Mediaboss Marketing

Like the WannaCry attacks in May, the latest global hacking took control of computers and demanded digital ransom from their owners to regain access. The new attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry episode, as well as two other methods to promote its spread, according to researchers at the computer security company Symantec.

The National Security Agency has not acknowledged its tools were used in WannaCry or other attacks. But computer security specialists are demanding that the agency help the rest of the world defend against the weapons it created.

The N.S.A. needs to take a leadership role in working closely with security and operating system platform vendors such as Apple and Microsoft to address the plague that theyve unleashed, said Golan Ben-Oni, the global chief information officer at IDT, a Newark-based conglomerate hit by a separate attack in April that used the agencys hacking tools. Mr. Ben-Oni warned federal officials that more serious attacks were probably on the horizon.

The vulnerability in Windows software used by Eternal Blue was patched by Microsoft in March, but as the WannaCry attacks demonstrated, hundreds of thousands of groups around the world failed to properly install the fix.

Just because you roll out a patch doesnt mean itll be put in place quickly, said Carl Herberger, vice president for security at Radware. The more bureaucratic an organization is, the higher chance it wont have updated its software.

Because the ransomware used at least two other ways to spread on Tuesday including stealing victims credentials even those who used the Microsoft patch could be vulnerable and potential targets for later attacks, according to researchers at F-Secure, a Finnish cybersecurity firm, and others.

A Microsoft spokesman said the companys latest antivirus software should protect against the attack.

Governments and companies in Europe and the United States have been impacted. Here are several:

The Ukrainian government said several of its ministries, local banks and metro systems had been affected. A number of other European companies, including Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency, also said they had been targeted.

Ukrainian officials pointed a finger at Russia on Tuesday, although Russian companies were also affected. Home Credit bank, one of Russias top 50 lenders, was paralyzed, with all of its offices closed, according to the RBC news website. The attack also affected Evraz, a steel manufacturing and mining company that employs about 80,000 people, the RBC website reported.

In the United States, the multinational law firm DLA Piper also reported being hit. Hospitals in Pennsylvania were being forced to cancel operations after the attack hit computers at Heritage Valley Health Systems, a Pennsylvania health care provider, and its hospitals in Beaver and Sewickley, Penn., and satellite locations across the state.

The ransomware also hurt Australian branches of international companies. DLA Pipers Australian offices warned clients that they were dealing with a serious global cyber incident and had disabled email as a precautionary measure. Local news reports said that in Hobart, Tasmania, on Tuesday evening, computers in a Cadbury chocolate factory, owned by Mondelez International, had displayed ransomware messages that demanded $300 in bitcoins.

Qantas Airways booking system failed for a time on Tuesday, but the company said the breakdown was due to an unrelated hardware issue.

The Australian government has urged companies to install security updates and isolate any infected computers from their networks.

This ransomware attack is a wake-up call to all Australian businesses to regularly back up their data and install the latest security patches, said Dan Tehan, the cybersecurity minister. We are aware of the situation and monitoring it closely.

A National Security Agency spokesman referred questions about the attack to the Department of Homeland Security. The Department of Homeland Security is monitoring reports of cyberattacks affecting multiple global entities and is coordinating with our international and domestic cyber partners, Scott McConnell, a department spokesman, said in a statement.

Computer specialists said the ransomware was very similar to a virus that emerged last year called Petya. Petya means Little Peter, in Russian, leading some to speculate the name referred to Sergei Prokofievs 1936 symphony Peter and the Wolf, about a boy who captures a wolf.

Reports that the computer virus was a variant of Petya suggest the attackers will be hard to trace. Petya was for sale on the so-called dark web, where its creators made the ransomware available as ransomware as a service a play on Silicon Valley terminology for delivering software over the internet, according to the security firm Avast Threat Labs.

That means anyone could launch the ransomware with the click of a button, encrypt someones systems and demand a ransom to unlock it. If the victim pays, the authors of the Petya ransomware, who call themselves Janus Cybercrime Solutions, get a cut of the payment.

That distribution method means that pinning down the people responsible for Tuesdays attack could be difficult.

The attack is an improved and more lethal version of WannaCry, said Matthieu Suiche, a security researcher who helped contain the spread of the WannaCry ransomware when he created a kill switch that stopped the attacks.

In just the last seven days, Mr. Suiche noted, WannaCry had tried to hit an additional 80,000 organizations but was prevented from executing attack code because of the kill switch. Petya does not have a kill switch.

Petya also encrypts and locks entire hard drives, whereas the earlier ransomware attacks locked only individual files, said Chris Hinkley, a researcher at the security firm Armor.

The hackers behind Petya demanded $300 worth of the cybercurrency Bitcoin to unlock victims machines. By Tuesday afternoon, online records showed that 30 victims had paid the ransom, although it was not clear whether they had regained access to their files. Other victims may be out of luck, after Posteo, the German email service provider, shut down the hackers email account.

In Ukraine, people turned up at post offices, A.T.M.s and airports to find blank computer screens, or signs about closures. At Kievs central post office, a few bewildered customers milled about, holding parcels and letters, looking at a sign that said, Closed for technical reasons.

The hackers compromised Ukrainian accounting software mandated to be used in various industries in the country, including government agencies and banks, according to researchers at Cisco Talos, the security division of the computer networking company. That allowed them to unleash their ransomware when the software, which is also used in other countries, was updated.

The ransomware spread for five days across Ukraine, and around the world, before activating Tuesday evening.

If I had to guess, I would think this was done to send a political message, said Craig Williams, the senior technical researcher at Talos.

One Kiev resident, Tetiana Vasylieva, was forced to borrow money from a relative after failing to withdraw money at four automated teller machines. At one A.T.M. in Kiev belonging to the Ukrainian branch of the Austrian bank Raiffeisen, a message on the screen said the machine was not functioning.

Ukraines Infrastructure Ministry, the postal service, the national railway company, and one of the countrys largest communications companies, Ukrtelecom, had been affected, Volodymyr Omelyan, the countrys infrastructure minister, said in a Facebook post.

Officials for the metro system in Kiev said card payments could not be accepted. The national power grid company Kievenergo had to switch off all of its computers, but the situation was under control, according to the Interfax-Ukraine news agency. Metro Group, a German company that runs wholesale food stores, said its operations in Ukraine had been affected.

At the Chernobyl plant, the computers affected by the attack collected data on radiation levels and were not connected to industrial systems at the site, where, although all reactors have been decommissioned, huge volumes of radioactive waste remain. Operators said radiation monitoring was being done manually.

Cybersecurity researchers questioned whether collecting ransom was the true objective of the attack.

Its entirely possible that this attack could have been a smoke screen, said Justin Harvey, the managing director of global incident response at Accenture Security. If you are an evildoer and you wanted to cause mayhem, why wouldnt you try to first mask it as something else?

An earlier version of this article referred incorrectly to the occupation of Justin Harvey. He is the managing director of global incident response at Accenture Security, not the chief security officer for the Fidelis cybersecurity company.

Reporting was contributed by Liz Alderman, Andrew E. Kramer, Iuliia Mendel, Ivan Nechepurenko and Isabella Kwai.

A version of this article appears in print on June 28, 2017, on Page A1 of the New York edition with the headline: A Cyberattack Hits Ukraine, Then Spreads.

Go here to see the original:
Cyberattack Hits Ukraine Then Spreads Internationally - The ...

More than three years have passed since Ukraines Euromaidan Revolution, in which protestors took to the streets and ousted their corrupt leader Viktor Yanukovych. But reform has been slow in coming. To be fair, President Petro Poroshenko faces a Herculean task: protecting Ukraine from Russias ongoing aggression in the east while reforming the country in a way that is in keeping with the idealsdemocracy, transparency, and rule of lawthat united Ukrainians during Euromaidan. So far, however, Poroshenko has not handled this dilemma very well. He has used a heavy hand in cracking down on anything Russian and seems, ironically, increasingly determined to adopt Moscows authoritarian methods even as he speaks the language of Brussels in advocating for democratic change.

Of course, Russias aggression toward Ukraine is not limited to the fighting at their borders. Russian propaganda plays an even greater role in influencing Ukrainian politics than it does in Western countries. One false report that has been recently circulating, for example, claims that the Ukrainian Security Service (SBU) is using drug addicts as spies in the countrys east. Another alleges that Ukraines newest public holiday, known as Volunteers Day, glorifies the killing of separatists in the breakaway republics of Donetsk and Luhansk. Poroshenkos approach to countering Russian propaganda, however, has been blunt and ineffective. Rather than demonstrate to disillusioned Ukrainians, especially in the east, that the postrevolutionary state represents their interests, he has sought to censor any content associated with Russia under the guise of national security.

Last month, Poroshenko issued a decree banning a number of Russian sites, including the social networking platform Vkontakte and search engine Yandexthe Russian equivalents of Facebook and Google. It also banned the mail service Mail.ru. All three were among Ukraines most widely used websites on the eve of the ban. In 2016, Vkontakte, for instance, was used by 70 percent of Ukrainian Internet users. The ban followed a similar measure implemented in January when

Go here to read the rest:
Ukraine's Stalled Revolution - Foreign Affairs

Cybersecurity experts based their reasoning partly on having identified the group of Ukrainian users who were initially and improbably targeted: tax accountants.

All are required by law to use a tax preparation software such as that made by a Ukrainian company, M.E.Doc. The software that runs on Microsoft Windows-based computers was recently updated. Microsoft issued a statement on Wednesday saying it now has evidence that a few active infections of the ransomware initially started from the legitimate M.E.Doc updater process.

Cybersecurity experts said that whoever launched the assault on the eve of a holiday celebrating Ukrainian independence must have known that M.E.Doc software, which is integrated into Ukrainian government computers, was their gateway.

You dont hit the day before Constitution Day for no reason, said Craig Williams, the senior technical researcher with the Talos division of Cisco, the American technology company, which helped pinpoint the origin of the Tuesday attack.

Brian Lord, a former deputy director for intelligence and computer operations at Britains Government Communications Headquarters, the countrys equivalent to the National Security Agency, said, This isnt about the money.

This attack is about disabling how large companies and governments can operate, he added. You get a double whammy of the initial cyberattack and then organizations being forced to shut down their operations.

For Mr. Klimenko, the software update seemed to go fine until hours later. The screen became red, he said in an interview. A warning appeared, and everything on the hard drive was scrambled.

Mr. Klimenko quickly realized he had lost all past-year filings, a catastrophe for an accountant. Now I cannot confirm that I filed, he said. Honestly, I dont understand what happened.

Yet to be determined is the source of the virus. But Russia was seen as the prime suspect because it has been engaged in overt and covert warfare with Ukraine since the 2014 revolution that deposed a Kremlin-friendly government. A Russian role has yet to be proven and may never be. Nevertheless, analysts said on Wednesday that if the attackers object was to sow chaos at the highest levels in Ukraine, M.E.Doc provided an ideal way. Its software is not only widely installed at government agencies and banks, but is mandatory at many Ukrainian businesses and government agencies.

M.E.Doc said in a statement that it could not confirm whether the virus had been distributed through the update, but that it was cooperating with Ukraines cyberpolice on the investigation.

In another indication that Ukraine was a prime target, the national police said on Wednesday that more than 1,500 companies had filed complaints or appealed for help because of computer intrusions. That was far more than in other countries, although Russia seemed to be the second-most widely affected.

While analysts remained cautious about assigning blame, there was little reticence in official circles in Ukraine, particularly as it became clear that the country was the primary target. The timing was an especially clear sign of political intent, they said.

Adding to their suspicions, just a few hours before the computer strike, a Ukrainian military intelligence officer, Maksim Shapoval, was killed by a car bomb in Kiev. It was the latest in a string of assassinations of opponents and critics of Russia in the Ukrainian capital.

War in cyberspace, seeding fear and horror among millions of personal computer users, and inflicting direct material damage from destabilizing the work of businesses and the state, is just one part of the hybrid war of the Russian empire against Ukraine, Anton Gerashenko, a member of Parliament, wrote on Facebook. The assassination of Mr. Shapoval is another, he wrote. Mr. Gerashenko called the spread of the virus the most massive computer attack in the history of Ukraine. He said it was only masked as an effort to extort money from computer users, with the real goal economic disruption.

In this view, what began as a strike at Ukraine later and perhaps inadvertently spread to other countries merely as collateral damage.

The timing of the attack was suspect in another way, coming after a rare stretch of upbeat news in Ukraine. Last week, the European Union waived visa requirements for Ukrainians, at least those few fortunate enough to have the means to travel. That was a euphoric moment for many Ukrainians, some of whom could be seen celebrating with raised fists after gliding through immigration lanes in European airports.

President Petro O. Poroshenko met in Washington with President Trump, undermining what politicians here say is an overarching Russian goal of weakening Ukraine by highlighting the incompetence and corruption of the government.

The attack also comes in the context of a long-running trade war between Russia and Ukraine, on the sidelines of the actual shooting war in eastern Ukraine between the government and Russian-backed separatists.

In recent months, the authorities in Kiev have banned Russian software imports and blocked coal shipments from areas under rebel control. The coal embargo cut off a vital financial lifeline in the east, forcing Russia to take some of the coal.

The police have established a computer headquarters with the domestic intelligence agency, the S.B.U., and Cisco to analyze the attack in hopes of tying it to Russia. Though cybersecurity experts have not linked the malware to any particular state or criminal group, a Russian computer attack targeting Ukraines economy would be consistent with the recent economic skirmishing, analysts say.

If you look at Ukrainian cyberspace, M.E.Doc is an excellent carrier for a virus, Ivan Lozowy, director of the Institute of Statehood and Democracy, said in a telephone interview. The software is used by businesses large and small, and it can transmit a virus to government computers, where it is designed to file returns. The Russians are interested in Ukraine having as many problems as possible, he said.

Follow Andrew E. Kramer on Twitter @AndrewKramerNYT.

Mark Scott contributed reporting from Rome, and Nicole Perlroth from San Francisco.

A version of this article appears in print on June 29, 2017, on Page A1 of the New York edition with the headline: Attackers May Seek Ukrainian Chaos, Not Cash.

Read the original post:
Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows - New York Times

Viktor Yanukovych on February 21, 2014. Getty Images, file

Hiring the American consultants that year cost Manafort's firm more than $667,000. Manafort's firm paid contractors more than $1.2 million in total between 2012 and 2014, according to the filing.

Related:

In addition to the more than $17 million in payments, the firm reported expensing more than $2.6 million in travel, meals, and living expenses.

The filing lists one meeting with an elected U.S official, with Rep. Dana Rohrabacher, R.-Calif., in March 2013, and an email to former Ambassador to Ukraine John Tefft in October 2012.

Manafort spokesman Jason Maloni did not respond to requests for comment. On Tuesday,

Maloni told NBC News in April that Manafort began talking to officials about the advisability of registering under FARA prior to the 2016 presidential election, and that he "received formal guidance recently from the authorities."

In March, former White House National Security Advisor Mike Flynn filed a disclosure saying he had worked for Turkish business interests in 2016. Flynn was a Trump campaign aide while engaging in lobbying that "could be construed to have principally benefited the Republic of Turkey" according to the filing.

View post:
Former Trump Aide Manafort Registers as Foreign Agent for Ukraine Work - NBCNews.com

JUDY WOODRUFF: As we reported earlier, governments and industries the world over are trying to deal with effects of the latest in a series of cyber-attacks. The so-called ransomware assault is the second such strike in the last six weeks.

Hari Sreenivasan in New York has more.

HARI SREENIVASAN: This attack originated yesterday in Ukraine, and rapidly spread through Europe and beyond. The virus is called Petya, and it takes over infected computers, effectively locking out users.

A payment is required to return control of the machine and data. In early May, a similar virus called WannaCry spread to over 150 countries.

This new attack shows signs of greater technical sophistication, but both apparently used, in part, a tool developed by the U.S. National Security Agency, a tool that was leaked into the open last year.

With me now for more on this is Rodney Joffe. He is the senior vice president and national security executive for Neustar, a cyber-security firm.

Rodney, it seems that we have not learned that much from what happened two months ago, but it seems that the attackers have learned a little bit more.

RODNEY JOFFE, Neustar, Inc.: Theres no question that this is more sophisticated.

When we look at the code, when we look at the mechanism that was used, this one is much more sophisticated. It actually uses three different vectors we have seen so far. The vector youre talking about that was used in WannaCry is the third option that is used by this one. It uses two others, but the damage is much more significant in this case.

This is not looking like so much like ransomware anymore, but its starting to look like its a deliberate attempt to cause havoc by destroying machines.

HARI SREENIVASAN: Is this something that a hacker collective would do, or is this something that a state government would be interested in doing, destabilizing Ukraine from all of these companies that do business with it or pay taxes to it?

RODNEY JOFFE: You know, its real tough these days to tell where the dividing line is between the criminals and nation states, and they really do work hand in hand, especially in Eastern Europe.

But if you look this, the criminals are obviously out there for financial gain. This was set up in such a way that theres very little chance of much in terms of financial gain.

I think, as of last evening, by the way, there was $10,500 that had actually paid into this wallet. And I have got to tell you that the effort that went into writing the code and distributing it clearly cost a lot more than $10,500.

HARI SREENIVASAN: What is the measurable impact on Ukraine going forward?

RODNEY JOFFE: I think that the biggest problem that theyre going to be facing is the fact that the ability to pay taxes to the state is seriously affected.

We have seen images that were tweeted of things like supermarkets where the checkout systems had been compromised and were showing the screen. We also see the very large obviously, the multinational shipping line that has now been affected.

So, it looks like a deliberate attempt to cause some kind of significant financial impact, not just on the citizens of Ukraine, but on Ukraine itself.

HARI SREENIVASAN: You know, when you said you noticed differences in the design between the WannaCry and this, do we have any indication that paying these people off actually gets you your data back, or was it not even designed to do that?

RODNEY JOFFE: Theoretically, it was designed to do that, but its clear so far that the mechanism that was put in place to actually collect ransom is nowhere near the sophistication of the malware itself.

And you dont think that someone would have made that kind of mistake, built something that was very, very effective to compromise, and no real ability to collect.

We havent seen or heard of anyone so far who has been able to decrypt it. And what we also know is that, within a very short time after the malware was discovered, the single e-mail address that was needed to communicate with was actually shut down by the provider.

So thats one reason that I believe that no one is going to be able to easily get their data back. The second thing is that there are reports that are surfacing now, as folks have looked at the code, that there is at least one bug in the code that actually makes it so that decryption is not possible.

HARI SREENIVASAN: Are the rest of us basically collateral damage when it comes to whats happening, say, between Ukraine and Russia? This is falling on the day now where this is Constitution Day for Ukraine. Theyre celebrating their independence from Russia, what, 21 years ago.

RODNEY JOFFE: We clearly are collateral damage. This was obviously targeted at Ukraine.

But it is affecting others. However, one of the things that we have learned in the past is that, in many ways, the people behind a lot of the malware dont care about the collateral damage. They have a single target or a single objective, and they dont really seem to care. We have seen that for years. This is no different.

HARI SREENIVASAN: Rodney Joffe joining us from Washington, D.C., tonight, thanks so much.

RODNEY JOFFE: Thanks for having me.

Originally posted here:
How a sophisticated malware attack is wreaking havoc on Ukraine ... - PBS NewsHour