Tag Archives: Hacker

Exclusive: Malware broker behind U.S. hacks is now teaching computer skills in China

By Steve Stecklow and Alexandra Harney

SHANGHAI (Reuters) – A Chinese malware broker who was sentenced in the United States this year for dealing in malicious software linked to major hacks is back at his old workplace: teaching high-school computer courses, including one on internet security.

Yu Pingan, who spent 18 months in a San Diego federal detention center, had pleaded guilty to conspiracy to commit computer hacking. A high school instructor, he had been arrested at Los Angeles International Airport in August 2017 upon arriving with a group of teachers to observe a U.S. university. A Reuters reporter found him teaching at his old school here last month.

Yu was sentenced by a federal judge in February to time served and allowed to return to China. The victims of the hacking conspiracy included microchip supplier Qualcomm Inc, aerospace and defense firm Pacific Scientific Energetic Materials Co, and gaming company Riot Games, according to the judgment. Exactly what was stolen in the computer breaches wasn’t disclosed in public court filings.

Qualcomm declined to comment. A Riot Games spokesman said the company lost no data. Pacific Scientific didn’t respond to requests for comment.

Yu specializes in computer network security and programming, according to court records. The malware he provided in the conspiracy included a rare software tool called Sakula that granted hackers remote control over computers. It’s unclear who authored the malware or how Yu obtained it.

Sakula has been linked to some of the most notorious cyber attacks of the decade. In addition to the intrusions detailed in the case against Yu, these include hacks of U.S. health insurer Anthem Inc, where millions of patient records were exposed, and the U.S. Office of Personnel Management, in which the personal information of millions of current and former U.S. government employees and contractors was compromised. Yu wasn’t accused of involvement in those two breaches.

His prosecution was one of a series of criminal cases against Chinese nationals Washington has brought in recent years, in response to what the Americans say is a concerted campaign by China’s military and security ministry to steal technology from Western companies.

In another case involving Sakula malware, the U.S. last year alleged that two Chinese intelligence officers and a team of recruited hackers repeatedly intruded into Western companies’ computer systems for more than five years.

Many of the Chinese defendants in the series of hacking cases haven’t been apprehended. Yu is one of the few alleged Chinese hackers to have been arrested and convicted in the U.S. crackdown.

In addition to jail time, Yu was ordered to pay nearly $1.1 million in restitution to five companies that were victims of the hacking. The fine was to be paid in installments of $100 a month, with no interest, according to the judgment. The payment schedule would take more than 900 years to complete.

Jeremy Warren, a San Diego criminal defense attorney who represented Yu, said: “With a Chinese national, a school teacher, there’s no real expectation of payment.”

Yu’s 18 months in federal prison, he said, was no “walk in the park.”

China’s Ministry of Foreign Affairs said it had “no understanding” of the Yu case. “We resolutely oppose any type of cyber attack, and we investigate and crack down on any cyber attack occurring inside China or making use of Chinese internet infrastructure,” the ministry spokesperson’s office said.

The ministry added that it had no knowledge of other cases alleging Chinese hacking of U.S. companies, and it accused Washington of displaying a “cold war mentality” in its tech-related prosecutions.

Yu, according to court filings by U.S. prosecutors, went by the nickname “Goldsun.” He was accused of conspiring with other Chinese individuals to use malware to hack into the computer networks of companies in the U.S. and elsewhere.

An affidavit from Federal Bureau of Investigation Special Agent Adam James alleged that Yu provided Sakula and other malware used in the case. Citing seized communications between Yu and two unindicted co-conspirators, James alleged that Yu had installed “an unauthorized backdoor” on an unidentified company’s computer network to gain remote access.

The conspirators’ cyber intrusions included so-called “watering hole attacks,” in which malicious software infects the computers of visitors to compromised websites. “This is akin to a predator waiting to ambush prey at the location the prey goes to drink water,” a court document stated.

Last month, Reuters found Yu, who is 39, teaching at Shanghai Commercial School, a state-run vocational technical high school in central Shanghai. U.S. officials told Reuters that Yu had been teaching there prior to his arrest.

Digital signs outside classrooms indicated Yu was teaching at least two basic computer courses, including one called “Basic English for Internet Security.” One of his former students, a computer science major who is now in China’s military, said he couldn’t answer questions about Yu because of “political reasons” and that the school had instructed him not to discuss the matter.

On Nov. 1, a Reuters reporter saw Yu at an office on the school’s campus. Dressed in a red and blue plaid Oxford shirt, he declined to answer questions. Yu called a school official, who arrived with a security guard and escorted the reporter off the campus. The school official called Yu’s situation a private matter.

“It’s his own experience, and it has nothing to do with the school,” she said.

(Reported by Steve Stecklow in London and Alexandra Harney in Shanghai. Additional reporting by Emily Chow in Shanghai and the Beijing and Shanghai Newsrooms. Edited by Janet McBride.)

Capital One says information of over 100 million individuals in U.S., Canada hacked

FILE PHOTO: The logo and ticker for Capital One are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., May 21, 2018. REUTERS/Brendan McDermid

(Reuters) – Capital One Financial Corp said on Monday that personal information including names and addresses of about 100 million individuals in the United States and 6 million people in Canada were obtained by a hacker who has been arrested.

The suspect, a 33-year-old former Seattle technology company software engineer identified as Paige Thompson, made her initial appearance in U.S. District Court in Seattle on Monday, the U.S. Attorney’s office said.

According to a complaint filed in the District Court for the Western District of Washington at Seattle, Thompson posted information from her hack, which occurred between March 12 and July 17, on coding platform GitHub. Another user saw the post and notified Capital One of the breach.

Law enforcement officials were able to track Thompson down as the page she posted on contained her full name as part of its digital address, the complaint said. Capital One said it identified the hack on July 19.

A representative for the U.S. Attorney’s office said it was not immediately clear what the suspect’s motive was.

The incident is expected to cost between $100 million and $150 million in 2019, mainly because of customer notifications, credit monitoring and legal support, Capital One said.

The hacker did not gain access to credit card account numbers, but about 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised, Capital One said. Other personal information accessed included phone numbers and credit scores.

About 1 million social insurance numbers of the company’s Canadian credit card customers were also compromised.

The Capital One hacker was able to gain access to the data through a misconfigured web application firewall, the U.S. Attorney’s office said.

Credit-reporting company Equifax Inc said last week it would pay up to $700 million to settle claims it broke the law during a 2017 data breach when roughly 147 million people had information, including Social Security numbers and driver’s license data, compromised.

Capital One shares fell 4 percent in late extended trading.

(Reporting by Uday Sampath in Bengaluru; Editing by Sonya Hepinstall and Peter Cooney)

Kansas nuclear operator is victim in hacking spree: Bloomberg

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

By Jim Finkle

(Reuters) – Hackers recently breached a Kansas nuclear power operator as part of a campaign that breached at least a dozen U.S. power firms, Bloomberg News reported on Thursday, citing current and former U.S. officials who were not named.

The Wolf Creek nuclear facility in Kansas was breached in the attack, according to Bloomberg.

A representative with the Wolf Creek Nuclear Operating Corp declined to say if the plant was hacked, but said it continued to operate safely.

“There has been absolutely no operational impact to Wolf Creek. The reason that is true is because the operational computer systems are completely separate from the corporate network,” company spokeswoman Jenny Hageman said in an email to Reuters.

The report identified the first known victims of a hacking campaign targeting the power sector that was first reported by Reuters on June 30. The attacks were described in a confidential June 28 U.S government alert to industrial firms, warning them of a hacking campaign targeting the nuclear, power and critical infrastructure sectors.

The U.S. Department of Homeland Security and Federal Bureau of Investigation said that hackers had succeeded in compromising networks of some targets, but did not name victims. The government also released a 30-page bulletin with advice on how firms could bolster security to defend against the attacks.

The alert said that hackers have been observed using tainted emails to harvest credentials to gain access to networks of their targets.

“Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.

Homeland Security and the FBI issued a statement to Reuters late on Thursday saying that the alert was part of an ongoing effort to advise industry of cyber threats.

“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” the agencies said.

A nuclear industry spokesman told Reuters on Saturday that hackers have never gained access to a nuclear plant.

The Homeland Security technical bulletin included details of code used in a hacking tool that suggest the hackers sought to use the password of a Wolf Creek employee to access the network.

Hageman declined to say if hackers had gained access to that employee’s account. The employee could not be reached for comment.

(Reporting by Jim Finkle in Toronto; Additional reporting by Dustin Volz in Washington; Editing by Bernard Orr)

Spam campaign targets Google users with malicious link

A security guard keeps watch as he walks past a logo of Google in Shanghai, China, April 21, 2016. REUTERS/Aly Song/File Photo

By Jim Finkle and Alastair Sharp

(Reuters) – Alphabet Inc <GOOGL.O> warned its users to beware of emails from known contacts asking them to click on a link to Google Docs after a large number of people turned to social media to complain that their accounts had been hacked.

Google said on Wednesday that it had taken steps to protect users from the attacks by disabling offending accounts and removing malicious pages.

The attack used a relatively novel approach to phishing, a hacking technique designed to trick users into giving away sensitive information, by gaining access to user accounts without needing to obtain their passwords. They did that by getting an already logged-in user to grant access to a malicious application posing as Google Docs.

“This is the future of phishing,” said Aaron Higbee, chief technology officer at PhishMe Inc. “It gets attackers to their goal … without having to go through the pain of putting malware on a device.”

He said the hackers had also pointed some users to another site, since taken down, that sought to capture their passwords.

Google said its abuse team “is working to prevent this kind of spoofing from happening again.”

Anybody who granted access to the malicious app unknowingly also gave hackers access to their Google account data including emails, contacts and online documents, according to security experts who reviewed the scheme.

“This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party,” said Justin Cappos, a cyber security professor at NYU Tandon School of Engineering.

Cappos said he received seven of those malicious emails in three hours on Wednesday afternoon, an indication that the hackers were using an automated system to perpetuate the attacks.

He said he did not know the objective, but noted that compromised accounts could be used to reset passwords for online banking accounts or provide access to sensitive financial and personal data.

(Reporting by Alastair Sharp and Jim Finkle in Toronto; editing by Grant McCool)

British Born ISIS Hacker and Recruiter Killed in Drone Strike

A British citizen who intelligence officials say was a head of terrorist group ISIS’ cyberwarfare division has been killed in a U.S. drone strike.

Juaniad Hussain, also called Abu Hussain al-Britani, died in an airstrike in Raqqa, Syria.  U.S. officials say they have a “high level of confidence” that Hussain is dead.

Hussain has been confirmed as the target of the attack as he moved in a convoy.  The strike was part of a 48 hour campaign aimed at the terrorist’s power structure in their self-proclaimed capital.

“This is a great intelligence success,” one U.S. official told CNN.

Cybersecurity experts say that while Hussain was more of a nuisance than serious hacker, he was especially dangerous in recruiting hackers and others to join the terrorist group.

“He wasn’t a serious threat. He was most likely a nuisance hacker,” Adam Meyers, vice president of cybersecurity firm CrowdStrike, told the London Independent.   “It was his involvement in recruitment, communications and other ancillary support that would have made him a target.”

Hussain had spent six months in prison for hacking the personal address book of British Prime Minister Tony Blair in 2012.  He left for Syria soon after the sentence.

Hackers Take Control of Jeep Cherokee From Miles Away

Two hackers have shown an exploit in the Jeep Cherokee that would allow them to take control of the vehicle from miles away.

In one demonstration, they caused the vehicle to crash.

Two cybersecurity experts, Charlie Miller and Chris Valasek, worked with Wired magazine to expose a flaw in the computer software that allows remote takeover the vehicle by anyone with knowledge of computer hacking.

In one test, Wired magazine staffer Andy Greenberg was driving 70 miles an hour near downtown St. Louis when the air conditioning suddenly blasted at maximum,  the radio changed to a new radio station and blasted full volume and the windshield wipers turned on while blasting wiper fluid making it almost impossible to see the road.

The hackers then put a picture of themselves on the car’s digital display.

The hackers had previously performed similar experiments with a Ford Escape and Toyota Prius, although they were in the backseats of the car.

In these tests, they were more than 10 miles away in the basement of one of the two security experts.

A test conducted away from traffic for safety reasons showed the hackers could lock up brakes, disable driving and transmission and kill the engine.  In one test, the driver was helpless as the car crashed off the road into a ditch.

The hackers can also track the car’s GPS, measure speed and drop pins on a map to track the car’s movements.

Chrysler responded while they appreciate the efforts to show exploits that can be corrected, they were not pleased the information was released.

“Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the company’s statement reads. “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”