NSA spyware within hard drives survives military-grade disk wiping and formatting
Newsletter published on 24 February 2015

(1) Russian Kaspersky researchers expose NSA spyware within hard drives
(2) NSA spyware within hard drives survives military-grade disk wiping and formatting
(3) US IT companies lose sales over complicity in NSA spying
(4) NSA and GCHQ hack mobile phones
(5) UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful
(6) Spooks can track a mobile phone by looking at battery power
(7) Smart TVs & phones listen in on users' personal conversations
(8) Energy companies need insurance cover for cyber attack 'time bomb'
(1) Russian Kaspersky researchers expose NSA spyware within hard drives
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216

Russian researchers expose breakthrough U.S. spying program
By Joseph Menn
SAN FRANCISCO Mon Feb 16, 2015 5:10pm EST

NSA is infecting hard drives with difficult to detect spying software, report says
JOSEPH MENN, REUTERS | February 17, 2015 | Last Updated: Feb 17 1:07 PM ET
The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran’s uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.

A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines said the agency was aware of the Kaspersky report but would not comment on it publicly.
Kaspersky on Monday published the technical details of its research, a move that could help infected institutions detect the spying programs, some of which trace back as far as 2001.
The disclosure could hurt the NSA’s surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden’s revelations have upset some U.S. allies and slowed the sales of U.S. technology products abroad.

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

Peter Swire, one of five members of U.S. President Barack Obama’s Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.

“There can be serious negative effects on other U.S. interests,” Swire said.

According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.
Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

“The hardware will be able to infect the computer over and over,” lead Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky’s reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

“There is zero chance that someone could rewrite the [hard drive] operating system using public information,” Raiu said.

Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.

It is not clear how the NSA may have obtained the hard drives’ source code. Western Digital spokesman Steve Shattuck said the company “has not provided its source code to government agencies.” The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has “secure measures to prevent tampering or reverse engineering of its firmware and other technologies.” Micron spokesman Daniel Francisco said the company took the security of its products seriously and “we are not aware of any instances of foreign code.”

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.

“They don’t admit it, but they do say, ‘We’re going to do an evaluation, we need the source code,’” said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. “It’s usually the NSA doing the evaluation, and it’s a pretty small leap to say they’re going to keep that source code.”

The NSA declined to comment on any allegations in the Kaspersky report. Vines said the agency complies with the law and White House directives to protect the United States and its allies “from a wide array of serious threats.”

Kaspersky called the authors of the spying program “the Equation group,” named after their embrace of complex encryption formulas.

The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as “zero days,” which strongly suggested collaboration by the authors, Raiu said.

He added that it was “quite possible” that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

(Reporting by Joseph Menn; Editing by Tiffany Wu)
(2) NSA spyware within hard drives survives military-grade disk wiping and formatting
http://www.csmonitor.com/USA/USA-Update/2015/0217/Did-the-NSA-embed-spyware-in-your-computer
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

How "omnipotent" hackers tied to NSA hid for 14 years--and were found at last
"Equation Group" ran the most advanced hacking operation ever uncovered.
by Dan Goodin - Feb 17, 2015 5:00am AEST
CANCUN, Mexico -- In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn't know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn't the first time the operators--dubbed the "Equation Group" by researchers from Moscow-based Kaspersky Lab--had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group's extensive library. (Kaspersky settled on the name Equation Group because of members' strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)

Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.
A long list of almost superhuman technical feats illustrates Equation Group's extraordinary skill, painstaking work, and unlimited resources. They include:

* The use of virtual file systems, a feature also found in the highly sophisticated Regin malware. Recently published documents provided by Ed Snowden indicate that the NSA used Regin to infect the partly state-owned Belgian firm Belgacom.
* The stashing of malicious files in multiple branches of an infected computer's registry. By encrypting all malicious files and storing them in multiple branches of a computer's Windows registry, the infection was impossible to detect using antivirus software.
* Redirects that sent iPhone users to unique exploit Web pages. In addition, infected machines reporting to Equation Group command servers identified themselves as Macs, an indication that the group successfully compromised both iOS and OS X devices.
* The use of more than 300 Internet domains and 100 servers to host a sprawling command and control infrastructure.
* USB stick-based reconnaissance malware to map air-gapped networks, which are so sensitive that they aren't connected to the Internet. Both Stuxnet and the related Flame malware platform also had the ability to bridge airgaps.
* An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.
Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.

"It seems to me Equation Group are the ones with the coolest toys," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame."

In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA--but they provided detailed evidence that strongly implicates the US spy agency.

First is the group's known aptitude for conducting interdictions, such as installing covert implant firmware in a Cisco Systems router as it moved through the mail.

Second, a highly advanced keylogger in the Equation Group library refers to itself as "Grok" in its source code. The reference seems eerily similar to a line published last March in an Intercept article headlined "How the NSA Plans to Infect 'Millions' of Computers with Malware." The article, which was based on Snowden-leaked documents, discussed an NSA-developed keylogger called Grok.

Third, other Equation Group source code makes reference to "STRAITACID" and "STRAITSHOOTER." The code words bear a striking resemblance to "STRAITBIZARRE," one of the most advanced malware platforms used by the NSA's Tailored Access Operations unit. Besides sharing the unconventional spelling "strait," Snowden-leaked documents note that STRAITBIZARRE could be turned into a disposable "shooter." In addition, the codename FOXACID belonged to the same NSA malware framework as the Grok keylogger.

Apart from these shared code words, the Equation Group in 2008 used four zero-day vulnerabilities--including two that were later incorporated into Stuxnet.
The similarities don't stop there. Equation Group malware dubbed
GrayFish encrypted its payload with a 1,000-iteration hash of the target
machine's unique NTFS object ID. The technique makes it impossible for
researchers to access the final payload without possessing the raw disk
image for each individual infected machine. The technique closely
resembles one used to conceal a potentially potent warhead in Gauss, a
piece of highly advanced malware that shared strong technical
similarities with both Stuxnet and Flame. (Stuxnet, according to The New
York Times, was a joint operation between the NSA and Israel, while
Flame, according to The Washington Post, was devised by the NSA, the
CIA, and the Israeli military.)
Beyond the technical similarities to the Stuxnet and Flame developers, Equation Group boasted the type of extraordinary engineering skill people have come to expect from a spy organization sponsored by the world's wealthiest nation. One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers--a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.

The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

While it's simple for end users to re-flash their hard drives using executable files provided by manufacturers, it's just about impossible for an outsider to reverse engineer a hard drive, read the existing firmware, and create malicious versions.
"This is an incredibly complicated thing that was achieved by
these
guys, and they didn't do it for one kind of hard drive brand," Raiu
said. "It's very dangerous and bad because once a hard drive gets
infected with this malicious payload it's impossible for anyone,
especially an antivirus [provider], to scan inside that hard drive
firmware. It's simply not possible to do that."
One of the most intriguing elements of Equation Group is its suspected use of interdiction to infect targets. Besides speaking to the group's organization and advanced capabilities, such interceptions demonstrate the lengths to which the group will go to infect people of interest. The CD from the 2009 Houston conference--which Kaspersky declined to identify, except to say it was related to science--tried to use the autorun.inf mechanism in Windows to install malware dubbed DoubleFantasy. Kaspersky knows that conference organizers did send attendees a disc, and the company knows the identity of at least one conference participant who received a maliciously modified one, but company researchers provided few other details and don't know precisely how the malicious content wound up on the disc.

"It would be very easy to trace the attack back to the organizers and point them out, and this could in turn result in some very serious diplomatic incidents," Raiu said. "Our best guess is that the organizers didn't act in a malicious way against the participants, but [that] some of the CD-ROMs on their way to the participants were intercepted and replaced with the malicious variants."
Even less is known about a CD for installing Oracle 8i-8.1.7 for Windows sent six or seven years earlier, except that it installed an early Equation Group malware program known as EquationLaser. The conference and Oracle CDs are the only Equation Group interdictions that Kaspersky researchers have discovered. Given how little is known about the interdictions, they weren't likely to have been used often.
A separate method of infection relied on a worm introduced in 2008 that Kaspersky has dubbed Fanny, after a text string that appears in one of the zero-day exploits used by the worm to self-replicate. The then-unknown vulnerability resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is connected to a PC. By embedding malicious code inside the .LNK files, a booby-trapped stick could automatically infect the connected computer even when its autorun feature was turned off. The self-replication and lack of any dependence on a network connection made the vulnerability ideal for infecting air-gapped machines. (The .LNK vulnerability is classified as CVE-2010-2568.)
Some two years after first playing its role in Fanny, the .LNK exploit was added to a version of Stuxnet so that the worm could automatically spread through highly sensitive computers in Iran. Fanny also relied on an elevation-of-privilege vulnerability that was a zero day at the time the worm was introduced. In 2009, the exploit also made its way into Stuxnet, but by then, Microsoft had patched the underlying bug with the release of MS09-025.

A far more common infection vector was Web-based attacks that exploited vulnerabilities in Oracle's Java software framework or in Internet Explorer. The exploits were hosted on a variety of websites related to everything from reviews of technology products to discussions of Islamic Jihad. In addition to planting exploits on the websites, the attack code was also transmitted through ad networks. The wide range of exploit carriers may explain why so many of the machines Kaspersky observed reporting to its sinkholes were domain controllers, data warehouses, website hosts, and other types of servers. Equation Group, it seems, wasn't infecting only end user computers--it was also booby-trapping servers known to be accessed by targeted end users.
Equation Group exploits are notable for the surgical precision exercised to ensure that only an intended target was infected. One Equation Group-written PHP script that Kaspersky unearthed, for instance, checked if the MD5 hash of a website visitor's username was either 84b8026b3f5e6dcfb29e82e0b0b0f386 or e6d290a03b70cfa5d4451da444bdea39. The plaintext corresponding to the first hash is "unregistered," an indication that attackers didn't want to infect visitors who weren't logged in. The second hash has yet to be deciphered. (Update: it has now been cracked; see this brief.)

"We could not crack this MD5, despite using considerable power for several weeks, which makes us believe [the plaintext username] is a relatively complex one," Raiu said. "It definitely indicates that whoever is behind this username should not be infected by the Equation Group, [and] actually it shouldn't even see the exploit. I would assume this is either one of the group members (a fake identity), one of their partners, or a known identity of a previously infected victim."

The PHP script also took special care not to infect IP addresses based in Jordan, Turkey, and Egypt. Kaspersky observed users visiting the site who didn't meet any of these exceptions, yet they still weren't attacked--an indication that an additional level of filtering spared all but the most sought-after targets who visited the site.
More recently, Kaspersky has observed malicious links on the site standardsandpraiserepurpose[.]com that looked like

standardsandpraiserepurpose[.]com/login?qq=5eaae4d[SNIP]0563&rr=1&h=cc593a6bfd8e1e26c2734173f0ef75be3527a205

where the h value (that is, the text following the "h=") appears to be an SHA1 hash. Kaspersky has yet to crack those hashes, but company researchers suspect they're being used to serve customized exploits to specific people. The company is recruiting help from fellow white-hat hackers in cracking them. Other hashes include:
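The hash-gated targeting described above, as an added example that is not code from the article or from Kaspersky: it pulls the h= value out of the quoted link, classifies a hash by its length, and runs the dictionary check researchers use to recover plaintext usernames behind such gate hashes. The two MD5 values and the link are the article's own; the candidate usernames are constructed.

```python
from __future__ import annotations

import hashlib
from urllib.parse import parse_qs

# Hashes quoted in the article (the page's values, not constructed).
MD5_UNREGISTERED = "84b8026b3f5e6dcfb29e82e0b0b0f386"  # article: plaintext "unregistered"
MD5_UNCRACKED = "e6d290a03b70cfa5d4451da444bdea39"     # uncracked at publication

# The defanged link quoted in the article; "[SNIP]" is the article's own elision.
SAMPLE_LINK = ("standardsandpraiserepurpose[.]com/login"
               "?qq=5eaae4d[SNIP]0563&rr=1&h=cc593a6bfd8e1e26c2734173f0ef75be3527a205")

HASH_BY_LENGTH = {32: "md5", 40: "sha1"}  # hex digest length -> algorithm


def digest_hex(value: str, algo: str) -> str:
    """Hex digest of a username under the given hashlib algorithm."""
    return hashlib.new(algo, value.encode()).hexdigest()


def extract_h_param(url: str) -> str | None:
    """Return the h= query value (lowercased) from a link, or None if absent.

    Defanged hosts ("[.]") trip urlsplit's netloc validation, so the query
    string is split off by hand instead of parsing the whole URL.
    """
    query = url.split("?", 1)[1] if "?" in url else ""
    h = parse_qs(query).get("h", [None])[0]
    return h.lower() if h else None


def classify_hash(hexdigest: str) -> str | None:
    """Guess the algorithm from digest length (32 hex -> md5, 40 hex -> sha1)."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return HASH_BY_LENGTH.get(len(h))


def recover(targets: set[str], candidates) -> dict[str, str]:
    """Dictionary recovery: hash every candidate username with each algorithm
    present among the targets and report which target digests it explains."""
    by_algo: dict[str, set[str]] = {}
    for t in targets:
        algo = classify_hash(t)
        if algo:
            by_algo.setdefault(algo, set()).add(t.lower())
    found: dict[str, str] = {}
    for cand in candidates:
        for algo, digests in by_algo.items():
            d = digest_hex(cand, algo)
            if d in digests:
                found[d] = cand
    return found


def check_article_claim() -> bool:
    """True iff md5("unregistered") equals the first hash quoted in the article."""
    return digest_hex("unregistered", "md5") == MD5_UNREGISTERED


if __name__ == "__main__":
    # Constructed wordlist; a real run would use a large username corpus.
    wordlist = ["guest", "unregistered", "admin", "analyst42"]
    print("h param:", extract_h_param(SAMPLE_LINK), classify_hash(extract_h_param(SAMPLE_LINK)))
    print("recovered:", recover({MD5_UNREGISTERED, MD5_UNCRACKED}, wordlist))
    print("article claim holds:", check_article_claim())
```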
The PHP exploit code also serves unique Web pages and HTML code to people visiting with iPhones, behavior that Kaspersky found telling.

"This indicates the exploit server is probably aware of iPhone visitors and can deliver exploits for them as well," Kaspersky's report published Monday explained. "Otherwise, the exploitation URL can simply be removed for these." The report also said one sinkholed server receives visits from a large pool of China-based machines that identify themselves as Macs in the browser user agent string. While Kaspersky has yet to obtain Equation Group malware that runs on OS X, they believe it exists.

Six codenames
In all, Kaspersky has tied at least six distinct pieces of malware to Equation Group. They include:

EquationLaser: an early implant in use from 2001 to 2004.

DoubleFantasy: a validator-style trojan designed to confirm if the infected person is an intended target. People who are confirmed get upgraded to either EquationDrug or GrayFish.

EquationDrug: also known as Equestre, this is a complex attack platform that supports 35 different modules and 18 drivers. It is one of two Equation Group malware platforms to re-flash hard drive firmware and use virtual file systems to conceal malicious files and stolen data. It was delivered only after a target had been infected with DoubleFantasy and confirmed to be a target. It was introduced in 2002 and was phased out in 2013 in favor of the more advanced GrayFish.

GrayFish: the successor to EquationDrug and the most sophisticated of all the Equation Group attack platforms. It resides completely in the registry and relies on a bootkit to take hold each time a computer starts. Whereas EquationDrug re-flashed hard drives for six models, GrayFish re-flashed 12 classes of hard drives. GrayFish exploits a vulnerability in the CloneCD driver ElbyCDIO.sys--and possibly drivers of other programs--to bypass Windows code-signing requirements.

(Image caption) The VBR means Virtual Boot Record. It is a special area of the disk that is responsible for loading the operating system. The Pill is an injected piece of code ("blue pill", "red pill" - Matrix references) that is responsible for hijacking the OS loading. It works by carefully altering the loading mechanism to include malicious code that the OS blindly "swallows."
The BBSVC service is another GRAYFISH mechanism used when the Pill cannot be injected, for some unknown reason. It loads further stages of Grayfish at the time the OS starts. In essence, it's a weaker mechanism than the pill, because it exposes one single malicious executable on the hard drive of the victims. This is why BBSVC is a polymorphic executable, filled with gibberish and random data to make it hard to detect. The platform kernel "fvexpy.sys" is one of the core components of Grayfish. It is designed to run in Windows kernel mode and provide functions for the platform components.
GrayFish is the crowning achievement of the Equation Group. The malware platform is so complex that Kaspersky researchers still understand only a fraction of its capabilities and inner workings. Key to the sophistication of GrayFish is its bootkit, which allows it to take extraordinarily granular control of the machines it infects.

"This allows it to control the launching of Windows at each stage," Kaspersky's written report explained. "In fact, after infection, the computer is not run by itself anymore: it is GrayFish that runs it step by step, making the necessary changes on the fly."
Fanny: A computer worm that exploited what in 2008 were two zero-day vulnerabilities in Windows to self-replicate each time an infected USB stick was inserted into a targeted computer. The main purpose of Fanny was to conduct reconnaissance on sensitive air-gapped networks. After infecting a computer not connected to the Internet, Fanny collected network information and saved it to a hidden area of the USB drive. If the stick was later plugged into an Internet-connected computer, it would upload the data to attacker servers and download any attacker commands. If the stick was later plugged into the air-gapped machine, the downloaded commands would be executed. This process would continue each time the stick was switched between air-gapped and Internet-connected machines.
No matter how elite a hacking group may be, Raiu said, mistakes are inevitable. Equation Group made several errors that allowed Kaspersky researchers to glean key insights into an operation that went unreported for at least 14 years.

Kaspersky first came upon the Equation Group in March 2014, while researching the Regin software that infected Belgacom and a variety of other targets. In the process, company researchers analyzed a computer located in the Middle East and dubbed the machine "Magnet of Threats" because, in addition to Regin, it was infected by four other highly advanced pieces of malware, including Turla, Careto/Mask, ItaDuke, and Animal Farm. A never-before-seen sample of malware on the computer piqued researchers' interest and turned out to be an EquationDrug module.

Following the discovery, Kaspersky researchers combed through their cloud-based Kaspersky Security Network of exploits and infections reported by AV users and looked for similarities and connections. In the following months, the researchers uncovered additional pieces of malware used by Equation Group as well as the domain names used to host command channels.
Perhaps most costly to the attackers was their failure to renew some of the domains used by these servers. Out of the 300 or so domains used, about 20 were allowed to expire. Kaspersky quickly registered the domains and, over the past ten months, has used them to "sinkhole" the command channels, a process in which researchers monitor incoming connections from Equation Group-infected machines.

One of the most severe renewal failures involved a channel that controlled computers infected by "EquationLaser," an early malware platform abandoned around 2003 when antivirus programs began to detect it. The underlying domain name remained active for years until one day, it didn't; Kaspersky acquired it and EquationLaser-infected machines still report to it.

"It's really surprising to see there are victims around the world infected with this malware from 12 years ago," Raiu said. He continues to see about a dozen infected machines that report from countries that include Russia, Iran, China, and India.

Raiu said 90 percent or more of the command and control servers were closed last year, although some remained active as recently as last month.

"We understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown."
The sinkholes have allowed Kaspersky researchers to gather key clues about the operation, including the number of infected computers reporting to the seized command domains, the countries in which these compromised computers are likely located, and the types of operating systems they run.

Another key piece of information gleaned by Kaspersky: some machines infected by Equation Group are the "patients zero" that were used to seed the Stuxnet worm so it would travel downstream and infect Iran's Natanz facility.

"It is quite possible that the Equation Group malware was used to deliver the Stuxnet payload," Kaspersky researchers wrote in their report.
Other key mistakes were variable names, developer account names, and similar artifacts left in various pieces of Equation Group malware. In the same way cat burglars wear gloves to conceal their fingerprints, attackers take great care to scrub such artifacts out of their code before releasing it. But in at least 13 cases, they failed. Possibly the most telling artifact is the string "-standalonegrok_2.1.1.1" that accompanies a highly advanced keylogger tied to Equation Group.

Another potentially damaging artifact found by Kaspersky is the Windows directory path of "c:\users\rmgree5" belonging to one of the developer accounts that compiled Equation Group malware. Assuming the rmgree5 wasn't a randomly generated account name, it may be possible to link it to a developer's real-world identity if the handle has been used for other accounts or if it corresponds to a developer's real-world name such as "Richard Gree" or "Robert Greenberg."
Kaspersky researchers still don't know what to make of the 11 remaining artifacts, but they hope fellow researchers can connect the strings to other known actors or incidents. The remaining artifacts are:

* SKYHOOKCHOW
* prkMtx - unique mutex used by the Equation Group's exploitation library ("gPrivLib")
* "SF" - as in "SFInstall", "SFConfig"
* "UR", "URInstall" - "Performing UR-specific post-install..."
* "implant" - from "Timeout waiting for the "canInstallNow" event from the implant-specific EXE!"
* STEALTHFIGHTER - (VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00)
* DRINKPARSLEY - (Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00)
* STRAITACID - (VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00)
* LUTEUSOBSTOS - (VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00)
* STRAITSHOOTER - STRAITSHOOTER30.exe
* DESERTWINTER - c:\desert~2\desert~3\objfre_w2K_x86\i386\DesertWinterDriver.pdb
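A defender's string-level check for the developer artifacts listed above, as an added example that is not Kaspersky's or Ars Technica's code: it searches a binary blob for the leftover strings quoted in the article and parses the VTT/Manual build stamps into structured records, the kind of triage one would run over a suspect file. The artifact values are the article's; the sample blob is constructed and is not a real malware sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Artifact strings quoted in the article (developer leftovers Kaspersky found
# in Equation Group binaries). Matching is case-sensitive, as the binaries had them.
ARTIFACT_STRINGS = {
    "grok_keylogger": b"-standalonegrok_2.1.1.1",
    "developer_path": b"c:\\users\\rmgree5",
    "skyhookchow": b"SKYHOOKCHOW",
    "prkmtx_mutex": b"prkMtx",
    "stealthfighter": b"STEALTHFIGHTER",
    "drinkparsley": b"DRINKPARSLEY",
    "straitacid": b"STRAITACID",
    "luteusobstos": b"LUTEUSOBSTOS",
    "straitshooter": b"STRAITSHOOTER30.exe",
    "desertwinter_pdb": b"DesertWinterDriver.pdb",
}

# Build stamps in the article take two shapes:
#   VTT/82055898/STEALTHFIGHTER/2008-10-16/14:59:06.229-04:00   (build number present)
#   Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00             (no build number)
STAMP_RE = re.compile(
    rb"(?P<source>VTT|Manual)/(?:(?P<build>\d+)/)?(?P<codename>[A-Z]+)/"
    rb"(?P<date>\d{4}-\d{2}-\d{2})/(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}[-+]\d{2}:\d{2})"
)


@dataclass(frozen=True)
class BuildStamp:
    source: str            # "VTT" or "Manual"
    build: Optional[int]   # None for Manual stamps
    codename: str
    timestamp: str         # ISO-8601 style, date and time joined with "T"


def find_artifacts(data: bytes) -> list[str]:
    """Names of known artifact strings present in data, sorted for stable output."""
    return sorted(name for name, needle in ARTIFACT_STRINGS.items() if needle in data)


def find_build_stamps(data: bytes) -> list[BuildStamp]:
    """Every VTT/Manual build stamp in data, parsed into a BuildStamp."""
    stamps = []
    for m in STAMP_RE.finditer(data):
        build = m.group("build")
        stamps.append(BuildStamp(
            source=m.group("source").decode(),
            build=int(build) if build else None,
            codename=m.group("codename").decode(),
            timestamp=m.group("date").decode() + "T" + m.group("time").decode(),
        ))
    return stamps


def scan(data: bytes) -> dict:
    """Triage summary for one file's bytes."""
    return {"artifacts": find_artifacts(data), "stamps": find_build_stamps(data)}


# Constructed sample: junk padding around a fake PE header, one VTT stamp from the
# article, the rmgree5 path and the grok string. Not a real sample.
SAMPLE_BLOB = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 32
    + b"VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00\x00"
    + b"\xff" * 8 + b"c:\\users\\rmgree5\\build\\x.pdb\x00"
    + b"-standalonegrok_2.1.1.1\x00" + b"\x00" * 16
)
# Constructed benign blob with none of the strings.
CLEAN_BLOB = b"\x00" * 32 + b"hello world\x00" + b"\xff" * 32

if __name__ == "__main__":
    print(scan(SAMPLE_BLOB))
    print(scan(CLEAN_BLOB))
```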
Hacking without a budget

The money and time required to develop the Equation Group malware, the technological breakthroughs the operation accomplished, and the interdictions performed against targets leave little doubt that the operation was sponsored by a nation-state with nearly unlimited resources to dedicate to the project. The countries that were and weren't targeted, the ties to Stuxnet and Flame, and the Grok artifact found inside the Equation Group keylogger strongly support the theory the NSA or a related US agency is the responsible party, but so far Kaspersky has declined to name a culprit.
Update: Reuters reporter Joseph Menn said the hard-drive firmware capability has been confirmed by two former government employees. He wrote:
A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.
Update: Several hours after this post went live, NSA officials e-mailed the following statement to Ars:
We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details. On January 17, 2014, the President gave a detailed address about our signals intelligence activities, and he also issued Presidential Policy Directive 28 (PPD-28). As we have affirmed publicly many times, we continue to abide by the commitments made in the President's speech and PPD-28. The U.S. Government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats - including terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organizations.
What is safe to say is that the unearthing of the Equation Group is a seminal finding in the fields of computer and national security, as important as, or possibly more important than, the revelations about Stuxnet.
"The discovery of the Equation Group is significant because this omnipotent cyber espionage entity managed to stay under the radar for almost 15 years, if not more," Raiu said. "Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown."
(3) US IT companies lose sales over complicity in NSA spying
http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html
Revelations of N.S.A. Spying Cost U.S. Tech Companies
By CLAIRE CAIN MILLER, MARCH 21, 2014
SAN FRANCISCO -- Microsoft has lost customers, including the government of Brazil.
IBM is spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government.
And tech companies abroad, from Europe to South America, say they are gaining customers that are shunning United States providers, suspicious because of the revelations by Edward J. Snowden that tied these providers to the National Security Agency's vast surveillance program.
Even as Washington grapples with the diplomatic and political fallout of Mr. Snowden's leaks, the more urgent issue, companies and analysts say, is economic. Technology executives, including Mark Zuckerberg of Facebook, raised the issue when they went to the White House on Friday for a meeting with President Obama.
It is impossible to see now the full economic ramifications of the spying disclosures -- in part because most companies are locked in multiyear contracts -- but the pieces are beginning to add up as businesses question the trustworthiness of American technology products.
The confirmation hearing last week for the new N.S.A. chief, the video appearance of Mr. Snowden at a technology conference in Texas and the drip of new details about government spying have kept attention focused on an issue that many tech executives hoped would go away.
Despite the tech companies' assertions that they provide information on their customers only when required under law -- and not knowingly through a back door -- the perception that they enabled the spying program has lingered.
"It's clear to every single tech company that this is affecting their bottom line," said Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who predicted that the United States cloud computing industry could lose $35 billion by 2016.
Forrester Research, a technology research firm, said the losses could be as high as $180 billion, or 25 percent of industry revenue, based on the size of the cloud computing, web hosting and outsourcing markets and the worst case for damages.
The business effect of the disclosures about the N.S.A. is felt most in the daily conversations between tech companies with products to pitch and their wary customers. The topic of surveillance, which rarely came up before, is now "the new normal" in these conversations, as one tech company executive described it.
"We're hearing from customers, especially global enterprise customers, that they care more than ever about where their content is stored and how it is used and secured," said John E. Frank, deputy general counsel at Microsoft, which has been publicizing that it allows customers to store their data in Microsoft data centers in certain countries.
At the same time, Mr. Castro said, companies say they believe the federal government is only making a bad situation worse.
"Most of the companies in this space are very frustrated because there hasn't been any kind of response that's made it so they can go back to their customers and say, 'See, this is what's different now, you can trust us again,'" he said.
In some cases, that has meant forgoing potential revenue.
Though it is hard to quantify missed opportunities, American businesses are being left off some requests for proposals from foreign customers that previously would have included them, said James Staten, a cloud computing analyst at Forrester who has read clients' requests for proposals. There are German companies, Mr. Staten said, "explicitly not inviting certain American companies to join."
He added, "It's like, 'Well, the very best vendor to do this is IBM, and you didn't invite them.'"
The result has been a boon for foreign companies.
Runbox, a Norwegian email service that markets itself as an alternative to American services like Gmail and says it does not comply with foreign court orders seeking personal information, reported a 34 percent annual increase in customers after news of the N.S.A. surveillance.
Brazil and the European Union, which had used American undersea cables for intercontinental communication, last month decided to build their own cables between Brazil and Portugal, and gave the contract to Brazilian and Spanish companies.
Brazil also announced plans to abandon Microsoft Outlook for its own email system that uses Brazilian data centers.
Mark J. Barrenechea, chief executive of OpenText, Canada's largest software company, said an anti-American attitude took root after the passage of the Patriot Act, the counterterrorism law passed after 9/11 that expanded the government's surveillance powers.
But "the volume of the discussion has risen significantly post-Snowden," he said. For instance, after the N.S.A. surveillance was revealed, one of OpenText's clients, a global steel manufacturer based in Britain, demanded that its data not cross United States borders.
"Issues like privacy are more important than finding the cheapest price," said Matthias Kunisch, a German software executive who spurned United States cloud computing providers for Deutsche Telekom. "Because of Snowden, our customers have the perception that American companies have connections to the N.S.A."
Security analysts say that ultimately the fallout from Mr. Snowden's revelations could mimic what happened to Huawei, the Chinese technology and telecommunications company, which was forced to abandon major acquisitions and contracts when American lawmakers claimed that the company's products contained a backdoor for the People's Liberation Army of China -- even though this claim was never definitively verified.
Silicon Valley companies have complained to government officials that federal actions are hurting American technology businesses. But companies fall silent when it comes to specifics about economic harm, whether to avoid frightening shareholders or because it is too early to produce concrete evidence.
"The companies need to keep the priority on the government to do something about it, but they don't have the evidence to go to the government and say billions of dollars are not coming to this country," Mr. Staten said.
Some American companies say the business hit has been minor at most.
John T. Chambers, the chief executive of Cisco Systems, said in an interview that the N.S.A. disclosures had not affected Cisco's sales "in a major way." Although deals in Europe and Asia have been slower to close, he said, they are still being completed -- an experience echoed by several other computing companies.
Still, the business blowback can be felt in other ways than lost customers.
Security analysts say tech companies have collectively spent millions and possibly billions of dollars adding state-of-the-art encryption features to consumer services, like Google search and Microsoft Outlook, and to the cables that link data centers at Google, Yahoo and other companies.
IBM said in January that it would spend $1.2 billion to build 15 new data centers, including in London, Hong Kong and Sydney, Australia, to lure foreign customers that are sensitive about the location of their data. Salesforce.com announced similar plans this month.
Germany and Brazil, where it was revealed that the N.S.A. spied on government leaders, have been particularly adversarial toward American companies and the government. Lawmakers, including in Germany, are considering legislation that would make it costly or even technically impossible for American tech companies to operate inside their borders.
Yet some government officials say laws like this could have a motive other than protecting privacy. Shutting out American companies "means more business for local companies," Richard A. Clarke, a former White House counterterrorism adviser, said last month.
Contributing reporting were Quentin Hardy and Nicole Perlroth from San Francisco, David E. Sanger from Washington, Mark Scott from London, Dan Horch from São Paulo, Brazil, and Ian Austen from Ottawa.
A version of this article appears in print on March 22, 2014, on page A1 of the New York edition with the headline: N.S.A. Spying Imposing Cost on Tech Firms.
(4) NSA and GCHQ hack mobile phones
http://abcnews.go.com/International/wireStory/rights-groups-call-action-reported-us-uk-phone-29099593
Rights Groups Call for Action Over Reported US-UK Phone Hack
LONDON -- Feb 20, 2015, 1:55 PM ET
By SYLVIA HUI Associated Press
Rights organizations on Friday called for urgent steps to be taken to protect private calls and online communications after allegations that U.S. and British agencies hacked into the networks of a major SIM card maker.
The World Wide Web Foundation, founded by Web inventor Tim Berners-Lee, said the alleged hacking by the National Security Agency and its British counterpart, GCHQ, was "another worrying sign that these agencies think they are above the law."
The claims of the hack into Netherlands-based company Gemalto came from documents given to journalists by whistleblower Edward Snowden. A story about the documents posted Thursday on the website The Intercept said the agencies hacked into Gemalto's networks to steal codes that allow both governments to seamlessly eavesdrop on mobile phones worldwide.
In an email to The Associated Press on Friday, GCHQ said it does not comment on intelligence matters. However, it said all of its work was legal and its "interception regime" fully complies with the European Convention on Human Rights.
Privacy International, which recently won an unprecedented court victory against GCHQ in the wake of the Snowden revelations, said that the electronic eavesdropping agency had lost its way.
"In stealing the SIM card encryption keys of millions of mobile phone users they have shown there are few lines they aren't willing to cross," Privacy International Deputy Director Eric King said in a statement.
"Hacking into law-abiding companies, spying on their employees and stealing their data should never be considered 'fair game,'" he added. "Their actions have undermined the security of us all."
Yet hacking into law-abiding companies, and inducing foreigners to commit treason by spilling secrets, are standard practices of spy agencies throughout the world. The U.S. and Britain happen to be more proficient than most. There is no international treaty laying out the rules of espionage, cyber or otherwise.
The NSA hacks into companies in friendly nations for all sorts of reasons, say former intelligence officials who declined to be quoted discussing classified operations. The CIA, and its Russian, Chinese, French and British counterparts, pay foreigners to supply information in violation of the laws of their countries.
One question being raised by some of the Snowden leaks is whether the public in the U.S. and Europe are willing to rein in their digital spying services if it means rendering them less effective. Another question is whether the benefits of a particular surveillance method are worth the fallout in the event it is disclosed.
In Germany, opposition lawmakers have called for a parliamentary hearing on the reported hacking. An aide to Green Party lawmaker Konstantin von Notz said the hearing would likely take place Wednesday and could call on witnesses from Germany's domestic and foreign intelligence agencies to testify.
Germany is the only country that has launched a parliamentary inquiry into the activities of the NSA and GCHQ in the wake of the Snowden revelations.
------
AP Intelligence Writer Ken Dilanian in Washington D.C. and Frank Jordans in Berlin contributed to this report.
(5) UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful
Date: Sun, 22 Feb 2015 23:18:48 +0000
From: "penninecottage@hush.com" <penninecottage@hush.com>
https://www.privacyinternational.org/?q=node/485
Victory! UK surveillance tribunal finds GCHQ-NSA intelligence sharing unlawful
by Eric King
6 February 2015
Privacy International, Bytes for All and other human rights groups are celebrating a major victory against the Five Eyes today as the UK surveillance tribunal rules that GCHQ acted unlawfully in accessing millions of private communications collected by the NSA up until December 2014.
Today's judgement represents a monumental leap forward in efforts to make intelligence agencies such as GCHQ and NSA accountable to the millions of individuals whose privacy they have violated.
The case was only possible thanks to NSA whistleblower Edward Snowden, whose leaked documents provided the facts needed to challenge the long-standing intelligence sharing relationship. His greatest fear was that "nothing would change." Today's success vindicates his admirable acts and shows the power of public scrutiny and transparency of State power.
Numbers game
The receipt of unanalysed intercepted material from partners like NSA makes up a huge percentage of the raw data that GCHQ crunches through. Through their secret intelligence sharing relationship with the NSA, GCHQ has had intermittently unrestricted access to PRISM - NSA's means of directly accessing data and content handled by some of the world's largest Internet companies, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.
GCHQ also has had access to the NSA's mass surveillance programme UPSTREAM, which exploits the US geographical position as the internet and telecommunications switching center for the world and involves the interception of fibre optic cables running through the country. Other programmes that are part of UPSTREAM to which GCHQ has had access include CO-TRAVELLER, which collects five billion locational records a day, and DISHFIRE, which harvests 194 million text messages daily. The top five programmes within UPSTREAM created 160 billion interception records in one month alone.
GCHQ's access to NSA material therefore makes up the large bulk of all surveillance material handled by the security services; some ex-GCHQ staffers estimated that "95 per cent of all SIGINT [signals intelligence material] handled at GCHQ is American". Indeed, in his witness statement to the Investigatory Powers Tribunal in May 2014, Charles Farr attested that
"The immense value of [GCHQ's relationships with the NSA] for the UK in part reflects the fact that the US intelligence agencies are far larger and much better resourced than the Intelligence Services… In simple terms, the US can provide the UK with intelligence that the UK with its far more limited resources could not realistically obtain by itself."
Historical illegality
But this has been going on for far longer than PRISM has been in existence. For more than 60 years GCHQ has been receiving raw intercept from NSA. Indeed, the original 1946 Five Eyes agreement (the UKUSA agreement) stipulates that "all raw traffic shall continue to be exchanged except in cases where one or the other party agrees to forgo its copy."
The details of the modern day UKUSA arrangement remain secret, despite legal attempts to obtain them, including FOI requests in all Five Eyes countries and an ongoing legal challenge from Privacy International in the European Court of Human Rights.
However, significant quantities of intelligence material are almost certainly being shared between the parties. Indeed, in an essay by an ex-NSA employee marked UNCLASSIFIED and approved for public release by the NSA's office of Pre-Publication Review it was confirmed that:
"If you are a citizen of the UK, Canada, New Zealand, or Australia, you may also be glad, because everything the NSA collects is by default shared with your government."
The extraordinary implication of today's judgement is that all historical sharing of raw intelligence between NSA and GCHQ took place without an adequate legal framework, and thus was unlawful.
The fight continues
The UK surveillance tribunal agreed with Privacy International that intelligence sharing between the United States and the United Kingdom was unlawful prior to December 2014, because the rules governing the UK's access to the NSA's PRISM and UPSTREAM programmes were secret.
But the fight has to continue at the European Court of Human Rights. In the coming weeks Privacy International will appeal the tribunal's earlier decision that GCHQ's access to NSA data was lawful from December 2014 onward because secret policies governing the US-UK intelligence relationship were made public during Privacy International's case against the security services.
It does not need to be this way. Our intelligence agencies do not need to be run relying on secret interpretations of secret laws. With independent reviews of RIPA already underway we hope this success encourages the call for root and branch reform, to bring our intelligence agencies under the rule of law once and for all.
(6) Spooks can track a mobile phone by looking at battery power
http://rt.com/usa/234403-phone-hacking-power-location/
Hackers can track phone users' location by looking at power supply
Published time: February 21, 2015 16:02
Researchers have found out it is possible to track someone's mobile phone by looking at how much battery has been used. The data does not need the users' permission to be shared, while it can help track a phone with up to 90 percent accuracy.
The research was carried out by a group of researchers at Stanford University and the Israeli defense company Rafael. They created a technique, which they have named PowerSpy, that can gather information concerning the location of Android phones. It does this by simply tracking how much power has been used over a certain time.
How much power is used depends on a number of factors. For example, the further away the phone is from a transmitter, the more power is needed to get a signal. Physical objects such as mountains or buildings also have an impact on the amount of battery needed as these obstacles can block the phone's signal, meaning there are temporary 'power drains' on the devices.
"A sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise," the researchers said, as reported by Wired. "We show that measuring the phone's aggregate power consumption over time completely reveals the phone's location and movement."
However, there is a catch. The spying technique only works if the person has traveled along that route before. It is also impossible to gain any data if the hacker has not walked along the same routes previously.
The researchers gathered data from phones as they drove around the Bay Area in California and the Israeli city of Haifa. They then compared the data they had collected with an LG Nexus 4 cell phone. For each test which was carried out, the team chose a different, unknown route. Wired magazine reports that they were able to identify the correct one with 90 percent accuracy.
"If you take the same ride a couple of times, you'll see a very clear signal profile and power profile," says Yan Michalevsky, one of the researchers from Stanford. "We show that those similarities are enough to recognize among several possible routes that you're taking this route or that one, that you drove from Uptown to Downtown, for instance, and not from Uptown to Queens," according to Wired.
The researchers also found that phones with very few apps were easier to track, as their power use was more consistent than that of phones with many apps, which used power unpredictably.
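To make the matching step and its two limitations concrete, here is a small Python model added for this page, not the Stanford and Rafael researchers' code or data: constructed per-segment power levels stand in for routes the tracker has driven before, an observed trace is a route's profile plus Gaussian noise representing other apps' unpredictable power use, and Pearson correlation picks the best-matching known route, reporting "unknown" when even the best score is weak. The route names, power levels, noise figures and threshold are all invented for illustration; the point is why a never-recorded route cannot be matched and why a phone full of busy apps is harder to track.

```python
"""Route matching from aggregate power draw: an educational model of the
PowerSpy idea described above, on constructed data (not the researchers' code)."""
import math
import random
from typing import Dict, List, Tuple

SAMPLES_PER_SEGMENT = 10  # power samples taken while driving one road segment


def expand(levels: List[float]) -> List[float]:
    """Turn per-segment power levels into a sample-by-sample reference profile."""
    return [lvl for lvl in levels for _ in range(SAMPLES_PER_SEGMENT)]


# Constructed reference profiles for routes the tracker has driven before.
# Higher numbers stand for more radio power (far from the tower, behind obstacles).
KNOWN_ROUTES: Dict[str, List[float]] = {
    "uptown-downtown": expand([1, 1, 2, 2, 1, 1, 1, 3, 3, 1, 1, 1]),
    "uptown-queens":   expand([3, 3, 1, 1, 1, 2, 2, 1, 1, 1, 1, 1]),
    "ring-road":       expand([1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2]),
}
# A route the tracker never recorded (constructed).
UNSEEN_ROUTE = expand([1, 3, 1, 1, 2, 1, 3, 1, 1, 1, 2, 1])

MATCH_THRESHOLD = 0.7  # below this, the trace is not confidently any known route


def pearson(a: List[float], b: List[float]) -> float:
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0


def observe(profile: List[float], app_noise_sd: float, seed: int = 42) -> List[float]:
    """What an app reading aggregate power would see: the route's radio profile
    plus Gaussian noise standing in for other apps' unpredictable power use."""
    rng = random.Random(seed)
    return [p + rng.gauss(0.0, app_noise_sd) for p in profile]


def match_route(trace: List[float], routes: Dict[str, List[float]]) -> Tuple[str, float]:
    """Pick the known route whose profile correlates best with the trace;
    report 'unknown' when even the best match is below the threshold."""
    scores = {name: pearson(trace, prof) for name, prof in routes.items()}
    best = max(scores, key=scores.get)
    if scores[best] < MATCH_THRESHOLD:
        return "unknown", scores[best]
    return best, scores[best]


def quiet_phone_match() -> Tuple[str, float]:
    """Few apps: little background noise, so the route profile dominates."""
    return match_route(observe(KNOWN_ROUTES["uptown-downtown"], 0.1), KNOWN_ROUTES)


def busy_phone_match() -> Tuple[str, float]:
    """Many apps: heavy unpredictable draw swamps the same route profile."""
    return match_route(observe(KNOWN_ROUTES["uptown-downtown"], 3.0), KNOWN_ROUTES)


def unseen_route_match() -> Tuple[str, float]:
    """A route never recorded by the tracker: nothing to correlate against."""
    return match_route(observe(UNSEEN_ROUTE, 0.1), KNOWN_ROUTES)


if __name__ == "__main__":
    for label, fn in [("quiet phone", quiet_phone_match),
                      ("busy phone", busy_phone_match),
                      ("unseen route", unseen_route_match)]:
        name, score = fn()
        print(f"{label:>13}: {name} (correlation {score:.2f})")
```

The quiet phone on a previously recorded route correlates almost perfectly with its reference profile; the same route on a phone with heavy background draw, or a route with no reference at all, falls under the threshold and comes back as "unknown". That is the model's version of the two findings above: the technique needs a prior recording of the route, and unpredictable app power use hides the route signal.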
What can users do to stop it? Basically, nothing aside from not using the phone. With certain apps, such as Instagram or Facebook, the user is asked whether they want to provide their current geo-location. However, the data from the power supply on a phone is freely available.
Michalevsky says this is a problem that Google needs to address.
"You could install an application like Angry Birds that communicates over the network but doesn't ask for any location permissions. It gathers information and sends it back to me to track you in real time, to understand what routes you've taken when you drove your car or to know exactly where you are on the route. And it does it all just by reading power consumption," Michalevsky concluded.
(7) Smart TVs & phones listen in on users' personal conversations
http://www.abc.net.au/news/2015-02-10/samsung-warns-customers-new-smart-tvs-listen-in-on-users/6082144
Samsung warns customers new Smart TVs 'listen in' on users' personal conversations
AM
By Nick Grimm
Updated Tue 10 Feb 2015, 12:59pm
Customers with Samsung's new Smart televisions are being warned that what they say could be recorded and distributed to a third party.
The company is warning people as part of its privacy policy that anything they say around their new television will be "among the data captured and transmitted to a third party" because of a voice recognition feature.
The policy advises customers to "please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition."
Voice recognition technology is already used on most smartphones, but what troubles some observers about smart household goods like televisions is that customers may not always be aware when their new gadget is listening in.
"I suppose the interesting difference between the televisions and the phone example is when you're dictating into a phone you know exactly what you're doing, whereas with a television you might just be sitting around chatting to your friends and you're inadvertently activating this voice command technology which will start recording what you're saying," Jake Goldenfein, from the centre for media and communications law at the University of Melbourne, said.
Luke Hopewell, editor of online technology journal Gizmodo, said "big brother" may not be actually listening to what we say just yet, but more how we say it.
"When it says don't discuss personal information in front of your TV, what it's actually saying is that identifiers of your voice are being sent to third party services when you're using this television," he said.
"LG has a very similar clause in its terms and conditions as well."
Mr Hopewell said the third party sources are not so much keeping recordings as keeping data points.
"Those data points mean what your voice inflection sounds like, which words that you said," he said.
"For example, the Australian accent in particular is very difficult to decode.
"Samsung work with people at Macquarie University to actually figure out what people were saying before they could bring voice recognition to Australia."
Angus Kidman from website Lifehacker said voice recognition technology looked for specific information.
Video: Angus Kidman discusses Samsung's latest warning (ABC News)
"It's looking for you to say 'I want to watch this show' or 'I want to watch this channel'. It's not hanging around going 'I want to grab your credit card number'," he said.
Mr Kidman said data points needed to be sent to an online third party to be analysed.
"It requires a lot of processing power so it's not going to happen in your television; it's going to get sent online to be analysed," he said.
"That's why they have to tell you they're doing that."
He said consumers have a tendency to take the convenience of technology without realising there is a trade-off.
"In order to make things simpler and easier for us using technology, that often requires us to give up some personal information and we haven't perhaps thought as hard as we should about the fact that we're doing that," he said.
Mr Hopewell said it's "about getting a better quality of service, but it really raises questions about what we're going to do in the smart home in the future.
"This is the first time people have actually recognised that this might be a problem if we start giving all our information over in our smart home to third party services."
(8) Energy companies need insurance cover for cyber attack 'time bomb'
http://www.reuters.com/article/2014/04/08/us-energy-cybercrime-idUSBREA371DO20140408
BY MICHAEL SZABO
LONDON Tue Apr 8, 2014 11:44am EDT
(Reuters) - Energy companies have no insurance against major cyber attacks, reinsurance broker Willis said on Tuesday, likening the threat to a "time bomb" that could cost the industry billions of dollars.
Willis highlighted the industry's vulnerability to cyber threats in its annual review of the energy sector's insurance market, which called on insurers to find a way to provide cover.
"A major energy catastrophe - on the same scale as ... Exxon Valdez or Deepwater Horizon - could be caused by a cyber attack, and, crucially, that cover for such a loss is generally not currently provided by the energy insurance market," the insurance broker said.
Most insurance products currently available will cover minor things such as data losses or downtime caused by IT issues, but not major events like explosions at multiple facilities triggered remotely by hackers, Willis said.
It said the lack of coverage stemmed from a clause included in most energy sector insurance agreements over the past 10 years that explicitly excludes loss or damage caused by software, viruses or other malicious computer code.
"There can be little doubt that the removal of this exclusion would be the most effective way for coverage to be provided to the energy industry," it said.
But the exclusion clause has remained because cyber security is not well-understood by the insurance industry, making it difficult to design comprehensive products. Additionally, problems lie with how insurers agree to cover damage to multiple plants or platforms caused by a single attack.
The issue is attracting more attention after high-profile events including Stuxnet - a virus that afflicted a uranium enrichment facility in Iran - and Shamoon - a virus linked to cyber assaults on energy firms in Saudi Arabia and Qatar in 2012.
Technology now allows entire oil and gas networks to be operated remotely, but connecting that infrastructure via the internet has also opened the door for hackers and computer viruses to target anything from refineries to pipelines.
The effects of such attacks can range from viruses spreading across a network of household smart electric meters to hackers triggering oil spills or explosions.
Britain estimates that cyber security breaches cost UK energy firms around 400 million pounds ($664 million) annually. The U.S. Department of Homeland Security said over 40 percent of attacks on the United States' critical infrastructure assets were aimed at the energy industry in the year to September 2012.
Research firm ABI estimates that global cyber security spending by the industry on critical oil and gas infrastructure will reach $1.87 billion by 2018.
Willis also said companies are coming under pressure from shareholders and the government to beef up cyber defenses, a trend that could lead to the introduction of regulatory requirements aimed at protecting key infrastructure.
"While many in the energy industry may not see regulation as the answer to the problem of cyber-attacks, it remains a strong possibility that energy companies will increasingly be accountable for demonstrating that they have taken every possible step to counter this threat," it added.
($1 = 0.6020 British Pounds)
(Editing by Jane Merriman)