NotPetya – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Russia Sanctions, Mossack Fonseca Shutdown, Equifax Insider Trading

On Thursday, the U.S. government imposed sanctions against five entities and 19 individuals for their role in “destabilizing activities” ranging from interfering in the 2016 U.S. presidential election to carrying out destructive cyber-attacks such as NotPetya, an event that the Treasury department said is the most destructive and costly cyber-attack in history.

“These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia,” said Treasury Secretary Steven T. Mnuchin in a press release. “Treasury intends to impose additional CAATSA [Countering America’s Adversaries Through Sanctions Act] sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the U.S. financial system.”

Nine of the 24 entities and individuals named on Thursday had already received previous sanctions from either President Obama or President Trump for unrelated reasons, The New York Times reported.

In addition to the sanctions, the Department of Homeland Security and the FBI issued a joint alert warning that the Russian government is targeting government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

According to the alert, Russian government cyber actors targeted small commercial facilities’ networks with a multi-stage intrusion campaign that staged malware, conducted spear phishing attacks, and gained remote access into energy sector networks. The actors then used their access to conduct network reconnaissance, move laterally, and collect information pertaining to Industrial Control Systems.

Other trending cybercrime events from the week include:

Sensitive data exposed: Researchers discovered a publicly accessible Amazon S3 bucket belonging to the Chicago-based jewelry company MBM Company Inc. that exposed the personal information of more than 1.3 million people. About 3,000 South Carolina recipients of the Palmetto Fellows scholarship had their personal information exposed online for over a year due to a glitch when switching programs. The Dutch Data Protection Authority accidentally leaked the names of some of its employees due to not removing metadata from more than 800 public documents.
State data breach notifications: ABM Industries is notifying clients of a phishing incident that may have compromised their personal information. Chopra Enterprises is notifying customers that payment cards used on its ecommerce site may have been compromised. Neil D. DiLorenzo CPA is notifying clients of unauthorized access to a system that contained files related to tax returns, and several clients have reported fraudulent activity related to their tax returns. NetCredit is warning a small percentage of customers that an unauthorized party used their credentials to access their accounts.
Other data breaches: A misconfiguration at Florida Virtual School led to the personal information of 368,000 students as well as thousands of former and current Leon County Schools employees being compromised. Okaloosa County Water and Sewer said that individuals may have had their payment card information stolen due to a breach involving external vendors that process credit and debit card payments. The Nampa School District said that an email account compromise may have compromised the personal information of 3,983 current and past employees. A cyber-attack at the Port of Longview may have exposed the personal information of 370 current and former employees as well as 47 vendors.
Arrests and legal actions: A Maryland Man was sentenced to 12 years in prison for his role in a multi-million dollar identity theft scheme that claimed fraudulent tax refunds over a seven-year period. The owner of Smokin’ Joe’s BBQ in Missouri has been charged with various counts related to the use of stolen credit cards. Svitzer said that 500 employees are impacted by the discovery of three employee email accounts in finance, payroll, and operations were auto-forwarding emails outside of the company for nearly 11 months without the company’s knowledge.
Other notable events: Up to 450 people who filed reports with Gwent Police over a two-year period had their data exposed due to security flaws in the online tool, and those people were never notified that their data may have been compromised. A security flaw on a Luxembourg public radio station may have exposed non-public information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

Cyber Risk Trends From the Past Week

Two of the largest data breaches of recent memory were back in the news this week due to Mossack Fonseca announcing that it is shutting down following the fallout from the Panama Papers breach as well as a former Equifax employee being charged with insider trading related to its massive breach.

Documents stolen from the Panamanian law firm Mossack Fonseca and leaked to the media in April 2016 were at the center of the scandal known as the Panama Papers, which largely revealed how rich individuals around the world were able to evade taxes in various countries.

“The reputational deterioration, the media campaign, the financial circus and the unusual actions by certain Panamanian authorities, have occasioned an irreversible damage that necessitates the obligatory ceasing of public operations at the end of the current month,” Mossack Fonseca wrote in a statement.

While Mossack Fonseca’s data breach appears to have finally led to the organization shutting down, Equifax’s massive breach announcement in September 2017 has since sparked a variety of regulatory questions, as well as criticism of the company’s leadership and allegations of insider trading.

Last week the SEC officially filed a complaint that alleges that Jun Ying, who was next in line to be the company’s global CIO, conducted insider trading by using confidential information entrusted to him by the company to conclude Equifax had suffered a serious breach, and Ying then exercised all of his vested Equifax stock options and sold the shares in the days before the breach was publicly disclosed.

“According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses,” the SEC wrote in a press release.

Ying also faces criminal charges from the U.S. Attorney’s Office for the Northern District of Georgia.

Weekly Cyber Risk Roundup: Olympic Malware and Russian Cybercrime

More information was revealed this week about the Olympic Destroyer malware and how it was used to disrupt the availability of the Pyeonchang Olympic’s official website for a 12-hour period earlier this month.

It appears that back in December, a threat actor may have compromised the computer system’s of Atos, an IT service provider for the Olympics, and then used that access to perform reconnaissance and eventually spread the destructive wiper malware known as “Olympic Destroyer.”

The malware was designed to delete files and event logs by using legitimate Windows features such as PsExec and Windows Management Instrumentation, Cisco researchers said.

Cyberscoop reported that Atos, which is hosting the cloud infrastructure for the Pyeongchang games, was compromised since at least December 2017, according to VirusTotal samples. The threat actor then used stolen login credentials of Olympics staff in order to quickly propagate the malware.

An Atos spokesperson confirmed the breach and said that investigations into the incident are continuing.

“[The attack] used hardcoded credentials embedded in a malware,” the spokesperson said. “The credentials embedded in the malware do not indicate the origin of the attack. No competitions were ever affected and the team is continuing to work to ensure that the Olympic Games are running smoothly.”

The Olympic Destroyer malware samples on VirusTotal contained various stolen employee data such as usernames and passwords; however, it is unclear if that information was stolen via a supply-chain attack or some other means, Cyberscoop reported.

Other trending cybercrime events from the week include:

Organizations expose data: Researchers discovered a publicly exposed Amazon S3 bucket belonging to Bongo International LLC, which was bought by FedEx in 2014, that contained more than 119 thousand scanned documents of U.S. and international citizens. Researchers found a publicly exposed database belonging to The Sacramento Bee that contained information on all 19 million registered voters in California, as well as internal data such as the paper’s internal system information, API information, and other content. Researchers discovered a publicly exposed network-attached storage device belonging to the Maryland Joint Insurance Association that contained a variety of sensitive customer information and other credentials. The City of Thomasville said that it accidentally released the Social Security numbers of 269 employees to someone who put in a public record request for employee salaries, and those documents were then posted on a Facebook page.
Notable phishing attacks: The Holyoke Treasurer’s Office in Massachusetts said that it lost $10,000 due to a phishing attack that requested an urgent wire payment be processed. Sutter Health said that a phishing attack at legal services vendor Salem and Green led to unauthorized access to an employee email account that contained personal information for individuals related to mergers and acquisitions activity. The Connecticut Airport Authority said that employee email accounts were compromised in a phishing attack and that personal information may have been compromised as a result.
User and employee accounts accessed: A phishing attack led to more than 50,000 Snapchat users having their credentials stolen, The Verge reported. A hacker said that it’s easy to brute force user logins for Freedom Mobile and gain access to customers’ personal information. Entergy is notifying employees of a breach of W-2 information via its contractor’s website TALX due to unauthorized individuals answering employees’ personal questions and resetting PINs.
Other notable events: Makeup Geek is notifying customers of the discovery of malware on its website that led to the theft of personal and financial information entered by visitors over a two-week period in December 2017. The Russian central bank said that hackers managed to steal approximately $6 million from a Russian bank in 2017 in an attack that leveraged the SWIFT messaging system. Western Union is informing some customers of a third-party data breach at “an external vendor system formerly used by Western Union for secure data storage” that may have exposed their personal information.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

Cyber Risk Trends From the Past Week

The U.S. government issued a formal statement this past week blaming the Russian military for the June 2017 outbreak of NotPetya malware. Then on Friday, the day after the NotPetya accusations, the Justice Department indicted 13 Russian individuals and three Russian companies for using information warfare to interfere with the U.S. political system, including the 2016 presidential election. Those stories have once again pushed the alleged cyber activities of the Russian government into the national spotlight.

A statement on NotPetya from White House Press Secretary Sarah Huckabee Sanders described the outbreak as “the most destructive and costly cyber-attack in history” and vowed that the “reckless and indiscriminate cyber-attack … will be met with international consequences.” Newsweek reported that the NotPetya outbreak, which leveraged the popular Ukrainian accounting software M.E. Doc to spread, cost companies more than $1.2 billion. The United Kingdom also publicly blamed Russia for the attacks, writing in a statement that “malicious cyber activity will not be tolerated.” A spokesperson for Russian President Vladimir Putin denied the allegations as “the continuation of the Russophobic campaign.”

It remains unclear what “consequences” the U.S. will impose in response to NotPetya. Politicians are still urging President Trump to enforce sanctions on Russia that were passed with bipartisan majorities in July. Newsday reported that congressmen such as democratic Sen. Chuck Schumer and republican representative Peter King have urged those sanctions to be enforced following Friday’s indictment of 13 Russians and three Russian companies.

The indictment alleges the individuals attempted to “spread distrust” towards U.S. political candidates and the U.S. political system by using stolen or fictitious identities and documents to impersonate politically active Americans, purchase political advertisements on social media platforms, and pay real Americans to engage in political activities such as rallies. For example, the indictment alleges that after the 2016 presidential election, the Russian operatives staged rallies both in favor of and against Donald Trump in New York on the same day in order to further their goal of promoting discord.

As The New York Times reported, none of those indicted have been arrested, and Russia is not expected to extradite those charged to the U.S. to face prosecution. Instead, the goal is to name and shame the operatives and make it harder for them to work undetected in future operations.

Weekly Cyber Risk Roundup: Bad Rabbit’s Parallel Attack, Paradise Papers Fallout

October’s Bad Rabbit ransomware attacks were back in the news this week due to a report that a series of phishing attacks occurred at the same time as the Bad Rabbit outbreak, and the parallel attacks may have been carried out by the same group.

The discovery also suggests that Ukraine may have been a key target of the attacks, despite Russian victims being more heavily targeted by Bad Rabbit.

The phishing attacks targeted users of Russian-designed 1C software with emails that appeared to be from the developer, the head of the Ukrainian state cyber police told Reuters. 1C products, including accounting software, are widely used in Ukraine.

The official said that 15 companies reported they were compromised by the attack, and it is possible that more people or organizations may have been affected due to 1C software’s wide use. The official also said the main theory is that both the Bad Rabbit and 1C phishing attacks were carried out by the same perpetrators with the goal of getting remote and undetected access in order to steal financial and confidential information. 1C’s developers did not respond to Reuters’ requests for comment about the phishing attacks, but a Ukrainian distributor confirmed that its users were targeted and that it warned them to take extra precautions.

Some researchers have suggested that the Bad Rabbit attacks were carried out by the same group behind June’s NotPetya outbreak. The NotPetya attack leveraged a back door that had been inserted into the M.E.Doc accounting software, which Reuters reported is used by 80 percent of Ukrainian companies. The use of popular Ukrainian accounting software during both NotPetya and attacks potentially linked to Bad Rabbit is yet another shared connection between the two events.

Other trending cybercrime events from the week include:

Data breach announcements: Verticalscope, which manages popular Web discussion forums, confirmed that it discovered an intrusion that provided access to the individual website files of six websites. Tween Brands is notifying customers that their personal information may have been compromised due the discovery of unauthorized access to a server. HumanGood is notifying customers that their personal information may have been compromised due to unauthorized access at a third-party benefits coordination vendor. North American Title Company is notifying customers that their personal information may have compromised due to an employee’s email account being accessed by an unauthorized third party. Wilbraham, Lawler & Buba and the East Central Kansas Area Agency on Aging announced ransomware attacks that could have also compromised personal information.
Data exposed: WikiLeaks released the source code for an alleged CIA hacking tool called “Hive,” and the release is just the first in a new series, dubbed “Vault 8,” that is intended to publish the source code from the variety of hacking tools described in the series of “Vault 7” publications earlier this year. A flaw in the website of the Australian Securities and Investments Commission (ASIC) exposes the search records and purchased documents of users such as investigative journalists and finance industry professionals. The website of the Scottish Appropriate Adult Network, which works with mentally impaired individuals that need help with the justice system, was shut down after it was found to be exposing the personal information of about 50 people. Klinger Moving Company is notifying employees that their personal information was briefly exposed due to a file that was stored on a company server being browsable via search engines.
Other notable incidents: NIC Asia Bank said that malicious actors initiated $4.4 million worth of fraudulent money transfers via the SWIFT messaging system last month; however, the bank was able to recover all but $580,000 of the funds. The anime streaming service Crunchyroll said that intruders planted a fake homepage that pushed a malicious “CrunchyViewer” program to its viewers for several hours. Approximately 800 school websites hosted by SchoolDesk displayed a pro-ISIS video after the company was hacked and a file was injected that redirected those websites to the video. Valley Family Medicine said that two now-former employees printed a mailing list of 8,450 patient names and addresses and used the list to make postcards informing them of a new practice.
Legal actions: A Pennsylvania man has been indicted for illegal trading via more than 50 hacked online brokerage accounts, which caused the firms servicing the accounts to lose more than $2 million. A former Minnesota resident has been charged with purchasing a year’s worth of DDoS attacks against his former employer Washburn Computer Group, as well as the networks of the Minnesota Judicial Branch, Hennepin County, and several banks. The UK’s Information Commissioner’s Office is warning employees to obey strict privacy laws on the heels of a charity worker at Rochdale Connections Trust being prosecuted for sending spreadsheets containing the personal information of 183 people to his personal email address.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

The hack of a large cache of sensitive documents from the offshore law firm Appleby, which was first reported several weeks ago, has already begun to have potentially wide-reaching ramifications.

The International Consortium of Investigative Journalists (ICIJ), which also drove the reporting around the 2016 “Panama Papers” leak, has dubbed the new leak the “Paradise Papers.”

The Guardian reported that the now-exposed Appleby documents contain information related to numerous prominent individuals and organizations, such as Donald Trump’s commerce secretary Wilbur Ross, Queen Elizabeth II and Prince Charles, associates of Canadian Prime Minister Justin Trudeau, social media platforms Twitter and Facebook, corporations Apple and Nike, a variety of wealthy private individuals, and hundreds more.

Appleby reiterated this week that the theft of its data was not a leak by an insider, but “a serious criminal act” carried out “by an intruder who deployed the tactics of a professional hacker.” The company has previously stated that it had “thoroughly and vigorously investigated the allegations” from the ICIJ and was “satisfied that there is no evidence of any wrongdoing, either on the part of ourselves or our clients.”

The BBC reported that although the 2016 Panama Papers were larger is size, the way the Paradise Papers “lifts the lid on sophisticated, upper-end offshore dealings” is unprecedented. For example, Gabriel Zucman, a professor of economics at the University of California, Berkeley, wrote in The New York Times that $70 billion, or close to 20 percent of all U.S. corporate tax revenue, is lost every year due to shifting corporate profits to tax havens.

The ICIJ and nearly 100 media groups are continuing to dig through the 13.4 million documents spanning seven decades that make up the Paradise Papers. The BBC said the papers include 6.8 million documents related to the Appleby breach, 6 million documents from corporate registries in mostly Caribbean jurisdictions, and a smaller amount from the Singapore-based international trust and corporate services provider Asiaciti Trust.

Dozens more stories related to the Paradise Papers will likely be published in the near future, although it remains to be seen what political, economic, or reputational fallout will accompany the organizations and individuals impacted by the leak.

Leaked Exploits Have Fueled Cybercrime So Far in 2017, Says New Report

Leaked exploits and increased cybercrime-as-a-service offerings — along with the expanding digital footprints of organizations — helped to fuel cybercrime in the first half of 2017, according to a mid-year threat intelligence report from SurfWatch Labs.

The global outbreaks of WannaCry and NotPetya have dominated headlines so far this year. Although vastly different from the record-setting, Marai-powered DDoS attacks that disrupted services in the second half of 2016, the report noted that those events share a similar root cause: leaked exploits and source code.

Download the report: “Leaked Exploits Fuel Cybercrime: State-Sponsored Exploits and Cybercriminal Services Empower Malicious Actors.”

“A year ago, our mid-year report showed the interconnectedness of cybercrime through extensive supply chain hacks and compromised IoT devices,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Find one weak link and maximize it for all it’s worth was the name of the game then … and that still happens today with even more evidence of how the criminal ecosystem maximizes efforts through shared resources, skills for hire and, sometimes, outright theft.”

CF_Types — SurfWatch Labs collected data on close to 4,000 different industry targets in the first half of 2017 across a variety of categories. The main categories – data breaches, cyber-attacks, illegal trading, vulnerabilities, advisories, and legal actions – are shown in the chart above, with larger circles indicating more threat intelligence activity for that target.

The leaked exploits and data from the NSA and CIA have received the most attention, but there was a wide range of other malware and source code leaks that could have consequences for organizations moving forward, such as:

the sale of the Kraken source code used in MongoDB and ElasticSearch extortion attacks;
the release of the Nuclear Bot (NukeBot) banking Trojan’s source code;
the creation of the Android BankBot Trojan from a commercial Trojan’s leaked source code;
and reports that claimed various malicious actors used tools leaked from surveillance company HackingTeam or created by Israeli cyber arms dealer the NSO Group in targeted attacks.

Just last week researchers reported that attackers were using modifying versions of NukeBot to target banks in France and the U.S.

“Much like leaked personal data, once those vulnerabilities, exploits, and tools are exposed, they forever remain in the cybercriminal public domain,” SurfWatch Labs’ report noted. “[Events such as WannaCry and NotPetya] reaffirmed that the most dangerous data breaches often involve the theft of such tools and exploits – and the impact of that type of information being leaked can spread further, wider, and be more long-lasting than perhaps any other type of cyber incident.”

SurfWatch Labs collected cyber threat data from thousands of open and dark web sources and then categorized, normalized and measured it for impact based on our CyberFact information model.

Some notable takeaways from the mid-year threat intelligence report include:

WannaCry ransomware was the most talked about malware out of nearly 1,200 tags, accounting for 8.6% of all malware tags, followed by the Industroyer malware at 4.8%.
Crimeware trade was the most prevalent tag related to cybercrime practices as malicious actors continued to buy, sell, and trade tools on dark web markets and cybercriminal forums, as well as develop more cybercrime-as-a-service options.
The percentage of extortion-related activity observed in 2017 has more than doubled from 2015 levels and increased by more than 40% when compared to 2016 levels. More industry targets were publicly tied to ransomware and extortion over just the first half of 2017 than in all of either 2014, 2015, or 2016.
Cybercriminals expanded upon successful business email compromise (BEC) scams to implement more attacks. For example, more than 200 organizations reported W-2 data breaches due to phishing messages in the first half of 2017 – a rise from the 175 reported in 2016.
The percent of government cybercrime-related threat data collected by SurfWatch Labs more than doubled from the previous two periods (from 13% to nearly 27%), and government was the top trending overall sector for the time frame (followed by IT at 25% and consumer goods at 17%).
The CIA was the top trending cybercrime target of the period due a nearly weekly series of data dumps from WikiLeaks (followed by Microsoft, the NSA, Twitter, and England’s National Health Service).

“As we’ve repeatedly seen over the past few years, a major breach is rarely isolated, and information stolen or leaked from one organization can be leveraged to attack numerous other organizations,” Meyer said. “Whether it is personal information, credentials, intellectual property, or vulnerabilities and exploits, actors will build off of that hard work and the previous success of other actors by incorporating that information into new campaigns.”

Read the full, complimentary report: http://info.surfwatchlabs.com/cyber-threat-trends-report-1h-2017

Weekly Cyber Risk Roundup: Three Ethereum Heists and NotPetya Fallout Continues

The cryptocurrency Ethereum made numerous headlines this past week due to three separate multi-million dollar thefts: one due to a bug in the code of the Parity Ethereum client, one caused by a website hack that redirected funds meant for the Initial Coin Offering (ICO) of Coindash, and one tied to a hacker managing to steal VERI tokens during the ICO of Veritaseum.

The largest theft involved a bug found in the multi-signature wallet code used as part of Parity Wallet software, which led to 3 wallets being exploited and reports of more than 150,000 ETH (approximately $34 million) being stolen. As Parity noted, a total of 596 multi-sig wallets were vulnerable, but the vast majority of the funds in those wallets were commandeered by a group known as the White Hat Group in order to prevent the theft of an additional 377,000 ETH (approximately $85 million).

That theft followed an announcement from Coindash that an actor had managed to gain access to its official website during the company’s ICO and changed the text on the site to an ether wallet address likely controlled by the attacker — resulting in investors sending $10 million worth of Ether to the fraudulent address. The company’s developers said that “all CoinDash investors will get their tokens”; however, Coin Desk reported that individuals who made transactions after the website was shut down will not be compensated.

Finally, Veritaseum confirmed that a malicious actor stole $8.4 million worth of VERI tokens from the platform’s ICO on July 23. The attackers immediately resold the tokens during the “very sophisticated” attack. Not much was disclosed about the attack, but “there is at least one corporate partner that may have dropped the ball and be liable,” the company’s founder said.

Other trending cybercrime events from the week include:

More information exposed due to errors: Dow Jones & Company confirmed that at least 2.2 million customers had their data exposed due to an Amazon Web Services S3 bucket that was configured to allow any AWS “Authenticated Users” to download the data. In addition, the leak contained the details of 1.6 million entries in a suite of databases known as Dow Jones Risk and Compliance, a set of subscription-only corporate intelligence programs used largely by financial institutions for compliance with anti-money laundering regulations. Security researchers discovered an insecure database owned by the data services company DM Print that had 31,000 records, including administrative credentials for the database. With that information, anyone could access highly sensitive health information such as names, date of births, NIN numbers, addresses, investment data, and more. Travel company Flight Centre said that the personal information and customer passports “relating to some leisure customers in Australia was accidentally made available to a small number of potential third party suppliers for a short period of time.”

Insider breaches: An employee at Bupa copied and removed insurance information relating to 108,000 international insurance plans affecting 547,000 customers. The company said the data included names, dates of birth, nationalities, and some contact and administrative information. Detroit Medical Center is notifying 1,529 patients of a breach at a contracted staffing agency where an employee provided their information to unauthorized individuals. The breach occurred between March 2015 and May 2016. The Nova Scotia Health Authority said that 337 patients had their personal health information accessed inappropriately in two separate incidents involving six employees.

More energy sector warnings: The UK’s National Cyber Security Centre (NCSC) warned that state-sponsored actors are targeting the country’s energy sector and that “a number of Industrial Control System engineering and services organisations” have likely been compromised. The warnings followed similar alerts from U.S. agencies about hackers successfully targeting U.S. energy companies. While other sectors have been targeted, the focus of the attacks are engineering, industrial control, and water sector companies, the NCSC said.

Other notable incidents: Domain name registrar Gandi said that an unauthorized connection that occurred at one of the technical providers it uses to manage a number of geographic TLDs led to 751 domains having their traffic forwarded to a malicious site exploiting security flaws in several browsers. There were 22 breach incidents in the Veterans Administration’s monthly reports to Congress between May 2016 and June 7, 2017, and only one of those breaches received any media coverage at the time, according to data obtained via a Freedom of Information Act request by databreaches.net. A dark web vendor going by the name “dnu2k” is selling data tied to dadeschools.net, k12.wi.us, and other “freshly hacked emails.” The latest dump of CIA documents from WikiLeaks involves contractor Raytheon Blackbird Technologies providing “Proof-of-Concept ideas and assessments for malware attack vectors” to the agency.

Cyber Risk Trends From the Past Week

The picture of the damage cause by the NotPetya global outbreak in late June continues to crystallize as more companies reveal the details and fallout of their infections.

For starters, FedEx said that some of the damage caused by the NotPetya attack may be permanent, particularly when it comes to TNT Express B.V., which FedEx acquired in May 2016. Some of TNTs customers were “still experiencing widespread service and invoicing delays” nearly three weeks after the NotPetya infection, according to SEC documents filed by FedEx.

“We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus,” FedEx wrote in its filing. That filing listed more a dozen types of costs and damages potentially resulting from the incident — ranging from operational disruption to remediation to permanent customer loss to litigation.

In addition, the France-based Compagnie de Saint Gobain SA said that a preliminary assessment of the NotPetya infection estimated the incident would cost the company approximately 1% of first half sales. That equates to approximately €200 million as a result of the attack, The Street reported.

Earlier this month, The Guardian reported that Reckitt Benckiser, a British consumer goods company, may lose around €100 million due to NotPetya. In addition, Mondelez, the maker of Oreo cookies, said that the attack had disrupted shipping and invoicing during the last four days of the second quarter and that in a few markets the company had “permanently lost some of that revenue due to holiday feature timing.”

NotPetya may not have generated nearly as much extortion money as other ransomware — if that was even its intention to begin with — however, the global attack has proven quite impactful for numerous organizations so far. The second half of 2017 will likely see the total costs of the attack become more clear as other organizations reveal more details about how NotPetya affected their operations — and how the fallout from the attack has impacted the year’s financial projections.

Weekly Cyber Risk Roundup: Banks Threatened with DDoS Attacks and Researchers Investigate NotPetya

South Korean financial institutions dominated the week’s top trending targets due to a series of extortion demands that have threatened distributed denial-of-service (DDoS) attacks unless those institutions pay between 10 and 15 bitcoins ($24,000 to $36,000) in ransom each.

At least 27 financial institutions received the extortion demands from a group claiming to be the Armada Collective, including major banks, security companies, and the Korea Exchange, the Korea Joongang Daily reported. It is unclear if the group behind the threats is associated with the real Armada Collective, or if it is yet another group that is attempting to leverage the popular extortionists identity in order to gain credibility. In early 2016, a group was able to successfully extort more than $100,000 by threatening DDoS attacks under the Armada Collective name — but researchers concluded that specific threat was empty and the group never actually carried out any attacks — despite being profitable.

According to The Korea Times, the group carried out a small attack last Monday on the Korea Financial Telecommunications & Clearings Institute (KFTC), Suhyup Bank, DGB Daegu Bank, and JB Bank — with a promise of more powerful attacks to come in the future if the institutions do not pay their ransoms by the July 3 deadline. The DDoS attacks did not disrupt any services, the Times reported, and the small DDoS attack against KFTC last Monday lasted for only 16 minutes. Previous extortion campaigns have seen groups using a similar tactic of small DDoS attacks to prove they have some capability and lend credibility to their threats; however, the full capabilities of the group behind the most recent demands is unclear.

It is possible that the group is simply looking for easy blackmail targets following the recent $1.1 million dollar ransom payment that was made by South Korean web hosting firm Nayana. Researchers had previously speculated that the large ransom payment could lead to more South Korean organizations being targeted.

Other trending cybercrime events from the week include:

Attackers target government: Dozens of email accounts belonging to members of parliament and peers were breached during “a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords.” A hacker going by the name “Vigilance” said that he gained access to 23 state of Minnesota databases and was able to steal 1,400 email addresses and some corresponding “weakly encrypted” passwords. The hacker then published the information in protest of the police officer charged with killing Philando Castile being found not guilty. Multiple government websites were defaced with pro-ISIS propaganda and a logo saying the hack was carried out by “Team System DZ.”

Organizations expose more data: The personal information of 2,200 Aetna customers in Ohio and Texas was compromised due to their data being “inappropriately available for a period of time.” Corpus Christi Independent School District said that it is notifying 6,100 individuals that employee names and Social Security numbers from late 2016 through early 2017 were inadvertently made visible online. The Campbell River School District is warning parents and guardians of Timberline Secondary students that their personal information may have been “inappropriately accessed” due to a file being left on a shared drive that students and staff could access. Users of the UK government’s data dashboard, data.gov.uk, were asked to change their passwords after a file containing their names, email addresses, and hashed passwords was left publicly accessible on a third-party system.

Disgruntled employees harm employers: A Pennsylvania man has been sentenced to one year and one day in prison for hacking and damaging the IT networks of several water utility providers across the U.S. East Coast. A disgruntled employee led to a breach of Professional Counseling and Medical Associates’ electronic health records system. The FBI said a former employee of Transformations Autism Treatment Center tried to hack into the company’s computer system and steal the personal information of autistic children.

Other notable incidents: Internet radio service 8tracks said that a copy of its user database has been leaked, including usernames, email addresses, and SHA1-hashed passwords. The full leaked dataset includes around 18 million accounts. Information security consultant Paul Moore reported a data breach involving Kerv after he received both an email from an “anonymous” Kerv user that “had inside information which wouldn’t otherwise be available” and admin credentials from a Tor address. Acting State Supreme Court Justice Lori Sattler told police that she was scammed out of $1,057,500 when she responded to an email impersonating her real estate lawyer and wired the money to an account at the Commerce Bank of China. Two men who are suspected to be part of an international group that hacked into Microsoft’s network in early 2017 have been arrested by British police.

Cyber Risk Trends From the Past Week

One of the biggest stories that occurred last week was the spread of a ransomware/wiper malware known as NotPetya.

The outbreak was similar to May’s quick spread of the WannaCry ransomware, and those that were infected across the Ukraine, the UK, the Netherlands, India, Spain, Denmark, and elsewhere were shown a ransom demand asking for $300 in bitcoin along with contact details. However, various researchers quickly concluded that the intention behind the attack was likely disruption, not monetary gain.

Previous versions of similar ransomware like Petya used a personal infection ID that contained crucial information for the key recovery, Kaspersky explained in its analysis. However, the NotPetya malware uses randomly generated data in place of that personal key. That means that the attackers have little hope of actually recovering their data, even if they wanted to do so.

As Ars Technica noted, other researchers have come to similar conclusions about NotPetya. Matt Suiche of Comae Technologies concluded that the ransomware aspect of NotPetya may a have been a front to push the media narrative towards the attacker being an unknown cybercriminal group rather than a nation-state attacker with data destruction in mind.

The head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection agreed with that assessment, saying “I think this [NotPetya malware] was directed at us” and that the event was definitely not a criminal attack, but likely a state-sponsored one carrying over from Ukraine’s ongoing cyberwar with Russia. That theory is not confirmed, but as SurfWatch Labs noted, “strong evidence points to the attack beginning with the hacking of the Ukrainian accounting software MeDoc where the automatic update feature was used to download the worm.”

Ukraine’s security service SBU announced that a number of international organizations are helping to investigate the NotPetya attacks and identify the culprits, so more information about the attacks will likely be announced in the near future.