New computer virus spreads from Ukraine
to disrupt world business
Send a link to a friend
[June 29, 2017]
By Eric Auchard and Dustin Volz
FRANKFURT/WASHINGTON (Reuters) - A computer
virus wreaked havoc on firms around the globe on Wednesday as it spread
to more than 60 countries, disrupting ports from Mumbai to Los Angeles
and halting work at a chocolate factory in Australia.
Risk-modeling firm Cyence said economic losses from this week's attack
and one last month from a virus dubbed WannaCry would likely total $8
billion. That estimate highlights the steep tolls businesses around the
globe face from growth in cyber attacks that knock critical computer
"When systems are down and can't generate revenue, that really gets the
attention of executives and board members," said George Kurtz, chief
executive of security software maker CrowdStrike. "This has heightened
awareness of the need for resiliency and better security in networks."
The virus, which researchers are calling GoldenEye or Petya, began its
spread on Tuesday in Ukraine. It infected machines of visitors to a
local news site and computers downloading tainted updates of a popular
tax accounting package, according to national police and cyber experts.
It shut down a cargo booking system at Danish shipping giant A.P.
Moller-Maersk <MAERSKb.CO>, causing congestion at some of the 76 ports
around the world run by its APM Terminals subsidiary..
Maersk said late on Wednesday that the system was back online: "Booking
confirmation will take a little longer than usual but we are delighted
to carry your cargo," it said via Twitter.
U.S. delivery firm FedEx said its TNT Express division had been
significantly affected by the virus, which also wormed its way into
South America, affecting ports in Argentina operated by China's Cofco.
The malicious code encrypted data on machines and demanded victims $300
ransoms for recovery, similar to the extortion tactic used in the global
WannaCry ransomware attack in May.
Security experts said they believed that the goal was to disrupt
computer systems across Ukraine, not extortion, saying the attack used
powerful wiping software that made it impossible to recover lost data.
"It was a wiper disguised as ransomware. They had no intention of
obtaining money from the attack," said Tom Kellermann, chief executive
of Strategic Cyber Ventures.
Brian Lord, a former official with Britain's Government Communications
Headquarters (GCHQ) who is now managing director at private security
firm PGI Cyber, said he believed the campaign was an "experiment" in
using ransomware to cause destruction.
"This starts to look like a state operating through a proxy," he said.
The malware appeared to leverage code known as "Eternal Blue" believed
to have been developed by the U.S. National Security Agency.
Eternal Blue was part of a trove of hacking tools stolen from the NSA
and leaked online in April by a group that calls itself Shadow Brokers,
which security researchers believe is linked to the Russian government.
That attack was noted by NSA critics, who say the agency puts the public
at risk by keeping information about software vulnerabilities secret so
that it can use them in cyber operations.
U.S. Representative Ted Lieu, a Democrat, on Wednesday called for the
NSA to immediately disclose any information it may have about Eternal
Blue that would help stop attacks.
[to top of second column]
A user takes a selfie in front of a laptop at WPP, a British
multinational advertising and public relations company in Hong Kong,
China June 28, 2017 in this picture obtained from social media.
INSTAGRAM/KENNYMIMO via REUTERS
“If the NSA has a kill switch for this new malware attack, the NSA
should deploy it now,” Lieu wrote in a letter to NSA Director Mike
The NSA did not respond to a request for comment and has not
publicly acknowledged that it developed the hacking tools leaked by
The target of the campaign appeared to be Ukraine, an enemy of
Russia that has suffered two cyber attacks on its power grid that it
has blamed on Moscow.
ESET, a Slovakian cyber-security software firm, said 80 percent of
the infections detected among its global customer base were in
Ukraine, followed by Italy with about 10 percent.
Ukraine has repeatedly accused Moscow of orchestrating cyber attacks
on its computer networks and infrastructure since Russia annexed
Crimea in 2014.
The Kremlin, which has consistently rejected the accusations, said
on Wednesday it had no information about the origin of the attack,
which also struck Russian companies including oil giant Rosneft
<ROSN.MM> and a steelmaker.
"Unfounded blanket accusations will not solve this problem," said
Kremlin spokesman Dmitry Peskov.
Austria's government-backed Computer Emergency Response Team (CERT)
said "a small number" of international firms appeared to be
affected, with tens of thousands of computers taken down.
Microsoft, Cisco Systems Inc and Symantec Corp <SYMC.O> said they
believed the first infections occurred in Ukraine when malware was
transmitted to users of a tax software program.
Russian security firm Kaspersky said a news site for the Ukraine
city of Bakhumut was also hacked and used to distribute the
A number of the victims were international firms with have
operations in Ukraine.
They include French construction materials company Saint Gobain
<SGOB.PA>, BNP Paribas Real Estate <BNPP.PA>, and Mondelez
International Inc <MDLZ.O>, which owns Cadbury chocolate.
Production at the Cadbury factory on the Australian island state of
Tasmania ground to a halt late on Tuesday after computer systems
(Additional reporting by Jack Stubbs in Moscow, Alessandra Prentice
in Kiev, Helen Reid in London, Teis Jensen in Copenhagen, Maya
Nikolaeva in Paris, Shadia Naralla in Vienna, Marcin Goettig in
Warsaw, Byron Kaye in Sydney, John O'Donnell in Frankfurt, Ari
Rabinovitch in Tel Aviv, Noor Zainab Hussain in Bangalore; Writing
by Eric Auchard, David Clarke and Jim Finkle; Editing by David
Clarke and Andrew Hay)
[© 2017 Thomson Reuters. All rights
Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.