TribLIVE | Investigative


CYBER RATTLING: THE NEXT THREAT
ANDREW RUSSELL | TRIB TOTAL MEDIA
THE BEGINNING

Thirty years after a young hacker played by Matthew Broderick nearly triggered a nuclear war in the movie "WarGames," fears of malicious computer attackers causing real‐world destruction are an everyday reality.

Online attacks, such as those recently aimed at U.S. banks and the Federal Reserve, represent a new front in wars fought with computer keystrokes rather than weapons. Costly to the banks, the attacks merely annoyed customers who could not access their accounts online.

Future strikes, top military experts warn, could be destructive — even deadly — targeting nuclear power plants, public water systems, railways, air traffic control and hospitals.

"People have realized that cyberspace — just like land, air and sea — is another domain that they need to defend, control and protect," said David Brumley, a computer security researcher at Carnegie Mellon University. "Cyber attacks are part of a covert war right now."

Discovered in 2010, the computer worm Stuxnet went where only science‐fiction movies had gone before — leaping out of digital code to destroy Iran's uranium‐enrichment centrifuges by making them spin out of control.

[Infographic] Every 3 seconds: There is roughly one victim of identity theft in the U.S. every 3 seconds. That's 15 per minute, 913 per hour, 22,000 per day, 8 million per year.


HACKERS' NEW DYRE MALWARE INFECTS W.PA. COMPUTERS, VEXES FBI CYBER AGENTS

BY ANDREW CONTE

Pittsburgh‐based FBI cyber agents who brought down an international Russian hacking syndicate in May are now focusing on two new targets that have caused significant damage, the Tribune‐Review has learned.


Like the Gameover Zeus malware that agents shut down, another malware called Dyre allows hackers to steal online bank passwords and other identification by infecting users' computers to make it seem they are communicating with their financial institution.


Dyre has hit victims across Western Pennsylvania. Private industry experts told the Trib that they believe hackers in Eastern Europe devised the malware, and they said it seems ready to blow up across computer networks.


J. Keith Mularski, the FBI's cyber supervisory agent, said he "won't confirm or deny" whether an investigation is under way.


"I can say we are actively assessing the situation, especially here in Pittsburgh, to see how these financial botnets are affecting the businesses in our district," he said. "There are large spam campaigns that are going on."


FBI agents are working with private‐sector companies to assess Dyre — also known as Dyreza — and a second, similar malware called Cridex, which has primarily targeted European victims. Mularski said it's "too premature" to say whether the agency might attempt a large‐scale counterattack, such as the one it conducted against the Russian‐based network behind Gameover Zeus.


Both Dyre and Cridex have some advantages over the Zeus variants of malware, said Peter Kruse, a security specialist at CSIS Security Group, a computer security company in Denmark. Both let hackers listen in on the communication between the victim and his online bank and mount a real‐time attack during a financial transaction.


"Dyreza and Cridex are definitely causing a lot of losses for a lot of online banking systems," Kruse told the Trib. "They are very aggressive, motivated and … complex types of malware."


In cyber attacks, Dyre, Cridex and other malware operate like missiles, allowing hackers to deliver different kinds of payloads, said Tal Klein, vice president of strategy at Adallom, a computer security company in Palo Alto, Calif. Researchers there analyzed a variant of Dyre this summer.



Gameover Zeus worried investigators because its specific payload seemed to be directed by an organized syndicate bent on widespread theft. It infected more than a half‐million computers around the world as criminals stole more than $100 million in the United States alone.


The FBI defeated Gameover Zeus by teaming up with private cyber security companies and university experts to poison the hackers' computers. Agents formed an international coalition to shut down servers and search computers used by the cyber attackers.


US‐CERT, a cyber response team at the Department of Homeland Security, put out an alert this week warning companies about the Dyre malware, saying it "has targeted a wide variety of recipients." The attacks use various tactics but focus on tricking victims into opening email attachments and downloading malicious software, it said.


A Homeland Security spokesman declined to talk about Dyre and the attacks.


"The reason that US‐CERT is starting to get paranoid about Dyre is because the behavior is starting to look a lot like that syndicate behavior," Klein said. "… By syndicate, it could be a nation‐state. It could be the Mafia. We don't really know necessarily who. It's not necessarily the same people as the Zeus people, but we're starting to see that it's an organized effort."


FBI agents don't know whether the hackers are the same, Mularski said, but believe it's originating in Eastern Europe.


Evgeniy Mikhailovich Bogachev, who was identified as the mastermind behind the Gameover Zeus attacks, remains on the FBI's cyber Most Wanted list and is presumed to be in Russia. A Justice Department civil complaint filed at the same time identified four other hackers by their online handles, and a separate criminal case out of Nebraska named eight conspirators in Russia, Ukraine and the United Kingdom.


Ronnie Tokazowski, a senior researcher at PhishMe, a computer security company in Chantilly, Va., discovered Dyre in the early summer when a company employee received an email with the malware hidden in an attached zip file. Tokazowski reverse‐engineered the malware and realized that it looked different from anything else researchers had seen.


As the first to find the new attack, Tokazowski could have named it anything but went with Dyre, a word that appeared within the code and that seemed to be the name hackers were using. Since Tokazowski went public, other cyber security companies have referred to the malware by other names like Dyreza.


The hackers responded in subsequent iterations of the attack by inserting words into the code saying, "I'm Dyre," confirming the name, and "Slava Ukraini," or "Glory to Ukraine." Investigators don't know whether that means the attack came out of Ukraine or from Russian hackers trying to make it appear Ukrainian in origin, but it seems linked to the fighting going on between the countries, Tokazowski said.


Dyre typically spreads by getting victims to click on an email attachment that includes an infected zip file. Despite repeated warnings, users continue to confound and exasperate computer security experts by opening files from people they do not know.


"What we've been telling customers is: 'Try not to click zip files inside of emails,' " Tokazowski said. "Across the whole spectrum, the easiest way to help protect against these (attacks) is to train your users not to click inside of a zip file. … I think it really falls down to just users aren't trained to be able to tell the difference."
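The delivery method described above (a zip attachment whose contents the user is talked into opening) is one that a mail gateway can screen for before the message reaches anyone's inbox. The following is an added example, not code from the Trib article or from any of the companies it quotes: it parses a raw email, pulls out every zip attachment, and flags members that Windows would execute on a double-click, members that hide an executable behind a document-looking double extension, nested archives, and encrypted members that a scanner cannot look inside. The message, the zip and all function names (`inspect_zip`, `triage_message`, `build_zip`, `build_sample_message`, `should_quarantine`) are constructed for this illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows launches directly when double-clicked (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk", ".ps1", ".msi"}
# Archives inside archives: a common trick to get past a gateway that only inspects one level.
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz", ".cab"}


def _suffixes(name):
    """All dotted suffixes of a member's base name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_zip(data):
    """Return (member_name, reason) findings for one zip attachment given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            sfx = _suffixes(info.filename)
            last = sfx[-1] if sfx else ""
            if last in EXECUTABLE_EXTS:
                reason = f"executable content ({last})"
                if len(sfx) >= 2:
                    reason += ", disguised with a double extension"
                findings.append((info.filename, reason))
            elif last in ARCHIVE_EXTS:
                findings.append((info.filename, "nested archive"))
            if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag = encrypted entry
                findings.append((info.filename, "encrypted member (cannot be scanned)"))
    return findings


def triage_message(raw):
    """Parse a raw RFC 822 message and inspect every zip attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        if name.lower().endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            report[name] = inspect_zip(part.get_payload(decode=True))
    return report


def should_quarantine(raw):
    """Gateway decision: hold the message if any zip attachment produced a finding."""
    return any(findings for findings in triage_message(raw).values())


def build_zip(members):
    """Constructed helper: build an in-memory zip from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message(zip_bytes, attachment_name="Invoice_0921.zip"):
    """Constructed sample lure: a short invoice email with the given zip attached."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Your invoice is attached. Please review today.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed lure: a member named like a PDF but ending in .exe, plus a harmless text file.
    lure = build_zip({"Invoice_0921.pdf.exe": b"MZ placeholder, not a real binary",
                      "readme.txt": b"Please see the attached invoice."})
    raw = build_sample_message(lure)
    for attachment, findings in triage_message(raw).items():
        print(attachment)
        for member, reason in findings:
            print(f"  {member}: {reason}")
    print("quarantine:", should_quarantine(raw))
```

Run as-is, the script reports the disguised executable and returns a quarantine verdict; a zip holding only documents produces an empty report and passes. In production the same `inspect_zip` would run against attachments pulled from the gateway's message stream, and encrypted members would typically be held rather than passed, since the "cannot be scanned" finding is exactly the gap the attacker is relying on.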


The FBI recommends that companies using online banking should have a terminal just for financial transactions, separate from computers they use to surf the Internet or check email, Mularski said.


In a twist, hackers might actually be seeking the easiest targets with the Dyre attacks, Klein said. People who click on the infected email also are the most likely to have outdated security measures and weak banking authentications, he said.


"The cyber war is very similar to the war on drugs or the war on crime," Klein said. "There's never a silver bullet. You're just constantly trying to get back to the status quo. You're trying to get back to normal."


Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412‐320‐7835 or andrewconte@tribweb.com.


ONLINE PROJECT CREDITS: JIM WILHELM, INVESTIGATIVE EDITOR; LISA FUQUA, WEB PROGRAMMER; MELANIE WASS, SENIOR DESIGNER;