FBI warning over NZ firm and ransomware

Waikato Hospital was recently the victim of a ransomware attack. File Image.

The FBI warns Auckland company Mega.NZ is being used by ransomware attackers.

The company has stated to RNZ that there is no sign hackers are using its service to store patient data stolen from Waikato hospitals, but it cannot rule out the possibility.

The FBI has issued a series of alerts since last year, naming Mega.

The latest - on 20 May, three days after Waikato DHB was crippled - says Mega was one of two cloud storage services that hackers behind mass attacks, including on health services, have been using.

Another, in March, says: "The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim's computer."

Mega says there was no way to prevent criminals using legitimate software since they fully controlled the system they hacked.

It was also impossible to know what its 220 million account holders kept in their encrypted files, except if law enforcement or a hacked company alerted it.

"If they found a Mega link, it would be reported to us and [the account] closed within minutes," Mega chief executive and chair Stephen Hall says.

He could "not guarantee" Mega's services were not being used by the Waikato DHB's hackers, but so far the company had not been alerted by local police or Waikato DHB.

"All I can say is there's no sign of that being on Mega at this stage," Hall says.

The FBI alerts also referred to hackers using Microsoft's Windows Sysinternals and Swiss firm pCloud.

Mega.NZ is a successor company to Megaupload, set up by Kim Dotcom. Megaupload's domains were seized by the US Department of Justice.

Dotcom exited Mega years ago, and Hong Kong's Cloud Tech Services owns most of it.

It has been suggested the Waikato attack used ransomware called Conti, or Zeppelin.

The FBI says one indicator of a Conti ransomware attack was when large transfers went to Mega or pCloud servers.
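A defender can check for this indicator in outbound proxy or flow logs. The following is an added example, not taken from the FBI alert or from this article: it sums each internal host's upload volume to the named services within a sliding window and ignores look-alike domains. The log format, host names, domain suffix list, threshold and window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed domain suffixes for the two services named in the alert.
WATCHED = {"mega.nz": "MEGA", "mega.co.nz": "MEGA", "pcloud.com": "pCloud"}
THRESHOLD_BYTES = 500 * 1024 * 1024  # assumed alert threshold: 500 MiB
WINDOW = timedelta(hours=1)          # assumed sliding window

# Constructed sample: ISO timestamp, source host, destination host, bytes sent.
SAMPLE_LOG = """\
2024-01-10T01:02:11 ws-114 api.mega.co.nz 2048
2024-01-10T01:05:40 fs-02 files.mega.nz 314572800
2024-01-10T01:21:07 fs-02 files.mega.nz 367001600
2024-01-10T01:30:00 ws-114 notmega.nz 900000000
2024-01-10T01:00:00 fs-03 files.mega.nz 314572800
2024-01-10T05:00:00 fs-03 files.mega.nz 314572800
2024-01-10T03:45:12 fs-02 api.pcloud.com 1048576
"""

def service_for(host):
    """Map a hostname to a watched service, matching whole DNS labels only."""
    host = host.lower().rstrip(".")
    for suffix, name in WATCHED.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def find_large_uploads(log_text, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return (source, service, peak_bytes) where uploads in any window reach threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines
        service = service_for(parts[2])
        if service:
            events[(parts[1], service)].append((datetime.fromisoformat(parts[0]), int(parts[3])))
    alerts = []
    for (src, service), rows in sorted(events.items()):
        rows.sort()
        start = total = peak = 0
        for ts, sent in rows:
            total += sent
            while ts - rows[start][0] > window:  # drop events older than the window
                total -= rows[start][1]
                start += 1
            peak = max(peak, total)
        if peak >= threshold:
            alerts.append((src, service, peak))
    return alerts

if __name__ == "__main__":
    print(find_large_uploads(SAMPLE_LOG))
```

In the constructed sample only `fs-02` is flagged: `fs-03` sends the same service 600 MiB in total, but four hours apart, and the `notmega.nz` transfer does not match a watched suffix.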

Hall, asked if hackers had ever used Mega's premium and very large accounts, which it charges for, says the company was not making money out of stolen data.

"Absolutely not. Certainly, not our intention, nor is that the outcome.

"These people often just use a free account with a small limit, it's transitory.

"And we would never aim to or want to, or nor do we make money from it.

"Because it in fact causes us a lot of grief in tracking down, closing the account, dealing with law enforcement inquiries, and so on.

"It's the last thing we would ever want."

Using cloud storage was akin to the hacker using the phone wires or local computers in an attack, Hall says. Hackers were looking for efficient and fast platforms to exfiltrate data, and Mega was among those.

An FBI alert issued in July says attackers had "transitioned from uploading and releasing stolen data on MEGA to uploading the stolen data to another file sharing service:".

Dark Web search

The FBI alert in May reported at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies and emergency medical services, within the last year, among 400 organisations worldwide hit by Conti.

An RNZ search on the Dark Web of a site labelled 'Conti' did not find any mention of Waikato DHB.

Just one New Zealand company name was found, among the hundreds on the site, with a link to thousands of files purportedly hacked from it.

Hall says he was not aware of the general FBI online alerts, but he did respond to its alerts specific to Mega.

Mega has a good relationship with New Zealand police, and the FBI has sent him letters praising the company's responses to hacking; law enforcement agencies were "very, very satisfied".

"I had a very appreciative letter from one major overseas law enforcement operation this week," Hall says, but would not name the agency.

It was difficult to identify people with a track history of stealing data, to block them from opening an account, he said.

Mega's users upload about 65 million files a day or 750 files per second.

"We can't filter or investigate or index the whole wide world," Hall says.

Though files are encrypted, Mega has access to user registration information and IP addresses, its 2020 transparency report says.

In "extremely limited situations", Mega might disclose user information and data when it had written assurance from authorities that life or health was at stake.

Mega was served eight legal orders and disclosed information for accounts "alleged to be involved in serious criminal activity overseas," in 2019-2020, the report says.

It also closed down 565,000 accounts for sharing stolen or exploitative content.

Mega promotes its storage saying: "Strong, user-generated end-to-end encryption guarantees that nobody else will have unauthorised access to your data. Not even us."


Mega and similar services...

Posted on 03-06-2021 00:19 | By morepork

... are not interested in the content stored by their customers. Maybe they should be. Perhaps it is NOT OK to say, "nobody can read your data, not even us..." Confidentiality is one thing; criminals leveraging it for their own purposes is quite another. I believe there is an argument that ALL public Cloud storage should be readable by Law Enforcement Authorities, under special circumstances and with a Court Order. But it probably wouldn’t solve the problem because the bad guys would just build their own private clouds... The only defense currently is to prevent malware getting in, make regular backups, and keep them offline.


Posted on 02-06-2021 10:15 | By jed

Criminals also use Vodafone and Spark phones to plan their crimes. Criminals use Google, Apple, Dropbox and other such providers. I don’t get how this is any different.

Simple Really

Posted on 01-06-2021 21:41 | By The Caveman

The FBI are not going to make PUBLIC comments like they have UNLESS they have evidence to back up their comments!!! And given the Waikato DHB problems, who should we (NZ) be taking notice of???