<?xml version="1.0" encoding="UTF-8"?><feed
	xmlns="http://www.w3.org/2005/Atom"
	xmlns:thr="http://purl.org/syndication/thread/1.0"
	xml:lang="en-US"
	>
	<title type="text">Jim Finkle | Vox</title>
	<subtitle type="text">Our world has too much noise and too little context. Vox helps you understand what matters.</subtitle>

	<updated>2019-03-06T11:25:37+00:00</updated>

	<link rel="alternate" type="text/html" href="https://www.vox.com/author/jim-finkle" />
	<id>https://www.vox.com/authors/jim-finkle/rss</id>
	<link rel="self" type="application/atom+xml" href="https://www.vox.com/authors/jim-finkle/rss" />

	<icon>https://platform.vox.com/wp-content/uploads/sites/2/2024/08/vox_logo_rss_light_mode.png?w=150&amp;h=100&amp;crop=1</icon>
		<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[Premera Blue Cross Breached, Medical Information Exposed]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/3/17/11560412/premera-blue-cross-breached-medical-information-exposed" />
			<id>https://www.vox.com/2015/3/17/11560412/premera-blue-cross-breached-medical-information-exposed</id>
			<updated>2019-03-06T05:19:48-05:00</updated>
			<published>2015-03-17T15:01:27-04:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Health insurer Premera Blue Cross said on Tuesday it was a victim of a cyber attack that may have exposed medical data and financial information of 11 million customers in the latest case of a health care company reporting a serious breach. It said the attackers may have gained access to claims data, including clinical [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="grapegeek / iStockphoto" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15794193/hacked_screen.0.1537578188.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Health insurer Premera Blue Cross said on Tuesday it was a victim of a cyber attack that may have exposed medical data and financial information of 11 million customers in the latest case of a health care company reporting a serious breach.</p>

<p>It said the attackers may have gained access to claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data in an attack that began in May 2014 and was uncovered Jan. 29.</p>

<p>It is the largest breach reported to date involving patient medical information, according to Dave Kennedy, an expert in health care security who is chief executive of TrustedSEC.</p>

<p>Breaches over the past year at health insurer Anthem and hospital operator Community Health Systems involved a larger number of records, but those companies said they believe the attackers did not access medical information.</p>

<p>Medical records are highly valuable on underground criminal exchanges where stolen data is sold because the information is not only highly confidential, it can also be used to engage in insurance fraud.</p>

<p>&ldquo;Medical records paint a really personal picture of somebody&rsquo;s life and medical procedures,&rdquo; Kennedy said. &ldquo;They allow you to perpetrate really in-depth medical fraud.&rdquo;</p>

<p>The insurer said it has so far uncovered no evidence to show that member data was &ldquo;used inappropriately.&rdquo;</p>

<p>The attack affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions.</p>

<p>&ldquo;We at Premera take this issue seriously and sincerely regret the concern it may cause,&rdquo; Chief Executive Jeff Roe said in a statement.</p>

<p>Premera has set up a hot line to field members&rsquo; calls and is offering free credit monitoring. More information is available at www.premeraupdate.com.</p>

<p>&ldquo;As much as possible, we want to make this event our burden, not that of the affected individuals,&rdquo; Roe said in the statement.</p>

<p>Premera is working with the FBI and FireEye to investigate the matter.</p>

<p>(Reporting by Jim Finkle; Editing by Dan Grebler)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[Apple, Google Prep Fixes for Newly Uncovered &#8216;Freak&#8217; Security Bug]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2015/3/3/11559786/apple-google-prep-fixes-for-newly-uncovered-freak-security-bug" />
			<id>https://www.vox.com/2015/3/3/11559786/apple-google-prep-fixes-for-newly-uncovered-freak-security-bug</id>
			<updated>2019-03-06T04:51:52-05:00</updated>
			<published>2015-03-03T16:12:02-05:00</published>
			<category scheme="https://www.vox.com" term="Apple" /><category scheme="https://www.vox.com" term="Big Tech" /><category scheme="https://www.vox.com" term="Google" /><category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Apple and Google said on Tuesday that they have developed fixes to mitigate the newly uncovered &#8220;Freak&#8221; security flaw affecting mobile devices and Mac computers. The vulnerability in Web encryption technology could enable attackers to spy on communications of users of Apple&#8217;s Safari browser and Google&#8217;s Android browser, according to researchers who uncovered the flaw. [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="andrey_l / Shutterstock" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15787344/encryption-key.0.1462603300.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Apple and Google said on Tuesday that they have developed fixes to mitigate the newly uncovered &ldquo;Freak&rdquo; security flaw affecting mobile devices and Mac computers.</p>

<p>The vulnerability in Web encryption technology could enable attackers to spy on communications of users of Apple&rsquo;s Safari browser and Google&rsquo;s Android browser, according to researchers who uncovered the flaw.</p>

<p>Apple spokesman Ryan James said the company had developed a software update to remediate the vulnerability, and it will be pushed out next week.</p>

<p>Google spokeswoman Liz Markman said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive those upgrades. Google typically does not directly push out Android software updates. Instead they are handled by device makers and mobile carriers.</p>

<p>The Washington Post reported that the bug left users of Apple and Google devices vulnerable to cyber attack when visiting hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.</p>

<p>Whitehouse.gov and FBI.gov have been fixed, but NSA.gov remains vulnerable, the paper cited Johns Hopkins cryptographer Matthew D. Green as saying.</p>

<p>A group of nine researchers discovered that they could force Web browsers to use a form of encryption that was intentionally weakened to comply with U.S. government regulations that ban American companies from exporting the strongest encryption standards, according to the paper.</p>

<p>Once they caused the site to use the weaker export encryption standard, they were then able to break the encryption within a few hours. That could allow hackers to steal data and potentially launch attacks on the sites themselves by taking over elements on a page, the newspaper reported.</p>

<p>Markman said that Google advises all websites to disable support for the less-secure, export-grade encryption.</p>

<p>&ldquo;Android&rsquo;s connections to most websites &mdash; which include Google sites, and others without export certificates &mdash; are not subject to this vulnerability,&rdquo; she added.</p>

<p>The group of researchers dubbed the flaw Freak, for &ldquo;Factoring RSA-EXPORT Keys,&rdquo; according to a website where they described the vulnerability.</p>

<p>(Reporting by Jim Finkle; Editing by Christian Plumb, Bernard Orr)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[Sony Works for Third Day to Restore PlayStation Network After Attack]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/12/27/11634048/sony-works-for-third-day-to-restore-playstation-after-attack" />
			<id>https://www.vox.com/2014/12/27/11634048/sony-works-for-third-day-to-restore-playstation-after-attack</id>
			<updated>2019-03-06T05:58:17-05:00</updated>
			<published>2014-12-27T15:46:52-05:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Sony Corp worked for a third day on Saturday to restore services to its PlayStation online gaming network after a Christmas Day cyber attack shuttered access to some customers, including holiday recipients of new game consoles. &#8220;If you received a PlayStation console over the holidays and have been unable to log onto the network, know [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters / Toru Hanai" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15803906/sony-logo-display.0.1537362525.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Sony Corp worked for a third day on Saturday to restore services to its PlayStation online gaming network after a Christmas Day cyber attack shuttered access to some customers, including holiday recipients of new game consoles.</p>

<p>&ldquo;If you received a PlayStation console over the holidays and have been unable to log onto the network, know that this problem is temporary and is not caused by your game console,&rdquo; Sony executive Catherine Jensen said in a Saturday posting on the company&rsquo;s U.S. PlayStation blog.</p>

<p>She said the problems were the result of &ldquo;high levels of traffic designed to disrupt connectivity and online game play,&rdquo; a technique widely known as a distributed denial-of-service, or DDoS.</p>

<p>It was Sony&rsquo;s second recent high-profile encounter with hackers after an unprecedented attack on its Hollywood studio, which Washington has attributed to the North Korean government and linked to the release of the low-brow comedy &ldquo;The Interview.&rdquo;</p>

<p>Sony spokeswoman Jennifer Clark declined to say how many of PSN&rsquo;s 56 million users could not gain access to the network.</p>

<p>Customer response was mixed to requests from Sony&rsquo;s Twitter support account to be patient.</p>

<p>One person tweeted: &ldquo;You keep repeating this same line like a parrot. WHAT exactly is the team doing?&rdquo;</p>

<p>&ldquo;That&rsquo;s OK. We know you&rsquo;re trying your best,&rdquo; another said via Twitter. &ldquo;We all hate the hackers that did this.&rdquo;</p>

<p>A hacker activist group known as Lizard Squad said it was responsible for the PSN outage as well as delays on Microsoft Corp&rsquo;s Xbox network; Microsoft quickly fixed the problem.</p>

<p>Mikko Hypponen, chief research officer of security software maker F-Secure, said he knows of no reasonable motive for attacking Sony or Microsoft.</p>

<p>&ldquo;The attackers have no motive whatsoever for their DDoS attacks against Sony or Microsoft,&rdquo; he said.</p>

<p>The group has claimed responsibility for previous cyber attacks, including ones on PSN in early December and August.</p>

<p>The attack in August coincided with a bomb scare on a commercial jet in which Lizard Squad tweeted to American Airlines that it heard explosives were on board a Dallas-to-San Diego flight carrying an executive with Sony Online Entertainment.</p>

<p>Sony has been the victim of some of the most notorious cyber attacks in history. Besides the breach at its Hollywood studio, hackers stole data belonging to 77 million PlayStation Network users in 2011.</p>

<p>(Reporting by Jim Finkle; editing by Stephen Powell and Steve Orlofsky)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[FBI: Iran Hackers May Target U.S. Energy, Defense Firms]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/12/13/11633786/iran-hackers-may-target-u-s-energy-defense-firms-fbi-warns" />
			<id>https://www.vox.com/2014/12/13/11633786/iran-hackers-may-target-u-s-energy-defense-firms-fbi-warns</id>
			<updated>2019-03-06T06:25:37-05:00</updated>
			<published>2014-12-13T12:08:42-05:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[The Federal Bureau of Investigation has warned U.S. businesses to be on the alert for a sophisticated Iranian hacking operation whose targets include defense contractors, energy firms and educational institutions, according to a confidential agency document. The operation is the same as one flagged last week by cyber security firm Cylance Inc as targeting critical [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters/Pawel Kopczynski" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15810618/r.0.1462687833.jpeg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>The Federal Bureau of Investigation has warned U.S. businesses to be on the alert for a sophisticated Iranian hacking operation whose targets include defense contractors, energy firms and educational institutions, according to a confidential agency document.</p>

<p>The operation is the same as one flagged last week by cyber security firm Cylance Inc as targeting critical infrastructure organizations worldwide, cyber security experts said. Cylance has said it uncovered more than 50 victims from what it dubbed Operation Cleaver, in 16 countries, including the United States.</p>

<p>The FBI&rsquo;s confidential &ldquo;Flash&rdquo; report, seen by Reuters on Friday, provides technical details about malicious software and techniques used in the attacks, along with advice on thwarting the hackers. It asked businesses to contact the FBI if they believed they were victims.</p>

<p>Cylance Chief Executive Stuart McClure said the FBI warning suggested that the Iranian hacking campaign may have been larger than its own research revealed. &ldquo;It underscores Iran&rsquo;s determination and fixation on large-scale compromise of critical infrastructure,&rdquo; he said.</p>

<p>The FBI&rsquo;s technical document said the hackers typically launch their attacks from two IP addresses that are in Iran, but did not attribute the attacks to the Tehran government. Cylance has said it believes Iran&rsquo;s government is behind the campaign, a claim Iran has vehemently denied.</p>

<p>An FBI official did not provide further details, but said the agency routinely provides private industry with advisories to help it fend off cyber threats.</p>

<p>The Pentagon and National Security Agency had no immediate comment.</p>

<p>Tehran has been substantially increasing investment in its cyber capabilities since 2010, when its nuclear program was hit by the Stuxnet computer virus, widely believed to have been launched by the United States and Israel.</p>

<p>Cyber security professionals who investigate cyber attacks said that they are seeing evidence that Iran&rsquo;s investment is paying off.</p>

<p>&ldquo;They are good and have a lot of talent in the country,&rdquo; said Dave Kennedy, CEO of TrustedSEC LLC. &ldquo;They are definitely a serious threat, no question.&rdquo;</p>

<p>Iranian hackers are increasingly being blamed for sophisticated cyberattacks.</p>

<p>Bloomberg Businessweek on Thursday reported that Iranian hacker activists were responsible for a devastating February 2014 attack on casino operator Las Vegas Sands Corp, which crippled thousands of servers by wiping them with destructive malware. It said the hackers sought to punish Sands CEO Sheldon Adelson for comments he made about detonating a nuclear bomb in Iran.</p>

<p><em>(Reporting by Jim Finkle. Additional reporting by Mark Hosenball and Andrea Shalal in Washington; Editing by Christian Plumb)</em></p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[Iran Hackers Targeted Airlines, Energy Firms: Report]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/12/2/11633458/iran-hackers-targeted-airlines-energy-firms-report" />
			<id>https://www.vox.com/2014/12/2/11633458/iran-hackers-targeted-airlines-energy-firms-report</id>
			<updated>2019-03-06T06:03:25-05:00</updated>
			<published>2014-12-02T14:46:25-05:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Iranian hackers have infiltrated some of the world&#8217;s top energy, transport and infrastructure companies over the past two years in a campaign that could allow them to eventually cause physical damage, according to U.S. cyber security firm Cylance. Aerospace firms, airports and airlines, universities, energy firms, hospitals, and telecommunications operators based in the United States, [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters / Kacper Pempel" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15805204/hacking-cyber-crime.0.1462687182.png?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Iranian hackers have infiltrated some of the world&rsquo;s top energy, transport and infrastructure companies over the past two years in a campaign that could allow them to eventually cause physical damage, according to U.S. cyber security firm Cylance.</p>

<p>Aerospace firms, airports and airlines, universities, energy firms, hospitals, and telecommunications operators based in the United States, Israel, China, Saudi Arabia, India, Germany, France and England have been hit by the campaign, the research firm said, without naming individual companies.</p>

<p>A person familiar with the research said U.S. energy firm Calpine Corp, state-controlled oil companies Saudi Aramco and Petroleos Mexicanos (Pemex), as well as flag carriers Qatar Airlines and Korean Air were among the specific targets.</p>

<p>The 87-page report comes as governments scramble to better understand Iran&rsquo;s cyber capabilities, which researchers say have grown rapidly as Tehran seeks to retaliate for Western cyber attacks on its nuclear program.</p>

<p>&ldquo;We believe that if the operation is left to continue unabated, it is only a matter of time before the team impacts the world&rsquo;s physical safety,&rdquo; Cylance said.</p>

<p>The California-based company said its researchers uncovered breaches affecting more than 50 entities and had evidence they were committed by the same Tehran-based group that was behind a previously reported 2013 cyber attack on a U.S. Navy network.</p>

<p>A Pemex spokesman said the company had not detected any attacks from the Iranian groups but was constantly monitoring. Officials at the other companies were not immediately available to comment.</p>

<p>A diplomatic representative for Iran said Cylance&rsquo;s claim was groundless. &ldquo;This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image, particularly aimed at hampering current nuclear talks,&rdquo; said Hamid Babaei, spokesman for Iran&rsquo;s mission to the United Nations.</p>

<p>Reuters was unable to independently vet the research ahead of its publication. Cylance said it has reported the alleged hacking operation to some victims as well as to the U.S. Federal Bureau of Investigation. An FBI spokesman declined comment.</p>

<p>Cylance&rsquo;s research provides a new example of how governments may be using cyber technology as a tool for spying and staging attacks on rival states.</p>

<p>Russian and Chinese hackers have been blamed for a variety of corporate and government cyber attacks, while the United States and Israel are believed to have used a computer worm to slow development of Iran&rsquo;s nuclear program.</p>

<p>Tehran has been investing heavily in its cyber capabilities since 2010, when its nuclear program was hit by the Stuxnet computer virus, widely believed to have been launched by the United States and Israel. Iran has said its nuclear program is intended for the production of civilian electricity, and denies Western accusations it is seeking to build a nuclear bomb.</p>

<p>Cylance said the Iranian hacking group has so far focused its campaign &ndash; dubbed Operation Cleaver &ndash; on intelligence gathering, but that it likely has the ability to launch attacks.</p>

<p>It said researchers who succeeded in gaining access to some of the hackers&rsquo; infrastructure found massive databases of user credentials and passwords, diagrams, and screenshots from organizations including energy, transportation, and aerospace companies, as well as universities.</p>

<p>It would not be the first time Saudi Aramco has been targeted by hackers. In 2012, some 30,000 computers at the oil company were infected by a virus known as Shamoon, in one of the most destructive such strikes conducted against a single business. Some U.S. officials have said they believe Iran was behind that attack.</p>

<p>Cylance said its researchers also obtained hundreds of files apparently stolen by the Iranian group from the U.S. Navy&rsquo;s Marine Corps Intranet (NMCI). U.S. government sources had confirmed that Iran was behind the 2013 NMCI breach, but did not provide further details.</p>

<p>A U.S. defense official said on Monday it took about four months to &ldquo;maneuver the (NMCI) network&rdquo; to ensure that it was free of intruders. The official said that while the incident was officially characterized as a &ldquo;serious intrusion,&rdquo; no networks were damaged as a result of the breach.</p>

<p>Cylance said ten companies targeted in Operation Cleaver were U.S.-based.</p>

<p>Cylance&rsquo;s report is the latest to show evidence of Iranian hacking of U.S. interests. Cyber security firm FireEye Inc in May said that an Iranian hacking group was behind a series of attacks on U.S. defense companies.</p>

<p>The cyber intelligence firm iSight Partners also reported in May that it had uncovered an unprecedented, three-year campaign in which Iranian hackers had created false social networking accounts and a bogus news website to spy on leaders in the United States, Israel and other countries.</p>

<p>(Reporting by Jim Finkle. Additional reporting by Tanya Ashreena, Tova Cohen, Katharine Houreld, Michelle Nichols, Randall Palmer, Euan Rocha, Alwyn Scott, Andrea Shalal, Matthew Smith, Bernie Woodall, and David Alire Garcia; Editing by Richard Valdmanis, Christian Plumb and W Simon)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[Cyber Ring Stole Secrets for Gaming U.S. Stock Market: FireEye]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/12/1/11633408/cyber-ring-stole-secrets-for-gaming-u-s-stock-market-fireeye" />
			<id>https://www.vox.com/2014/12/1/11633408/cyber-ring-stole-secrets-for-gaming-u-s-stock-market-fireeye</id>
			<updated>2019-03-06T06:25:08-05:00</updated>
			<published>2014-12-01T14:15:51-05:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[Security researchers say they have uncovered a cyber espionage ring focused on stealing corporate secrets for the purpose of gaming the stock market, in an operation that has compromised sensitive data about dozens of publicly held companies. Cybersecurity firm FireEye, which disclosed the operation on Monday, said that since the middle of last year, the [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Maksim Kabakou / Shutterstock" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15810479/security-lock-maksim-kabakou-shutterstock.0.1462687161.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>Security researchers say they have uncovered a cyber espionage ring focused on stealing corporate secrets for the purpose of gaming the stock market, in an operation that has compromised sensitive data about dozens of publicly held companies.</p>

<p>Cybersecurity firm FireEye, which disclosed the operation on Monday, said that since the middle of last year, the group has attacked email accounts at more than 100 firms, most of them pharmaceutical and healthcare companies.</p>

<p>Victims also include firms in other sectors, as well as corporate advisors including investment bankers, attorneys and investor relations firms, according to FireEye.</p>

<p>The cybersecurity firm declined to identify the victims. It said it did not know whether any trades were actually made based on the stolen data.</p>

<p>Still, FireEye Threat Intelligence Manager Jen Weedon said the hackers only targeted people with access to highly insider data that could be used to profit on trades before that data was made public.</p>

<p>They sought data that included drafts of U.S. Securities and Exchange Commission filings, documents on merger activity, discussions of legal cases, board planning documents and medical research results, she said.</p>

<p>&ldquo;They are pursuing sensitive information that would give them privileged insight into stock market dynamics,&rdquo; Weedon said.</p>

<p>The victims ranged from small to large cap corporations. Most are in the United States and trade on the New York Stock Exchange or Nasdaq, she said.</p>

<p>An FBI spokesman declined comment on the group, which FireEye said it reported to the bureau.</p>

<p>The security firm designated it as FIN4 because it is number 4 among the large, advanced financially motivated groups tracked by FireEye.</p>

<p>The hackers don&rsquo;t infect the PCs of their victims. Instead they steal passwords to email accounts, then use them to access those accounts via the Internet, according to FireEye.</p>

<p>They expand their networks by posing as users of compromised accounts, sending phishing emails to associates, Weedon said.</p>

<p>FireEye has not identified the hackers or located them because they hide their tracks using Tor, a service for making the location of Internet users anonymous.</p>

<p>FireEye said it believes they are most likely based in the United States, or maybe Western Europe, based on the language they use in their phishing emails, Weedon said.</p>

<p>She said the firm is confident that FIN4 is not from China, based on the content of their phishing emails and their other techniques.</p>

<p>Researchers often look to China when assessing blame for economically motivated cyber espionage. The United States has accused the Chinese government of encouraging hackers to steal corporate secrets, allegations that Beijing has denied, causing tension between the two countries.</p>

<p>Weedon suspects the hackers were trained at Western investment banks, giving them the know-how to identify their targets and draft convincing phishing emails.</p>

<p>&ldquo;They are applying their knowledge of how the investment banking community works,&rdquo; Weedon said.</p>

<p>(Editing by Eric Walsh)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[U.S. Government Probes Medical Devices for Possible Cyber Flaws]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/10/22/11632130/u-s-government-probes-medical-devices-for-possible-cyber-flaws" />
			<id>https://www.vox.com/2014/10/22/11632130/u-s-government-probes-medical-devices-for-possible-cyber-flaws</id>
			<updated>2019-03-06T06:22:53-05:00</updated>
			<published>2014-10-22T01:39:21-04:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cyber security flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, a senior official at the agency told Reuters. The products under review by the agency&#8217;s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters / Brian Losness" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15809969/medtronic-insulin-pump.0.1462686466.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cyber security flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, a senior official at the agency told Reuters.</p>

<p>The products under review by the agency&rsquo;s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira and implantable heart devices from Medtronic and St. Jude Medical, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.</p>

<p>These people said they do not know of any instances of hackers attacking patients through these devices, so the cyber threat should not be overstated. Still, the agency is concerned that malicious actors may try to gain control of the devices remotely and create problems, such as instructing an infusion pump to overdose a patient with drugs, or forcing a heart implant to deliver a deadly jolt of electricity, the sources said.</p>

<p>The senior DHS official said the agency is working with manufacturers to identify and repair software coding bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment. He declined to name the companies.</p>

<p>&ldquo;These are the things that shows like &lsquo;Homeland&rsquo; are built from,&rdquo; said the official, referring to the U.S. television spy drama in which the fictional vice president of the United States is killed by a cyber attack on his pacemaker.</p>

<p>&ldquo;It isn&rsquo;t out of the realm of the possible to cause severe injury or death,&rdquo; said the official, who did not want to be identified due to the sensitive nature of his work.</p>

<p>Hospira, Medtronic and St. Jude Medical declined to comment on the DHS investigations. All three companies said they take cyber security seriously and have made changes to improve product safety, but declined to give details.</p>

<p>ICS-CERT&rsquo;s mandate is to help protect critical U.S. infrastructure from cyber threats, whether they are introduced through human error, virus infections or through attacks by criminals or extremists.</p>

<p>According to the senior DHS official, the agency started examining health care equipment about two years ago, when cyber security researchers were becoming more interested in medical devices that increasingly contained computer chips, software, wireless technology and Internet connectivity, making them more susceptible to hacking.</p>

<p>The U.S. Food and Drug Administration, which regulates the sale of medical devices, recently released guidelines for manufacturers and health care providers to better secure medical devices and is holding its first public conference on the topic this week.</p>

<p>&ldquo;The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too,&rdquo; said William Maisel, chief scientist at the FDA&rsquo;s Center for Devices and Radiological Health. He declined to comment on the DHS reviews.</p>

<p>The senior DHS official said the two dozen cases currently under investigation cover a wide range of equipment, including medical imaging equipment and hospital networking systems. A DHS review does not imply the government thinks a company has done anything wrong &mdash; it means the agency is looking into a suspected vulnerability to try to help rectify it.</p>

<p>One of the cases involves an alleged vulnerability in a type of infusion pump, a piece of hospital equipment that delivers medication directly into a patient&rsquo;s bloodstream. Private cyber security researcher Billy Rios said he discovered the alleged bug but declined to identify the manufacturer of the pump. Two people familiar with his research said the manufacturer was Hospira.</p>

<p>Rios said he wrote a program that could remotely force multiple pumps to dose patients with potentially lethal amounts of drugs. He submitted his analysis to the DHS.</p>

<p>&ldquo;This is an issue that is going to be extremely difficult to patch,&rdquo; said Rios, a former Marine platoon commander who has worked for several Silicon Valley technology firms and recently founded security startup Laconicly.</p>

<p>Reuters was not able to independently review his research or identify the type of pump Rios studied from Hospira&rsquo;s line, which includes multiple models.</p>

<p>Hospira spokeswoman Tareta Adams, while declining to comment on specifics, said the company is working to improve the security of its products.</p>

<p>&ldquo;Hospira has implemented software adjustments, distributed customer communications and made a commitment to evaluate other changes going forward, while ensuring we are not adversely impacting the ability of our devices to meet hospital and patient needs, and maintain compliance with FDA product requirements,&rdquo; Adams said in the statement.</p>

<p>Hospital security officers say there is increasing awareness about cyber threats, and medical centers around the country have been shoring up networks to better defend against hackers.</p>

<p>At the University of Texas M.D. Anderson Cancer Center, all medical devices will soon need to be tested to make sure they meet security standards before they can be put on the hospital&rsquo;s network, according to Lessley Stoltenberg, the center&rsquo;s chief information security officer.</p>

<p>&ldquo;I&rsquo;m pretty concerned,&rdquo; said Stoltenberg. &ldquo;Coming out of the block, medical devices don&rsquo;t really have security built into them.&rdquo;</p>

<p>The DHS is also reviewing suspected vulnerabilities in implantable heart devices from Medtronic and St. Jude Medical, according to two people familiar with the matter.</p>

<p>They said the probe was based in part on research by Barnaby Jack, a well-known hacker who died in July 2013. Jack had said he could hack into wireless communications systems that link implanted pacemakers and defibrillators with bedside monitors.</p>

<p>Medtronic spokeswoman Marie Yarroll said in an email that the company has &ldquo;made changes to enhance the security&rdquo; of its implantable cardiac devices, but declined to give specifics &ldquo;in the interest of patient safety.&rdquo;</p>

<p>St. Jude Medical spokeswoman Candace Steele Flippin also declined to discuss specific products but said the company has &ldquo;an ongoing program to perform extensive security testing on our medical devices and networked equipment. If a risk is identified, we will issue patches for any known issues.&rdquo;</p>

<p>Experts said it is important that security vulnerabilities in medical devices are exposed so manufacturers can fix them, but many said there was no need for patients to panic.</p>

<p>&ldquo;It&rsquo;s very easy to sort of sensationalize these problems,&rdquo; said Kevin Fu, who runs the Archimedes Research Center for Medical Device Security at the University of Michigan.</p>

<p>Still, worries about cyber security have made some individuals wary of medical devices with wireless and Internet connections.</p>

<p>In 2007, then-U.S. Vice President Dick Cheney ordered some of the wireless features to be disabled on his defibrillator due to security concerns. When asked if he would recommend other patients do the same, Cheney said not necessarily.</p>

<p>&ldquo;You&rsquo;ve got to look at all eventualities and do whatever you have to safeguard the capabilities of the individual,&rdquo; Cheney told Reuters on Tuesday. &ldquo;In terms of how it would affect others, I think the president and vice president are in relatively unique circumstances.&rdquo;</p>

<p>Cyber researcher Jay Radcliffe used to be among the hundreds of thousands of diabetics relying on computerized insulin pumps. He said he stopped using his Medtronic pump after he found that he could hack into its wireless communications system and potentially dump fatal doses of insulin into his body.</p>

<p>&ldquo;I don&rsquo;t feel safe wearing these devices,&rdquo; said Radcliffe, who works for Rapid7, a security software maker. &ldquo;It&rsquo;s better for me to stick myself with a needle.&rdquo;</p>

<p>Medtronic said it has made security improvements to its insulin pumps, though the company declined to give specifics.</p>

<p>George Grunberger, who has led the insulin pump management task force of the American Association of Clinical Endocrinologists, said he believes the benefits of pumps far outweigh any cyber risks, so he would not advise patients to follow Radcliffe&rsquo;s example.</p>

<p>(Reporting by Jim Finkle; Editing by Tiffany Wu)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[&#8220;Bash&#8221; Software Bug May Pose Bigger Threat Than &#8220;Heartbleed&#8221;]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/9/24/11631262/bash-software-bug-may-pose-bigger-threat-than-heartbleed" />
			<id>https://www.vox.com/2014/9/24/11631262/bash-software-bug-may-pose-bigger-threat-than-heartbleed</id>
			<updated>2019-03-06T06:00:04-05:00</updated>
			<published>2014-09-24T17:16:04-04:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[A newly discovered security bug in a widely used piece of Linux software, known as &#8220;Bash,&#8221; could pose a bigger threat to computer users than the &#8220;Heartbleed&#8221; bug that surfaced in April, cyber experts warned on Wednesday. Bash is the software used to control the command prompt on many Linux computers. Hackers can exploit a [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Sergey Nivens / Shutterstock" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15804336/computer-security.0.1543128458.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>A newly discovered security bug in a widely used piece of Linux software, known as &ldquo;Bash,&rdquo; could pose a bigger threat to computer users than the &ldquo;Heartbleed&rdquo; bug that surfaced in April, cyber experts warned on Wednesday.</p>

<p>Bash is the software used to control the command prompt on many Linux computers. Hackers can exploit a bug in Bash to take complete control of a targeted system, security experts said.</p>

<p>The &ldquo;Heartbleed&rdquo; bug allowed hackers to spy on computers, but not take control of them, according to Dan Guido, chief executive of cyber security firm Trail of Bits.</p>

<p>&ldquo;The method of exploiting this issue is also far simpler. You can just cut and paste a line of code and get good results,&rdquo; he said.</p>

<p>Guido said he is considering taking his company&rsquo;s non-essential servers offline to protect them from being attacked by the Bash bug until he can patch the software.</p>

<p>Tod Beardsley, an engineering manager at cyber security firm Rapid7, warned that the bug was rated a &ldquo;10&rdquo; for severity, meaning it has maximum impact, and rated &ldquo;low&rdquo; for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.</p>

<p>&ldquo;Using this vulnerability, attackers can potentially take over the operating system, access confidential information, make changes, etc.,&rdquo; Beardsley said. &ldquo;Anybody with systems using Bash needs to deploy the patch immediately.&rdquo;</p>

<p>&ldquo;Heartbleed,&rdquo; discovered in April, is a bug in an open-source encryption software called OpenSSL. The bug put the data of millions of people at risk as OpenSSL is used in about two-thirds of all websites. It also forced dozens of technology companies to issue security patches for hundreds of products that use OpenSSL.</p>

<p>(Reporting by Jim Finkle; Editing by Tiffany Wu)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
			<entry>
			
			<author>
				<name>Jim Finkle</name>
			</author>
			
			<title type="html"><![CDATA[Hackers Can Tap USB Devices, Researcher Warns]]></title>
			<link rel="alternate" type="text/html" href="https://www.vox.com/2014/7/31/11629394/hackers-can-tap-usb-devices-researcher-warns" />
			<id>https://www.vox.com/2014/7/31/11629394/hackers-can-tap-usb-devices-researcher-warns</id>
			<updated>2019-03-06T06:18:47-05:00</updated>
			<published>2014-07-31T12:31:23-04:00</published>
			<category scheme="https://www.vox.com" term="Technology" />
							<summary type="html"><![CDATA[USB devices such as keyboards, thumb-drives and mice can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday. Karsten Nohl, chief scientist with Berlin&#8217;s SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer [&#8230;]]]></summary>
			
							<content type="html">
											<![CDATA[

						
<figure>

<img alt="" data-caption="" data-portal-copyright="Reuters / Thomas Peter" data-has-syndication-rights="1" src="https://platform.vox.com/wp-content/uploads/sites/2/chorus/uploads/chorus_asset/file/15808962/karsten-nohl-sr-labs.0.1467743348.jpg?quality=90&#038;strip=all&#038;crop=0,0,100,100" />
	<figcaption>
		</figcaption>
</figure>
<p>USB devices such as keyboards, thumb-drives and mice can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.</p>

<p>Karsten Nohl, chief scientist with Berlin&rsquo;s SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.</p>

<p>&ldquo;You cannot tell where the virus came from. It is almost like a magic trick,&rdquo; said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.</p>

<p>The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.</p>

<p>Nohl said his firm has performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.</p>

<p>Computers do not detect the infections when tainted devices are inserted because anti-virus programs are only designed to scan for software written onto memory and do not scan the &ldquo;firmware&rdquo; that controls the functioning of those devices, he said.</p>

<p>Nohl and Jakob Lell, a security researcher at SR Labs, will describe their attack method at next week&rsquo;s Black Hat hacking conference in Las Vegas, in a presentation titled: &ldquo;Bad USB &ndash; On Accessories that Turn Evil.&rdquo;</p>

<p>Thousands of security professionals gather at the annual conference to hear about the latest hacking techniques, including ones that threaten the security of business computers, consumer electronics and critical infrastructure.</p>

<p>Nohl said he would not be surprised if intelligence agencies, like the National Security Agency, have already figured out how to launch attacks using this technique.</p>

<p>Last year, he presented research at Black Hat on breakthrough methods for remotely attacking SIM cards on mobile phones. In December, documents leaked by former NSA contractor Edward Snowden demonstrated that the U.S. spy agency was using a similar technique for surveillance, which it called &ldquo;Monkey Calendar.&rdquo;</p>

<p>An NSA spokeswoman declined to comment.</p>

<p>SR Labs tested the technique by infecting controller chips made by a major Taiwanese manufacturer, Phison Electronics, and placing them in USB memory drives and smartphones running Google&rsquo;s Android operating system.</p>

<p>Alex Chiu, an attorney with Phison, told Reuters via email that Nohl had contacted the company about his research in May.</p>

<p>&ldquo;Mr. Nohl did not offer detailed analysis together with work product to prove his finding,&rdquo; Chiu said. &ldquo;Phison does not have ground to comment (on) his allegation.&rdquo;</p>

<p>Chiu said that &ldquo;from Phison&rsquo;s reasonable knowledge and belief, it is hardly possible to rewrite Phison&rsquo;s controller firmware without accessing our confidential information.&rdquo;</p>

<p>Similar chips are made by Silicon Motion Technology Corp and Alcor Micro Corp. Nohl said his firm did not test devices with chips from those manufacturers.</p>

<p>Google did not respond to requests for comment. Officials with Silicon Motion and Alcor Micro could not immediately be reached.</p>

<p>Nohl believed hackers would have a &ldquo;high chance&rdquo; of corrupting other kinds of controller chips besides those made by Phison, because their manufacturers are not required to secure software. He said those chips, once infected, could be used to infect mice, keyboards and other devices that connect via USB.</p>

<p>&ldquo;The sky is the limit. You can do anything at all,&rdquo; he said.</p>

<p>In his tests, Nohl said he was able to gain remote access to a computer by having the USB instruct the computer to download a malicious program with instructions that the PC believed were coming from a keyboard. He was also able to change what are known as DNS network settings on a computer, essentially instructing the machine to route Internet traffic through malicious servers.</p>

<p>Once a computer is infected, it could be programmed to infect all USB devices that are subsequently attached to it, which would then corrupt machines that they contact.</p>

<p>&ldquo;Now all of your USB devices are infected. It becomes self-propagating and extremely persistent,&rdquo; Nohl said. &ldquo;You can never remove it.&rdquo;</p>

<p>Christof Paar, a professor of electrical engineering at Germany&rsquo;s University of Bochum who reviewed the findings, said he believed the new research would prompt others to take a closer look at USB technology, and potentially lead to the discovery of more bugs. He urged manufacturers to improve protection of their chips to thwart attacks.</p>

<p>&ldquo;The manufacturer should make it much harder to change the software that runs on a USB stick,&rdquo; Paar said.</p>

<p>(Additional reporting by Michael Gold in Taipei; Editing by Richard Valdmanis, Richard Chang and Bernadette Baum)</p>

<p><small><em>This article originally appeared on Recode.net.</em></small></p>
						]]>
									</content>
			
					</entry>
	</feed>
