U.S. charges two Russians in international hacking, malware conspiracy

By Jonathan Stempel and Raphael Satter

WASHINGTON (Reuters) – Two Russian residents have been criminally charged in the United States over an alleged multi-year, international scheme to steal money and property by using malware to hack into computers, according to an indictment made public on Thursday.

Maksim Yakubets was accused of being the leader of a group of conspirators involved with Bugat malware and botnet, while his close associate Igor Turashev allegedly handled various functions for the conspiracy, the indictment said.

The indictment identifies Yakubets as one of the earliest users of a family of malicious software tools called Bugat — better known as Dridex — which has been bedeviling American banks and businesses for more than eight years.

Cybersecurity experts say the malware, which first appeared in late 2011, is responsible for millions of dollars in damages worldwide. Experts have long speculated that the malware is the brainchild of a Russian hacking group.

The conspiracy allegedly began around November 2011, and several entities – including a school, an oil firm and First Commonwealth Bank – were among the defendants’ victims, according to the indictment filed with the federal court in Pittsburgh. Two of the transactions were processed through Citibank in New York, the indictment says.

The indictment is dated Nov. 12 but was unsealed on Thursday.

U.S. and British authorities are expected later Thursday to detail charges against a Russian national over allegations of computer hacking and bank fraud schemes, according to a U.S. Department of Justice statement.

That announcement characterized the Russian national as being “allegedly responsible for two of the worst computer hacking and bank fraud schemes of the past decade.”

Malware is malicious software designed to gather sensitive information, such as passwords and bank account numbers, from private computers by installing viruses and other malicious programs.

Spokespeople for First Commonwealth Bank and Citibank did not immediately respond to requests for comment.

(Reporting by Susan Heavey, Lisa Lambert and Jonathan Stempel; additional reporting by Raphael Satter; Editing by Steve Orlofsky and Nick Zieminski)

Explainer: What do you do after a data breach?

FILE PHOTO: The logo and ticker for Capital One are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., May 21, 2018. REUTERS/Brendan McDermid/File Photo

(Reuters) – A hacker has stolen the personal information of over 100 million people from Capital One Financial Corp, the company said this week, in the latest high-profile breach of sensitive consumer data.

Security experts say data breaches will continue to happen as cyber criminals and state-backed hackers target the protected information held by companies and government agencies.

Such attacks leave consumers vulnerable to fraud and identity theft. Here are some steps you can take to assess the severity of the breach and better secure yourself:

WHAT WAS COMPROMISED?

Breaches often cover a wide range of data. Information which is already publicly available, such as your name or email address, is seen as less of a concern.

Other details, however, can be extremely sensitive and need to remain private. For example, full credit card numbers, which could be used to make fraudulent purchases in your name, or passwords for your online accounts.

Even if stolen, the data may still be protected by encryption. Hacks by foreign governments are also usually seen as less dangerous for general consumers compared to data thefts by financially-motivated criminal gangs because most spy agencies do not sell or trade such information.

Much of the information stolen from Capital One was already public, including names and addresses of over 100 million people in the United States and Canada. But the breach also included 140,000 Social Security numbers which could be used to steal people’s identities.

To assess the severity of the breach, try and determine what information was compromised and in what format it was stolen.

AM I AFFECTED?

Try to establish if your data is likely to have been compromised in the breach. Are you a customer of the affected company? Do you know what data they hold on you? Does the breach only concern data collected in a specific time period?

Answering those questions will allow you to judge the level of risk, but remember some organizations may hold your data without you being aware. Those include credit-reporting companies such as Equifax Inc <EFX.N>, which suffered a breach in 2017 that affected 147 million people.

Breached companies are usually obliged to notify the people who are impacted, but this does not always happen immediately. Affected companies will typically post guidance for consumers on their own websites about data breaches.

Under the European Union’s General Data Protection Regulation (GDPR), companies have to inform victims of severe data breaches “without undue delay.” They must then describe in “clear and plain language” the nature of the breach, the likely consequences and what measures are being taken to deal with it.

IS THIS A SCAM?

If you think your data was compromised, be on high alert for scams and fraud.

Watch your bank account balances and payment card statements carefully, especially if you believe your financial information has been compromised. If you spot any unusual activity, contact your bank or card provider immediately and inform the appropriate law enforcement agency.

Be aware of so-called “phishing” websites purporting to offer information about the breach, or even compensation, but actually set up by criminals to try and trick you into revealing more personal details or making a payment to the wrong account.

Fraudsters may also contact you directly, by phone or email, and could now be armed with large amounts of detailed personal information which will make them harder to spot. If you’re unsure about someone’s identity, find the affected company’s contact information and contact them independently.

Experts recommend changing passwords frequently and using a combination of letters, characters and symbols to maintain a complex passphrase that is less likely to be guessed.

(Reporting by Jack Stubbs and Christopher Bing; Editing by Jonathan Weber and Susan Thomas)

Hackers hit aluminum maker Hydro, knock some plants offline

A note warning visitors about a cyber attack is seen at the headquarters of aluminum producer Norsk Hydro in Oslo, Norway March 19, 2019. NTB Scanpix/Terje Pedersen via REUTERS

By Gwladys Fouche and Terje Solsvik

OSLO (Reuters) – Norsk Hydro, one of the world’s largest producers of aluminum, battled on Tuesday to contain a cyber attack which hit parts of its production, sending its shares lower and aluminum prices higher.

The company shut several metal extrusion plants, which transform aluminum ingots into components for car makers, builders and other industries, while its giant smelters in countries including Norway, Qatar and Brazil were being operated manually.

The attack began on Monday evening and escalated overnight, hitting Hydro’s IT systems for most of its activities and forcing staff to issue updates via social media.

FILE PHOTO: An aluminium coil is seen during opening of a production line for the car industry at a branch of Norway's Hydro aluminum company in Grevenbroich, Germany May 4, 2017. REUTERS/Wolfgang Rattay/File Photo

The Norwegian National Security Authority (NNSA), the state agency in charge of cybersecurity, said the attack used a virus known as LockerGoga, a relatively new strain of so-called ransomware which encrypts computer files and demands payment to unlock them.

Citing a message sent by the NNSA, public broadcaster NRK said on its website hackers had demanded ransom money from Hydro to stop the attack, but the company has not confirmed this.

The malware is not widely used by cybercrime groups, researchers said, but has been linked to an attack on French engineering consultancy Altran Technologies in January.

“Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” the company said in a statement.

It added that the attack had not affected the safety of its staff and it was too early to assess the impact on customers.

News of the attack pushed aluminum prices up 1.2 percent to a three-month high of $1,944 a tonne in early trade on the London Metal Exchange, before giving up some gains to trade at $1,938 by 1253 GMT.

The event was a rare case of an attack on industrial operations in Norway. The last publicly acknowledged cyber attack in the Nordic country was on software firm Visma, when hackers allegedly working on behalf of Chinese intelligence breached its network to steal secrets from its clients.

PLANT CLOSURES

Companies and governments have become increasingly concerned about the damage hackers can cause to industrial systems and critical national infrastructure following a number of high-profile cyber attacks.

In 2017, hackers later accused by the United States of working for the North Korean government unleashed billions of dollars worth of damage with the WannaCry ransomware virus, which crippled hospitals, banks and other companies worldwide.

Pyongyang has denied the allegations.

Other cyber attacks have downed electricity grids and transport systems in recent years, and an attack on Italian oil services firm Saipem late last year destroyed more than 300 of the company’s computers.

Hydro makes products across the aluminum value chain, from the refinement of alumina raw material via metal ingots to bespoke components used in cars and construction.

“Some extrusion plants that are easy to stop and start have chosen to temporarily shut production,” said a Hydro spokesman.

The company’s hydroelectric power plants were running as normal on isolated IT systems unaffected by the outage.

Norsk Hydro’s main website page was unavailable on Tuesday, although some of the web pages belonging to subsidiaries could still be accessed. The company was giving updates on the situation on its Facebook page.

“Hydro’s main priority now is to limit the effects of the attack and to ensure continued people safety,” it wrote in a Facebook post.

Hydro shares fell 3.4 percent in early trade before a partial recovery to trade down 0.4 percent by 1253 GMT. They were still lagging the Oslo benchmark index, which was up 0.7 percent.

Hydro, which has 36,000 employees in 40 countries, made a net profit of 4.3 billion Norwegian crowns ($505 million) last year on sales of 159.4 billion.

(Additional reporting by Nerijus Adomaitis in Oslo, with Jack Stubbs and Barbara Lewis in London; Editing by Kirsten Donovan and David Holmes)

Mystery hacker steals data on 1,000 North Korean defectors in South

FILE PHOTO: A North Korean flag flutters on top of a 160-metre tower in North Korea's propaganda village of Gijungdong, in this picture taken from the Tae Sung freedom village near the Military Demarcation Line (MDL), inside the demilitarised zone separating the two Koreas, in Paju, South Korea, April 24, 2018. REUTERS/Kim Hong-Ji

By Hyonhee Shin

SEOUL (Reuters) – The personal information of nearly 1,000 North Koreans who defected to South Korea has been leaked after unknown hackers got access to a resettlement agency’s database, the South Korean Unification Ministry said on Friday.

The ministry said it discovered last week that the names, birth dates and addresses of 997 defectors had been stolen through a computer infected with malicious software at an agency called the Hana center, in the southern city of Gumi.

“The malware was planted through emails sent by an internal address,” a ministry official told reporters on condition of anonymity, due to the sensitivity of the issue, referring to a Hana center email account.

The Hana center is among 25 institutes the ministry runs around the country to help some 32,000 defectors adjust to life in the richer, democratic South by providing jobs, medical and legal support.

Defectors, most of whom risked their lives to flee poverty and political oppression, are a source of shame for North Korea. Its state media often denounces them as “human scum” and accuses South Korean spies of kidnapping some of them.

The ministry official declined to say if North Korea was believed to have been behind the hack, or what the motive might have been, saying a police investigation was under way to determine who did it.

North Korean hackers have in the past been accused of cyber attacks on South Korean state agencies and businesses.

North Korea stole classified documents from the South’s defense ministry and a shipbuilder last year, while a cryptocurrency exchange filed for bankruptcy following a cyber attack linked to the North.

North Korean state media has denied those cyber attacks.

The latest data breach comes at a delicate time for the two Koreas which have been rapidly improving their relations after years of confrontation.

The Unification Ministry said it was notifying the affected defectors and there were no reports of any negative impact of the data breach.

“We’re sorry this has happened and will make efforts to prevent it from recurring,” the ministry official said.

Several defectors, including one who became a South Korean television celebrity, have disappeared in recent years only to turn up later in North Korean state media, criticizing South Korea and the fate of defectors.

(Reporting by Hyonhee Shin; Editing by Robert Birsel)

U.S., allies to condemn China for economic espionage, charge hackers: source

FILE PHOTO: U.S. President Donald Trump takes part in a welcoming ceremony with China's President Xi Jinping at the Great Hall of the People in Beijing, China, November 9, 2017. REUTERS/Damir Sagolj/File Photo

WASHINGTON (Reuters) – The United States and about a dozen allies are expected on Thursday to condemn China for efforts to steal other countries’ trade secrets and technologies and to compromise government computers, according to a person familiar with the matter.

Australia, Britain, Canada, Japan, the Netherlands, New Zealand and Sweden are expected to be involved in the U.S. effort, according to the source, who spoke on condition of anonymity.

The U.S. Justice Department also is expected later on Thursday to unveil criminal charges against hackers affiliated with China’s main intelligence service for an alleged cyber-spying campaign targeting U.S. and other countries’ networks, according to the source.

The Washington Post first reported the coming action on Thursday.

The suspected hackers are expected to be charged with spying on some of the world’s largest companies by hacking into technology firms to which they outsource email, storage and other computing tasks. The attacks began as early as 2017.

Cloudhopper is considered a major cyber threat by private-sector cybersecurity researchers and government investigators because of the scale of the intrusions.

Over the past several years, as companies around the globe have sought to cut down information technology spending, they have increasingly relied on outside contractors to store and transfer their data.

When a managed service provider is hacked, it can unintentionally provide attackers access to secondary victims who are customers of that company and have their computer systems connected to them, according to experts.

The timing of the action may further escalate tensions between Washington and Beijing after the arrest of Meng Wanzhou, the chief financial officer of Chinese telecommunications giant Huawei Technologies, in Canada at the request of the United States.

The action also comes just weeks after the United States and China agreed to talks aimed at resolving an ongoing trade dispute that threatens global economic growth.

(Reporting by Diane Bartz, Lisa Lambert and Susan Heavey; Editing by Will Dunham)

British Airways says a further 185,000 payment cards possibly hit in cyber attack

FILE PHOTO - People queue with their luggage for the British Airways check-in desk at Gatwick Airport in southern England, Britain, May 28, 2017. REUTERS/Hannah McKay

(Reuters) – International Airlines Group said an investigation into the theft of customers’ data at its unit British Airways showed the hackers may have stolen personal information from an additional 185,000 payment cards.

BA said in September that around 380,000 card payments were compromised, with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – sufficient information to steal from accounts.

On Thursday, British Airways revised that number down, saying that only 244,000 of those originally identified were affected, but said additional customers could have been affected.

In total, the number of payment cards potentially affected stood at 429,000 as of Thursday.

The hackers obtained names, street and email addresses, credit card numbers, expiry dates and in some cases, security codes – sufficient information to steal from accounts.

(Reporting by Arathy S Nair in Bengaluru; Editing by Elaine Hardcastle)

Japan hit by another cryptocurrency heist, $60 million stolen

The silhouette of Japan's highest mountain Mount Fuji is seen beyond buildings in Tokyo in a file photo. REUTERS/Issei Kato

By Taiga Uranaka

TOKYO (Reuters) – Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.

Tech Bureau, which had already been slapped with two business improvement orders by regulators this year, said its Zaif exchange was hacked over a two-hour period on Sept. 14. It detected server problems on Sept. 17, confirmed the hack the following day, and notified authorities, the exchange said on Thursday.

Following the hack, Tech Bureau said it had agreed with JASDAQ-listed Fisco Ltd to receive a 5 billion yen ($44.59 million) investment in exchange for majority ownership. The proceeds from the investment would be used to replace the digital currencies stolen from client accounts.

However, Fisco said in a statement the 5 billion yen in “financial assistance” may change in value if the amount affected by the heist changes upon further investigation.

Documents seen by Reuters on Thursday showed Japan’s Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators’ management of customer assets, following the theft. FSA officials were not immediately available for comment.

Japan’s crypto exchanges have been under close regulatory scrutiny after the theft of $530 million in digital coins at Tokyo-based cryptocurrency exchange Coincheck Inc. in January. Coincheck has since been acquired by Japanese online brokerage Monex Group Inc.

In the industry-wide check that followed the Coincheck theft, FSA said it found sloppy management at many exchanges, including the lack of proper safeguards for client assets and basic anti-money laundering measures.

In the Tech Bureau theft, virtual currencies worth about 6.7 billion yen ($59.67 million), including Bitcoin, Monacoin and Bitcoin Cash, were stolen from the exchange’s “hot wallet”. About 2.2 billion yen worth of the stolen currency was its own while the remaining 4.5 billion yen belonged to customers, it said.

Hot wallets are connected to the internet. Industry experts consider them to be more vulnerable to hacks than “cold wallets”, which are not connected to the internet.

The latest hack is likely to affect the FSA’s ongoing regulatory review of the industry. Other countries are also grappling with how to regulate the crypto market.

Japan last year became the first country to regulate cryptocurrency exchanges, as it encourages technological innovation while ensuring consumer protection. Exchanges have to register with the FSA and are subject to reporting and other obligations.

FSA said last week more than 160 entities have expressed interest in entering the cryptocurrency exchange business but FSA has not issued any approval since December last year.

Toshihide Endo, the FSA commissioner, told Reuters in an interview last month that the agency is trying to strike a balance between safeguarding clients and technological innovation.

“We have no intention to curb (the crypto industry) excessively,” he said. “We would like to see it grow under appropriate regulation.”

($1 = 112.1400 yen)

(Additional reporting by Chang-Ran Kim and Takahiko Wada; Editing by Shri Navaratnam and Sam Holmes)

U.S. to indict North Koreans over WannaCry, Sony cyber attacks

FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Christopher Bing

WASHINGTON (Reuters) – The U.S. Justice Department is poised to charge North Korean hackers over the 2017 global WannaCry ransomware attack and the 2014 cyber attack on Sony Corp, a U.S. official told Reuters on Thursday.

The charges, part of a strategy by the U.S. government to deter future cyber attacks by naming and shaming the alleged perpetrators, will also allege that the North Korean hackers broke into the central bank of Bangladesh in 2016, according to the official.

In 2014, U.S. officials said unnamed North Korean hackers were responsible for a major cyber intrusion into Sony, which resulted in leaked internal documents and data being destroyed.

The attacks came after Pyongyang sent a letter to the United Nations, demanding that Sony not move forward with a movie comedy that portrayed the U.S.-backed assassination of a character made to look like North Korean leader Kim Jong Un.

The FBI said at the time it had recovered evidence connecting North Korea to the attack and others in South Korea.

Last year, the WannaCry ransomware attack affected thousands of businesses across the globe through a computer virus that encrypted files on affected systems, including Britain’s National Health Service, where nonfunctional computer systems forced the cancellation of thousands of appointments.

(Reporting by Christopher Bing; Additional writing by Susan Heavey; Editing by Chizu Nomiyama and Jeffrey Benkoe)

FBI says foreign hackers have compromised home router devices

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration

By Sarah N. Lynch

WASHINGTON (Reuters) – The FBI warned on Friday that foreign cyber criminals had compromised “hundreds of thousands” of home and small office router devices around the world which direct traffic on the internet by forwarding data packets between computer networks.

In a public service announcement, the FBI said it has discovered that the foreign cyber criminals used VPNFilter malware, which can collect people’s information, exploit their devices and also block network traffic.

The announcement did not provide any details about where the criminals might be based, or what their motivations could be.

“The size and scope of the infrastructure by VPNFilter malware is significant,” the FBI said, adding that it is capable of rendering peoples’ routers “inoperable.”

It said the malware is hard to detect, due to encryption and other tactics.

The FBI urged people to reboot their devices to temporarily disrupt the malware and help identify infected devices.

People should also consider disabling remote management settings, changing passwords to replace them with more secure ones and upgrading to the latest firmware.

(Reporting by Sarah N. Lynch; Editing by David Gregorio)

Cyber firms, Ukraine warn of planned Russian attack

Power lines are seen near the Trypillian thermal power plant in Kiev region, Ukraine November 23, 2017. REUTERS/Valentyn Ogirenko

By Jim Finkle and Pavel Polityuk

TORONTO/KIEV (Reuters) – Cisco Systems Inc warned on Wednesday that hackers have infected at least 500,000 routers and storage devices in dozens of countries with sophisticated malicious software – activity Ukraine said was preparation for a future Russian cyber attack.

Cisco’s Talos cyber intelligence unit has high confidence that the Russian government is behind the campaign, according to Cisco researcher Craig Williams, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.

Ukraine’s SBU state security service said the activity showed Russia was readying a large-scale cyber attack against Ukraine ahead of the Champions League soccer final, due to be held in Kiev on Saturday.

“Security Service experts believe the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation aimed at destabilizing the situation during the Champions League final,” it said in a statement after Cisco’s findings were released.

Russia has previously denied assertions by Ukraine, the United States, other nations and Western cyber-security firms that it is behind a massive global hacking program, which has included attempts to harm Ukraine’s economy and interfering in the 2016 U.S. presidential election.

The Kremlin did not immediately respond to a request for comment submitted by Reuters on Wednesday.

Cisco said the new malware, dubbed VPNFilter, could be used for espionage, to interfere with internet communications or launch destructive attacks on Ukraine, which has previously blamed Russia for massive hacks that took out parts of its energy grid and shuttered factories.

“With a network like this you could do anything,” Williams told Reuters.

CONSTITUTION DAY ATTACK

The warning about the malware – which includes a module that targets industrial networks like ones that operate the electric grid – will be amplified by alerts from members of the Cyber Threat Alliance (CTA), a nonprofit group that promotes the fast exchange of data on new threats between rivals in the cyber security industry.

Members include Cisco, Check Point Software Technologies Ltd, Fortinet Inc, Palo Alto Networks Inc, Sophos Group Plc and Symantec Corp.

“We should be taking this pretty seriously,” CTA Chief Executive Officer Michael Daniel said in an interview.

The devices infected with VPNFilter are scattered across at least 54 countries, but Cisco determined the hackers are targeting Ukraine following a surge in infections in that country on May 8, Williams told Reuters.

Researchers decided to go public with what they know about the campaign because they feared the surge in Ukraine, which has the largest number of infections, meant Moscow is poised to launch an attack there next month, possibly around the time the country celebrates Constitution Day on June 28, Williams said.

Some of the biggest cyber attacks on Ukraine have been launched on holidays or the days leading up to them.

They include the June 2017 “NotPetya” attack that disabled computer systems in Ukraine before spreading around the globe, as well as hacks on the nation’s power grid in 2015 and 2016 that hit shortly before Christmas.

VPNFilter gives hackers remote access to infected machines, which they can use for spying, launching attacks on other computers or downloading additional types of malware, Williams said.

The researchers discovered one malware module that targets industrial computers, such as ones used in electric grids, other infrastructure and in factories. It infects and monitors network traffic, looking for login credentials that a hacker can use to seize control of industrial processes, Williams said.

The malware also includes an auto-destruct feature that hackers can use to delete the malware and other software on infected devices, making them inoperable, he said.

(Writing by Jim Finkle and Jack Stubbs; Editing by Mark Heinrich)