Travel News

Trump administration slammed for proposal to split leadership on cyber operations

Responsibility for defending the country against cyberattacks is divided among different parts of the government. The Department of Homeland Security is responsible for protecting civilian agencies and advising states, businesses, and public services. The FBI investigates cyberattacks.

The NSA, which by law can only operate abroad, penetrates deep into foreign networks but is also responsible for securing national security systems, such as communications with the nuclear arsenal. Cyber Command is a military organization responsible for offensive military operations and for defending the military services against cyberattacks.

Last month, Mr Trump fired Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, for saying the presidential election was one of the best in the history of the United States. On CNN on Sunday, Krebs said he had no idea about the Russian attack and that the American sensors were not designed to detect this type of intrusion in the supply chain.

All of this seems to raise questions that Mr. Trump would have wanted to address last month. Instead, on Saturday, he muddied the intelligence community’s conclusion that the Russians were at the center of the hack, suggesting it could have been China.

A senior administration official, who spoke on condition of anonymity to discuss internal deliberations, said no decision had been made and that Acting Defense Secretary Christopher C. Miller and his senior staff were reviewing the proposal. The official said the Cyber Command proposal was part of a larger review of several defense organization portfolios that Miller was rushing to complete before Mr. Trump leaves office.

The official said the Pentagon was not acting under pressure from the White House.

Representative Adam Smith, Democrat of Washington and chairman of the House Armed Services Committee, sent letters to Mr. Miller and General Milley opposing the proposal and warning that such unilateral action was “not only inadvisable, but against the law”.

A spokesman for General Milley, Colonel Dave Butler, said on Saturday: “The president has neither considered nor approved any such proposal.”


Billions spent on US cyber defenses failed to detect giant Russian hack

He called on the government to declassify what it knows and what it doesn’t know.

On Wednesday morning, Senator Richard J. Durbin, Democrat of Illinois, called the Russian cyberattack “practically a declaration of war”.

So far, however, President Trump has said nothing, perhaps knowing his tenure is ending as it began, with questions about what he knew about Russian cyber operations, and when. The National Security Agency has been largely silent, hiding behind the classification of intelligence. Even the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s group responsible for defending critical networks, has been conspicuously silent on the Russian mega-hack.

Mr Blumenthal’s Twitter post was the first official acknowledgment that Russia was behind the intrusion.

Trump administration officials have acknowledged that several federal agencies – the State Department, the Department of Homeland Security, parts of the Pentagon as well as the Treasury and Commerce Department – have been compromised. Investigators are struggling to determine how affected the military, intelligence community, and nuclear labs are.

The same questions are asked in many Fortune 500 companies that use the network management tool, called Orion and manufactured by the SolarWinds company, based in Austin, Texas. The Los Alamos National Laboratory, where nuclear weapons are designed, uses it, as do major defense contractors.

“How is it not a massive intelligence failure, especially since we were supposed to be actors of the Russian threat everywhere before the elections,” Robert Knake, an Obama administration cyber official, asked Wednesday on Twitter. “Did the NSA fall into a giant honeypot while the SVR” – Russia’s most sophisticated spy agency – “quietly looted” government and private industry?

Of course, the NSA doesn’t see everything, even after placing its probes and beacons in networks around the world. But if there is a major investigation – and it’s hard to imagine how one could be avoided – the responsibility of the agency, led by General Paul M. Nakasone, one of the most experienced cyber warriors in the country, will be in the foreground.


Top Cyber Security Firm FireEye Says It Was Hacked By Nation State

WASHINGTON – For years, cybersecurity firm FireEye has been the first call to government agencies and businesses around the world that have been hacked by, or feared, the most sophisticated attackers.

Now, it looks like the hackers – in this case, the evidence points to Russian intelligence agencies – could be taking revenge.

FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with high-level offensive capabilities.” The company said hackers were using “new techniques” to make off with its own toolkit, which could be useful in mounting new attacks around the world.

It was a staggering theft, akin to the bank robbers who, after clearing the local coffers, turned around and stole the FBI investigative tools. In fact, FireEye said on Tuesday, moments after the market closed, that it called the FBI.

The $3.5 billion company, which partly makes its living identifying the culprits behind some of the world’s most daring breaches – its clients have included Sony and Equifax – declined to say explicitly who was responsible. But its description, and the fact that the FBI turned the matter over to its Russian specialists, leaves little doubt as to the identity of the main suspects, and that they were after what the company calls its “red team” tools.

These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools – with permission from a corporate client or a government agency – to check for vulnerabilities in their systems. Most of the tools are kept in a digital vault that FireEye closely monitors.

The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while US attention – including that of FireEye – was focused on securing the presidential election system. As the country’s public and private intelligence systems hunted for breaches of voter registration systems or voting machines, the time may have come for Russian agencies, implicated in the 2016 election breaches, to turn to other targets.

The hack was the biggest known theft of cybersecurity tools since those of the National Security Agency were stolen in 2016 by an as-yet-unidentified group calling itself the ShadowBrokers. That group dumped NSA hacking tools online over several months, giving nation states and hackers the “keys to the digital realm,” as a former NSA operator put it. North Korea and Russia ultimately used the stolen NSA weapons in destructive attacks on government agencies, hospitals and the world’s largest conglomerates – at a cost of more than $10 billion.

NSA tools were probably more useful than FireEye’s since the US government manufactures specially designed digital weapons. FireEye’s Red Team tools are basically built from malware the company has seen used in a wide variety of attacks.

Yet the advantage of using stolen weapons is that nation states can hide their own tracks when launching attacks.

“Hackers could take advantage of FireEye’s tools to hack risky, high-level targets with plausible deniability,” said Patrick Wardle, a former NSA hacker who is now a senior security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced opponents a way to use someone else’s tools without burning off their best abilities.”

A state-sponsored Chinese hacking group has previously been caught using NSA hacking tools in attacks around the world, apparently after discovering NSA tools on their own systems. “It’s just obvious,” Mr. Wardle said.

The breach is likely to be a black eye for FireEye. Its investigators worked with Sony after the devastating 2014 attack that the company later attributed to North Korea. It was FireEye that was called in after the State Department and other US government agencies were breached by Russian hackers in 2015. And its main corporate clients include Equifax, the credit monitoring service that was hacked three years ago, in a breach that affected nearly half of the American population.

In the FireEye attack, the hackers made extraordinary efforts to avoid being seen. They created several thousand Internet Protocol addresses – many in the United States – that had never been used before in attacks. By using these addresses to stage their attack, it allowed hackers to better hide their location.

“This attack is unlike the tens of thousands of incidents we’ve responded to over the years,” said Kevin Mandia, CEO of FireEye. (He was the founder of Mandiant, a company acquired by FireEye in 2014.)

But FireEye said it is still investigating how hackers breached its most protected systems. The details were slim.

Mr Mandia, a former Air Force intelligence officer, said the attackers “specially designed their world-class capabilities to target and attack FireEye.” He said they appeared to be highly skilled in “operational security” and displayed “discipline and focus,” while moving stealthily to evade detection by security tools and forensic examination. Google, Microsoft and other companies that conduct cybersecurity investigations have said they have never seen some of these techniques.

FireEye has also released key pieces of its “Red Team” tools so others around the world can see attacks coming.

U.S. investigators are trying to determine whether the attack has anything to do with another sophisticated operation that the NSA, in a warning issued on Monday, said Russia was behind. That operation targets a type of software, known as VM for virtual machines, which is widely used by defense companies and manufacturers. The NSA declined to say who the targets of that attack were. It is not known whether the Russians used their success in that breach to enter FireEye’s systems.

The attack on FireEye could be a kind of retaliation. Company investigators have repeatedly called out Russian military intelligence units – the GRU, SVR and FSB, the successor agency of the Soviet-era KGB – for high-level hacks on the power grid in Ukraine and on American municipalities. They were also the first to call out the Russian hackers behind an attack that successfully disabled industrial safety locks at a Saudi petrochemical plant, the very last step before triggering an explosion.

Security companies have been a frequent target for nation states and hackers, in part because their tools maintain a deep level of access to corporate and government customers around the world. By hacking into these tools and stealing the source code, spies and hackers can gain a foothold in the systems of victims.

McAfee, Symantec and Trend Micro were among the list of top security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security company, was hacked by Israeli hackers in 2017. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers.

David E. Sanger reported from Washington and Nicole Perlroth from San Francisco.


Cyber attacks discovered on vaccine distribution operations

A spate of cyberattacks is underway targeting businesses and government organizations that will distribute coronavirus vaccines around the world, IBM’s cybersecurity division has found, although it is not clear whether the goal is to steal the technology that keeps vaccines refrigerated in transit or to sabotage their movement.

The results are alarming enough that the Department of Homeland Security is considering issuing its own warning Thursday to Operation Warp Speed, the Trump administration’s effort to develop and distribute coronavirus vaccines, federal officials said.

Researchers from IBM and the department’s Cybersecurity and Infrastructure Security Agency said the attacks appear intended to steal the network credentials of business executives and heads of global organizations involved in the refrigeration process needed to protect vaccine doses, or what the industry calls the cold chain.

Josh Corman, coronavirus strategist at the cybersecurity agency, said in a statement that IBM’s report reiterated the need for “cybersecurity due diligence at every stage of the vaccine supply chain”. He urged organizations “involved in the storage and transport of vaccines to harden attack surfaces, particularly in cold storage operations.”

Cyber attackers “were working to gain access to how the vaccine is shipped, stored, kept cold and delivered,” said Nick Rossmann, who heads IBM’s global threat intelligence team. “We think whoever is behind this wanted to be able to understand the whole process of the cold chain.”

Most of the approaches have taken the form of “spear phishing” emails that impersonate an executive of a large Chinese company, Haier Biomedical, which is a legitimate participant in the distribution chain. The email says “we want to place an order with your company” and includes a draft contract that contains malware that would give the attackers access to the network.

Researchers from IBM Security X-Force, the company’s cybersecurity arm, said they believed the attacks were sophisticated enough to point to a government-sponsored initiative, and not a rogue criminal operation targeting only a monetary gain. But they couldn’t identify which country might be behind them.

Outside experts said they doubted China, which has been accused of attempting to steal vaccine information from universities, hospitals and medical researchers, was responsible, as it would be unusual for Chinese hackers to pass themselves off as executives of a large Chinese company.

If they are right, the main suspects would be hackers in Russia and North Korea, who have also been accused by the United States of carrying out attacks to steal information about the process of manufacturing and distributing vaccines. It is sometimes difficult to tell the difference between official hacking operations of the Russian or North Korean governments and those carried out for private purposes.

The motive is not clear either. Attackers may simply seek to steal the technology to move large quantities of vaccine over long distances at extremely low temperatures, which would be a classic form of intellectual property theft.

But some cybersecurity experts say they suspect something more nefarious: efforts to interfere with distribution, or ransomware, in which vaccines are essentially held hostage by hackers who have broken into the system that runs the distribution network and locked it – and who demand a large payment to unlock it.

“There is no intelligence advantage to spying on a refrigerator,” said James Lewis, who heads cybersecurity programs at the Center for Strategic and International Studies in Washington. “I suspect they are preparing for a ransomware game. But we will not know how these stolen credentials will be used until the vaccine distribution begins.”

IBM researchers reported on their efforts in an interview before the company released its findings. They said the attackers had sent out various requests for pricing and product information, some allegedly on behalf of Gavi, the Vaccine Alliance, a public-private partnership that helps deliver vaccines to developing countries.

Most of the targets were in Asia, but some were European, including the European Commission’s Directorate-General for Taxation and Customs Union. IBM noted that the organization has “direct links to several national government networks,” showing that attackers had a sophisticated understanding of how to identify targets that could bring them into many countries.

But other organizations have also been targeted, from Taiwan and South Korea to Germany and Italy. Some have been involved in solar panel cooling systems for the vaccine.

The attackers’ emails were addressed to companies that provide key components of the cold chain process. These include ice-cold boxes for vaccines and solar panels that can power refrigerated vaccine containers – an important feature in poor countries where electricity can be scarce.

The researchers said the effort appeared to be aimed at stealing credentials that could ultimately have led the attackers to a wealth of information, including vaccine distribution schedules, vaccine recipient lists and where doses are shipped.

IBM could not determine whether the attacks were successful, the company said. Researchers said attackers targeted a Gavi program launched in 2015, before the advent of the coronavirus, to improve cold chain equipment for vaccines in dozens of countries.

UNICEF, which plans to deliver vaccines to the poorest countries, appears to have been another target. Najwa Mekki, spokesperson for the organization, said IBM researchers had alerted officials to the threat to the cold chain system, and “we have informed our supply networks and alerted teams concerned about the need to increase vigilance.”

There is no indication to date that the attackers were targeting Pfizer or Moderna, whose vaccines are expected to be the first approved for emergency use in the United States. A spokeswoman for Pfizer said on Wednesday that the company’s cold storage equipment was designed by safety-conscious experts and custom built to meet the specific requirements of Pfizer’s vaccine, which is to be stored at extremely cold temperatures.


The United States Tried A More Aggressive Cyber Strategy And The Dreaded Attacks Never Came

From its sprawling new war room inside Fort Meade, not far from Baltimore-Washington International Airport in Maryland, the United States Cyber Command delved deep into Russian and Iranian networks in the months leading up to the election, temporarily crippling some and taking ransomware tools offline.

Then it stole Iran’s game plan and, without revealing the intelligence coup behind the theft, made part of Tehran’s playbook public as the Iranians started executing it.

Now, nearly a week after the polls closed, it is clear that all the warnings of a crippling cyberattack on electoral infrastructure, or an overwhelming influence operation targeting American voters, have not materialized. There was no breach of the voting machines and only modest efforts, it seems, to break into the registration systems.

Interviews with government officials and other experts suggest a number of reasons for this apparent success.

One may be that the main adversaries of the United States were deterred, convinced that the voting infrastructure was so hardened, Facebook and Twitter were so on alert, and Cyber Command and a small group of American companies were so on the offensive that it was not worth the risk.

But there is also another explanation: In the 2020 elections, the distinction between foreign and domestic interference blurred. From the start of the campaign, President Trump did more to undermine confidence in the integrity of the system than American rivals could have done on their own.

And thereafter, Mr. Trump’s baseless accusations, amplified by the conservative media, only intensified, leaving the Russians and Iranians with the relatively easy task of feeding his messages back into the echo chamber of social media.

“Much of the disinformation consumed by voters comes from our own country,” said Jeh C. Johnson, homeland security secretary under President Barack Obama. “All foreign adversaries have to do is help, encourage, and amplify.”

It turns out that Mr. Trump and his allies were the primary purveyors of the kind of electoral disinformation that the FBI, Department of Homeland Security, and U.S. intelligence officials were warning of. He was also the only actor they couldn’t mention, let alone try to neutralize. That was left to the online platforms, primarily Twitter, which placed warnings on many of his posts.

In a conversation on election day with reporters, Gen. Paul M. Nakasone, commander of Cyber Command and director of the National Security Agency, said he was “very confident in the measures taken against opponents over the past few weeks and months to make sure they don’t interfere with our elections.”

He said the National Security Agency is also monitoring efforts by foreign adversaries to push extremist groups into violence – a concern that remains.

And in the days that followed, before the election was called for Joseph R. Biden Jr., General Nakasone and other officials avoided the question of whether their commander in chief was fueling the very forces they were working to defeat.

In interviews, Democrats and Republicans who have been deeply involved in the effort to harden America’s defenses say it’s possible the country is starting to understand what works to deter cyberattacks against the United States.

They pay tribute to General Nakasone and Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security. Mr. Krebs has spent the past two years persuading states and social media companies to beef up their defenses against attacks.

Once the election is officially certified, the military will write its “after action” reports. The most interesting will probably be classified. But in interviews with a variety of key players, a few lessons are already emerging.

The first is that General Nakasone’s aggressive new posture – which Cyber Command describes with terms like “persistent engagement” and “forward defense” – can work. The phrases refer to going deep inside the computer networks of opponents, whether that means the Internet Research Agency, the Russia-based group that mounted the 2016 influence campaigns; the GRU, the Russian military intelligence agency; or Iran’s increasingly active cyber corps.

Once inside, Cyber Command can use its access to chase down operations that are being planned – or to carry out preemptive strikes.

The United States has launched such strikes before, of course, against Iran’s nuclear program, North Korea’s missiles and, in the 2018 election, the Internet Research Agency, which led the influence campaign that aided Mr. Trump in 2016. But there was no offensive cyber operation, at least no publicized one, ordered by the Obama administration in the 2016 election, even though the administration knew that Russian actors were stealing data and scanning voter registration systems.

This time, General Nakasone did not wait for much evidence to act.

He attacked Trickbot, a widely used set of tools written by Russian-speaking criminal groups that he said could be used to lock up the registration systems or the computer sites of the secretaries of state who count the ballots.

So did Microsoft, which obtained court orders against Trickbot. Together, the actions of the military and the private sector, which appear to have been largely uncoordinated, disrupted the criminal groups’ network in October, hampering any attacks they might have mounted on electoral infrastructure.

Officials familiar with the operations say there were also attacks directed against a Russian state-run group called Energetic Bear, or Dragonfly, which has long been embedded in US electric utilities and has redirected its hacking skills to state and local governments.

Senator Angus King, an independent from Maine who has helped lead a bipartisan effort to learn from the increasing pace of cyberattacks, said Cyber Command’s more active approach was having an effect.

“I have felt for years that what was missing from our cyber defense was a deterrent,” King said. “And we are getting closer to that deterrent effect. I want our opponents to think seriously about what they are going to do because they know there will be results that will be a cost to pay.”

General Nakasone will not confirm specific operations. But he said he would achieve his victories in small doses, taking opponents offline, even temporarily, to prevent them from launching an attack. “I look at it more like we’re imposing a certain degree of cost on them that makes it more difficult for them to do their operations?” he said.

The same was true of Mr. Krebs, who worked to strengthen the defenses at home.

This mainly meant placing federal government sensors on numerous computer networks and causing cities and states, which were easy targets four years ago, to toughen up.

In the week leading up to the election, Mr Krebs came to believe that the Russians might want to stay out of this election because everyone was looking for their actions.

“I wouldn’t tell you we’re going to stop them,” he said a few weeks ago. “But we can make the attack a lot harder,” a process some strategists call “deterrence through denial” because attackers can’t get enough access to alter events – or in this case, vote.

Mr Krebs, said Senator Mark Warner of Virginia, the top Democrat on the Intelligence Committee, “argued with clerks and secretaries of state across the country, including some fairly right-wingers, that the threat was real.”

Another big change in strategy this year has been the desire to publicly expose opponents. This is something the Obama administration was also reluctant to do in 2016, when it avoided naming China as the country that stole 22 million files from government employees, or Russia as the source of the attacks on the Pentagon, the White House and the State Department.

This year, William R. Evanina, the head of election security at the Office of the Director of National Intelligence, called out Russia, China and Iran for their efforts to interfere in the elections.

Although criticized by Democrats for not being specific enough and for appearing to equate Iran with much more talented cyber adversaries, Mr. Evanina’s statements warned both the public and American rivals of what was to come, including the warning that Russia was trying to help Trump again.

Mr Evanina’s announcements in July and August were followed by an announcement in October by John Ratcliffe, the director of national intelligence, that Russian groups had probed state and local networks and that Iran had tried to influence the election by sending spoofed emails as part of a campaign that, he said, was aimed at hurting Mr. Trump.

“Naming and humiliating the bad actors who try to annoy us is a key part of a cohesive deterrence strategy,” said Rep. Mike Gallagher, the Republican of Wisconsin who, along with Mr. King, headed the Cybersecurity Solarium Commission.

Mr Ratcliffe’s announcement was followed by covert Cyber Command operations to interfere with the Russian group’s operations and to eliminate, at least temporarily, the Iranian hacking group linked to the Islamic Revolutionary Guard Corps in Tehran.

U.S. officials have said that while Iran opposes Mr. Trump’s re-election, its hackers are barely playing at Russia’s level. The emails and text messages they tried to send to Americans contained so many spelling, syntax and grammar errors that they seemed unlikely to deceive their targets. Even if they had not been taken offline, they posed no threat of overturning the election result.

This is proof of why Iran, as several US officials have noted, remains far less of a threat than Russia.

Iran’s actions were an attempt to “shake our cage” and not an actual attempt to change the results, said Glenn S. Gerstell, former general counsel for the National Security Agency.

Nicole Perlroth contributed reporting.


US cyber command expands operations to hunt hackers from Russia, Iran and China

FORT MEADE, Md. – The United States Cyber Command has expanded its overseas operations aimed at finding foreign hacking groups ahead of Tuesday’s election, an effort to identify not only Russian tactics but also those of China and Iran, military officials said.

In addition to new operations in Europe to pursue Russian hackers, Cyber Command has sent teams to the Middle East and Asia over the past two years to help find Iranian, Chinese and North Korean hacking teams and identify the tools they used to penetrate computer networks.

Cyber Command was building on an initiative launched in 2018, when it sent teams to North Macedonia, Montenegro and other countries to learn more about Russian operations. The move also reflects an increased effort to secure this year’s presidential election.

Cyber Command, which directs the military’s offensive and defensive operations in the online world, was largely on the sidelines in 2016. But for the 2018 midterm elections, the command took a much more aggressive stance. In addition to sending the teams to allied countries, it sent warning messages to prospective Russian trolls before the vote, in its first offensive operation against Moscow; it then took at least one of those troll farms offline on election day and in the days after.

The 2018 operation was primarily focused on Russia, according to what is publicly known about it. But ahead of this year’s election, intelligence officials described efforts by Iran and China, as well as Russia, to potentially influence the vote, and Cyber Command has broadened its reach accordingly.

“Since 2018, we have extended our forward fighter operations to all major adversaries,” Lt. Gen. Charles L. Moore Jr., deputy chief of Cyber Command, said in an interview in his Fort Meade office.

Cyber Command calls its work with allies to find enemy hackers “hunt forward operations.” After getting close to foreign adversaries’ own networks, Cyber Command can then penetrate inside to identify and potentially neutralize attacks against the United States, according to current and former officials.

“We want to find the bad guys in the red space, in their own operating environment,” General Moore said. “We want to take the archer down rather than dodge the arrows.”

Officials would only identify the regions, and not the countries, in which they operated before the 2020 election. But Cyber Command officials said those efforts uncovered malware used by adversary hacking teams. Other government agencies have used this information to help state and local authorities strengthen their electoral defenses and inform the public of threats.

Cyber Command sends teams of experts overseas to work with partner and allied nations to help them find, identify, and eliminate hostile intrusions on their government or military computer networks.

For allied nations, inviting Cyber Command personnel not only helps improve their network defenses, but also demonstrates to adversaries that the U.S. military is working with them. For the United States, the deployments give its experts an early glimpse of the tactics that potential adversaries are honing in their own neighborhoods, techniques that could later be used against the Americans.

Information gathered from forward hunting operations was shared with the rest of the U.S. government to help defend critical networks ahead of the election, Cyber Command chief Gen. Paul M. Nakasone wrote in an August article in Foreign Affairs.

Cyber security experts have argued that the deployments allow Cyber Command to work alongside partner teams that are under daily attack from Russia, Iran or China.

“The best way to get intelligence is through genuine cooperation and collaboration with other teams fighting it,” said Theresa Payton, cybersecurity expert and former public servant under the George W. Bush administration. “They will have received different types of targeted attacks that you may not have seen.”

Cyber Command officials said they continued trying to identify and stop foreign threats to the elections after the 2018 midterm vote, adding new partners to their defensive network.

"The attacks are still ongoing; this is why Cyber Command's continued work with the military cyber operations of other countries is our best way to be at fault to protect US interests," said Ms. Payton, whose book "Manipulated" examined emerging types of cyberattacks.

Some lawmakers and experts believe foreign influence efforts could escalate if the election outcome is challenged, amplifying allegations of fraud or demands for a recount.

Likewise, Cyber Command officials said their efforts to counter foreign threats would not end when the polls close on Tuesday; they will continue as the votes are counted and the Electoral College prepares to meet in December.

"We are not stopping or thinking about relaxing our operations on November 3," General Moore said. "Defending the elections is now a persistent and ongoing campaign for Cyber Command."


Officials warn of cyber attacks on hospitals as virus cases rise

Hundreds of American hospitals are being targeted in cyberattacks by the same Russian hackers whom American officials and researchers fear could wreak havoc around next week's election.

The attacks on U.S. hospitals, clinics and medical complexes aim to take those facilities offline and hold their data hostage in exchange for multimillion-dollar ransom payments, just as coronavirus cases are climbing across the United States.

"We expect panic," one hacker involved in the attacks said in Russian in a private exchange on Monday that was captured by Hold Security, a security firm that tracks criminals online.

Some hospitals in New York State and on the West Coast have reported cyberattacks in recent days, although it is not clear whether they were part of this campaign, and hospital officials stressed that critical patient care was not affected.

The Russian hackers, believed to be based in Moscow and St. Petersburg, have circulated a list of more than 400 hospitals they plan to target, according to Alex Holden, the founder of Hold Security, who shared the information with the FBI. Mr. Holden said the hackers claimed to have already infected more than 30 of them.

On Wednesday, three government agencies, the FBI, the Department of Health and Human Services and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, warned hospital administrators and security researchers of a "credible threat" of cyberattacks on U.S. hospitals, according to a security official who listened to the briefing.

Officials and researchers have not named the hospitals affected, but Sonoma Valley Hospital in California said it was still trying to restore its computer systems after a breach last week. The St. Lawrence Health System in New York confirmed that two of its hospitals, Canton-Potsdam and Gouverneur, were hit by ransomware attacks on Tuesday morning that forced them to shut down computer systems and divert ambulances. Sky Lakes Medical Center in Oregon was also crippled by a ransomware attack on Tuesday that froze electronic medical records and delayed surgeries, a hospital representative said.

Employees at that hospital, in Klamath Falls, Ore., were told, "If it's a PC, shut it down," said Thomas Hottman, public information manager at Sky Lakes.

It was not clear whether those attacks were related to the ongoing hacking campaign. But the latest breaches were linked to the same Russian hackers who held Universal Health Services, a giant network of more than 400 hospitals, hostage with ransomware last month in what was then considered the largest medical cyberattack of its kind.

The hackers are the same group behind TrickBot, a vast botnet used to deliver ransomware, which U.S. Cyber Command and Microsoft have targeted in two takedowns over the past month.

In late September, United States Cyber Command began hacking TrickBot's infrastructure in an attempt to disable it before the election. Microsoft also began taking TrickBot servers offline under federal court orders over the past month. According to officials and executives, the goal of both efforts was to prevent election-related ransomware attacks that could disrupt the vote or create delays that would undermine confidence in the election.

But researchers said the takedowns had an unintended effect: they cut off security researchers' visibility into the hackers' activity. "The challenge here is that due to the takedown attempts, the TrickBot infrastructure has changed and we don't have the same telemetry that we had before," Mr. Holden said.

The latest campaign against U.S. hospitals suggests that TrickBot's developers are not deterred. It also shows that they are shifting to different hacking methods and tools.

“They don’t need TrickBot because they have a whole arsenal of other tools they can use,” said Kimberly Goody, analyst at Mandiant, a division of digital security firm FireEye.

Ms Goody said the tools used in the latest attacks on hospitals first appeared in April and were not as well known, which made them more effective.

It was not clear whether the latest attacks on hospitals were retaliation for the TrickBot takedowns. Microsoft said it had taken more than 90 percent of TrickBot's servers offline.

Mr Holden described the group as a “wounded animal” and said the latest attacks were not as well planned as the previous ones. They were also a notable departure from an agreement between ransomware groups in March not to target hospitals due to the coronavirus pandemic, he said.

“We now have more sick people in this country than we had in March and April,” Holden said. “It’s wrong.”

By targeting hospitals now, Ms. Goody said, the hackers “were showing a clear contempt for human life.”

The hackers have also demanded higher ransoms from hospitals than in previous attacks. In an attack on an unnamed private clinic, Mr. Holden said, the hackers held systems hostage for the Bitcoin equivalent of more than $5 million, more than double the typical ransom the group had demanded months earlier.

Hackers, Mr Holden said, used to base these demands on an old Russian formula, charging 10% of a victim’s annual income.

“There is an old Russian tradition of giving 10% of annual income to the church,” he said. “This is the way hackers do the same.”

Reed Abelson contributed reporting.