Archive for the ‘Ukraine’ Category

Ukraine Scrambles to Contain New Cyber Threat After ‘NotPetya’ Attack – New York Times

M.E.Doc is used by 80 percent of Ukrainian companies and installed on about 1 million computers in the country. Interior Minister Arsen Avakov said police had blocked a second cyber attack from servers hosting the software.

The company previously denied its servers had been compromised but when asked on Wednesday whether a back door had been inserted, Chief Executive Olesya Bilousova said: "Yes, there was. And the fact is that this back door needs to be closed."

Any computer on the same network as machines using M.E.Doc was now vulnerable to another attack, she said.

"We need to pay the most attention to those computers which weren't affected (by last week's attack)," she told reporters.

"The virus is on them waiting for a signal. There are fingerprints on computers which didn't even use our product."

Dmytro Shymkiv, deputy head of Ukraine's presidential administration and a former director of Microsoft in Ukraine, said the latest evidence further pointed to an advanced and well-orchestrated attack.

"I am looking through the analysis that has been done on the M.E.Doc server, and from what I'm seeing, that's worrying. Worrying is a very light word for this," he said. "How many back doors are still open? We don't know."

He also said M.E.Doc's servers had not been updated since 2013, providing some indication as to how the hackers were able to access the system.

Intellect Service said Shymkiv's comments referred to a disk used to store M.E.Doc's software updates.

SMOKESCREEN

Cyber security experts said that while hackers have previously been known to insert viruses into software updates - thus tricking computers and system administrators into installing the malware on their own systems - the attack on Ukraine is the largest and most disruptive such assault to date.

"We are in a new phase of cyber security and the way that sophisticated actors behave," said Leo Taddeo, a former FBI cyber investigator and executive with cyber security firm Cyxtera Technologies. "I can't think of a supply chain attack that has been this thorough."

Investigators still are trying to establish who was behind last week's attack. Ukrainian politicians were quick to blame Russia, which denied it. A Trump administration official said the U.S. government was not yet ready to accuse Russia.

Security experts from U.S.-based Cisco Systems Inc. said they had examined Intellect's machines at its invitation and determined that an attacker had used a password stolen from an employee to log in on a company computer.

After escalating the access rights of that user, the attacker rewrote configuration files, directing customers seeking updates to tampered versions stored elsewhere, at a French web hosting company.

The software with the back doors could spread through other means and the attackers might have used those back doors to install other tools, said Craig Williams, senior technical leader for Cisco's Talos intelligence unit. But since the infected machines were instructed to check in with a command machine that has been taken offline, they do not pose the greatest remaining risk.

Instead, the big worry is what else might have been pushed out by earlier tainted updates, Williams said. With Intellect's servers disabled for now, it cannot push out "clean" updates to fix what customers have installed.

Williams said Talos believed the hackers were connected to previous attacks on Ukraine's electric system and that it was "tempting" to ascribe the new attack to a national government, since there did not appear to be a profit motive.

"This wasn't made for any other purpose but to destabilize businesses in the Ukraine," Williams said.

Technology news site Motherboard reported on Wednesday that people claiming to be behind the attack had posted a message online offering to unlock all encrypted files for a bitcoin payment of $256,000. Reuters was unable to confirm the report.

Shymkiv said the assault was designed to look like a ransomware attack in order to disguise its true objective.

"Initially everybody thought, including me, that it was just an attack with a virus," he said. "It was not an attack with a virus, it was opening a back door, which was a hack of the computer networks on a broad scale and then eliminating the results with a virus."

"It's like a robber, you get to the house, you steal everything, and then you burn it."

(Additional reporting by Pavel Polityuk in Kiev, Jim Finkle in Toronto, Dustin Volz and Jonathan Landay in Washington D.C., and Joseph Menn in San Francisco; Editing by Gareth Jones and Bill Trott)


Hackers who targeted Ukraine clean out bitcoin ransom wallet … – The Guardian


The hackers behind the NotPetya ransomware, which wiped computers in more than 60 countries in late June, have moved more than 8,000 worth of bitcoins out of the account used to receive the ransoms.

The transfer has added credence to messages purporting to be from the attackers offering to decrypt every single infected computer for a one-off payment of 200,000, after security researchers suggested they may be state-sponsored actors.

It is possible to see the movement of the ransom payments thanks to the public nature of the bitcoin currency: all transfers are recorded on the public blockchain, although the real-world identities of the individuals or organisations behind a particular payment address can be near-impossible to discern.

Currently, the blockchain records that the bulk of the ransom money, 7,872 worth of bitcoin, was simply transferred to a second wallet on Tuesday night, but two smaller payments, of 200 each, went to accounts used by two text-sharing websites, Pastebin and DeepPaste.

Around 10 minutes before the payments were made, someone made posts on both those sites claiming to be able to decrypt hard disks infected with the malware in exchange for a payment of 100 bitcoins.

The 200,000 offer has created more uncertainty about the motivations behind the ransomware. While it originally appeared to be created with the intention of earning a lot of money through ransom payments, researchers quickly pointed out that a number of features of the software made it appear that the ransom element was a smokescreen, with the real goal being widespread damage.

Significantly, the majority of infections occurred in Ukraine, due to the main attack vector being a compromised version of an accounting program, ME Doc, used to file taxes in the nation. That has led to many, including the Ukrainian government, suspecting Russian involvement as part of the ongoing cyberwar between the two countries.

Hackers offering to decrypt files for money suggests that the cash motivation may be more significant than thought but that too could be misdirection.

While the hackers continue to play games, the Ukrainian cybercrime unit is continuing its investigation. On Wednesday, it announced that it had seized ME Doc's servers after new activity was detected there, and said it had acted to "immediately stop the uncontrolled proliferation of malware".

Cyber police spokeswoman Yulia Kvitko suggested that ME Doc had sent or was preparing to send a new update and added that swift action had prevented any further damage. "Our experts stopped (it) on time," she said.

It wasn't immediately clear how or why hackers might still have access to ME Doc's servers. The company has not returned messages from reporters, but in several statements took to Facebook to dispute allegations that its poor security helped seed the malware epidemic.

Cyber police chief Colonel Serhiy Demydiuk previously said that ME Doc's owners would be brought to justice, but Kvitko said there had been no arrests.


Dutch to Try Suspects in ’14 Downing of Malaysia Airlines Jet Over Ukraine – New York Times

The Netherlands sought to form a United Nations tribunal, but Russia, which denies any involvement in the tragedy, rejected that approach as politicized.

The announcement on Wednesday clarified the plan for prosecutions. The five nations investigating the episode have now decided that the suspects should be prosecuted in the Netherlands, "a process that will be rooted in ongoing international cooperation and support," the Dutch foreign minister, Bert Koenders, said in the statement. "This means that the team's cooperation will continue into the prosecution phase."

Struck by a missile at cruising altitude, the airliner, a Boeing 777, broke apart and scattered bodies and debris over fields and villages in eastern Ukraine.

The Russian government has denied any involvement in the deployment of the missile system and the fighting in the region more broadly. It has offered alternative theories for the plane's demise, including one in which a Ukrainian fighter jet shot it down. The investigators have rejected them.

Any criminal indictments in a Dutch court are very likely only to open a long legal and diplomatic standoff between the Netherlands and Russia, as the Russian Constitution prohibits the extradition of its citizens to stand trial abroad.

It is considered equally unlikely that any suspects would be turned over by the breakaway regions of eastern Ukraine, in the event that some of their soldiers were involved.

A version of this article appears in print on July 6, 2017, on Page A10 of the New York edition with the headline: Dutch to Try Suspects in Downing of Jet Over Ukraine.


What If Putin Makes Another Grab for More of Ukraine? – Newsweek

This article first appeared on the Atlantic Council site.

Will the low-intensity war in the Donbas continue its current course in the coming years? Or will Moscow turn up the heat there, as it occasionally does?

"It's hard to say. It all comes down to geopolitics and what Putin wants to do," said Ihor Kozak, an independent Canadian defense and security expert who visited Ukraine's frontlines in June, in a recent interview.


Russia is purposefully building up its military capacity and installations, including a railway line along the Russian-Ukrainian border from Zhuravka to Millerovo, new infrastructure that would make possible the quick movement of troops in the region.

Renowned Russian military expert Pavel Felgenhauer, who in June 2008 predicted Russia's August 2008 assault on Georgia, warns that this project and the general buildup of the Russian army could lead to an open Russian invasion into mainland Ukraine.

The aim of such a foray could be to create a land connection between the occupied parts of the Donbas and Crimea that runs along the shores of the Azov Sea. This need may become especially acute if the Russian bridge through the Kerch Strait, which is currently under construction, turns out to be impossible to complete.

A tank from the Ukrainian Forces is stationed outside a building in the flashpoint eastern town of Avdiivka just north of the pro-Russian rebels' de facto capital of Donetsk on February 2, 2017. ALEKSEY FILIPPOV/AFP/Getty

In such a case, Putin's annexation of Crimea may be questioned by the Russian public if propping up Crimea becomes too expensive. Such a risk may trigger further Russian military aggression against Ukraine, beginning with some engineered incident that would provide a pretext and secure public approval for further action.

With Russian elections slated for next year, Putin could decide he would benefit from a new military stunt to give him an electoral boost. An all-out war would have far-reaching repercussions for European security, including large new refugee flows into the European Union.

In connection with these risks, an intensification of negotiations within the Normandy Format, as one of the few continuing frameworks allowing contact between Ukraine, Germany, France, and Russia, is paramount.

On June 14, Secretary of State Rex Tillerson suggested that the United States doesn't want to be "handcuffed" to the Minsk Agreements and wants to maintain flexibility. Yet such an approach could be wrong, if the United States is consumed by internal political strife in the foreseeable future.

The recent rise of Emmanuel Macron in France, and probable confirmation of Angela Merkel as chancellor after Germany's September elections, make the continuation of Minsk the best available path forward. Recent hawkish statements by both Merkel and Macron toward the Kremlin indicate a high likelihood of unity and steadiness of their positions.

Eastern and Central European EU member states have a great interest in a de-escalation of tensions in eastern Ukraine. Therefore, the EU should signal to the Kremlin that it will introduce tougher sanctions if Russia makes new advances into mainland Ukraine or the situation in the Donbas declines.

Brussels should make clear to Moscow its readiness to not only impose, in such a case, more export restrictions, but also to introduce a large-scale embargo on Russia's voluminous pipeline oil deliveries into the EU.

In the meantime, European states both inside and outside of the EU should take more resolute individual actions against select members of the Russian political and economic elite. Often, this can be done by simply more consistently applying EU and national anticorruption legislation to Russian holders of bank accounts and property throughout Europe.

The West will also have to think more seriously about the development of additional security structures for Eastern Europe, especially Moldova, Ukraine, and Georgia.

The deep structural hole in post-Soviet international relations is a major reason for the current crisis within Europe's geopolitical nowhere-land. Without a comprehensive solution to the security problems of Chisinau, Kiev, and Tbilisi, there can be no lasting stability, sustainable peace, or economic prosperity along the eastern borders of the EU and NATO.

As is well known, however, those two organizations are unlikely to enlarge eastward in the next few years. Therefore, Brussels, Washington, Berlin, Paris, Warsaw, and London should find alternative ways to provide at least some inclusion of Moldova, Georgia, and Ukraine into the European security system.

A model for a possible solution exists in the 2010 Agreement on Strategic Partnership and Mutual Assistance between Turkey and Azerbaijan. In Article 2 of this ratified treaty between a NATO member and an Eastern Partnership country, both parties agreed to swiftly help each other in case of an armed attack by a third side, support that explicitly includes the use of military means and capabilities.

NATO could signal to its eastern member states that they are free to make similar commitments toward Ukraine, Moldova, and Georgia, if they wish to do so. Ideally, this could lead to a new multilateral security coalition in Eastern Europe that would follow the example of the abortive Intermarium project proposed by Poland after World War I.

It is in the core national interests of all Western states to send louder, clearer, and bolder signals to both the embattled Central and East European nations and to Moscow.

Andreas Umland is a senior research fellow at the Institute for Euro-Atlantic Cooperation in Kiev, and general editor of the book series Soviet and Post-Soviet Politics and Society, published by ibidem Press in Stuttgart and distributed outside Europe by Columbia University Press.


Watch: Armed Ukrainian cyber-cops raid MeDoc in NotPetya probe – The Register


There's a new wrinkle to the NotPetya story: authorities in Ukraine have seized equipment from MeDoc, the accounting software maker implicated in spreading the malware.

The country's anti-cybercrime unit has seized the developer's servers after saying it had detected new activity, and was acting to "immediately stop the uncontrolled proliferation of malware".

Associated Press's Raphael Satter quotes a police spokesperson, Yulia Kvitko, as saying the company's systems had either sent or were preparing to send a new (presumably compromised) update.

The cyber-plod says the company's management and staff fully assisted in the investigation, adding that equipment will be sent for detailed analysis. A video of the armed raid was posted on YouTube by the cops.

Officers now recommend people stop using the software until further notice, turn off any computers it's installed on, and change their passwords. Cisco's security peeps have also published an analysis of how MeDoc's systems were commandeered to infect victims with NotPetya. ESET has also described in detail how the malware spread via a malicious MeDoc update.

In another twist, Kaspersky Lab analyst Aleks Gostev says the Bitcoin collected in the original attack has been withdrawn and a statement (which Vulture South can't verify) posted to an Onion text site.

The AP story says the Ukrainian infrastructure ministry alone has incurred millions in the costs of the attack, which hit two servers and hundreds of workstations.
