SolarWinds dealing with hack fallout cost at least $18 million

WASHINGTON (Reuters) – Texas-based SolarWinds Corp said the sprawling breach stemming from the compromise of its flagship software product has cost the company at least $18 million in the first three months of 2021.

In preliminary results made public on Tuesday, the company said it spent between $18 million and $19 million in the first quarter of 2021 to investigate and remediate what it described as “the Cyber Incident.”

SolarWinds has been working since December to deal with the fallout of a series of intrusions blamed on Russian hackers across the U.S. government and scores of private companies. In many cases, the hackers compromised their targets by piggybacking on a subverted version of SolarWinds Orion, a widely used network management tool.

SolarWinds has hired cybersecurity company CrowdStrike Holdings Inc and professional services firm KPMG to help it investigate the intrusions. The company said its costs were likely to grow.

“We expect to incur significant legal and other professional services expenses associated with the Cyber Incident in future periods,” it said in a note.

Solarwinds shares gained 2.1% in Tuesday trading on the New York Stock Exchange.

Reporting by Raphael Satter; Editing by Dan Grebler

Italian man ‘offered €10,000 in Bitcoin’ to maim ex-partner

Investigators in Rome have placed under house arrest a man who they say paid an attacker over the dark web to maim his ex-girlfriend.

The suspect is accused of offering €10,000 (£8,700; $12,000) in Bitcoin in return for the attack, which would have paralysed the woman, police said.

He was traced by Italian authorities and the EU’s crime agency and the woman was unharmed.

The would-be attacker has not been identified.

What is the man accused of?

“It looks like the plot of a contemporary thriller,” Italy’s Postal and Communication Police said in a statement.

The suspect, a 40-year-old IT expert from the northern region of Lombardy, is alleged to have gone on the dark web some months after his relationship broke down in July 2020.

Police said he contacted an intermediary via a website on the dark web, seeking to hire an attacker to throw acid at his ex-girlfriend’s face and to break her back, leaving her paralysed.

Despite having made the first of four payments to the would-be attacker, the suspect remained in contact with his intended victim, sending her flowers and messages, according to police.

Italian news agency Adnkronos quoted the arrest warrant as saying that the attack was to be staged to look like a robbery.

The suspect, who had been in a two-year relationship with the woman, had passed on her home address and Facebook profile, the news agency added.

How was he traced?

Italian authorities said they were alerted after messages from the suspect were intercepted by police from another European country in February.

The request had been placed through the Tor network – privacy-focused software used to access the dark web while often obscuring users and data. 

However, EU crime agency Europol said it was able to carry out “an urgent, complex crypto-analysis to enable the tracing and identification” of the Bitcoin provider, based in Italy.

Italian police were then able to get hold of further details about the suspect from the crypto-currency provider. 

The suspect’s home in Milan was searched at the end of February, according to Italian media, and as the search unfolded he is then said to have called off the attack via his computer.

He is currently under house arrest, charged with aggravated harassment and attempted personal injury, reports say

UK: Redcar cyber-attack: Government to help cover costs

A council left without online services for weeks following a cyber-attack is to receive £3.68m from the government to help towards the cost of rebuilding its systems.

The attack was estimated to have cost Redcar and Cleveland Council £10m, with the authority having to foot the remainder of the bill itself.

It said no ransom was paid to the hackers.

Critics said the government should be covering more of the cost.

Experts from the UK’s National Cyber Security Centre (NCSC) had to be drafted in to help restore appointment bookings, planning documents, social care advice and council housing complaints systems that had been knocked offline in February last year.

‘Conned’ over settlement

The council said the money to be provided by the government would help replenish its reserves, which had been used to restore its online systems.

It declined to say whether any services would be affected as a result of covering the remainder of the bill.

Council leader Mary Lanigan, who heads a coalition of independents and Liberal Democrats, said: “We are pleased that the government recognised the unique circumstances under which we requested support, and awarded grant funding, rightly distinguishing the criminal ransomware attack suffered by the council from the financial rescue packages of some other local authorities where permission to borrow has been granted.

“No money was handed over to these criminals and we continue to hope that they will eventually be brought to justice.”

Middlesbrough South and East Cleveland MP Simon Clarke, a Conservative, described the settlement as “exceptionally generous”.

Fellow Tory Jacob Young, MP for Redcar, said it would “go some way to restoring the hit on the council’s finances”.

However, former council leader Sue Jeffrey, of Labour, said residents were being “conned into thinking they have got a good deal” having only been awarded “a tiny proportion of the support they were promised by the government and local Conservative MPs”.

Sepa spends nearly £800,000 on cyber attack response

Scotland’s environmental watchdog has spent nearly £800,000 on its response to a major cyber attack, new figures show. 

The Scottish Environment Protection Agency (Sepa) had more than 4,000 of its digital files stolen by hackers on Christmas Eve.

The files were released on the internet when Sepa refused to pay a ransom.

The public body has warned it could be next year before its systems have fully recovered from the attack.

Figures released to BBC Scotland under freedom of information laws show a total of £790,000 has been spent on Sepa’s response and recovery actions so far. 

This includes £458,000 on stabilising the watchdog’s business IT platform.

Sepa has restored the majority of its key services, such as flooding forecasting, but it is expected a full recovery from the attack will take up the remainder of 2021-22. 

Terry A’Hearn, Sepa’s chief executive, said: “Whilst we initially lost access to our data and systems, what we didn’t lose was the expertise of our 1,200 staff. 

“Since Christmas Eve, teams across the agency have been working flat-out to support our people, partners and customers and to restore our systems services as quickly as possible. 

“Our clear recovery strategy is gradually seeing systems being restored. By Easter, over 70% of staff will be back online and we’re engaging data recovery specialists and are confident that we will recover the most important data.”

Terry A'Hearn
image captionSepa chief executive Terry A’Hearn said the organisation had faced a “significant and sophisticated cyber-attack”

Sepa rejected a ransom demand for the attack, which was claimed by the international Conti ransomware group.

Contracts, strategy documents and databases were among the 4,000 files released.

The data has been put on the dark web – a part of the internet associated with criminality and only accessible through specialised software.

Some of the information stolen was already publicly available but other files, including data about staff and suppliers, was not.

Sepa told BBC Scotland a total of 54 people had been in touch to ask if their data was among the files stolen. This includes 27 current and former staff members. 

‘Sickening attack’

Police Scotland is investigating the crime and has previously indicated the likely involvement of international serious and organised crime.

Det Insp Michael McCullagh said: “Police Scotland is continuing to work closely with Sepa to investigate and provide support in response to this incident.

“The actions of the criminals behind this crime show a blatant disregard for public safety, evident in this sickening attack on an organisation like Sepa. This type of crime and its impacts can be significant.

“I would urge caution in the viewing and downloading of any data published by cyber criminals. The likelihood of those files being infected and making you their next victim is high.”

Source: BBC

‘We have your porn collection’: Hackers name and shame company’s IT Manager

Cyber-security companies are warning about the rise of so-called ‘extortionware’ where hackers embarrass victims into paying a ransom.

Experts say the trend towards ransoming sensitive private information could affect companies not just operationally but through reputation damage.

It comes as hackers bragged after discovering an IT Director’s secret porn collection.

The targeted US firm has not publicly acknowledged that it was hacked.

In its darknet blog post about the hack last month, the cyber-criminal gang named the IT director whose work computer allegedly contained the files.

It also posted a screen grab of the computer’s file library which included more than a dozen folders catalogued under the names of porn stars and porn websites.

The infamous hacker group wrote: “Thanks God for [named IT Director]. While he was [masturbating] we downloaded several hundred gigabytes of private information about his company’s customers. God bless his hairy palms, Amen!”

The blog post has been deleted in the last couple of weeks, which experts say usually implies that the extortion attempt worked and the hackers have been paid to restore data, and not publish any more details.

The company did not respond to requests for comment.

The same hacker group is also currently trying to pressure another US utility company into paying a ransom, by posting an employee’s username and password for a members-only porn website.

‘The new norm’

Another ransomware group which also has a darknet website shows the use of similar tactics.

The relatively new gang has published private emails and pictures, and is calling directly for the mayor of a hacked municipality in the US to negotiate its ransom.

In another case, hackers claim to have found an email trail showing evidence of insurance fraud at a Canadian agriculture company.

Brett Callow, a threat analyst at cyber-security company Emsisoft, says the trend points to an evolution of ransomware hacking.

“This is the new norm. Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts.”

Another example of this was seen in December 2020, when the cosmetic surgery chain The Hospital Group was held to ransom with the threat of publication of ‘before and after’ images of patients.

Ransomware is evolving

Ransomware has evolved considerably since it first appeared decades ago.

Criminals used to operate alone, or in small teams, targeting individual internet users at random by booby-trapping websites and emails.

In the last few years, they’ve become more sophisticated, organised and ambitious.

Criminal gangs are estimated to be making tens of millions of dollars a year, by spending time and resources targeting and attacking large companies or public bodies for huge pay-outs, sometimes totalling millions of dollars.

Brett Callow has been following ransomware tactics for years, and says he saw another shift in methods in late 2019.

“It used to be the case that the data was just encrypted to disrupt a company, but then we started seeing it downloaded by the hackers themselves.

“It meant they could charge victims even more because the threat of selling the data on to others was strong.”

Tough to defend against 

This latest trend of threatening to publicly damage an organisation or individual has particularly concerned experts because it is hard to defend against.

Keeping good backups of company data helps businesses to recover from crippling ransomware attacks, but that is not enough when the hackers use extortionware tactics.

Cyber-security consultant Lisa Ventura said: “Employees should not be storing anything that could harm a firm reputationally on company servers. Training around this should be provided by organisations to all their staff.

“It’s a troubling shift in angle for the hackers because ransomware attacks are not only getting more frequent, they are also getting more sophisticated.

“By identifying factors such as reputational damage, it offers far more leverage to extort money from victims.”

A lack of victim reporting and a culture of cover-up makes estimating the overall financial cost of ransomware difficult.

Experts at Emsisoft estimate that ransomware incidents in 2020 cost as much as $170bn (£123bn) in ransom payments, downtime and disruption.

By Joe Tidy
Cyber reporter 

School cyber-attack affects 40,000 pupils’ email

A ransomware attack on multiple schools has left 37,000 pupils unable to access their email.

The Harris Federation, which runs 50 primary and secondary academies in and around London, said it had temporarily disabled email while it deals with the cyber-attack.

Data on the systems has been encrypted and hidden by the attackers.

Last week, the National Cyber Security Centre (NCSC) issued a warning that hackers are targeting schools.

‘Sophisticated attack’

“We are at least the fourth multi-academy trust to have been targeted in March,” a statement on the Harris Federation website said. 

“This is a highly sophisticated attack that will have a significant impact on our academies but it will take time to uncover the exact details of what has or has not happened, and to resolve.

“As a precaution, we have temporarily disabled our email system.”

Any devices which the Harris Federation have given to pupils have also been disabled, the statement added. 

However, schools have recently returned to in-person learning as part of the easing of lockdown restrictions – meaning students can still attend classes. captionTechnology explained: what is ransomware?

Harris Federation schools break up for Easter later this week.

Its statement did not detail what information or data has been compromised, and it has not yet responded to the BBC’s request for comment.

The trust is working with “a specialised firm of cyber-technology consultants”, the National Crime Agency and the NCSC to resolve the issues.

The NCSC said it has “recently alerted the education sector to the significant threat posed by ransomware attacks” and urged schools and colleges to follow its advice to protect themselves online.

Presentational grey line
Analysis box by Joe Tidy, Cyber reporter

It used to be the case that ransomware groups concentrated their efforts on large multinational companies.

Big corporate budgets and potential business interruption mean large ransom payouts.

Publicly funded schools and colleges are therefore an odd and particularly cruel target.

One hacker group recently posted part of their negotiation conversation with another unnamed institution on the dark net.

It made for grim reading, and once again showed me how ruthless they are.

At one stage, when the hackers demanded $15m, the school wrote: “Sir, please, this is NOT a business with profits. We operate much like a charity operates. This is a state-funded school, our salaries are paid for by taxing the people that live in the state. We have no idea how you think we can afford this.”

This wave of attacks in the US and UK show the hackers have no regard for where the money comes from or who is affected.

Channel Nine cyber attack disrupts live broadcasts in Australia

A cyber attack has disrupted live broadcasts on Australia’s Channel Nine TV network, prompting concerns about the country’s vulnerability to hackers.

The broadcaster said it was unable to air several shows on Sunday, including Weekend Today.

Nine said it was investigating whether the hack was “criminal sabotage or the work of a foreign nation”.

Australia’s Parliament was also investigating a possible cyber attack in Canberra on Sunday.

Assistant Defence Minister Andrew Hastie said access to IT and emails at Parliament House had been cut as a precaution. He said this was done in response to issues affecting an “external provider”, without elaborating.

“This is a timely reminder that Australians cannot be complacent about their cyber security,” the minister told the website on Sunday.

“The government acted quickly, and we have the best minds in the world working to ensure Australia remains the most secure place to operate online,” he said.

It’s not clear if the parliamentary outage and the cyber attack on Channel Nine were connected.

The Australian government and other institutions have fallen victim to a string of cyber attacks in recent years.

Last year Prime Minister Scott Morrison saidAustralian organisations were being targeted by a sophisticated foreign “state-based” hacker.

Broadcaster ABC News said Australian government sources believed China was behind the attacks. Relations between Australia and China have grown increasingly acrimonious amid disputes about trade and the coronavirus.

What did Channel Nine say about the cyber attack?

At first, Nine said it was “responding to technical issues” affecting its live broadcasting.

Weekend Today, which runs from 07:00 to 13:00 local time (21:00 to 03:00 GMT) from Sydney, did not air.

Its online news site,, was also affected.

On Sunday night, Nine confirmed there had been a “cyber attack on our systems”.

“Our IT teams are working around the clock to fully restore our systems which have primarily affected our broadcast and corporate business units. Publishing and radio systems continue to be operational,” the company said in a statement.

A later report by Mark Burrows, a senior journalist for the network, said the company was “under attack by hackers”. He said emails and editing systems had gone down.

“I’m not surprised,” Mr Hastie, the assistant defence minister, told Nine. “Last year alone we had 60,000 reports to Australian cyber security of cyber crime. That’s one every 10 minutes.”

Nine has told all its staff to work at home until further notice. It hopes to air all shows as normal on Monday.

Cyber-attack on school: Pupils’ grading system tempered

Pupils’ coursework has been destroyed in a “significant” cyber-attack on a school.

Redborne School
image captionThe school said the attack was likely to cause long-term disruption

Redborne Upper School and Community College in Bedfordshire said the attack took place on Wednesday.

Although no data was taken, the school’s servers were left unreadable resulting in “the loss of a significant amount of data”, it added.

The school said it was working “to ensure that no students will be disadvantaged”.

In a letter sent to parents on Friday, the school, based in Flitwick Road, Ampthill, said it had rebuilt its servers.

It said: “This process has resulted in the loss of a significant amount of data including student user areas.”

The school said no data had left its servers “and no unauthorised persons have access to any information”.

Exam board discussions

Students’ personal data including academic records was kept on a different server, said the school.

The letter said: “It is this data that will form the basis of the grades we will be supplying to exam boards this summer in most cases.”

However, it added coursework, which would play “a significant role” in some subjects, had been lost.

“To mitigate this we have already contacted the exam boards and are in the process of putting in place arrangements to ensure that no students will be disadvantaged by the impact of this,” the letter said.

The school added it still has “sufficient data” to “award accurate grades this summer”.

The incident comes days after the University of Northampton reported it had been hit by a cyber-attack which had interrupted IT and telephone services.

The National Cyber Security Centre said since late February an increased number of ransomware attacks had affected education establishments.

Speaking on the Today programme on Friday, its chief executive Lindy Cameron said the coronavirus pandemic has “highlighted both the scale of our dependence on the digital world and the challenges we face”.

But she added the UK is “one of the safest places to live and work online”.

New wave of ‘hacktivism’ adds twist to cybersecurity woes

At a time when U.S. agencies and thousands of companies are fighting off major hacking campaigns originating in Russia and China, a different kind of cyber threat is re-emerging: activist hackers looking to make a political point.

Three major hacks show the power of this new wave of “hacktivism” – the exposure of AI-driven video surveillance being conducted by the startup Verkada, a collection of Jan. 6 riot videos from the right-wing social network Parler, and disclosure of the Myanmar military junta’s high-tech surveillance apparatus.

And the U.S. government’s response shows that officials regard the return of hacktivism with alarm. An indictment last week accused 21-year-old Tillie Hottmann, a Swiss hacker who took credit for the Verkada breach, of a broad conspiracy.

“Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft and fraud,” Seattle-based Acting U.S. Attorney Tessa Gorman said.

According to a U.S. counter-intelligence strategy released a year ago, “ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations,” are now viewed as “significant threats,” alongside five countries, three terrorist groups, and “transnational criminal organizations.”

Earlier waves of hacktivism, notably by the amorphous collective known as Anonymous in the early 2010s, largely faded away under law enforcement pressure. But now a new generation of youthful hackers, many angry about how the cybersecurity world operates and upset about the role of tech companies in spreading propaganda, are joining the fray.

And some former Anonymous members are returning to the field, including Aubrey Cottle, who helped revive the group’s Twitter presence last year in support of the Black Lives Matter protests.

Anonymous followers drew attention for disrupting an app that the Dallas police department was using to field complaints about protesters by flooding it with nonsense traffic. They also wrested control of Twitter hashtags promoted by police supporters.

“What’s interesting about the current wave of the Parler archive and Gab hack and leak is that the hacktivism is supporting antiracist politics or antifascism politics,” said Gabriella Coleman, an anthropologist at McGill University, Montreal, who wrote a book on Anonymous.

Gab, a social network favored by white nationalists and other right-wing extremists, has also been hurt by the hacktivist campaign and had to shut down for brief periods after breaches.


Most recently, Cottle has been focused on QAnon and hate groups.

“QAnon trying to adopt Anonymous and merge itself into Anonymous proper, that was the straw that broke the camel’s back,” said Cottle, who has held a number of web development and engineering jobs, including a stint at Ericsson.

He found email data showing that people in charge of the 8kun image board, where the persona known as Q posted, were in steady contact with major promoters of QAnon conspiracies here.

The new-wave hacktivists also have a preferred place for putting materials they want to make public – Distributed Denial of Secrets, a transparency site that took up the mantle of WikiLeaks with less geopolitical bias. The site’s collective is led by Emma Best, an American known for filing prolific freedom of information requests.

Best’s two-year-old site coordinating access by researchers and media to a hoard of posts taken from Gab by unidentified hackers. In an essay this week, Best praised Hottmann and said leaks would keep coming, not just from hacktivists but insiders and the ransomware operators who publish files when companies don’t pay them off.

“Indictments like Tillie’s show just how scared the government is, and just how many corporations consider embarrassment a greater threat than insecurity,” Best wrote here.

The events covered by the Hottmann indictment here took place from November 2019 through January 2021. The core allegation is that the Lucerne software developer and associates broke into a number of companies, removed computer code and published it. The indictment also said Hottmann spoke to the media about poor security practices by the victims and stood to profit, if only by selling shirts saying things like “venture anticapitalist” and “catgirl hacker.”

But it was only after Hottmann publicly took credit for breaching Verkada and posted alarming videos from inside big companies, medical facilities and a jail that Swiss authorities raided their home at the behest of the U.S. government. Hottmann uses non-binary pronouns.

“This move by the U.S. government is clearly not only an attempt to disrupt the freedom of information, but also primarily to intimidate and silence this newly emerging wave of hacktivists and leaktivists,” Hottmann said in an interview with Reuters.

Hottmann and their lawyer declined to discuss the U.S. charges of wire fraud for some of Hottmann’s online statements, aggravated identity theft for using employee credentials, and conspiracy, which together are enough for a lengthy prison sentence.

The FBI declined an interview request. If it seeks extradition, the Swiss would determine whether Hottmann’s purported actions would have violated that country’s laws.


Hottmann was open about their disdain for the law and corporate powers-that-be. “Like many people, I’ve always been opposed to intellectual property as a concept and specifically how it’s used to limit our understanding of the systems that run our daily lives,” Hottmann said.

A European friend of Hottmann’s known as “donk_enby,” a reference to being non-binary in gender, is another major figure in the hacktivism revival. Donk grew angry about conspiracy theories spread by QAnon followers on the social media app Parler that drove protests against COVID-19 health measures.

Following a Cottle post about a leak from Parler in November, Donk dissected the iOS version of Parler’s app and found a poor design choice. Each post bore an assigned number, and she could use a program to keep adding 1 to that number and download every single post in sequence.

After the Jan. 6 U.S. Capitol riots, Donk shared links to the web addresses of a million Parler video posts and asked her Twitter followers to download them before rioters who recorded themselves inside the building deleted the evidence. The trove included not just footage but exact locations and timestamps, allowing members of Congress to catalogue the violence and the FBI to identify more suspects.

Popular with far-right figures, Parler has struggled to stay online after being dropped by Google and Amazon. Donk’s actions alarmed users who thought some videos would remain private, hindering the its attempt at a comeback.

In the meantime, protesters in Myanmar asked Donk for help, leading to file dumps that prompted Google to pull its blogging platform and email accounts here from leaders of the Feb. 1 coup. Donk’s identification of numerous other military contractors helped fuel sanctions that continue to pile up.

One big change from the earlier era of hacktivisim is that hackers can now make money legally by reporting the security weaknesses they find to the companies involved, or taking jobs with cybersecurity firms.

But some view so-called bug bounty programs, and the hiring of hackers to break into systems to find weaknesses, as mechanisms for protecting companies who should be exposed.

“We’re not going to hack and help secure anyone we think is doing something extremely unethical,” said John Jackson, an American researcher who works with Cottle on above-ground projects. “We’re not going to hack surveillance companies and help them secure their infrastructure.”

Source: Reuters