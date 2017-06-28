* Tax accounting software, Ukrainian news site blamed
* Attack first took hold in Ukraine, spread worldwide
* Port terminals operated by Maersk disrupted
By Eric Auchard, Jack Stubbs and Alessandra Prentice
FRANKFURT/MOSCOW/KIEV, June 28 A new cyber virus
spread from Ukraine to wreak havoc around the globe on
Wednesday, crippling thousands of computers, disrupting ports
from Mumbai to Los Angeles and halting production at a chocolate
factory in Australia.
The virus is believed to have first taken hold on Tuesday in
Ukraine where it silently infected computers after users
downloaded a popular tax accounting package or visited a local
news site, national police and international cyber experts said.
More than a day after it first struck, companies around the
world were still wrestling with the fallout while cyber security
experts scrambled to find a way to stem the spread.
Danish shipping giant A.P. Moller-Maersk said
it was struggling to process orders and shift cargoes,
congesting some of the 76 ports around the world run by its APM
Terminals subsidiary.
U.S. delivery firm FedEx Corp said its TNT Express
division had been significantly affected by the virus, which
also wormed its way into South America, affecting ports in
Argentina operated by China's Cofco.
The malicious code locked machines and demanded victims post
a ransom worth $300 in bitcoins or lose their data entirely,
similar to the extortion tactic used in the global WannaCry
ransomware attack in May.
More than 30 victims paid up but security experts are
questioning whether extortion was the goal, given the relatively
small sum demanded, or whether the hackers were driven by
destructive motives rather than financial gain.
Hackers asked victims to notify them by email when ransoms
had been paid but German email provider Posteo quickly shut down
the address, a German government cyber security official said.
Ukraine, the epicentre of the cyber strike, has repeatedly
accused Russia of orchestrating attacks on its computer systems
and critical power infrastructure since its powerful neighbour
annexed the Black Sea peninsula of Crimea in 2014.
The Kremlin, which has consistently rejected the
accusations, said on Wednesday it had no information about the
origin of the global cyber attack, which also struck Russian
companies such as oil giant Rosneft and a steelmaker.
"No one can effectively combat cyber threats on their own,
and, unfortunately, unfounded blanket accusations will not solve
this problem," said Kremlin spokesman Dmitry Peskov.
ESET, a Slovakian company that sells products to shield
computers from viruses, said 80 percent of the infections
detected among its global customer base were in Ukraine, with
Italy second hardest hit with about 10 percent.
ETERNAL BLUE
The aim of the latest attack appeared to be disruption
rather than ransom, said Brian Lord, former deputy director of
intelligence and cyber operations at Britain's GCHQ and now
managing director at private security firm PGI Cyber.
"My sense is this starts to look like a state operating
through a proxy ... as a kind of experiment to see what
happens," Lord told Reuters on Wednesday.
While the malware seemed to be a variant of past campaigns,
derived from code known as Eternal Blue believed to have been
developed by the U.S. National Security Agency (NSA), experts
said it was not as virulent as May's WannaCry attack.
Security researchers said Tuesday's virus could leap from
computer to computer once unleashed within an organisation but,
unlike WannaCry, it could not randomly trawl the internet for
its next victims, limiting its scope to infect.
Bushiness that installed Microsoft's latest
security patches from earlier this year and turned off Windows
file-sharing features appeared to be largely unaffected.
There was speculation, however, among some experts that once
the new virus had infected one computer it could spread to other
machines on the same network, even if those devices had received
a security update.
After WannaCry, governments, security firms and industrial
groups advised businesses and consumers to make sure all their
computers were updated with Microsoft security patches.
Austria's government-backed Computer Emergency Response Team
(CERT) said "a small number" of international firms appeared to
be affected, with tens of thousands of computers taken down.
Security firms including Microsoft, Cisco's Talos
and Symantec said they had confirmed some of the
initial infections occurred when malware was transmitted to
users of a Ukrainian tax software programme called MEDoc.
The supplier of the software, M.E.Doc denied in a post on
Facebook that its software was to blame, though Microsoft
reiterated its suspicions afterwards.
"Microsoft now has evidence that a few active infections of
the ransomware initially started from the legitimate MEDoc
updater process," it said in a technical blog post.
Russian security firm Kaspersky said a Ukrainian news site
for the city of Bakhumut was also hacked and used to distribute
the ransomware to visitors, encrypting data on their machines.
CORPORATE CHAOS
A number of the international firms hit have operations in
Ukraine, and the virus is believed to have spread within global
corporate networks after gaining traction within the country.
Shipping giant A.P. Moller-Maersk, which
handles one in seven containers shipped worldwide, has a
logistics unit in Ukraine.
Other large firms affected, such as French construction
materials company Saint Gobain and Mondelez
International Inc, which owns chocolate brand Cadbury,
also have operations in the country.
Maersk was one of the first global firms to be taken down by
the cyber attack and its operations at major ports such as
Mumbai in India, Rotterdam in the Netherlands and Los Angeles on
the U.S. west coast were disrupted.
Other companies to succumb included BNP Paribas Real Estate
, a part of the French bank that provides property and
investment management services.
"The international cyber attack hit our non-bank subsidiary,
Real Estate. The necessary measures have been taken to rapidly
contain the attack," the bank said on Wednesday.
Production at the Cadbury factory on the Australian island
state of Tasmania ground to a halt late on Tuesday after
computer systems went down.
Russia's Rosneft, one of the world's biggest crude producers
by volume, said on Tuesday its systems had suffered "serious
consequences" but oil production had not been affected because
it switched to backup systems.
