A Russian ransomware group whose leaders were indicted by the Justice Department in December is retaliating against the U.S. government, many of America’s largest companies and a major news organization, identifying employees working from home during the pandemic and attempting to get inside their networks with malware intended to cripple their operations.
Sophisticated new attacks by the hacking group — which the Treasury Department claims has at times worked for Russian intelligence — were identified in recent days by Symantec Corporation, a division of Broadcom, one of the many firms that monitor corporate and government networks.
In an urgent warning issued Thursday night, the company reported that Russian hackers had exploited the sudden change in American work habits to inject code into corporate networks with a speed and breadth not previously witnessed.
Ransomware allows the hackers to demand that companies pay millions to have access to their own data restored.
While ransomware has long been a concern for American officials, after devastating attacks on the cities of Atlanta and Baltimore and towns across Texas and Florida, it has taken on new dimensions in an election year. The Department of Homeland Security has been racing to harden the voter registration systems run by cities and states, fearing that they, too, could be frozen, and voter rolls made inaccessible, in an effort to throw the Nov. 3 election into chaos.
“Security firms have been accused of crying wolf, but what we have seen in the past few weeks is remarkable,” said Eric Chien, Symantec’s technical director, who was known as one of the engineers who first identified the Stuxnet code that the United States and Israel used to cripple Iran’s nuclear centrifuges a decade ago. “Right now this is all about making money, but the infrastructure they are deploying could be used to wipe out a lot of data — and not just at corporations.”
A leaked May 1 F.B.I. warning said ransomware attacks on American corporations were threatening to take out election infrastructure. “The F.B.I. assesses that ransomware infections delivered through M.S.P.s,” the acronym for internet service providers, “to U.S. county and state government networks will likely threaten the availability of data on interconnected election servers, even if that is not the actors’ intention,” it said.
A cyberattack late last year on a Louisiana internet services company allowed hackers to target the Louisiana secretary of state and nine court clerk offices the week before an election. And in Tillamook County, Ore., in January, ransomware attackers prevented voter registration personnel from accessing voter registration data as they readied the data for the May primaries.
Symantec declined to name the companies that were the targets of the Russian hackers, citing the usual confidentiality of its client base. But it said it had already identified 31, including major American brands and Fortune 500 firms. It is unclear whether any of those companies have received ransomware demands, which would only come if the malicious code was activated by its authors. Mr. Chien said the warning was issued because “these hackers have a decade of experience and they aren’t wasting time with small, two-bit outfits. They are going after the biggest American firms, and only American firms.”
The hackers call themselves “Evil Corp.,” a play off the “Mr. Robot” television series. In December, the Justice Department said they had “been engaged in cybercrime on an almost unimaginable scale,” deploying malware to steal tens of millions of dollars from online banking systems. The Treasury Department placed sanctions on them, and the State Department offered $5 million for information leading to the arrest or conviction of the group’s leader.
The indictment is one of many in the past few years against Russian groups, including intelligence agents and the Internet Research Agency, accused of interfering in the 2016 election. Those indictments were intended as a deterrent. But Moscow has protected Evil Corp.’s hackers from extradition, and they are unlikely to stand trial in the United States. In the Treasury Department sanctions announcement, the United States contended that some of the group’s leaders have done work for the F.S.B., the successor to the Soviet K.G.B.
The December indictment and the sanctions both named Maksim V. Yakubets, said by the Treasury Department to be “working for the Russian F.S.B.” three years ago, and “tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.”
Symantec said it had briefed federal officials on the findings, which are echoed by at least one other company monitoring corporate networks. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency did not immediately respond to questions about whether it had seen the same activity, or planned to issue a parallel warning.
But the attack’s methodology suggests it was intended for the work-at-home era.
The malware, Mr. Chien said, was deployed on common websites and even one news site. But it did not infect every computer used to go shopping or read about the day’s events. Instead, the code looked for a sign that the computer was part of a major corporate or government network. For example, many firms have their employees use a “virtual private network,” or V.P.N., a protected channel that allows workers sitting in their basements or attics to tunnel into their corporate computer systems as if they were at the office.
“These attacks do not try to get into the V.P.N.,” Mr. Chien said. “They just use it to identify who the user works for.” Then the systems wait for the worker to go to a public or commercial website, and use that moment to infect their computer. Once the machine is reconnected to the corporate network, the code is deployed, in hopes of gaining access to corporate systems.
The indictment was intended to put Evil Corp. out of business. It failed. In the month after the indictment, Evil Corp.’s hackers dropped off the map, but they picked up again in May, according to security researchers at Symantec and Fox-IT, another security company that is a division of the NCC Group. For the past month, they have been successfully breaking into organizations using custom ransomware tools.
Evil Corp.’s hackers managed to disable the antivirus software on victims’ systems and take out backup systems, in what Fox-IT’s researchers said was a clear attempt to thwart victims’ ability to recover their data, and in some cases prevent “the ability to recover at all.”
While Symantec did not say how much money Evil Corp. was generating from its recent attacks, Fox-IT researchers said they had previously seen the Russian hackers demand more than $10 million to unlock data on a single victim’s network.
“We’ve seen them ramp up their ransom demands over the past few years, into the millions of dollars as they hit bigger targets,” said Maarten van Dantzig, a threat analyst at Fox-IT. “They are the most professional group we see deploying attacks on this scale today.”
Source: Elections - nytimes.com