Chernobyl nuclear site hit by powerful ransomware cyber attack sweeping globe

The worldwide extortion scheme targeting Windows users began in Russia and Ukraine

PUBLISHED : Wednesday, 28 June, 2017, 12:40am
UPDATED : Wednesday, 28 June, 2017, 9:15am

A major global cyber attack on Tuesday disrupted computers at the Chernobyl nuclear site, Russia’s biggest oil company, Ukrainian banks and multinational firms with a virus similar to the ransomware that last month infected more than 300,000 computers.

The rapidly spreading cyber extortion campaign underscored growing concerns that businesses have failed to secure their networks from increasingly aggressive hackers, who have shown they are capable of shutting down critical infrastructure and crippling corporate and government networks.

It included code known as “Eternal Blue,” which cyber security experts widely believe was stolen from the US National Security Agency (NSA) and was also used in last month’s ransomware attack, named “WannaCry.”

“Cyber attacks can simply destroy us,” said Kevin Johnson, chief executive of cyber security firm Secure Ideas. “Companies are just not doing what they are supposed to do to fix the problem.”

The virus hit the radiation-monitoring system at Ukraine’s shuttered Chernobyl power plant, site of the world’s worst nuclear accident, forcing it into manual operation. The station’s systems were turned off “due to the cyberattack”, said Ukraine’s agency in charge of the exclusion zone around the plant. A spokesman said employees now “go out and measure the (radiation) levels with hand-held meters.”

The ransomware virus crippled computers running Microsoft Corp’s Windows by encrypting hard drives and overwriting files, then demanded US$300 in bitcoin payments to restore access. More than 30 victims paid into the bitcoin account associated with the attack, according to a public ledger of transactions listed on blockchain.info.

Microsoft said the virus could spread through a flaw that was patched in a security update in March.

“We are continuing to investigate and will take appropriate action to protect customers,” a spokesman for the company said, adding that Microsoft antivirus software detects and removes it.

Russia and Ukraine were most affected by the thousands of attacks, according to security software maker Kaspersky Lab, with other victims spread across countries including Britain, France, Germany, Italy, Poland and the United States. The total number of attacks was unknown.

Security experts said they expected the impact to be smaller than WannaCry since many computers had been patched with Windows updates in the wake of WannaCry last month to protect them against attacks using Eternal Blue code.

Still, the attack could be more dangerous than traditional strains of ransomware because it makes computers unresponsive and unable to reboot, Juniper Networks said in a blog post analysing the attack.

Researchers said the attack may have borrowed malware code used in earlier ransomware campaigns known as “Petya” and “GoldenEye.”

Following last month’s attack, governments, security firms and industrial groups aggressively advised businesses and consumers to make sure all their computers were updated with Microsoft patches to defend against the threat.

The US Department of Homeland Security said it was monitoring the attacks and coordinating with other countries. It advised victims not to pay the extortion, saying that doing so does not guarantee access will be restored.

In a statement, the White House National Security Council said there was currently no risk to public safety. The United States was investigating the attack and determined to hold those responsible accountable, it said.

The NSA did not respond to a request for comment. The spy agency has not publicly said whether it built Eternal Blue and other hacking tools leaked online by an entity known as Shadow Brokers.

Several private security experts have said they believe Shadow Brokers is tied to the Russian government, and that the North Korean government was behind WannaCry. Both countries’ governments deny charges they are involved in hacking.

The first attacks were reported from Russia and Ukraine, around 2pm Moscow time (7pm HK time).

Russia’s Rosneft, one of the world’s biggest crude producers by volume, said its systems had suffered “serious consequences,” but added oil production had not been affected because it switched over to backup systems.

Ukrainian Deputy Prime Minister Pavlo Rozenko said the government’s computer network went down and the central bank reported disruption to operations at banks and firms including the state power distributor.

Danish shipping giant AP Moller-Maersk said it was among the victims, reporting outages at facilities including its Los Angeles terminal.

WPP, the world’s largest advertising agency, said it was also infected. A WPP employee who asked not to be named said that workers were told to shut down their computers: “The building has come to a standstill.”

A Ukrainian media company said its computers were blocked and it was asked to pay US$300 in the crypto-currency bitcoin to regain access.

“Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the message said, according to a screenshot posted on Ukraine’s Channel 24.

Russia’s central bank said there were isolated cases of lenders’ IT systems being infected. One consumer lender, Home Credit, had to suspend client operations.

Other companies that identified themselves as victims included French construction materials firm Saint Gobain, US drugmaker Merck & Co and Mars Inc’s Royal Canin pet food business.

India-based employees at Beiersdorf, makers of Nivea skin care products, and Reckitt Benckiser, which owns Enfamil and Lysol, said the ransomware attack had impacted some of their systems in the country, as the infection began spreading to Asia.

Targets of the new global ransomware attack

CHERNOBYL

The normal radiation monitoring system at Ukraine’s Chernobyl nuclear disaster site was taken offline due to a massive cyberattack, forcing employees to use hand-held counters to measure levels, officials said.

ROSNEFT

Russia’s top oil producer Rosneft said its servers had been hit by a large-scale cyber attack but its oil production was unaffected.

A.P. MOLLER-MAERSK

Danish shipping giant A.P. Moller-Maersk, which handles one out of seven containers shipped globally, said a cyber attack had caused outages at its computer systems across the world.

Maersk’s port operator APM Terminals was also hit. Dutch broadcaster RTV Rijnmond reported that 17 shipping container terminals run by APM Terminals had been hacked, including two in Rotterdam and 15 in other parts of the world.

WPP

Britain’s WPP, the world’s biggest advertising company, said computer systems within several of its agencies had been hit by a suspected cyber attack.

MERCK & Co.

Pharmaceutical company Merck & Co. said in a tweet its computer network was compromised as part of a global hack.

RUSSIAN BANKS

Russia’s central bank said there had been “computer attacks” on Russian banks and that in isolated cases their IT systems had been infected.

All Russian branches of Home Credit consumer lender are closed because of a cyber attack, an employee of a Home Credit call centre in Russia said.

UKRAINIAN BANKS, POWER GRID

A number of Ukrainian banks and companies, including the state power distributor, were hit by a cyber attack that disrupted some operations, the Ukrainian central bank said.

UKRAINIAN INTERNATIONAL AIRPORT

Yevhen Dykhne, director of the capital’s Boryspil Airport, said it had been hit. “In connection with the irregular situation, some flight delays are possible,” Dykhne said in a post on Facebook.

SAINT GOBAIN

French construction materials company Saint Gobain said it had been a victim of a cyber attack, and it had isolated its computer systems to protect data.

DEUTSCHE POST

German postal and logistics company Deutsche Post said systems of its Express division in the Ukraine have in part been affected by a cyber attack.

METRO

Germany’s Metro said its wholesale stores in the Ukraine had been hit by a cyber attack and the retailer was assessing the impact.

MONDELEZ INTERNATIONAL

Food company Mondelez International said employees in different regions were experiencing technical problems but it was unclear whether this was due to a cyber attack.

EVRAZ

Russian steelmaker Evraz said its information systems had been hit by a cyber attack but its output was not affected.

NORWAY

A ransomware cyber attack is taking place in Norway and is affecting an unnamed international company, the Nordic country’s national security authority said.

Additional reporting by Agencies