New computer virus spreads from Ukraine to disrupt world business

The Star (St. Lucia) - BUSINESS

Eric Auchard, Jack Stubbs and Alessandra Prentice

A new cyber virus spread from Ukraine to wreak havoc around the globe on Wednesday, crippling thousands of computers, disrupting ports from Mumbai to Los Angeles and halting production at a chocolate factory in Australia.

The virus is believed to have first taken hold on Tuesday in Ukraine where it silently infected computers after users downloaded a popular tax accounting package or visited a local news site, national police and international cyber experts said.

More than a day after it first struck, companies around the world were still wrestling with the fallout while cyber security experts scrambled to find a way to stem the spread.

Danish shipping giant A.P. Moller-Maersk said it was struggling to process orders and shift cargoes, congesting some of the 76 ports around the world run by its APM Terminals subsidiary.

U.S. delivery firm FedEx Corp said its TNT Express division had been significantly affected by the virus, which also wormed its way into South America, affecting ports in Argentina operated by China's Cofco.

The malicious code locked machines and demanded victims post a ransom worth $300 in bitcoins or lose their data entirely, similar to the extortion tactic used in the global WannaCry ransomware attack in May.

More than 30 victims paid up but security experts are questioning whether extortion was the goal, given the relatively small sum demanded, or whether the hackers were driven by destructive motives rather than financial gain.

Hackers asked victims to notify them by email when ransoms had been paid but German email provider Posteo quickly shut down the address, a German government cyber security official said.

Ukraine, the epicenter of the cyber strike, has repeatedly accused Russia of orchestrating attacks on its computer systems and critical power infrastructure since its powerful neighbor annexed the Black Sea peninsula of Crimea in 2014.

The Kremlin, which has consistently rejected the accusations, said on Wednesday it had no information about the origin of the global cyber attack, which also struck Russian companies such as oil giant Rosneft and a steelmaker.

"No one can effectively combat cyber threats on their own, and, unfortunately, unfounded blanket accusations will not solve this problem," said Kremlin spokesman Dmitry Peskov.

ESET, a Slovakian company that sells products to shield computers from viruses, said 80 percent of the infections detected among its global customer base were in Ukraine, with Italy second hardest hit with about 10 percent.

The aim of the latest attack appeared to be disruption rather than ransom, said Brian Lord, former deputy director of intelligence and cyber operations at Britain's GCHQ and now managing director at private security firm PGI Cyber.

"My sense is this starts to look like a state operating through a proxy . . . as a kind of experiment to see what happens," Lord told Reuters on Wednesday.

While the malware seemed to be a variant of past campaigns, derived from code known as Eternal Blue believed to have been developed by the U.S. National Security Agency (NSA), experts said it was not as virulent as May's WannaCry attack.

Security researchers said Tuesday's virus could leap from computer to computer once unleashed within an organization but, unlike WannaCry, it could not randomly trawl the internet for its next victims, limiting its scope to infect.

Businesses that installed Microsoft's latest security patches from earlier this year and turned off Windows filesharing features appeared to be largely unaffected.

There was speculation, however, among some experts that once the new virus had infected one computer it could spread to other machines on the same network, even if those devices had received a security update.

After WannaCry, governments, security firms and industrial groups advised businesses and consumers to make sure all their computers were updated with Microsoft security patches.

Austria's government-backed Computer Emergency Response Team (CERT) said "a small number" of international firms appeared to be affected, with tens of thousands of computers taken down.

Security firms including Microsoft, Cisco's Talos and Symantec said they had confirmed some of the initial infections occurred when malware was transmitted to users of a Ukrainian tax software program called MEDoc.

The supplier of the software, M.E.Doc, denied in a post on Facebook that its software was to blame, though Microsoft reiterated its suspicions afterwards.

"Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process," it said in a technical blog post.

Russian security firm Kaspersky said a Ukrainian news site for the city of Bakhumut was also hacked and used to distribute the ransomware to visitors, encrypting data on their machines.

A number of the international firms hit have operations in Ukraine, and the virus is believed to have spread within global corporate networks after gaining traction within the country.

Shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide, has a logistics unit in Ukraine.

Other large firms affected, such as French construction materials company Saint Gobain and Mondelez International Inc, which owns chocolate brand Cadbury, also have operations in the country.

Maersk was one of the first global firms to be taken down by the cyber attack and its operations at major ports such as Mumbai in India, Rotterdam in the Netherlands and Los Angeles on the U.S. west coast were disrupted.

Other companies to succumb included BNP Paribas Real Estate, a part of the French bank that provides property and investment management services.

"The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack," the bank said on Wednesday.

Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt late on Tuesday after computer systems went down.

Russia's Rosneft, one of the world's biggest crude producers by volume, said on Tuesday its systems had suffered "serious consequences" but oil production had not been affected because it switched to backup systems.

--- Reuters
