THE federal government promises it will remain vigilant, as a group orchestrating cyber attacks wreaks havoc worldwide.
On Friday, a massive wave of cyber attacks swept across 99 countries, with cyber security experts claiming it could be the biggest attack of its kind ever recorded.
Despite the fact that – so far – there have been no confirmed reports of attacks on Australian organisations, Cyber Security Minister Dan Tehan has admitted that doesn’t mean we’re not at risk.
“I cannot put my hand on my heart and say that means we are 100 per cent cyber secure,” he told reporters in Perth today.
“The technology changes, the vulnerabilities change.”
Earlier, Prime Minister Malcolm Turnbull insisted that even if we are targeted, the government is prepared.
“We are continuing to monitor the situation closely and stand ready to deal with any cyber-security threat to Australia’s critical infrastructure,” he said through a spokesman.
The attacks, believed to be part of an extortion plot, have so far created chaos in hospitals in Britain as well as the Spanish telecom giant Telefonica and the US delivery firm FedEx.
Cyber extortionists have tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.
The ransomware encrypted data on the computers, demanding payments of $US300 ($AU406) to $US600 ($AU812) to restore access.
The hackers have not come forward to claim responsibility but a mysterious hacking organisation, called Shadow Brokers, is being blamed for the attack — possibly in retaliation for US air strikes on Syria.
In April, Shadow Brokers released a piece of National Security Agency (NSA) code known as “Eternal Blue”, as part of a trove of hacking tools they said belonged to the US spy agency.
The Eternal Blue code gives access to all computers using Microsoft Windows, the world’s most popular computer operating system. The NSA had developed it to gain access to computers used by terrorists and enemy states.
It is believed that Eternal Blue, having been dumped by Shadow Brokers, was then picked up by a separate crime gang which used it to launch the extraordinary worldwide cyber security breach.
According to The Telegraph, some experts believe the timing of this cyber dump is significant and indicates that Shadow Brokers has links to the Russian government.
In an internet posting, six days before it hacked the NSA and released the Eternal Blue code on April 14 — and a day after the first air strikes — Shadow Brokers appeared to issue a warning to US President Donald Trump.
“Respectfully, what the f*** are you doing? The Shadow Brokers voted for you. The Shadow Brokers supports you. The Shadow Brokers is losing faith in you. Mr Trump helping the Shadow Brokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected,” the group said in broken English in a statement, according to The Telegraph.
UPDATE YOUR SOFTWARE
Experts are now urging Microsoft users to update their software.
Microsoft has released software patches for the security holes, although not everyone has installed those updates.
“If your software is not patched, you can exploit that user. Anyone who applied the patch that Microsoft released likely wasn’t affected by this,” John Villasenor, a professor at the University of California, Los Angeles said.
Mr Villasenor also said users should regularly back up their data and ensure that security updates are installed on their computer as soon as they are released. Up-to-date backups make it possible to restore files without paying a ransom.
BIGGEST IN HISTORY
Cyber security experts are calling the hack the biggest attack of its kind ever recorded.
Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, has called it “the biggest ransomware outbreak in history”.
Another expert, Chris Wysopal of the software security firm Veracode, said he believes criminal organisations are behind the attack, given how quickly the malware spread.
“For so many organisations in the same day to be hit, this is unprecedented,” Mr Wysopal said.
There are currently no confirmed reports Australian organisations have been hit by the cyber breach but the federal government said it will remain vigilant.
“We are continuing to monitor the situation closely and stand ready to deal with any cyber-security threat to Australia’s critical infrastructure,” Prime Minister Malcolm Turnbull said through a spokesman on Saturday.
The prime minister’s right-hand man on cyber security, Alastair MacGibbon, is working with officials and health agencies to determine any impact on Australia.
But the US Department of Homeland Security’s computer emergency response team said it was aware of ransomware infections “in several countries around the world.”
“We are now seeing more than 75,000 detections … in 99 countries,” Jakub Kroustek of the security firm Avast said in a blog post around 2000 GMT.
Earlier, Kaspersky researcher Costin Raiu cited 45,000 attacks in 74 countries, saying that the malware, a self-replicating “worm,” was spreading quickly.
MALICIOUS EMAIL ATTACK
Forcepoint Security Labs said that “a major malicious email campaign” consisting of nearly five million emails per hour was spreading the new ransomware.
The malware’s name is WCry, but analysts were also using variants such as WannaCry.
Forcepoint said in a statement that the attack had “global scope”, affecting organisations in Australia, Belgium, France, Germany, Italy and Mexico.
In the United States, FedEx acknowledged it had been hit by malware and was “implementing remediation steps as quickly as possible.”
The UK’s state-run National Health Service declared a “major incident” after the attack, which forced some hospitals to divert ambulances and scrap operations.
In Spain, major firms including Telefonica were hit, with employees told to shut down workstations immediately through megaphone announcements.
Russia’s interior ministry also confirmed Friday some of its computers had been hit by a “virus attack”.
Ministry spokeswoman Irina Volk told Russian news agencies it had “recorded a virus attack on the ministry’s personal computers controlled by a Windows operating system”.
“The virus has been localised. Technical work is under way to destroy it and renew the means of virus protection,” she said.
Volk added that some 1,000 computers — less than one per cent of their total number — had been affected, Interfax reported.
An unnamed source told Interfax that the attack had not led to any information leaks.
The ministry’s statement comes as an increasing number of cyber strikes are reported around the world, including against dozens of British hospitals.
Russian telecom operator MegaFon said it had also been victim of a cyber attack on Friday that interrupted the work of its call centres.
“We needed to partly turn off whole networks internally so the virus didn’t spread,” RIA Novosti news agency quoted MegaFon public relations director Pyotr Lidov as saying.
At least 16 organisations within the NHS, some of them responsible for several hospitals each, reported being targeted.
“We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack. This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected,” Prime Minister Theresa May said.
Britain’s National Cyber Security Centre and its National Crime Agency were looking into the UK incidents.
Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 ($AU406) in Bitcoin, saying: “Oops, your files have been encrypted!”.
It demands payment in three days or the price is doubled, and if none is received in seven days, the files will be deleted, according to the screen message.
A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, Kaspersky said.
Although Microsoft released a security patch for the flaw earlier this year, many systems have yet to be updated, researchers said.
“Unlike most other attacks, this malware is spreading primarily by direct infection from machine to machine on local networks, rather than purely by email,” Lance Cottrell, chief scientist at the US technology group Ntrepid.
“The ransomware can spread without anyone opening an email or clicking on a link.”
NHS Incident Director Anne Rainsberry urged the British public to “use the NHS wisely while we deal with this major incident which is still ongoing”.
The sort of ransom demands seen on the NHS screens are not without precedent at medical facilities. In February 2016, a Los Angeles hospital, the Hollywood Presbyterian Medical Center, paid $17,000 ($AU23,000) in Bitcoin to hackers who took control of its computers for more than a week.
“Ransomware becomes particularly nasty when it infects institutions like hospitals, where it can put people’s lives in danger,” Avast analyst Kroustek said.
A spokesman for Barts Health NHS Trust in London said it was experiencing “major IT disruption” and delays at all four of its hospitals.
“We have activated our major incident plan to make sure we can maintain the safety and welfare of patients,” the spokesman said. “Ambulances are being diverted to neighbouring hospitals.” Two employees at St Bartholomew’s Hospital, which is part of Barts Health, told AFP that all the computers in the hospital had been turned off.
Caroline Brennan, 41, went to the hospital to see her brother, who had open heart surgery.
“They told us there was a problem. They said the system was down and that they cannot transfer anyone till the computer system was back up so he is still in the theatre.”
— With AFP, AP and AAP
Is your business effected by Cyber Crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.
Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/
UK +44 20 8089 9944