operations, cybersecurity researchers said on Wednesday.

U.S. firm FireEye said members of the group it called Advanced Persistent Threat 41 (APT41) penetrated and spied on global tech, communications and healthcare providers for the Chinese government while using ransomware against game companies and attacking cryptocurrency providers for personal profit.

The findings, announced at the Black Hat security conference in Las Vegas, show how some of the world’s most advanced hackers increasingly pose a threat to consumers and companies not traditionally targeted by state-backed espionage campaigns.

“APT41 is unique among the China-Nexus actors we track in that it uses tools typically reserved for espionage campaigns in what appears to be activity for personal gain,” said FireEye Senior Vice President Sandra Joyce.

Officials in China did not immediately respond to a Reuters request for comment. Beijing has repeatedly denied Western accusations of conducting widespread cyber espionage.

FireEye said the APT41 group used some of the same tools as another group it has previously reported on, which FireEye calls APT17 and Russian security firm Kaspersky calls Winnti.

Current and former Western intelligence officials told Reuters Chinese hacking groups were known to pursue commercial crimes alongside their state-backed operations.

FireEye, which sells cybersecurity software and services, said one member of APT41 advertised as a hacker for hire in 2009 and listed hours of availability outside of the normal workday, circumstantial evidence of moonlighting.

The group has used spear-phishing, or trick emails designed to elicit login information. But it has also deployed rootkits, which are relatively rare and give hard-to-detect control over computers. In all, the group has used nearly 150 unique pieces of malware, FireEye said.

The most technically impressive feats included tainting millions of copies of a utility called CCleaner, now owned by security company Avast. Only a small number of specially selected, high-value computers were fully compromised, making detection of the hack more difficult.

Avast said that it had worked with security researchers and law enforcement to stop the attack and that no damage was detected. The company did not have any immediate further comment on Wednesday.

In March, Kaspersky found the group hijacked Asus’ software update process to reach more than 1 million computers, again targeting a much smaller number of end-users. Asus said the next day it had issued a fix for the attack, which affected “a small number of devices.”

“We have evidence that at least one telecom company may have been the intended target during the Asus compromise, which is consistent with APT41’s espionage targeting over the past two years,” said FireEye spokesman Dan Wire.

But FireEye and Slovakia-based cybersecurity company ESET said the gaming compromises aligned with financial motives more than national espionage. Among other things, the group won access to a game’s production environment and generated tens of millions of dollars’ worth of virtual currency, FireEye said.

(Reporting by Joseph Menn, Jack Stubbs and Chris Bing; Editing by Greg Mitchell and Nick Zieminski)