“When people ask what keeps you up at night, it’s this,” said Chris Camacho, the chief strategy officer at Flashpoint, a New York security firm tracking the attacks.
The hacking tool was ransomware, a kind of malware that encrypts data, locks out the user and demands a ransom to release it. Security experts say the tool exploited a vulnerability that was discovered and developed by the National Security Agency of the United States.
The tool was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen N.S.A. hacking tools online since last year. Microsoft rolled out a patch for the vulnerability in March, but hackers apparently took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems.
The malware was circulated by email. Targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate their systems.
Reuters reported that employees of Britain’s National Health Service had been warned about the ransomware threat earlier on Friday.
But by then it was already too late. As the disruptions rippled through at least 36 hospitals, doctors’ offices and ambulance companies across Britain on Friday, the health service declared the attack a “major incident,” a warning that local health services could be overwhelmed.
Britain’s health secretary, Jeremy Hunt, was briefed by cybersecurity experts, while Prime Minister Theresa May’s office said she was monitoring the situation.
Mrs. May said later on television that “we’re not aware of any evidence that patient data has been compromised.”
Among the many other affected institutions were hospitals and telecommunications companies across Europe and Asia, according to MalwareHunterTeam, a security firm that tracks ransomware attacks.
But the extent of the ransomware attacks could be much broader, as the MalwareHunterTeam said it tracks only attacks that have been reported by the victims. Spain’s Telefónica and Russia’s MegaFon were among the largest of the businesses targeted.
Other countries where attacks were reported included Japan, the Philippines, Turkey and Vietnam.
The computers all appeared to be hit with the same ransomware and similar messages demanding about $300 to unlock their data.
Mr. Camacho noted that security detection technology could not easily catch the ransomware attacks, because the attackers encrypted the malicious file in email attachments. When employees at victim organizations clicked on the attachments, they inadvertently downloaded the ransomware onto their systems.
Security experts advised companies to immediately update their systems with the Microsoft patch.
Until organizations use the Microsoft patch, Mr. Camacho said, they could continue to be hit — not just by ransomware, but by all kinds of malicious tools that can manipulate, steal or delete their data. “There is going to be a lot more of these attacks,” he said. “We’ll see copycats, and not just for ransomware, but other attacks.”
The attack on Britain’s National Health Service appeared to be the most brazen because it had life-or-death implications for hospitals and ambulance services.
Tom Donnelly, a spokesman for N.H.S. Digital, the arm of the health service that handles cybersecurity, said in a telephone interview that 16 organizations, including “hospitals and other kinds of clinician services,” had been hit. Officials later updated that number to at least 25.
The service’s digital arm said in a statement that the attack involved a variant of ransomware known as Wanna Decryptor.
The user is asked to pay a ransom to unlock the computer — an increasingly prevalent problem. Last year, a Los Angeles hospital paid $17,000 after such an attack; in January, hackers shut down the electronic key system at a hotel in Austria.
On social media, several images circulated on Friday showing computer screens bearing a message that the user could not enter without first paying a $300 ransom in Bitcoin. Many doctors reported that they could not retrieve their patients’ files.
N.H.S. Digital added, “At this stage we do not have any evidence that patient data has been accessed.”
It said that the N.H.S. did not appear to have been the main target of the attack.
The National Cyber Security Center, an arm of the GCHQ, the British electronic surveillance agency, said it was investigating the attack. “We are aware of a cyber incident, and we are working with N.H.S. Digital and the National Crime Agency to investigate,” it said in a statement.
As of 3:30 p.m., 16 organizations within N.H.S. England had reported being affected, the statement said.
The attack also affected N.H.S. institutions in Scotland, where Health Secretary Shona Robison said officials were “taking immediate steps to minimize the impact of the attack across N.H.S. Scotland and restrict any disruption.”
According to the BBC, hospitals in London and Nottingham, the town of Blackburn and the counties of Cumbria and Hertfordshire were affected.
In the northwestern seaside town of Blackpool, doctors resorted to pen and paper, with phone and computer systems having shut down, according to the local newspaper, The Blackpool Gazette.
A bit to the south, in the seaside town of Southport, images on Twitter showed ambulances backed up outside the town’s hospital.
In Stevenage, a town in Hertfordshire, north of London, the health service postponed all non-urgent activity and asked people not to come to the accident and emergency ward at the Lister Hospital.
Less was known about the scope of the attacks in Spain and Portugal, which affected companies like Telefónica.
Spain’s national cryptology center said it was dealing with “a massive ransomware attack” affecting Windows systems used by various organizations, without naming them.
Later on Friday, Portugal reported a similar attack. Carlos Cabreiro, the director of a police unit that fights cybercrime, told the newspaper Público that the country was facing “computer attacks on a large scale against different Portuguese companies, especially communication operators.”
Spain’s Industry Ministry said in a separate statement that the attack had not affected networks or customers using services offered by the companies targeted. Telefónica also indicated that the attack had targeted its internal network rather than its millions of customers. On Twitter, Chema Alonso, Telefónica’s chief data officer, called initial news reports “exaggerated.”
Several employees of MegaFon, one of the largest cellphone operators in Russia, said its systems had been attacked on Friday by malware like that used against the N.H.S., the news website Meduza.io reported.