Overnight Cybersecurity: New questions about ‘ransomware’ attack | Tensions between NSA chief, Trump over Russia | Senate panel asks states to publicize election hacks

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We’re here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you’re a consumer, a techie or a D.C. lifer, we’re here to give you …

 

THE BIG STORY:

–YESTERDAY’S RANSOMWARE WASN’T: Researchers believe that the massive ransomware attack that infected computer systems around the world on Tuesday may actually be malware designed for purely destructive purposes. The ransomware deletes — not encrypts — the critical first few sectors of a hard drive called the master boot record (MBR), which is critical for hard drive function. Malware that wipes all or part of a hard drive is known as a wiper. “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon,” wrote Matt Suiche, co-founder of Comae Technologies, in a blog post Wednesday. The ransomware released Tuesday was similar enough to ransomware known as Petya that many have taken to calling it Petya. Distinct differences, however, have led researchers to differentiate between the two, proposing names like “Petna,” “NotPetya” and “ExPetya.” NotPetya infected computers worldwide, causing untold damage. Victims ranged from a shipping yard in India to a major pharmaceutical company in the United States. Though infected computers display a message that a computer’s files have been encrypted and can be decrypted if users pay a ransom, that ransom ultimately will have no effect. Users are told to email details about their payment to an email account that is not active. Even if they could communicate payment of the ransom, it is impossible to recover much of the MBR. Whereas Petya encrypted and decrypted the MBR, with later versions of Petya also encrypting files, NotPetya deliberately overwrites parts of the MBR with no way to recover it. Potentially related: NotPetya uses three different methods to break into systems – two now-patched holes in Windows and a fake update to Ukrainian accounting software. Data from Kaspersky Lab and Symantec both show that Ukraine saw the majority of NotPetya infections.

To read the rest of our piece, click here.

{mosads}–…THE INTERNATIONAL LANGUAGE OF CYBER ATTACKS: Jon DiMaggio, senior threat intelligence analyst for Symantec, noted an interesting quirk in the malware. Despite the attack specifically targeting Ukrainian systems, the only language that the ransom note was printed in was English. “With WannaCry,” he noted, “there were dozens.” It’s tough to pay a ransom you can’t read.

–…SHADOWBROKERS CAPITALIZE ON MALWARE, WHICH USED THEIR LEAKS: The leaker or leakers that released two vulnerabilities used in Tuesday’s malware outbreak — one of which was also used in the similarly devastating WannaCry outbreak in May — is making an effort to capitalize on the notoriety. The ShadowBrokers, which claims to be releasing cyber weaponry stolen from the National Security Agency, announced pricing changes to a “wine of the month”-type leak program and a new “VIP” product in their attempts to monetize the hacking tools and apparent government documents in their possession. In the online message, the Brokers more than doubled the price of their monthly leaks service from $27,000 to $61,000 and instituted a premium program where for a one time payment of $122,000, they will answer emails and negotiate anything from contract hacking services to leak requests. “For one time payment of [$120,000] you getting theshadowbrokers VIP attention. VIP Service is no guarantee of future good or services, negotiation for those is being separate.”

To read the rest of our piece, click here.

–…DEM ASKS THE NSA TO DO SOMETHING: In a letter to the NSA, Ted Lieu noted that two of the vulnerabilities used in the malwares are said to have come from the NSA. He wrote: “My first and urgent request is that if the NSA knows how to stop this global malware attack, or has information that can help stop the attack, then NSA should immediately disclose it. If the NSA has a kill switch for this new malware attack, the NSA should deploy it now.”

 

A POLICY UPDATE:

WHEN NATO WILL SAY GO:

The head of NATO is pressing the alliance to strengthen its cyber defenses, saying that a cyberattack could trigger the Article 5 principle of collective defense.

NATO Secretary-General Jens Stoltenberg made the remarks ahead of a defense meeting in Brussels and the day after a massive ransomware campaign spread across the globe, affecting victims across Europe and the United States.

“[The] attack in May and this week just underlines the importance of strengthening our cyber defenses and that is what we are doing,” Stoltenberg told reporters on Wednesday, according to AFP.

NATO has paid more attention to cybersecurity in recent years, declaring cyberspace a domain of operations during last year’s Warsaw summit.

“We exercise more, we share best practices and technology, and we also work more and more closely with all allies,” Stoltenberg said Wednesday

To read the rest of our piece, click here.

TENSIONS BETWEEN NSA AND WHITE HOUSE: 

National Security Agency Director Mike Rogers is frustrated that he has not yet convinced President Trump that U.S. intelligence indicates Russia interfered in the 2016 presidential election, CNN reported Wednesday.

Rogers vented frustration over his fruitless efforts to lawmakers during a recent closed-door briefing on Capitol Hill, a congressional source familiar with the meeting told the news network.

The NSA director also reportedly said the White House lacked focus about the continued threat of the Kremlin’s cyber efforts, especially regarding voting systems in the U.S., another congressional source told CNN.

The intelligence community continues to brief the president on new information on Russia’s election involvement as it comes to light.

An intelligence official told CNN that while Trump does not seem less engaged when being briefed on the matter, he has expressed frustration outside of the briefings that too much attention is being paid to the ongoing probe into Russia’s interference in the election.

To read more, click here. 

 

A LIGHTER CLICK: 

AND NO ONE EVER SLEPT AGAIN: A Kickstarter night light will notify you of emails and tweets and all kinds of things better than bedtime.

 

A REPORT IN FOCUS:

NO DEVILS WENT DOWN TO GEORGIA:

The Department of Homeland Security did not engage in a prolonged cyberattack against the state of Georgia, the DHS inspector general has determined.

“We have recently completed our investigation into these allegations and have determined that the activity Georgia noted on its computer networks was the result of normal and automatic computer message exchanges generated by the Microsoft applications involved,” Inspector General John Roth wrote in a letter to House Oversight Committee Chairman Trey Gowdy (R-S.C.) on Monday.

In December, Georgia Secretary of State Brian Kemp sent a letter to then-Secretary of Homeland Security Jeh Johnson accusing the DHS of 10 cyberattacks of varying sizes around the time of the 2016 presidential election, implying that the alleged attacks were related to the state turning down DHS help to secure election systems.

An earlier, internal DHS investigation into the reported incident already showed that the “attempt to penetrate the Georgia Secretary of State’s firewall” was actually residual traffic from a Federal Law Enforcement Training Center employee checking the Georgia firearms license database. That employee said he was doing due diligence on private security contractors for the facility.

That traffic, the first report determined, was caused by the employee cutting and pasting data from the database to Microsoft Excel, which sent light traffic to the Georgia server while parsing the data. That traffic would have been in no way abnormal.

The DHS inspector general, which operates independently from the DHS chain of command, conducted a second investigation. It validated the first report’s results, finding that other states that made similar claims following the Georgia accusation appeared to also have drawn non-malicious traffic.

Roth noted in his letter that the DHS internet addresses that contacted the Georgia systems are configured to prevent their use in the kind of attack Kemp described.

Roth said the agency’s explanation of events was backed up by server logs and a consultation with Microsoft.

To read the rest of our piece, click here.

 

WHAT’S IN THE SPOTLIGHT:

ELECTION ATTACKS:

The Senate Intelligence Committee has asked election officials in 21 states to make public information about Russian efforts to hack their elections systems during the 2016 elections, the panel’s top Democrat said Wednesday.

The request was made in a letter sent last week “to all relevant state election officials” from Sens. Richard Burr (R-N.C.) and Mark Warner (D-Va.), the panel’s chairman and vice chairman, respectively, Warner revealed in his prepared remarks before a hearing on global election interference.

“I do not see how Americans are made safer when they do not know which state elections systems Russia tried to hack,” Warner said.

Department of Homeland Security (DHS) officials last week revealed that Russian hackers targeted election-related systems in 21 states leading up to Election Day.

To read the rest of our piece, click here.

THE COMEY MEMOS:

The Senate Intelligence Committee has reportedly reached an agreement to get former FBI Director James Comey’s memos detailing his conversations with President Trump.

“I’ve got a commitment,” Committee Chairman Richard Burr (R-N.C.) told Politico on Wednesday when asked whether his panel would obtain access to the memos.

Burr declined to say who provided the commitment, the newspaper reported.

Several House and Senate committees requested the memos after Comey said in his testimony before the Senate Intelligence panel earlier this month that he had authorized a friend to share the contents of one of the memos with a reporter.

To read the rest of our piece, click here.

 

IN CASE YOU MISSED IT:

Links from our blog, The Hill, and around the Web.

The FBI visits the homes of Kaspersky Lab employees. (The Hill)

House Foreign Intelligence Chair Ed Royce (R-Calif.) wants the Senate’s second chance Russia sanctions bill before recess. (The Hill)

GOP senators want to see the FBI’s surveillance requests of Trump officials. (The Hill)

Moscow ready to retaliate over seizures of its compounds. (The Hill)

The Democrats hired a former Uber employee to beef up cybersecurity (not the ex-CEO). (Recode)

40 ISPs asked the FCC not to nix net neutrality. (EFF)

If you’d like to receive our newsletter in your inbox, please sign up here.

– This post was updated at 8:47 p.m.