Hackers targeting groups involved in COVID-19 vaccine distribution, IBM warns

By Raphael Satter

WASHINGTON (Reuters) – IBM is sounding the alarm over hackers targeting companies critical to the distribution of COVID-19 vaccines, a sign that digital spies are turning their attention to the complex logistical work involved in inoculating the world’s population against the novel coronavirus.

The information technology company said in a blog post published on Thursday that it had uncovered “a global phishing campaign” focused on organizations associated with the COVID-19 vaccine “cold chain” – the process needed to keep vaccine doses at extremely cold temperatures as they travel from manufacturers to people’s arms.

The U.S. Cybersecurity and Infrastructure Security Agency reposted the report, warning members of Operation Warp Speed – the U.S. government’s national vaccine mission – to be on the lookout.

Understanding how to build a secure cold chain is fundamental to distributing vaccines developed by the likes of Pfizer Inc and BioNTech because the shots need to be stored at minus 70 degrees Celsius (-94 F) or below to avoid spoiling.

IBM’s cybersecurity unit said it had detected an advanced group of hackers working to gather information about different aspects of the cold chain, using meticulously crafted booby-trapped emails sent in the name of an executive with Haier Biomedical, a Chinese cold chain provider that specializes in vaccine transport and biological sample storage.

The hackers went through “an exceptional amount of effort,” said IBM analyst Claire Zaboeva, who helped draft the report. Hackers researched the correct make, model, and pricing of various Haier refrigeration units, Zaboeva said.

“Whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic,” she said.

Messages sent to the email addresses used by the hackers were not returned.

IBM said the bogus Haier emails were sent to around 10 different organizations but only identified one target by name: the European Commission’s Directorate-General for Taxation and Customs Union, which handles tax and customs issues across the EU and has helped set rules on the import of vaccines.

In a statement, the European Commission said it was aware that it had been targeted by a hacking campaign.

“We have taken the necessary steps to mitigate the attack and are closely following and analyzing the situation,” the statement said.

IBM said other targets included companies involved in the manufacture of solar panels, which are used to power vaccine refrigerators in warm countries, and petrochemical products that could be used to derive dry ice.

Who is behind the vaccine supply chain espionage campaign is not clear.

Reuters has previously documented how hackers linked to Iran, Vietnam, North Korea, South Korea, China, and Russia have on separate occasions been accused by cybersecurity experts or government officials of trying to steal information about the virus and its potential treatments.

IBM’s Zaboeva said there was no shortage of potential suspects. Figuring out how to swiftly distribute an economy-saving vaccine “should be topping the lists of nation states across the world,” she said.

(Reporting by Raphael Satter; editing by Grant McCool and Rosalba O’Brien)

North Korean, Russian hackers target COVID-19 researchers: Microsoft

By Raphael Satter

WASHINGTON (Reuters) – Hackers working for the Russian and North Korean governments have targeted more than half a dozen organizations involved in COVID-19 treatment and vaccine research around the globe, Microsoft said on Friday.

The software company said a Russian hacking group commonly nicknamed “Fancy Bear” – along with a pair of North Korean actors dubbed “Zinc” and “Cerium” by Microsoft – were implicated in recent attempts to break into the networks of seven pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States.

Microsoft said the majority of the targets were organizations that were in the process of testing COVID-19 vaccines. Most of the break-in attempts failed but an unspecified number succeeded, it added.

Few other details were provided by Microsoft. It declined to name the targeted organizations, say which ones had been hit by which actor, or provide a precise timeline or description of the attempted intrusions.

The Russian embassy in Washington – which has repeatedly disputed allegations of Russian involvement in digital espionage – said in an email that there was “nothing that we can add” to their previous denials.

North Korea’s representative to the United Nations did not immediately respond to messages seeking comment. Pyongyang has previously denied carrying out hacking abroad.

The allegations of cyber espionage come as world powers are jockeying behind the scenes in the race to produce a vaccine for the virus.

They also highlight how Microsoft is pressing its case for a new set of global rules barring digital intrusions aimed at healthcare providers.

Microsoft executive Tom Burt said in a statement his company was timing its announcement with Microsoft President Brad Smith’s appearance at the virtual Paris Peace Forum, where he would call on world leaders “to affirm that international law protects health care facilities and to take action to enforce the law.”

(Reporting by Raphael Satter; Additional reporting by Christopher Bing in Washington, Jack Stubbs in London, and Michelle Nichols in New York; Editing by Tom Brown and Grant McCool)

Exclusive: Hackers test defenses of Trump campaign websites ahead of U.S. election, security staff warn

By Jack Stubbs

LONDON (Reuters) – Hackers have stepped up efforts to knock Trump campaign and business websites offline ahead of the U.S. election, in what a security firm working for the campaign said could be preparation for a larger digital assault, according to emails seen by Reuters.

The security assessment was prepared by staff at U.S. cybersecurity firm Cloudflare, which has been hired by President Donald Trump to help defend his campaign’s websites in an election contest overshadowed by warnings about hacking, disinformation and foreign interference.

Cloudflare is widely used by businesses and other organizations to help defend against distributed denial-of-service (DDoS) attacks, which aim to take down websites by flooding them with malicious traffic.

Internal Cloudflare emails sent to senior company managers – including CEO Matthew Prince – on July 9 state that the number and severity of attacks on Trump websites increased in the preceding two months and reached record levels in June. The emails did not give the total number of attacks.

“As we get closer to the election, attacks are increasing in both numbers (and) sophistication” and succeeded in disrupting access to the targeted websites for short periods of time between March 15 and June 6, the assessment said.

Cloudflare did not respond directly to questions about the emails or their contents. The company said it was providing security services to both U.S. presidential campaigns and declined to answer further questions about the nature or details of its work.

“We have seen an increase in cyber attacks targeting political candidates. We will continue to work to ensure these attacks do not disrupt free and fair elections,” it said in a statement when asked about the emails.

A spokesman for the Trump campaign did not respond to a request for comment. The Biden campaign declined to comment on its work with Cloudflare or any attacks on its websites.

A spokeswoman for the Trump Organization said no Trump websites had been taken offline by cyber attacks. She did not respond to further questions about the attacks or Trump’s work with Cloudflare.

Cloudflare’s security team did not comment on the identity of the hackers and Reuters was not able to determine who was responsible for the attacks.

DDoS attacks are viewed by cybersecurity experts as a relatively crude form of digital sabotage – easily deployed by anyone from tech-savvy teenagers to top-end cyber criminals.

But seven of the attacks on Trump websites, including donaldjtrump.com and a Trump-owned golf course, were judged to be more serious by the Cloudflare security team, the emails show.

The increasing number and sophistication of attempts suggested the attackers were “probing” the website defenses to establish what would be needed to take them fully offline, the security assessment said.

“We therefore cannot discount the possibility that there are attackers using this as an opportunity to collect information for more sophisticated attacks,” it added.

The Cloudflare team said they would continue to monitor the attacks and carry out “a further round of security hardening” to better protect the websites.

(Additional reporting by Joseph Menn in SAN FRANCISCO; Editing by Jonathan Weber and Edward Tobin)

Hackers and hucksters reinvigorate ‘Anonymous’ brand amid protests

By Joseph Menn

SAN FRANCISCO (Reuters) – The amorphous internet activist movement known as Anonymous staged an online resurgence in the past week on the back of real-world protests against police brutality.

Born from internet chat boards more than a dozen years ago, the collective was once known for organizing low-skill but effective denial-of-service attacks that temporarily shut down access to payment processors that had stopped handling donations to the anti-secrecy site WikiLeaks.

But accounts using variations of the Anonymous name recently claimed credit for temporarily knocking a Minneapolis police website offline and, inaccurately, for hacking police passwords.

At the same time, millions of Twitter accounts began following longstanding Anonymous posters and retweeting them, helping boost Anonymous into Twitter’s Trending column and greater attention. Many of the boosted tweets opposed police actions, defended Black Lives Matter or faulted President Donald Trump.

It is unclear who or what is driving the resurgence, and exactly why. McGill University anthropology professor Gabriella Coleman, who wrote a book on Anonymous, said she was told by insiders that some key figures from a decade ago are involved and they are being assisted by mechanical amplification.

“The ability to create so many new accounts is classic Anonymous social-technological hacking,” Coleman said. “It’s low-hanging fruit.”

Even one of the heavily boosted old accounts, YourAnonNews, tweeted that it had no idea what was going on. It experimented by tweeting nonsense and asking not to be retweeted, only to see those tweets repeated hundreds of thousands of times.

A Twitter spokeswoman said the company had seen no evidence of “substantial coordinated activity” among longstanding Anonymous accounts but deleted one spammy new one brought to its attention by a researcher Tuesday.

“We have seen a few accounts change their profile names, photos, etc. in an attempt to visibly associate with the group and gain followers,” said Twitter spokeswoman Liz Kelley.

Anyone can call themselves a member of Anonymous and adopt its Guy Fawkes mask, other imagery and slogans, such as “we are legion.” It has no acknowledged leaders, making it more of a brand than an ordinary assemblage.

One account with 120,000 followers, AnonNewz, had deleted all prior tweets before June 1, when it started promoting protests. But it had neglected to delete its old “likes,” which were about Korean pop music, and it had interacted in the past with other K-pop fans touting giveaways.

After researcher Marcus Hutchins of cybersecurity company Kryptos Logic tweeted about the account, Twitter suspended it.

Twitter told Reuters it removed AnonNewz for “spam and coordination with other spammy accounts.”

(Reporting by Joseph Menn; Editing by Greg Mitchell and Leslie Adler)

U.S. accuses China-linked hackers of stealing coronavirus research

By Raphael Satter

(Reuters) – China-linked hackers are breaking into American organizations carrying out research into COVID-19, U.S. officials said on Wednesday, warning both scientists and public health officials to be on the lookout for cyber theft.

In a joint statement, the Federal Bureau of Investigation and the Department of Homeland Security said the FBI was investigating digital break-ins at U.S. organizations by China-linked “cyber actors” that it had monitored “attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

The statement offered no further details on the identities of the targets or the hackers.

The Chinese Embassy in Washington did not immediately respond to a request for comment. China routinely denies longstanding American allegations of cyberespionage.

Coronavirus-related research and data have emerged as a key intelligence priority for hackers of all stripes. Last week Reuters reported that Iran-linked cyberspies had targeted staff at U.S. drugmaker Gilead Sciences Inc., whose antiviral drug remdesivir is the only treatment so far proven to help COVID-19 patients.

In March and April, Reuters reported on advanced hackers’ attempts to break into the World Health Organization as the pandemic spread across the globe.

(Reporting by Raphael Satter; Editing by Howard Goller)

State-backed hackers targeting coronavirus responders, U.S. and UK warn

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – Government-backed hackers are attacking healthcare and research institutions in an effort to steal valuable information about efforts to contain the new coronavirus outbreak, Britain and the United States said on Tuesday in a joint warning.

In a statement, Britain’s National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the hackers had targeted pharmaceutical companies, research organisations and local governments.

The NCSC and CISA did not say which countries were responsible for the attacks. But one U.S. official and one UK official said the warning was in response to intrusion attempts by suspected Chinese and Iranian hackers, as well as some Russian-linked activity.

The two officials spoke on condition of anonymity to discuss non-public details of the alert. Tehran, Beijing and Moscow have all repeatedly denied conducting offensive cyber operations and say they are the victims of such attacks themselves.

State hacking groups “frequently target organisations in order to collect bulk personal information, intellectual property and intelligence that aligns with national priorities,” the NCSC and CISA said.

“For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research.”

The warning follows efforts by a host of state-backed hackers to compromise governments, businesses and health agencies in search of information about the new disease and attempts to combat it.

Reuters has reported in recent weeks that Vietnam-linked hackers targeted the Chinese government over its handling of the coronavirus outbreak and that multiple groups, some with ties to Iran, tried to break into the World Health Organization.

The officials said the alert was not triggered by any specific incident or compromise, but rather intended as a warning – both to the attackers and the targeted organizations that need to better defend themselves.

“These are organizations that wouldn’t normally see themselves as nation-state targets, and they need to understand that now they are,” said one of the officials.

The agencies said hackers had been seen trying to identify and exploit security weaknesses caused by staff working from home as a result of the coronavirus outbreak.

In other incidents, the attackers repeatedly tried to compromise accounts with a series of common and frequently-used passwords – a technique known as “password spraying”.
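Password spraying is the inverse of brute force: a few common passwords are tried against many accounts, so the failure count per account stays below lockout thresholds while the attacker still covers the whole directory. The detection below is an added example, not part of the NCSC/CISA alert or this article. It looks for a single source address that fails against many distinct accounts inside a time window with only one or two failures per account, and then reports any account that later logged in successfully from the same source. The log format, account names and IP addresses are constructed for the demonstration.

```python
"""Detect password spraying in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format:
#   <ISO timestamp> <OK|FAIL> user=<account> src=<ip>
# 203.0.113.7 sprays one attempt per account; 198.51.100.4 brute-forces a
# single account; 192.0.2.9 is a user mistyping once and then logging in.
SAMPLE_LOG = """\
2020-05-05T09:00:01 FAIL user=alice src=203.0.113.7
2020-05-05T09:00:03 FAIL user=bob src=203.0.113.7
2020-05-05T09:00:05 FAIL user=carol src=203.0.113.7
2020-05-05T09:00:07 FAIL user=dave src=203.0.113.7
2020-05-05T09:00:09 FAIL user=erin src=203.0.113.7
2020-05-05T09:00:11 FAIL user=frank src=203.0.113.7
2020-05-05T09:00:13 OK user=grace src=203.0.113.7
2020-05-05T09:10:00 FAIL user=alice src=198.51.100.4
2020-05-05T09:10:01 FAIL user=alice src=198.51.100.4
2020-05-05T09:10:02 FAIL user=alice src=198.51.100.4
2020-05-05T09:10:03 FAIL user=alice src=198.51.100.4
2020-05-05T09:10:04 FAIL user=alice src=198.51.100.4
2020-05-05T09:10:05 FAIL user=alice src=198.51.100.4
2020-05-05T09:10:06 FAIL user=alice src=198.51.100.4
2020-05-05T09:12:00 FAIL user=bob src=192.0.2.9
2020-05-05T09:12:30 OK user=bob src=192.0.2.9
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def detect_spraying(events, window=timedelta(minutes=15),
                    min_accounts=5, max_per_account=2):
    """Flag sources whose failures in any window span many accounts but
    stay at or below max_per_account each (the lockout-avoiding pattern).
    A source failing many times against one account is brute force and is
    deliberately not flagged here."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if not e["ok"]]
        sprayed, first_seen, start = set(), None, 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            counts = defaultdict(int)
            for e in fails[start:end + 1]:
                counts[e["user"]] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                sprayed.update(counts)
                if first_seen is None:
                    first_seen = fails[start]["time"]
        if sprayed:
            # Any success from the same source after the spray began is a
            # candidate compromised account that needs a password reset.
            successes = sorted({e["user"] for e in evs
                                if e["ok"] and e["time"] >= first_seen})
            findings[src] = {"accounts": sorted(sprayed),
                             "possible_compromise": successes}
    return findings


if __name__ == "__main__":
    for src, info in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"successes after spray: {info['possible_compromise']}")
```

On the constructed log only 203.0.113.7 is reported, with grace listed as a possible compromise; the single-account brute force from 198.51.100.4 is left for a different rule, and the thresholds are the first thing to tune against a real directory's lockout policy.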

“It’s no surprise that bad actors are doing bad things right now, in particular targeting organizations supporting COVID-19 response efforts,” a CISA spokesman said.

“We’re seeing them use a variety of tried and true techniques to gain access to accounts and compromise credentials.”

(Writing by Jack Stubbs; Editing by Alex Richardson and Peter Graff)

Hacking against corporations surges as workers take computers home

By Joseph Menn

SAN FRANCISCO (Reuters) – Hacking activity against corporations in the United States and other countries more than doubled by some measures last month as digital thieves took advantage of security weakened by pandemic work-from-home policies, researchers said.

Corporate security teams have a harder time protecting data when it is dispersed on home computers with widely varying setups and on company machines connecting remotely, experts said.

Even those remote workers using virtual private networks (VPNs), which establish secure tunnels for digital traffic, are adding to the problem, officials and researchers said.

Software and security company VMware Carbon Black said this week that ransomware attacks it monitored jumped 148% in March from the previous month, as governments worldwide curbed movement to slow the novel coronavirus, which has killed more than 130,000.

“There is a digitally historic event occurring in the background of this pandemic, and that is there is a cybercrime pandemic that is occurring,” said VMware cybersecurity strategist Tom Kellerman.

“It’s just easier, frankly, to hack a remote user than it is someone sitting inside their corporate environment. VPNs are not bullet-proof, they’re not the be-all, end-all.”

Using data from U.S.-based Team Cymru, which has sensors with access to millions of networks, researchers at Finland’s Arctic Security found that the number of networks experiencing malicious activity was more than double in March in the United States and many European countries compared with January, soon after the virus was first reported in China.

The biggest jump in volume came as computers responded to scans when they should not have. Such scans often look for vulnerable software that would enable deeper attacks.

The researchers plan to release their country-by-country findings next week.

Rules for safe communication, such as barring connections to disreputable web addresses, tend to be enforced less when users take computers home, said analyst Lari Huttunen at Arctic.

That means previously safe networks can become exposed. In many cases, corporate firewalls and security policies had contained machines that were already infected with viruses or targeted malware by blocking their outbound connections, he said. Outside of the office, that protection can fall off sharply, allowing the infected machines to communicate again with the original hackers.

That has been exacerbated because the sharp increase in VPN volume led some stressed technology departments to permit less rigorous security policies.

“Everybody is trying to keep these connections up, and security controls or filtering are not keeping up at these levels,” Huttunen said.

The U.S. Department of Homeland Security’s (DHS) cybersecurity agency agreed this week that VPNs bring with them a host of new problems.

“As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors,” wrote DHS’ Cybersecurity and Infrastructure Security Agency.

The agency said it is harder to keep VPNs updated with security fixes because they are used at all hours, instead of on a schedule that allows for routine installations during daily boot-ups or shutdowns.

Even vigilant home users may have problems with VPNs. The DHS agency on Thursday said some hackers who broke into VPNs provided by San Jose-based Pulse Secure before patches were available a year ago had used other programs to maintain that access.

Other security experts said financially motivated hackers were using pandemic fears as bait and retooling existing malicious programs such as ransomware, which encrypts a target’s data and demands payment for its release.

(Reporting by Joseph Menn in San Francisco and Raphael Satter in Washington; Editing by Peter Henderson and Christopher Cushing)

Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike

By Raphael Satter, Jack Stubbs and Christopher Bing

WASHINGTON/LONDON (Reuters) – Elite hackers tried to break into the World Health Organization earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks.

WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear, but the effort was unsuccessful. He warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.

The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.

Urbelis said he picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO’s internal email system.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he said.

Urbelis said he didn’t know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.

Messages sent to email addresses maintained by the hackers went unreturned.

When asked by Reuters about the incident, the WHO’s Aggio confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio said in a telephone interview. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

The WHO published an alert last month warning that hackers are posing as the agency to steal money and sensitive information from the public.

The motives in the case identified by Reuters aren’t clear. United Nations agencies, the WHO among them, are regularly targeted by digital espionage campaigns and Aggio declined to say who precisely at the organization the hackers had in their sights.

Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel’s operations to East Asia – an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.

Costin Raiu, head of global research and analysis at Kaspersky, could not confirm that DarkHotel was responsible for the WHO attack but said the same malicious web infrastructure had also been used to target other healthcare and humanitarian organizations in recent weeks.

“At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country,” he said.

Officials and cybersecurity experts have warned that hackers of all stripes are seeking to capitalize on international concern over the spread of the coronavirus.

Urbelis said he has tracked thousands of coronavirus-themed web sites being set up daily, many of them obviously malicious.

“It’s still around 2,000 a day,” he said. “I have never seen anything like this.”
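The domain-watching described above, where a lookalike of the WHO's mail system was spotted among thousands of coronavirus-themed registrations, rests on two simple checks: does a new name carry a protected brand (exactly or through a look-alike spelling), and does it carry a pandemic lure word. The block below is an added example of that triage, not Urbelis's or Kaspersky's tooling. The feed of "newly registered" domains is constructed; who.int is the WHO's real domain, while listing haier.com as the protected domain for the Haier brand is an assumption for illustration. The same brand-token check can be run over the sender domains of suspected phishing mail, such as the Haier-themed cold-chain lures described earlier on this page.

```python
"""Flag look-alike and coronavirus-themed domain registrations (added example)."""
import re
import unicodedata

# Brands to protect, keyed by their legitimate domain. who.int is the WHO's
# real domain; haier.com is an assumed value used only for this illustration.
PROTECTED = {"who.int": "who", "haier.com": "haier"}

# Lure words for the current theme; "corona" also covers "coronavirus".
THEME_KEYWORDS = ("covid", "corona", "vaccine", "ncov")

# ASCII confusables attackers substitute into brand names. Unicode confusables
# (e.g. Cyrillic letters in IDNs) would need a full confusables table.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("vv", "w"), ("rn", "m"))

# Constructed feed of "newly registered" domains for the demonstration.
SAMPLE_FEED = [
    "wh0.com",
    "who-covid19-updates.com",
    "haier-biomedical-quotes.com",
    "covid19-cure-now.com",
    "2019-ncov-tracker.info",
    "whole-foods-recipes.net",
    "example.com",
]


def normalize(label):
    """Lower-case, strip accents and fold ASCII look-alikes so names compare by shape."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c)).lower()
    for glyph, letter in HOMOGLYPHS:
        label = label.replace(glyph, letter)
    return label


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return the reasons a domain looks suspicious, or an empty list."""
    # Drop the TLD; naive on purpose (co.uk-style suffixes need a suffix list).
    labels = domain.lower().rstrip(".").split(".")[:-1]
    tokens = [normalize(t) for lbl in labels for t in re.split(r"-+", lbl) if t]
    reasons = []
    for brand in PROTECTED.values():
        for tok in tokens:
            # Short brands such as "who" match only exactly after folding, to keep
            # ordinary words like "whole" out; longer brands allow a one-edit typo.
            if tok == brand or (len(brand) >= 5 and edit_distance(tok, brand) <= 1):
                reasons.append(f"brand:{brand}")
                break
    joined = normalize("-".join(labels))
    for kw in THEME_KEYWORDS:
        if kw in joined:
            reasons.append(f"theme:{kw}")
    return reasons


def scan_feed(feed):
    """Map each suspicious domain in the feed to its reasons."""
    findings = {}
    for domain in feed:
        reasons = classify(domain)
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in scan_feed(SAMPLE_FEED).items():
        print(f"{domain:32} {', '.join(reasons)}")
```

Brand hits are the ones worth a same-day look, since they are the candidates for credential-harvesting pages like the one aimed at WHO staff; theme-only hits are the bulk of the daily volume and are better fed into a blocklist than a queue. The TLD handling and the ASCII-only confusable table are the two simplifications to replace before running this against a live zone feed.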

(Additional reporting by Hyonhee Shin in Seoul; Editing by Chris Sanders and Edward Tobin)

U.S. charges two Russians in international hacking, malware conspiracy

By Jonathan Stempel and Raphael Satter

WASHINGTON (Reuters) – Two Russian residents have been criminally charged in the United States over an alleged multi-year, international scheme to steal money and property by using malware to hack into computers, according to an indictment made public on Thursday.

Maksim Yakubets was accused of being the leader of a group of conspirators involved with Bugat malware and botnet, while his close associate Igor Turashev allegedly handled various functions for the conspiracy, the indictment said.

The indictment identifies Yakubets as one of the earliest users of a family of malicious software tools called Bugat — better known as Dridex — which has been bedeviling American banks and businesses for more than eight years.

Cybersecurity experts say the malware, which first appeared in late 2011, is responsible for millions of dollars in damages worldwide. Experts have long speculated that the malware is the brainchild of a Russian hacking group.

The conspiracy allegedly began around November 2011, and several entities – including a school, an oil firm and First Commonwealth Bank – were among the defendants’ victims, according to the indictment filed with the federal court in Pittsburgh. Two of the transactions were processed through Citibank in New York, the indictment says.

The indictment is dated Nov. 12 but was unsealed on Thursday.

U.S. and British authorities are expected later Thursday to detail charges against a Russian national over allegations of computer hacking and bank fraud schemes, according to a U.S. Department of Justice statement.

That announcement characterized the Russian national as being “allegedly responsible for two of the worst computer hacking and bank fraud schemes of the past decade.”

Malware is malicious software installed on a victim’s computer without authorization. Banking trojans such as Dridex are built to harvest sensitive information, such as passwords and bank account numbers, from infected machines so that it can be used for fraudulent transactions.

Spokespeople for First Commonwealth Bank and Citibank did not immediately respond to requests for comment.

(Reporting by Susan Heavy, Lisa Lambert and Jonathan Stempel; additional reporting by Raphael Satter; Editing by Steve Orlofsky and Nick Zieminski)

Explainer: What do you do after a data breach?

(Reuters) – A hacker has stolen the personal information of over 100 million people from Capital One Financial Corp, the company said this week, in the latest high-profile breach of sensitive consumer data.

Security experts say data breaches will continue to happen as cyber criminals and state-backed hackers target the protected information held by companies and government agencies.

Such attacks leave consumers vulnerable to fraud and identity theft. Here are some steps you can take to assess the severity of the breach and better secure yourself:

WHAT WAS COMPROMISED?

Breaches often cover a wide range of data. Information which is already publicly available, such as your name or email address, is seen as less of a concern.

Other details, however, can be extremely sensitive and need to remain private. For example, full credit card numbers, which could be used to make fraudulent purchases in your name, or passwords for your online accounts.

Even if stolen, the data may still be protected by encryption, provided the attackers did not also obtain the keys needed to decrypt it. Hacks by foreign governments are also usually seen as less dangerous for general consumers compared to data thefts by financially-motivated criminal gangs because most spy agencies do not sell or trade such information.

Much of the information stolen from Capital One was already public, including names and addresses of over 100 million people in the United States and Canada. But the breach also included 140,000 Social Security numbers which could be used to steal people’s identities.

To assess the severity of the breach, try to determine what information was compromised and in what format it was stolen.

AM I AFFECTED?

Try to establish if your data is likely to have been compromised in the breach. Are you a customer of the affected company? Do you know what data they hold on you? Does the breach only concern data collected in a specific time period?

Answering those questions will allow you to judge the level of risk, but remember some organizations may hold your data without you being aware. Those include credit-reporting companies such as Equifax Inc, which suffered a breach in 2017 that affected 147 million people.

Breached companies are usually obliged to notify the people who are impacted, but this does not always happen immediately. Affected companies will typically post guidance for consumers on their own websites about data breaches.

Under the European Union’s General Data Protection Regulation (GDPR), companies have to inform victims of severe data breaches “without undue delay.” They must then describe in “clear and plain language” the nature of the breach, the likely consequences and what measures are being taken to deal with it.

IS THIS A SCAM?

If you think your data was compromised, be on high alert for scams and fraud.

Watch your bank account balances and payment card statements carefully, especially if you believe your financial information has been compromised. If you spot any unusual activity, contact your bank or card provider immediately and inform the appropriate law enforcement agency.

Be aware of so-called “phishing” websites purporting to offer information about the breach, or even compensation, but actually set up by criminals to try to trick you into revealing more personal details or making a payment to the wrong account.

Fraudsters may also contact you directly, by phone or email, and could now be armed with large amounts of detailed personal information which will make them harder to spot. If you’re unsure about someone’s identity, find the affected company’s contact information and contact them independently.

Experts recommend changing any password that may have been exposed in the breach, including anywhere the same password was reused, using a long, unique passphrase for each account, ideally stored in a password manager, and turning on two-factor authentication wherever it is offered. A stolen password is far less useful to a fraudster when it opens only one account and a second factor is still required.

(Reporting by Jack Stubbs and Christopher Bing; Editing by Jonathan Weber and Susan Thomas)