The Atlanta Journal-Constitution

Hackers use stolen NSA tool in massive attack

Dozens of countries hit; Britain’s health system crippled.

- Dan Bilefsky and Nicole Perlroth

LONDON — Hackers exploiting data stolen from the U.S. government conducted extensive cyberattacks on Friday that hit dozens of countries around the world, severely disrupting Britain’s public health system and wreaking havoc on tens of thousands of computers elsewhere, including Russia’s ministry for internal security.

Hospitals in Britain appeared to be the most severely affected by the attacks, which aimed to blackmail computer users by seizing their data. The attacks blocked doctors’ access to patient files and forced emergency rooms to divert people seeking urgent care.

Corporate computer systems in many other countries — including FedEx of the United States, one of the world’s leading international shippers — were among those affected.

Kaspersky Lab, a Russian cybersecurity firm, said it had recorded at least 45,000 attacks in as many as 74 countries.

It was not immediately clear who was behind the attacks, but the acts deeply alarmed cybersecurity experts and underscored the enormous vulnerabilities to internet invasions faced by disjointed networks of computer systems around the world.

“When people ask what keeps you up at night, it’s this,” said Chris Camacho, chief strategy officer at Flashpoint, a New York security firm tracking the attacks.

Russia’s powerful Interior Ministry, after denying reports that its computers had been targeted, confirmed in a statement that “around 1,000 computers were infected,” which it described as less than 1 percent of the total. The ministry, which oversees Russia’s police forces, said technicians had stopped the attack and were updating the department’s anti-virus defense.

The attacks were reminiscent of the hack that took down dozens of websites last October, including Twitter, Spotify and PayPal, by exploiting devices connected to the internet, including printers and baby monitors.

The hacking tool used Friday was ransomware, a kind of malware that encrypts data, locks out the user and demands a ransom to release it. Security experts say the tool exploited a vulnerability in Microsoft systems that was discovered and developed by the National Security Agency of the United States.

The ransomware, known as WannaCry, was leaked by a group calling itself the Shadow Brokers, which has been dumping stolen NSA hacking tools online since last year. Microsoft rolled out a patch for the vulnerability in March, but hackers apparently took advantage of the fact that vulnerable targets — particularly hospitals — had yet to update their systems or had ignored advisories from Microsoft to do so.

The malware was circulated by email. Targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets.

Reuters reported that employees of Britain’s National Health Service had been warned about the ransomware threat earlier Friday. But by then it was already too late. As the disruptions rippled through at least 36 hospitals, doctors’ offices and ambulance companies across Britain, the health service declared the attack a “major incident” and warned that local health services could be overwhelmed.

Britain’s health secretary, Jeremy Hunt, was briefed by cybersecurity experts, while Prime Minister Theresa May’s office said she was monitoring the situation.

May said later on television that “we’re not aware of any evidence that patient data has been compromised.”

Among the many other affected institutions were hospitals and telecommunications companies across Europe and Asia, according to MalwareHunterTeam, a security firm that tracks ransomware attacks.

But the extent of the ransomware attacks could be much broader, as the MalwareHunterTeam said it tracks only attacks that have been reported by the victims. Spain’s Telefónica and Russia’s MegaFon were among the largest of the businesses targeted.

Other countries where attacks were reported included Japan, the Philippines, Turkey and Vietnam.

The computers all appeared to have been hit with the same ransomware and similar messages demanding about $300 to unlock their data.

Camacho noted that security detection technology could not easily catch the ransomware attacks because the attackers encrypted the malicious file in email attachments. When employees at victim organizations clicked on the attachments, they inadvertently downloaded the ransomware onto their systems.

Security experts advised companies to immediately update their systems with the Microsoft patch.

Until organizations use the Microsoft patch, Camacho said, they could continue to be hit — not just by ransomware, but by all kinds of malicious tools that can manipulate, steal or delete their data.

“There is going to be a lot more of these attacks,” he said. “We’ll see copycats, and not just for ransomware, but other attacks.”

The attack on Britain’s National Health Service appeared to be the most brazen because it had life-or-death implications for hospitals and ambulance services.

Tom Donnelly, a spokesman for NHS Digital, the arm of the health service that handles cybersecurity, said 16 organizations, including “hospitals and other kinds of clinician services,” had been hit. Officials later updated that number to at least 25.

According to the BBC, hospitals in London and Nottingham, the town of Blackburn and the counties of Cumbria and Hertfordshire were affected.

In the northwestern seaside town of Blackpool, doctors resorted to pen and paper, with phone and computer systems having shut down, according to the local newspaper, The Blackpool Gazette.

A bit to the south, in the seaside town of Southport, images on Twitter showed ambulances backed up outside the town’s hospital. In Stevenage, a town in Hertfordshire, north of London, the health service postponed all nonurgent activity and asked people not to come to the accident and emergency ward at the Lister Hospital.

Less was known about the scope of the attacks in Spain and Portugal, which affected companies like Telefónica.

Spain’s national cryptology center said it was dealing with “a massive ransomware attack” affecting Windows systems used by various organizations, without naming them.

Later on Friday, Portugal reported a similar attack. Carlos Cabreiro, director of a police unit that fights cybercrime, told the newspaper Público that the country was facing “computer attacks on a large scale against different Portuguese companies, especially communication operators.”

Spain’s Industry Ministry said in a separate statement that the attack had not affected networks or customers using services offered by the companies targeted. Telefónica also indicated that the attack had targeted its internal network rather than its millions of customers. On Twitter, Chema Alonso, Telefónica’s chief data officer, called initial news reports “exaggerated.”

Several employees of MegaFon, one of the largest cellphone operators in Russia, said its systems had been attacked Friday by malware like that used against the NHS, the news website Meduza.io reported.

@FENDIFILLE This image provided by the Twitter page of @fendifille shows a computer at a British hospital that was hit by ransomware Friday. The attackers are demanding payments via bitcoin to unlock computers.
