
Friday, December 19, 2014

JUSTICE DEPARTMENT GIVES UPDATE ON SONY INVESTIGATION AND THE "GUARDIANS OF PEACE"

FROM:  U.S. JUSTICE DEPARTMENT 
Friday, December 19, 2014
Update in Sony Investigation

Today, the FBI would like to provide an update on the status of our investigation into the cyber attack targeting Sony Pictures Entertainment (SPE).  In late November, SPE confirmed that it was the victim of a cyber attack that destroyed systems and stole large quantities of personal and commercial data.  A group calling itself the “Guardians of Peace” claimed responsibility for the attack and subsequently issued threats against SPE, its employees, and theaters that distribute its movies.

The FBI has determined that the intrusion into SPE’s network consisted of the deployment of destructive malware and the theft of proprietary information as well as employees’ personally identifiable information and confidential communications.  The attacks also rendered thousands of SPE’s computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company’s business operations.

After discovering the intrusion into its network, SPE requested the FBI’s assistance.  Since then, the FBI has been working closely with the company throughout the investigation.  Sony has been a great partner in the investigation, and continues to work closely with the FBI. Sony reported this incident within hours, which is what the FBI hopes all companies will do when facing a cyber attack.  Sony’s quick reporting facilitated the investigators’ ability to do their jobs, and ultimately to identify the source of these attacks.

As a result of our investigation, and in close collaboration with other U.S. Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.  While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed.  For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. Government has previously linked directly to North Korea.  For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.

We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there.  Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States.  Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart.  North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.  Such acts of intimidation fall outside the bounds of acceptable state behavior.  The FBI takes seriously any attempt – whether through cyber-enabled means, threats of violence, or otherwise – to undermine the economic and social prosperity of our citizens.

The FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential business information.  Further, the FBI will continue to work closely with multiple departments and agencies as well as with domestic, foreign, and private sector partners who have played a critical role in our ability to trace this and other cyber threats to their source.  Working together, the FBI will identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests.

Wednesday, March 26, 2014

SEC COMMISSIONER AGUILAR SPEAKS ON GROWING CYBER-THREAT

FROM:  SECURITIES AND EXCHANGE COMMISSION 
The Commission’s Role in Addressing the Growing Cyber-Threat

Commissioner Luis A. Aguilar

March 26, 2014

*I would like to start by welcoming each of the participants, audience members, and those joining us by webcast.

In recent months, cybersecurity has become a top concern to American companies, regulators, and law enforcement agencies.[1]  This is in part because of the mounting evidence that the constant threat of cyber-attack is real, lasting, and cannot be ignored.

One of the most prominent examples of the wide-ranging and potentially devastating effects that can result from cyber-attacks is the December 2013 data breach of Target Corporation.[2]  In addition, several large banks have repeatedly been the subject of denial-of-service attacks in which their public websites have been knocked offline for hours at a time,[3] and numerous government agencies have also experienced a series of cyber-attacks.[4]  Moreover, cyber-attacks on financial institutions have become both more frequent and more sophisticated.[5]  This is also true of cyber-attacks on the infrastructure underlying the capital markets.  For example, according to a 2012 global survey of securities exchanges, 89% identified cyber-crime as a potential systemic risk and 53% reported experiencing a cyber-attack in the previous year.[6]

As an SEC Commissioner, I have become particularly concerned about the risks that cyber-attacks pose to public companies, and to the capital markets and its critical participants, including the exchanges, clearing agencies, transfer agents, broker-dealers, and investment advisers.  Cyber-attacks aimed at these market participants can have devastating effects on our economy, on individual consumers, and on the markets and investors that the SEC was created to safeguard.

There is no doubt that the SEC must play a role in this area.  What is less clear is what that role should be.  As many of you know, in 2011 the staff issued guidance to public companies about their disclosure obligations with respect to cybersecurity risks and cyber incidents.[7]  I hope that these disclosures have helped investors and public companies to focus and assess cybersecurity issues.  However, the increased pervasiveness and seriousness of the cybersecurity threat raises questions about whether more should be done to ensure the proper functioning of the capital markets and the protection of investors.

As I explored this issue, it became readily apparent to me that the Commission has much to learn about the specific risks that our regulated entities and public companies are facing.  After conducting research into this area, I recommended that the Commission convene a roundtable so that we can begin to develop a better understanding of this growing problem.  I am pleased that Chair White agreed with my recommendation and asked the staff to make this roundtable a reality.

The issues that will be discussed by today’s four panels can roughly be broken down into two categories – issues potentially impacting public companies and issues impacting the capital market infrastructure and SEC-regulated entities.  With regard to the public company discussion, I am particularly interested in hearing whether the current disclosure regime under the 2011 guidance is working or how it could be improved.

The risks facing the capital market infrastructure and regulated entities are of particular concern to the SEC.  For instance, a cyber-attack on an exchange or other critical market participant can have broad consequences that impact a large number of public companies and their investors.  Indeed, given the extent to which the capital markets have become increasingly dependent upon sophisticated and interconnected technological systems, there is a substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.

I am hopeful that today’s Roundtable will engender significant discussion about the ways in which regulators and industry can work together to address these risks.  One of the most important things that can develop from this Roundtable is for the Commission to hear what we can do to help you fight, and respond to, the growing cyber-threat that is confronting our markets and our public companies.  My expectation is for the Commission to analyze all of the information we will receive as a result of this Roundtable and, with appropriate haste, consider what additional steps the Commission should take to address cyber-threats.

It will be important to keep the dialogue and momentum from today’s event going.  One immediate step the Commission should take is to establish a Cybersecurity Task Force.  This Task Force should be composed of representatives from each division that will regularly meet and communicate with one another to discuss these issues, and, importantly, advise the Commission as appropriate.

In conclusion, I would like to thank all of our panelists for taking the time to be here today, and I want to thank the staff for organizing the Roundtable.  I look forward to a well-informed discussion about cyber-attacks, as well as the ways to prevent, respond to, and mitigate the risks of such attacks.  As a reminder, there will be a public comment file associated with today’s Roundtable, and I look forward to receiving additional comments and input on this issue.

Thank you.


[*] The views I express today are my own, and do not necessarily reflect the views of the U.S. Securities and Exchange Commission (the “SEC” or “Commission”), my fellow Commissioners, or members of the staff.


[1] For example, on February 26, 2014, the U.S. Commodity Futures Trading Commission (“CFTC”) published guidance outlining the data security practices it expects from firms it oversees and the third parties they contract with.  See CFTC Staff Advisory No. 14-21, Gramm-Leach-Bliley Act Security Safeguards (Feb. 26, 2014), available at http://www.cftc.gov/ucm/groups/public/@lrlettergeneral/documents/letter/14-21.pdf.  In addition, the Director of the Federal Bureau of Investigation (FBI), James Comey, said last November that “resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.”  See Testimony of James B. Comey, Director, Federal Bureau of Investigation, before the Senate Committee on Homeland Security and Governmental Affairs (Nov. 14, 2013), available at http://www.fbi.gov/news/testimony/homeland-threats-and-the-fbis-response.  Also, on December 9, 2013, the Financial Stability Oversight Council held a meeting to discuss cybersecurity threats to the financial system; see also, U.S. Department of the Treasury Press Release, Financial Stability Oversight Council (FSOC) to Meet December 9 (Dec. 2, 2013), available at http://www.treasury.gov/press-center/press-releases/Pages/jl2228.aspx; Jaclyn Jaeger, “Boards Look to Boost IT, Data Security Oversight,” Compliance Week (Mar. 11, 2014) (noting that company boards have become much more sensitive to cybersecurity risks and the harm they could cause to a company’s reputation and business).  The importance of this issue is also reflected in the recent notices that the staffs from the SEC’s Office of Compliance Inspections and Examinations and from FINRA will have cybersecurity as a focus of their 2014 examinations.  See SEC’s National Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; FINRA’s 2014 Regulatory and Examination Priorities Letter (Jan. 2, 2014), available at http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p419710.pdf.  In addition, it was recently announced that SEC examiners will review whether asset managers have policies to prevent and detect cyber-attacks and are properly safeguarding against security risks that could arise from vendors having access to their systems.  See Sarah N. Lynch, “SEC examiners to review how asset managers fend off cyber attacks,” Reuters (Jan. 30, 2014), available at http://www.reuters.com/article/2014/01/30/us-sec-cyber-assetmanagers-idUSBREA0T1PJ20140130.

[2] On December 19, 2013, Target Corporation announced a data breach resulting from a cyber-attack on its systems.  The breach affected two types of data: payment card data, which affected approximately 40 million Target customers, and certain personal data, which affected up to 70 million Target customers.  See Testimony of John Mulligan, Executive Vice President and Chief Financial Officer of Target, before the U.S. Senate Committee on the Judiciary (Feb. 4, 2014), available at http://www.judiciary.senate.gov/pdf/02-04-14MulliganTestimony.pdf; Target Press Release, Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores (Feb. 4, 2014), available at http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores.

[3] See, e.g., Joseph Menn, “Cyber attacks against banks more severe than most realize,” Reuters (May 18, 2013), available at http://www.reuters.com/article/2013/05/18/us-cyber-summit-banks-idUSBRE94G0ZP20130518; Bob Sullivan, “Bank Website Attacks Reach New Highs,” CNBC (Apr. 3, 2013), available at http://www.cnbc.com/id/100613270.

[4] See, e.g., Jim Finkle and Joseph Menn, “FBI warns of U.S. government breaches by Anonymous hackers,” Reuters (Nov. 15, 2013), available at http://www.reuters.com/article/2013/11/15/us-usa-security-anonymous-fbi-idUSBRE9AE17C20131115 (activist hackers secretly accessed U.S. government computers in multiple agencies, resulting in stolen data on at least 104,000 employees, contractors, and others associated with the Department of Energy, along with information on almost 2,000 bank accounts); “HealthCare.gov targeted ‘about 16 times’ by cyberattacks, DHS official says,” NBCNews.com (Nov. 13, 2013), available at http://www.nbcnews.com/news/investigations/healthcare-gov-targeted-about-16-times-cyberattacks-dhs-official-says-v21440068.

[5] For example, on December 9, 2013, the Financial Stability Oversight Council held a meeting to discuss cybersecurity threats to the financial system.  See U.S. Department of the Treasury Press Release, Financial Stability Oversight Council (FSOC) to Meet December 9 (Dec. 2, 2013), available at http://www.treasury.gov/press-center/press-releases/Pages/jl2228.aspx.  During that meeting, Assistant Treasury Secretary Cyrus Amir-Mokri said that “[o]ur experience over the last couple of years shows that cyber-threats to financial institutions and markets are growing in both frequency and sophistication.”  See U.S. Department of the Treasury Press Release, Remarks of Assistant Secretary Cyrus Amir-Mokri on Cybersecurity at a Meeting of the Financial Stability Oversight Council (Dec. 9, 2013), available at http://www.treasury.gov/press-center/press-releases/Pages/jl2234.aspx.  In addition, in testimony before the House Financial Services Committee in 2011, the Assistant Director of the FBI’s Cyber Division stated that the number and sophistication of malicious incidents involving financial institutions has increased dramatically over the past several years and offered numerous examples of such attacks, which included fraudulent monetary transfers, unauthorized financial transactions from compromised bank and brokerage accounts, denial of service attacks on U.S. stock exchanges, and hacking incidents in which confidential information was misappropriated.  See Testimony of Gordon M. Snow, Assistant Director, Cyber Division, Federal Bureau of Investigation, before the House Financial Services Committee, Subcommittee on Financial Institutions and Consumer Credit (Sept. 14, 2011), available at http://www.fbi.gov/news/testimony/cybersecurity-threats-to-the-financial-sector.

[6] See Rohini Tendulkar, “Cyber-crime, securities markets and systemic risk,” Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges (July 16, 2013), available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf.  Forty-six securities exchanges responded to the survey.

[7] On October 13, 2011, staff in the Commission’s Division of Corporation Finance (Corp Fin) issued guidance on issuers’ disclosure obligations relating to cybersecurity risks and cyber incidents.  See SEC’s Division of Corporation Finance, CF Disclosure Guidance: Topic No. 2—Cybersecurity (“SEC Guidance”) (Oct. 31, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.  Among other things, this guidance notes that securities laws are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision, and cybersecurity risks and events are not exempt from these requirements.  The guidance identifies six areas where cybersecurity disclosures may be necessary under Regulation S-K: (1) Risk Factors; (2) Management’s Discussion and Analysis of Financial Condition and Results of Operation (MD&A); (3) Description of Business; (4) Legal Proceedings; (5) Financial Statement Disclosures; and (6) Disclosure Controls and Procedures.  The SEC Guidance further recommends that material cybersecurity risks should be disclosed and adequately described as Risk Factors.  Where cybersecurity risks and incidents represent a material event, trend or uncertainty reasonably likely to have a material impact on the organization’s operations, liquidity, or financial condition, they should be addressed in the MD&A.  If cybersecurity risks materially affect the organization’s products, services, relationships with customers or suppliers, or competitive conditions, the organization should disclose such risks in its description of business.  Data breaches or other incidents can result in regulatory investigations or private actions that are material and should be discussed in the Legal Proceedings section.  Cybersecurity risks and incidents that represent substantial costs in prevention or response should be included in Financial Statement Disclosures where the financial impact is material.  Finally, where a cybersecurity risk or incident impairs the organization’s ability to record or report information that must be disclosed, Disclosure Controls and Procedures that fail to address cybersecurity concerns may be ineffective and subject to disclosure.  Some have suggested that such disclosures fail to fully inform investors about the true costs and benefits of companies’ cyber security practices, and argue that the Commission (and not the staff) should issue further guidance regarding issuers’ disclosure obligations.  See Letter from U.S. Senator John D. Rockefeller IV to Chair White (Apr. 9, 2013), available at http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=49ac989b-bd16-4bbd-8d64-8c15ba0e4e51.

Wednesday, January 29, 2014

SPYEYE MALWARE DISTRIBUTOR PLEADS GUILTY TO FRAUD CHARGES

FROM:  JUSTICE DEPARTMENT 
Tuesday, January 28, 2014
Cyber Criminal Pleads Guilty to Developing and Distributing Notorious Spyeye Malware

Aleksandr Andreevich Panin, a Russian national also known as “Gribodemon” and “Harderman,” has pleaded guilty to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software known as “SpyEye,” which, according to industry estimates, has infected over 1.4 million computers in the United States and abroad.

Acting Assistant Attorney General Mythili Raman of the Department of Justice’s Criminal Division, U.S. Attorney Sally Quillian Yates of the Northern District of Georgia and Acting Special Agent in Charge Ricky Maxwell of the FBI’s Atlanta Field Office made the announcement.

“Given the recent revelations of massive thefts of financial information from large retail stores across the country, Americans do not need to be reminded how devastating it is when cyber criminals surreptitiously install malicious codes on computer networks and then siphon away private information from unsuspecting consumers,” said Acting Assistant Attorney General Raman.  “Today, thanks to the tireless work of prosecutors and law enforcement agents, Aleksandr Panin has admitted to his orchestration of this criminal scheme to use ‘SpyEye’ to invade the privacy of Americans by infecting their computers through a dangerous botnet.  As this prosecution shows, cyber criminals – even when they sit on the other side of the world and attempt to hide behind online aliases – are never outside the reach of U.S. law enforcement.”

“As several recent and widely reported data breaches have shown, cyber-attacks pose a critical threat to our nation’s economic security,” said U.S. Attorney Yates. “Today’s plea is a great leap forward in our campaign against those attacks.   Panin was the architect of a pernicious malware known as ‘SpyEye’ that infected computers worldwide.   He commercialized the wholesale theft of financial and personal information.   And now he is being held to account for his actions.   Cyber criminals be forewarned: you cannot hide in the shadows of the Internet.   We will find you and bring you to justice.”

“This investigation highlights the importance of the FBI’s focus on the top echelon of cyber criminals,” said Acting FBI SAC Maxwell.   “The apprehension of Mr. Panin means that one of the world’s top developers of malicious software is no longer in a position to create computer programs that can victimize people around the world.   Botnets such as SpyEye represent one of the most dangerous types of malicious software on the Internet today, which can steal people’s identities and money from their bank accounts without their knowledge.   The FBI will continue working with partners domestically and internationally to combat cyber-crime.”

According to the charges and other information presented in court, SpyEye is a sophisticated malicious computer code that is designed to automate the theft of confidential personal and financial information, such as online banking credentials, credit card information, usernames, passwords, PINs, and other personally identifying information.   The SpyEye virus facilitates this theft of information by secretly infecting victims’ computers, enabling cyber criminals to remotely control the infected computers through command and control (C2) servers.   Once a computer is infected and under their control, cyber criminals can remotely access the infected computers, without authorization, and steal victims’ personal and financial information through a variety of techniques, including “web injects,” “keystroke loggers,” and “credit card grabbers.”   The victims’ stolen personal and financial data is then surreptitiously transmitted to the C2 servers, where it is used to steal money from the victims’ financial accounts.

Panin was the primary developer and distributor of the SpyEye virus.   Operating from Russia from 2009 to 2011, Panin conspired with others, including codefendant Hamza Bendelladj, an Algerian national also known as “Bx1,” to develop, market and sell various versions of the SpyEye virus and component parts on the Internet.   Panin allowed cyber criminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information, as well as marketed versions that specifically targeted designated financial institutions.   Panin advertised the SpyEye virus on online, invitation-only criminal forums.   He sold versions of the SpyEye virus for prices ranging from $1,000 to $8,500.   Panin is believed to have sold the SpyEye virus to at least 150 “clients,” who, in turn, used them to set up their own C2 servers.   One of Panin’s clients, “Soldier,” is reported to have made more than $3.2 million in a six-month period using the SpyEye virus.

According to industry estimates, the SpyEye virus has infected more than 1.4 million computers in the United States and abroad, and it was the preeminent malware toolkit used from approximately 2009 to 2011.   Based on information received from the financial services industry, over 10,000 bank accounts have been compromised by SpyEye infections since 2013 alone.   Some cyber criminals continue to use SpyEye today, although its effectiveness has been limited since software makers have added SpyEye to malicious software removal programs.

In February 2011, pursuant to a federal search warrant, the FBI searched and seized a SpyEye C2 server allegedly operated by Bendelladj in the Northern District of Georgia.   That C2 server controlled over 200 computers infected with the SpyEye virus and contained information from numerous financial institutions.

In June and July 2011, FBI covert sources communicated directly with Panin, who was using his online nicknames “Gribodemon” and “Harderman,” about the SpyEye virus.   FBI sources then purchased a version of SpyEye from Panin that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (DDoS) attacks from computers infected with the malware.

On Dec. 20, 2011, a Northern District of Georgia grand jury returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj.   The indictment charged one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. A superseding indictment was subsequently returned identifying Panin by his true name.

Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on Jan. 5, 2013 and was extradited from Thailand to the United States on May 2, 2013.   His charges are currently pending in the Northern District of Georgia.

Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport.

The investigation also has led to the arrest of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.

On Jan. 28, 2014, Panin pleaded guilty to conspiring to commit wire and bank fraud.   Sentencing for Panin is scheduled for April 29, 2014, before United States District Judge Amy Totenberg of the Northern District of Georgia.

The case is being investigated by the FBI.   Assistant United States Attorney Scott Ferber of the Northern District of Georgia, Trial Attorney Ethan Arenson of the Criminal Division’s Computer Crime and Intellectual Property Section and Senior Litigation Counsel Carol Sipperly of the Criminal Division’s Fraud Section are prosecuting the case.   Former Assistant United States Attorney Nicholas Oldham also participated in the prosecution while with the Criminal Division.

Valuable assistance was provided by the Criminal Division’s Office of International Affairs and the following international law enforcement agencies:   The United Kingdom’s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands - National High Tech Crime Unit (NHTCU), Dominican Republic’s Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria and the Australian Federal Police (AFP).

Valuable assistance also was provided by the following private sector partners: Trend Micro’s Forward-looking Threat Research (FTR) Team, Microsoft’s Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer and the Norwegian Security Research Team known as “Underworld.no”.
