SALT LAKE CITY, Utah (KSTU) — The Church of Jesus Christ of Latter-day Saints announced a cyberattack that was able to access the personal data of church members, employees and others.

In a news release Thursday, church officials said the attack occurred in late March, but did not access donation history or banking information.

According to the church, law enforcement authorities believe there is a low possibility of the data breached during the attack could be used to harm individuals.

The church says it's working with federal authorities and third-party cybersecurity experts to determine the scope of the incident and "to mitigate possible impacts."

The attack was not announced until months later at the request of law enforcement.

Those impacted by the breach will be notified by church officials. Church members are being told to "remain vigilant" over their personal accounts and to change passwords.

This story was originally reported by Jeff Tavss on fox13now.com.

WASHINGTON —

At least 100,000 people could have had their data compromised by a hack of contractors at the Department of Health and Human Services, a department official said Thursday, making it the latest U.S. government agency to be caught up in a sweeping cyberattack connected to Russian cybercriminals.

HHS notified Congress of the breach on Tuesday and will update lawmakers as the investigation continues, the official said. Agencies are required to notify Congress of a data breach that involves the compromise of personal information of 100,000 or more people.

“While no HHS systems or networks were compromised, attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software of third-party vendors,” the official told CNN.

MOVEit is the popular file-transfer software that suspected Russian cybercriminals have exploited in recent weeks to compromise scores of companies, schools and government agencies in the U.S. and abroad. U.S. firm Progress Software, which makes MOVEit, issued a security update for the software but the hackers had a few days’ head start in getting into systems.

CNN first reported that several U.S. agencies were affected by the MOVEit vulnerability, a list that includes the Department of Energy, Office of Personnel Management and U.S. Department of Agriculture.

Bloomberg News first reported that HHS was affected.

Federal officials have blamed the hacking campaign exploiting the software on a Russian-speaking group known as CLOP. The hackers are generally stealing data from victims rather than encrypting their computers with ransomware and using the stolen data to make extortion demands.

CLOP’s impact on federal agencies has been limited, officials say, but elsewhere millions of Americans have had their personal data accessed. Motor vehicle departments in Louisiana and Oregon, and California’s public pension fund have all had data stolen.

Big-name victims or targets of the hack have continued to emerge.

A spokesperson for Siemens Energy told CNN on Tuesday that the company was “among the targets” of the hack, but that “no critical data has been compromised and our operations have not been affected.”

The University of California Los Angeles had its MOVEit platform hacked on May 28, a university spokesperson told CNN on Tuesday. “This is not a ransomware incident,” the spokesperson said. “There is no evidence of any impact to any other campus systems.”

The hackers have been known to demand tens of millions of dollars in ransom in previous campaigns. But they are publishing a lot of the data stolen through the MOVEit hacks on their dark-web extortion site – a sign that some efforts to extract ransoms have failed.

Some victims have paid the hackers, Charles Carmakal – an executive at Mandiant Consulting, a Google-owned firm hired by some victims to respond to the hacking – previously told CNN. It’s unclear how many of the victims have paid off the hackers or how much they have paid. Carmakal and others have declined to comment on that.

But even a handful of victims with high payouts can be profitable and fuel future hacks.

“We have many active forensic investigations involving this vulnerability involving data theft and extortion with unusually high ransom demands,” Shane Sims, a former supervisory special agent at the FBI who is now CEO of cybersecurity firm Kivu Consulting, told CNN. “Victims span the US and UK, and include the financial, industrial, legal, health care and technology sectors.”

CINCINNATI — Experts and federal officials are warning Americans to be vigilant against cyberattacks as Russia continues its invasion of Ukraine.

The FBI and U.S. Cybersecurity and Infrastructure Security Agency updated their warning to U.S. critical infrastructure firms Tuesday to reinforce their defenses.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data," the advisory said. "Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries."

WCPO sat down with cyber expert Richard Harknett Tuesday. Harknett is the director of the University of Cincinnati’s School of Public and International Affairs, co-director of the Ohio Cyber Range Institute, and Chair of the Center for Cyber Strategy and Cyber Policy. He’s also a former scholar-in-residence to the U.S. Cyber Command and the National Security Agency.

Q: Cyberattacks and cybercrime are nothing new. This is something companies are having to deal with on a minute-by-minute basis, probably. How is this situation different in the past two weeks with the invasion of Ukraine?

Cyberspace, as you correctly point out, is a vital asset for companies here in Cincinnati. You can’t conduct business without being on the digital platform. And they understand that it’s also an incredibly vulnerable space. At the criminal activity levels, our companies, our individuals, our citizens of Cincinnati have to deal with cyber operations against their personal information, about their business operations all the time. It’s something we call cyber persistence.

What happens during international crises, and we don’t have wars breaking out that often that involve a great power like Russia, the question becomes in this interaction between the United States and Russia, is cyber an opportunity for Russia to control the environment and advance their interests?

So the answer is possibly. … There’s a couple of possibilities of why Russia may consider using cyber means to kind of change the dynamic. And because we’re using economic sanctions, the possibility of using cyber operations against economic assets to disrupt the U.S. economy, to disrupt companies, that I think is on the table.

Q: Are there particular segments of the industry that are more sought-after targets?

The most sought-after target is the easiest target … you’re only as good as your weakest link. And lots of companies, large companies have third party contracts. So those third-party contracts could become cyber security issues. Of course, banks, you would think about disrupting the financial, but they’re probably the strongest industry we have in the U.S. with regard to cyber security. Your defense-based companies like GE Aircraft. I hope they don’t mind me saying it, but they’re the gold standard. They’re really good. Why? Because they get attacked every day from foreign adversaries who are trying to get their intellectual property.

Q: Anything else?

That’s only one category, Paula, that we have to be worried about. The second context is would Russia actually consider using their cyber operation to start to affect critical infrastructure? Duke Energy, our water treatment plants in the city — these are things that at the U.S. government level we have declared to be critical infrastructure and any significant attack, the phrase they use is an attack of significant consequence.

So, if you were able to knock out electricity, if you were able to affect water treatment ... we would, the United States would, consider that a use of force, an armed attack. So, the question becomes why would Russia, who right now is not fighting the United States in a direct war, what would create incentive for them to try to get the United States, through an attack, maybe to back down?

If the Ukrainians hold out and Putin gets frustrated, and the Russian economy starts to feel the pinch, if he’s as committed as people think he is, he’s likely to raise then the bar and not go home. And the question is for the United States, have we sent any signals that would encourage them to think that they could get away with this?

Q: Is there a DEFCON level for cyber threats and where are we at now?

That’s a great question. The Department of Homeland Security has a particular agency which is focused on cyber and critical infrastructure. And they do post warnings in coordination with the National Security Agency, the FBI, the U.S. Cyber Command … when they pick up intelligence and when they discover malware. There is a site called Virus Total and there’s been a number of times recently where the U.S. Cyber Command has found malware and instead of keeping it secret has actually published it on Virus Total so that the entire private sector is informed.

We assume in national cyber security and in business security, you’re going to get attacked. … Would it be a good thing right now for U.S. companies to talk to their employees and reemphasize good cyber hygiene — not clicking on links that you’re not sure where they came from, hovering over that link, make sure there’s not a .ru after it, that would be pretty obvious that would mean it’s coming from a Russian server. … Do you get a call that seems suspicious and is asking for personal identified information? Yeah, it would be good that we heighten our cyber security.

Q: Is there anything individual citizens should do?

So at the individual citizen level, we have to actually realize that we don’t have a neutral effect here. Every day we either contribute to national cyber security by being good at our cyber hygiene and making sure that we don’t have viruses on our computers, or we aid and abet the bad guys. … There’s more of a civic duty here and maybe in a wartime environment that would resonate with people more.

It’s not just about protecting yourself, it’s about protecting the entire space that we all benefit from.

Q: What is the psychological impact of a cyberattack on the general public?

The question becomes if you have an intentional act on something big, like critical infrastructure, would we read that and understand that differently than if a missile strike occurred?

Cyber doesn’t have that visual. We won’t see transformers destroyed if the electricity goes down. … To be honest with you we don’t have good research and good data for a good reason: we haven’t had one of these big attacks. We’ve been talking about big-scale cyberattacks for over a decade. … The United States has adversaries working every day to undermine U.S. national sources of power, but it’s done in an incremental way. They’re accumulating over time. Why? Because it doesn’t bring the U.S. military into play. It doesn’t get to that deterrent level that would say, now you’ve crossed the line and we’re going to war with you.

If you actually disrupt critical infrastructure, electric grids, water treatment — things of that nature, it should be no different than if I dropped a bomb on it or I used a piece of code. If the effect is war, then we have to make that clear to the Russians. Because deterrence only works, if you’re actually clear to the other side of what you intend to do.

I think it would be dangerous for the United States, which is the most digitally connected state at scale in the world, if we make a distinction between code and kinetic bomb. If we don’t respond in the same way then what you’re saying is it's okay if you shut us down with code, just don’t do it with a bomb.

Some answers were shortened for brevity.

The White House blamed Russia on Friday for this week's cyberattacks targeting Ukraine's defense ministry and major banks and warned of the potential for more significant disruptions in the days ahead.

Anne Neuberger, the Biden administration's deputy national security adviser for cyber and emerging technologies, said the U.S. had rapidly linked Tuesday's attacks to Russian military intelligence officers. 

Britain joined the U.S. in blaming the GRU military intelligence agency for the distributed denial-of-service attacks that unfolded as tensions escalate between Russia and Ukraine.

The attacks, which knocked government websites and a couple of major banks offline for much of the day, were of "limited impact" since Ukrainian officials were able to quickly get their systems back up and running, Neuberger said. 

But she said the Russians could also be laying the groundwork for more disruptive activities that could accompany an invasion of Ukraine.

"We do expect that should Russia decide to proceed with a further invasion of Ukraine, we may see further destabilizing or destructive cyber activity, and we've been working closely with allies and partners to ensure we're prepared to call out that behavior and respond," Neuberger said.

She said the U.S. was publicly blaming the Kremlin because of a need to "call out the behavior quickly."

"The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity," Neuberger said.

The British Foreign Office said the attack "showed a continued disregard for Ukrainian sovereignty. This activity is yet another example of Russia's aggressive acts against Ukraine."

Neuberger said there was no intelligence indicating that the U.S. would be targeted by a cyberattack, but that remained a concern, given that the banking system does not have the "cyber resilience" that it should.

Ukrainian officials called Tuesday's attacks the worst in the country's history. But while they definitely disrupted online banking, impeded some government-to-public communications and were clearly intended to cause panic, they were not particularly serious by global or historic standards, said Roland Dobbins, the top engineer for DDoS at the cybersecurity firm Netscout.

"Most DDoS attacks succeed due to the lack of preparation on the part of the defenders," said Dobbins, adding that most commercial mitigation services designed to counter such attacks would likely have been able to fend off Tuesday's attacks.

This story was originally published by Willie James Inman and Rob Nelson of Newsy, the Associated Press contributed.

Suspected Iranian hackers have targeted dozens of defense technology and maritime transportation firms, successfully breaching a small number, in a spying campaign launched since July that could leave some of the companies vulnerable to follow-on hacking attempts, Microsoft announced Monday.

Among the targets were companies that work with the U.S., European Union and Israeli governments to make satellite systems, drones technology and "military-grade radars," Microsoft said.

It's just the latest effort by an alleged Iranian hacking group to access sensitive data held in the maritime sector. Another Iranian group last year stole information on the military unit of U.S. Navy members, according to IBM.

"Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program," Microsoft researchers wrote in a blog post on Monday.

Microsoft did not attribute the activity directly to an Iranian government organization but instead said the hacking "supports the national interests" of Iran based on a number of factors, including hacking techniques associated with another Iranian group.

John Lambert, head of Microsoft Threat Intelligence Center, told CNN that Microsoft discovered the hacking activity when responding to a breach of a U.S. financial services firm this summer.

The goal of releasing information on the intrusions now is to help organizations prepare for follow-on breach attempts, Lambert said. The hackers, he added, could look to use stolen login information to break into the internal networks of targeted organizations.

The suspected Iranian operatives tried guessing passwords at roughly 250 organizations, including unnamed U.S. and Israeli defense firms and organizations operating in Persian Gulf ports, according to Microsoft. The hackers managed to breach "less than 20" of those organizations, the tech firm said.

The maritime sector has long been of interest to Iran's intelligence services and the country sits on the Strait of Hormuz, through which about a fifth of the world's oil shipments pass.

"Given Iran's past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors," the Washington State-based technology provider said.

While this activity appears concentrated on Persian Gulf ports, U.S. maritime authorities have also had to raise their network defenses in response to threats.

Unidentified hackers in August breached a computer network at the Port of Houston, U.S. officials have said. Early detection of the incident meant the intruders weren't in a position to disrupt shipping operations, according to a Coast Guard analysis of the incident obtained by CNN.

"The shipping lanes are the highways of the sea," Lambert said. "And anything related to that is going to be in the crosshairs and subject to geopolitical dynamics."

BOSTON —

The single biggest global ransomware attack yet continued to bite Monday as details emerged on how the Russia-linked gang responsible breached the company whose software was the conduit. In essence, the criminals used a tool that helps protect against malware to spread it widely.

An affiliate of the notorious REvil gang, best known for extorting $11 million from the meat-processor JBS after a Memorial Day attack, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said.

REvil was demanding ransoms of up to $5 million. But late Sunday it offered in a posting on its dark web site a universal decryptor software key that would unscramble all affected machines in exchange for $70 million in cryptocurrency. It wasn't clear who they expected might pay that amount.

Sweden may have been hardest hit by the attack — or at least most transparent about it. Its defense minister, Peter Hultqvist, bemoaned on Monday "a serious attack on basic functions in Swedish society."

"It shows how fragile the system is when it comes to IT security and that you must constantly work to develop your ability to defend yourself," he said in a TV interview. Most of the Swedish grocery chain Coop's 800 stores were closed all weekend because their cash register software supplier was crippled. They remained closed Monday. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT were also hit.

A broad array of businesses and public agencies were affected, including in financial services, travel and leisure and the public sector — though few large companies, the cybersecurity firm Sophos reported. The cybersecurity firm ESET identified victims in countries including the United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya.

Ransomware criminals infiltrate networks and sow malware that cripples them by scrambling all their data. Victims get a decoder key when they pay up.

In Germany, an unnamed IT services company told authorities several thousand of its customers were compromised, the news agency dpa reported. Also among reported victims were two big Dutch IT services companies — VelzArt and Hoppenbrouwer Techniek. Most ransomware victims don't publicly report attacks or disclose if they've paid ransoms.

On Sunday, the FBI said in a statement that while it was investigating the attack, its scale "may make it so that we are unable to respond to each victim individually." Deputy National Security Advisor Anne Neuberger later issued a statement saying President Joe Biden had "directed the full resources of the government to investigate this incident" and urged all who believed they were compromised to alert the FBI.

Biden suggested Saturday the U.S. would respond if it was determined that the Kremlin is at all involved. Less than a month ago, Biden pressed Russian President Vladimir Putin to stop giving safe haven to REvil and other ransomware gangs whose unrelenting extortionary attacks the U.S. deems a national security threat.

On Monday, Putin spokesman Dmitry Peskov was asked if Russia was aware of the attack or had looked into it. He said no, but suggested it could be discussed by the U.S. and Russia in consultations on cybersecurity issues for which no timeline has been specified.

Experts say it was no coincidence that REvil launched the attack at the start of the Fourth of July holiday weekend, knowing U.S. offices would be lightly staffed and many victims might not learn of it until back at work Monday or Tuesday.

Most end users of managed service providers "have no idea" whose software keep their networks humming, said CEO Fred Voccola of the breached software company, Kaseya.

He estimated the victim number in the low thousands, mostly small businesses like "dental practices, architecture firms, plastic surgery centers, libraries, things like that."

Voccola said only between 50-60 of the company's 37,000 customers were compromised. But 70% were managed service providers who use the company's hacked VSA software to manage multiple customers. It automates the installation of software and malware-detection updates and manages backups and other vital tasks.

Kaseya said it sent a detection tool to nearly 900 customers on Saturday night.

The REvil offer to offer blanket decryption for all victims of the Kaseya attack in exchange for $70 million suggested its inability to cope with the sheer quantity of infected networks, said Allan Liska, an analyst with the cybersecurity firm Recorded Future.

But Kevin Reed of Acronis said the offer of a universal decryptor could be a PR stunt because no human involvement would be needed to pay a $45,000 base ransom demand apparently sent to the vast majority of targets. Analysts reported seeing demands of $5 million and $500,000 for bigger targets, which would require negotiation.

Analyst Brett Callow of Emsisoft said he suspects REvil is hoping insurers might crunch the numbers and determine the $70 million will be cheaper for them than extended downtime.

Sophisticated ransomware gangs on REvil's level usually examine a victim's financial records — and insurance policies if they can find them — from files they steal before activating the ransomware. The criminals then threaten to dump the stolen data online unless paid, although that does not appear to have happened in this case. But this attack was apparently bare-bones. REvil seems only to have scrambled victims' data.

Dutch researchers said they alerted Miami-based Kaseya to the breach and said the criminals used a "zero day," the industry term for a previous unknown security hole in software. Voccola would not confirm that or offer details of the breach — except to say that it was not phishing.

"The level of sophistication here was extraordinary," he said.

It was not the first ransomware attack to leverage managed services providers. In 2019, criminals hobbled the networks of 22 Texas municipalities through one. That same year, 400 U.S. dental practices were crippled in a separate attack.

Active since April 2019, REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms. U.S. officials say the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.

___

AP reporters Jim Heintz in Moscow, Jan Olsen in Stockholm, Kirsten Grieshaber in Berlin, Jari Tanner in Helsinki and Sylvie Corbet in Paris contributed to this report.

Video above: Biden to confer with Europe allies, confront Putin

Set to embark on the first overseas trip of his term, President Joe Biden is eager to reassert the United States on the world stage, steadying European allies deeply shaken by his predecessor and pushing democracy as the only bulwark to rising forces of authoritarianism.

Biden has set the stakes for his eight-day trip in sweeping terms, believing that the West must publicly demonstrate it can compete economically with China as the world emerges from the coronavirus pandemic.

Building toward his trip-ending summit with Russia’s Vladimir Putin, Biden will aim to reassure European capitals that the United States can once again be counted on as a dependable partner to thwart Moscow’s aggression both on their eastern front and their internet battlefields.

The trip will be far more about messaging than specific actions or deals. And the paramount priority for Biden, who leaves Wednesday for his first stop in the United Kingdom, is to convince the world that his administration is not just a fleeting deviation in the trajectory of an American foreign policy that many allies fear irrevocably drifted toward a more transactional outlook under former President Donald Trump.

“The trip, at its core, will advance the fundamental thrust of Joe Biden’s foreign policy,” said national security adviser Jake Sullivan, “to rally the world’s democracies to tackle the great challenges of our time.”

Biden’s to-do list is ambitious.

In their face-to-face sit-down in Geneva, Biden wants to privately pressure Putin to end myriad provocations, including cybersecurity attacks on American businesses by Russian-based hackers, the jailing of opposition leader Alexei Navalny and repeated overt and covert efforts by the Kremlin to interfere in U.S. elections.

Biden is also looking to rally allies on their COVID-19 response and to urge them to coalesce around a strategy to check emerging economic and national security competitor China even as the U.S. expresses concern about Europe's economic links to Moscow. Biden also wants to nudge outlying allies, including Australia, to make more aggressive commitments to the worldwide effort to curb global warming.

The week-plus journey is a big moment for Biden, who traveled the world for decades as vice president and as chair of the Senate Foreign Relations Committee, and will now step off Air Force One on international soil as commander in chief. He will face world leaders still grappling with the virus and rattled by four years of Trump’s inward-looking foreign policy and moves that strained longtime alliances as the former president made overtures to strongmen.

“In this moment of global uncertainty, as the world still grapples with a once-in-a-century pandemic,” Biden wrote in a Washington Post op-ed previewing his diplomatic efforts, “this trip is about realizing America’s renewed commitment to our allies and partners, and demonstrating the capacity of democracies to both meet the challenges and deter the threats of this new age."

The president first travels to Britain for a summit of the Group of Seven leaders and then Brussels for a NATO summit and a meeting with the heads of the European Union. It comes at a moment when Europeans have diminished expectations for what they can expect of U.S. leadership on the foreign stage.

Central and Eastern Europeans are desperately hoping to bind the U.S. more tightly to their security. Germany is looking to see the U.S. troop presence maintained there so it doesn’t need to build up its own. France, meanwhile, has taken the tack that the U.S. can’t be trusted as it once was and that the European Union must pursue greater strategic autonomy going forward.

“I think the concern is real that the Trumpian tendencies in the U.S. could return full bore in the midterms or in the next presidential election,” said Alexander Vershbow, a former U.S. diplomat and once deputy secretary general of NATO.

The sequencing of the trip is deliberate: Biden consulting with Western European allies for much of a week as a show of unity before his summit with Putin.

His first stop late Wednesday will be an address to U.S. troops stationed in Britain, and the next day he sits down with British Prime Minster Boris Johnson. The two men will meet a day ahead of the G-7 summit to be held above the craggy cliffs of Cornwall overlooking the Atlantic Ocean.

The most tactile of politicians, Biden has grown frustrated by the diplomacy-via-Zoom dynamics of the pandemic and has relished the ability to again have face-to-face meetings that allow him to size up and connect with world leaders. While Biden himself is a veteran statesman, many of the world leaders he will see in England, including Johnson and French President Emmanuel Macron, took office after Biden left the vice presidency. Another, Germany’s Angela Merkel, will leave office later this year.

There are several potential areas of tension. On climate change, the U.S. is aiming to regain its credibility after Trump pulled the country back from the fight against global warming. Biden could also feel pressure on trade, an issue to which he's yet to give much attention. And with the United States well supplied with COVID-19 vaccines yet struggling to persuade some of its own citizens to use it, leaders whose inoculation campaigns have been slower will surely pressure Biden to share more surplus around the globe.

Another central focus will be China. Biden and the other G-7 leaders will announce an infrastructure financing program for developing countries that is meant to compete directly with Beijing’s Belt-and-Road Initiative. But not every European power has viewed China in as harsh a light as Biden, who has painted the rivalry with the techno-security state as the defining competition for the 21st century.

The European Union has avoided taking as strong a stance on Beijing’s crackdown on Hong Kong’s democracy movement or treatment of Uyghur Muslims and other ethnic minorities in the western Xinjiang province as the Biden administration may like. But there are signs that Europe is willing to put greater scrutiny on Beijing.

The EU in March announced sanctions targeting four Chinese officials involved with human rights abuses in Xinjiang. Beijing, in turn, responded by imposing sanctions on several members of the European Parliament and other Europeans critical of the Chinese Communist Party.

Biden is also scheduled to meet with Turkish President Recep Tayyip Erdogan while in Brussels, a face-to-face meeting between two leaders who have had many fraught moments in their relationship over the years.

Biden waited until April to call Erdogan for the first time as president. In that call, he informed the Turkish leader that he would formally recognize that the systematic killings and deportations of hundreds of thousands of Armenians by Ottoman Empire forces in the early 20th century were “genocide” — using a term for the atrocities that his White House predecessors had avoided for decades over concerns of alienating Turkey.

The trip finale will be Biden's meeting with Putin.

Biden has taken a very different approach to Russia than Trump's friendly outreach. Their sole summit, held in July 2018 in Helsinki, was marked by Trump’s refusal to side with U.S. intelligence agencies over Putin’s denials of Russian interference in the election two years earlier.

Biden could well be challenged by unrest at home as Russia looks to exploit the Jan. 6 Capitol insurrection and the debate over voting rights to undermine the U.S. position as a global role model. The American president, in turn, is expected to push Russia to quell its global meddling.

“By and large, these are not meetings on outcomes, these are 'get to know you again' meetings for the U.S. and Europe,” said Richard Haass, president of the Council on Foreign Relations. “It's about delivering a message to Putin, to reviving old alliances and to demonstrate again that the U.S. is back on the right course.”

Related video: Biden to speak to Russia about JBS cyberattackThe meat supplier JBS USA paid an $11 million ransom in response to a cyberattack that led to the shutdown of its entire U.S. beef processing operation last week, the company said in a statement Wednesday evening.The ransom was paid after most of the company's facilities had come back online, JBS said."This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, CEO of JBS USA, in the statement. "However, we felt this decision had to be made to prevent any potential risk for our customers." JBS's payment was first reported by The Wall Street Journal.The cyberattack affected servers supporting JBS's IT systems in North America and Australia. The U.S. government has attributed the ransomware attack to REvil, a criminal gang believed to be based in Russia or Eastern Europe."Preliminary investigation results confirm that no company, customer or employee data was compromised," JBS said in Wednesday's statement.JBS USA is part of JBS Foods, which it says is one of the world's largest food companies. It has operations in 15 countries and has customers in about 100 countries, according to its website. Its brands include Pilgrim's, Great Southern and Aberdeen Black.

WASHINGTON —

A pipeline company CEO on Tuesday defended his decisions to abruptly halt fuel distribution for much of the East Coast and pay millions to a criminal gang in Russia as he faced down one of the most disruptive ransomware attacks in U.S. history.

Colonial Pipeline CEO Joseph Blount said he had no choice, telling senators uneasy with his actions that he feared far worse consequences given the uncertainty the company was confronting as the attack unfolded last month.

"I know how critical our pipeline is to the country," Blount said, "and I put the interests of the country first."

His testimony to the Senate Homeland Security Committee on the May 7 cyberattack provided a rare window into the dilemma faced by the private sector amid a storm of ransomware attacks in which overseas hackers breach a company's network and encrypt their data, demanding a ransom to release it back to them.

U.S. authorities tell companies not to pay the ransom, arguing the crooks may not provide the keys to unencrypt the data and that the payments will encourage future attacks and help sustain criminal networks typically based in Russia and Eastern Europe. Blount chose to disregard that advice within the first 24 hours of the attack and paid the equivalent of $4.4 million in bitcoin to retrieve the company's data. U.S. officials said Monday they had recovered much of the payment.

"I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible," Blount said. "It was the hardest decision I've made in my 39 years in the energy industry."

The company, he said, was "deeply sorry" for the effect of the shutdown but had to act fast as it worked feverishly to determine whether the criminal gang had compromised the operational systems or physical security of the 5,500-mile pipeline — and to try to avoid a more sustained shutdown.

Asked how much worse it would have been if the company hadn't paid to get its data back, Blount said, "That's an unknown we probably don't want to know. And it may be an unknown we probably don't want to play out in a public forum."

His appearance before the Senate comes as lawmakers consider possible measures to address the ransomware attacks that have been launched against thousands of businesses as well as state and local government agencies.

"We've got to recognize these ransomware attacks for what they are. It's a serious national security threat," said Sen. Rob Portman, a Republican from Ohio. "Attacks against critical infrastructure are not just attacks on companies. They are attacks on our country itself."

Already, the Justice Department and FBI have established a task force to deal with ransomware with some success, including managing to seize 85% of the bitcoin that Colonial paid as ransom. But many of the criminals behind the attacks are beyond their reach in Russia or other countries that will not extradite suspects to the U.S.

The Biden administration has also made ransomware, and cybersecurity more broadly, a national priority in the wake of a series of high-profile intrusions.

Last month, the administration issued new regulations for the pipeline industry, requiring companies to conduct cybersecurity assessments and immediately report any breaches to the federal government. The industry has until now operated under voluntary guidelines.

Blount disputed a media report that his company had refused to participate in one of the voluntary assessments, conducted by the Transportation Security Administration, earlier this year, saying it had merely been delayed because of COVID-19 and other issues. "That was quite a shock to me," he said of the account.

The attack on Colonial Pipeline — which supplies roughly 45% of the fuel consumed on the East Coast — has been attributed to a Russia-based gang of cybercriminals using the DarkSide ransomware variant, one of more than 100 variants the FBI is currently investigating.

It began after hackers accessed the company's IT system through a virtual private network that was no longer in active use. Blount said it only required a "complicated" password to gain entry rather than multifactor authentication, which provides additional security and is now required at Colonial.

"The ransomware attack on Colonial Pipeline affected millions of Americans, " said Sen. Gary Peters, a Michigan Democrat. "The next time an incident like this happens, unfortunately, it could be even worse."

Blount said the Georgia-based company began negotiating with the hackers on the evening of the May 7 attack and paid a ransom of 75 bitcoin — then valued at roughly $4.4 million — the following day. The hack prompted the company to halt operations before the ransomware could spread to its operating systems.

The encryption tool the hackers provided the company in exchange for the payment helped "to some degree" but was not perfect, with Colonial still in the process of fully restoring its systems while working with consultants to assess the damage and improve cybersecurity, Blount said.

It took the company five days to resume pipeline operations. What took place in that time illustrated why they needed to quickly pay the ransom, he told the lawmakers.

"We already started to see pandemonium going on in the markets, people doing unsafe things like filling garbage bags full of gasoline or people fist-fighting in line at the fuel pump," he said. "The concern would be what would happen if it had stretched on beyond that amount of time."

The pandemic slammed businesses, including health care systems. On top of the stress of COVID-19, they also saw more cybersecurity attacks.

“Health care has always been a target, but it tremendously just blew up when the pandemic started,” said Angela Kobel, Chief Financial Officer of Lincoln Health in Hugo, Colorado.

She’s talking about cybersecurity. As the pandemic stressed health care systems, the industry also saw more attempted cyberattacks.

“A lot of our employees were working remotely as we closed the hospital down, which made us vulnerable,” Kobel said. “Everybody was so busy fighting COVID and trying to figure out what was happening with COVID that we didn't have the resources to put towards IT security.”

Hospitals are at a higher risk for attacks. Many of us have personal, private information shared with our doctors, often stored digitally. So for the past few years, Lincoln Health has used a third-party company to manage its IT system. That’s where Lance Goudzwaard with ReliableIT comes in.

“Health care organizations, they need to be very careful with that information. And I'll tell you the value of each of these records is very high. It's scary to think how much a hacker can sell one record for,” said Lance Goudzwaard, Virtual CIO at ReliableIT.

And hacking is getting easier.

“My 15-year-old daughter could go to the internet and download instructions on how to hack a lot of health care systems,” Goudzwaard said.

“It's incredibly easy to find and use hacking tools, and there are services you can outsource all of this too, if you want to,” cybersecurity expert Nathan Evans said.

It’s not just hospitals that are seeing these data breaches and ransomware attacks. Earlier this year, a cyberattack on the Colonial Pipeline caused a disruption in fuel transportation, leading to gas shortages in the southeastern U.S.

And JBA USA, a large meat supplier, recently announced it too was targeted by a cybersecurity attack. There are more that go unreported, as there aren’t regulations in place in most industries to report these incidents.

“The health care sector and financial sector have government requirements to report when they actually get breached,” said Nathan Evans, an assistant teaching professor at the University of Denver.

So what does all of this mean for your data, and your accounts? Evans said part of it is trust in the organization you give your information to.

“There's not really anything we can do on an individual basis to protect our medical information. There are HIPAA guidelines that require you to, if you're handling patient data, to encrypt it and make sure it's protected when it’s in transit or in storage,” Evans said.

Another safety net you can control is enabling two-factor authentication for your accounts.

“Two-factor authentication is combining something you know, which would be like a password, with something physical, so either your cell phone or a hardware key device,” he said. “The idea is that if an attacker gets just your password, they won't be able to log into your account because they won't have this second factor.”

It all boils down to education.

“The more we are aware of these common exploits, the better job we’re going to do at preventing them,” Goudzwaard said.

He said they are able to educate employees about common attacks and tools they can use to monitor themselves, especially with e-mails where many hackers can pose as co-workers, clients, or vendors.

“We’ve definitely become more aware,” Kobel said.

The world's largest meat processing company has resumed most production after a weekend cyberattack, but experts say the vulnerabilities exposed by this attack and others are far from resolved.

In a statement late Wednesday, the FBI attributed the attack on Brazil-based meat processor JBS SA to REvil, also known as Sodinokibi, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months. The FBI said it will work to bring the group to justice and it urged anyone who is the victim of a cyberattack to contact the bureau immediately.

President Joe Biden will talk with Russia's president about the cyberattack.

White House Press Secretary Jen Psaki said Wednesday the JBS hack was expected to be discussed at a mid-June summit with Russian President Vladimir Putin.

She was also asked how the U.S. could respond to this attack.

"We are not taking any options off the table in terms of how we may respond," Psaki said. "But, of course, there is an internal policy review process to consider that. We are in direct touch with the Russians as well to convey our concerns about these reports."

REvil has not posted anything related to the hack on its dark web site. But that's not unusual. Ransomware syndicates as a rule don't post about attacks when they are in initial negotiations with victims — or if the victims have paid a ransom.

In October, a REvil representative who goes by the handle "UNKN" said in an interview published online that the agriculture sector would now be a main target for the syndicate. REvil also threatened to auction off sensitive stolen data from victims who refused to pay it.

The attack targeted servers supporting JBS's operations in North America and Australia. Backup servers weren't affected and the company said it was not aware of any customer, supplier or employee data being compromised.

JBS said late Tuesday that it had made "significant progress" and expected the "vast majority" of its plants to be operating Wednesday.

It is not known if JBS paid a ransom. The company hasn't discussed it in public statements, and did not respond to phone and email messages Wednesday seeking comment.

The FBI and the White House declined to comment on the ransom. White House Press Secretary Jen Psaki said Wednesday the U.S. is considering all options in dealing with the attack.

"I can assure you that we are raising this through the highest levels of the U.S. government," she said.

Ransomware expert Allan Liska of the cybersecurity firm Recorded Future said JBS was the largest food manufacturer yet to be attacked. But he said at least 40 food companies have been targeted by hackers over the last year, including brewer Molson Coors and E & J Gallo Winery.

Food companies, Liska said, are at "about the same level of security as manufacturing and shipping. Which is to say, not very."

The attack was the second in a month on critical U.S. infrastructure. Earlier in May, hackers shut down operation of the Colonial Pipeline, the largest U.S. fuel pipeline, for nearly a week. The closure sparked long lines and panic buying at gas stations across the Southeast. Colonial Pipeline confirmed it paid $4.4 million to the hackers.

Cybersecurity experts said the attacks targeting critical sectors of the U.S. economy are evidence that industry hasn't been taking years of repeated warnings seriously.

Cybercriminals previously active in online ID theft and bank fraud moved into ransomware in the mid-2010s as programmers developed sophisticated programs that permitted the software's more efficient dissemination.

The ransomware scourge reached epidemic dimensions last year. The firm CrowdStrike observed over 1,400 ransomware and data extortion incidents in 2020. Most targeted manufacturing, industrials, engineering and technology companies, said Adam Meyers, the company's vice president of intelligence.

"The problem has been spiraling out of control," said John Hultquist, who heads intelligence analysis at FireEye. "We're already deep into a vicious cycle."

Hultquist said ransomware syndicates are going after more critical and visible targets because they've invested heavily in identifying "whales" - companies they think will yield big ransoms.

JBS is the second-largest producer of beef, pork and chicken in the U.S. If it were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.

Mark Jordan, who follows the meat industry as the executive director of Leap Market Analytics, said the disruption to the food supply will likely be minimal in this case. Meat has around a 14-day window to move through the market, he said. If a plant is closed for a day or two, companies can usually make up for lost production with extra shifts.

"Several plants owned by a major meatpacker going offline for a couple of days is a major headache, but it is manageable assuming it doesn't extend much beyond that," he said.

Jordan said a closure that runs closer to a week would be more serious, especially for a company like JBS, which controls around one-fifth of the country's beef, pork and chicken supply.

Critical U.S. infrastructure might be better hardened against ransomware attacks were it not for the 2012 defeat of legislation that would have set cybersecurity standards for critical industries.

The U.S. Chamber of Commerce and other business groups lobbied hard against the bill, condemning it as government interference in the free market. Even a watered-down version that would have made the standards voluntary was blocked by a Republican filibuster in the Senate.

Right now, the U.S. has no cybersecurity requirements for companies outside of the electric, nuclear and banking systems, said David White, president of the cyber risk management company Axio.

White said regulations would help, particularly for companies with inadequate or immature cybersecurity programs. Those rules should be sector-specific and should consider the national economic risks of outages, he said.

But he said regulations can also have an unintentional negative effect. Some companies might consider them the ceiling — not the starting point — for how they need to manage risk, he said.

"Bottom line: regulation can help, but it is not the panacea,"' White said.

JBS plants in Australia resumed limited operations Wednesday in New South Wales and Victoria states, Agriculture Minister David Littleproud said. The company hoped to resume work in Queensland state on Thursday, he said.

JBS, which is a majority shareholder of Pilgrim's Pride, didn't say which of its 84 U.S. facilities were closed Monday and Tuesday because of the attack. It said JBS USA and Pilgrim's were able to ship meat from nearly all facilities Tuesday. Several of the company's pork, poultry and prepared foods plants were operational Tuesday and its Canada beef facility resumed production, it said.

The plant closures reflect the reality that modern meat processing is heavily automated, for both food- and worker-safety reasons. Computers collect data at multiple stages of the production process; orders, billing, shipping and other functions are all electronic.

___

Bajak reported from Boston. AP Writers Rod McGuirk in Canberra, Australia; Alan Suderman in Richmond, Virginia; and Nancy Benac, Eric Tucker and Alexandra Jaffe in Washington contributed to this report.

The Colonial Pipeline launched the restart of its operations Wednesday evening following a six-day shutdown caused by a ransomware attack, but the pipeline's operators warned it will take several days for service to return to normal.

"Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period," the pipeline company said in a statement.

The Colonial Pipeline will move as much gasoline, diesel and jet fuel "as is safely possible and will continue to do so until markets return to normal," the company said.

The restart can't come soon enough. The shutdown sparked panic-buying and hoarding that has overwhelmed gas stations in the Southeast. A significant percentage of gas stations in Virginia, Georgia, North Carolina and South Carolina are without fuel, according to GasBuddy, which tracks fuel demand, prices and outages.

The Colonial Pipeline took itself offline Friday after suffering a ransomware attack. The 5,500-mile pipeline is responsible for carrying fuel from refineries along the Gulf Coast to New Jersey. It provides nearly half the gasoline and diesel consumed by the East Coast, making it perhaps America's most important pipeline.

Oil industry executives warned Wednesday that gas hoarding by Americans during the shutdown of the Colonial Pipeline is worsening the supply crunch.

"This situation is now being exacerbated by panic buying and hoarding," Frank Macchiarola, an executive at the American Petroleum Institute, said during a press briefing.

Executives also called on the White House to grant waivers that would allow foreign ships to send fuel to the East Coast to meet skyrocketing demand following the shutdown of the Colonial Pipeline.

The restart should begin to help ease the shortages.

"It means the worst is over in terms of the hysteria that I've called GuzzleGate," Tom Kloza, global head of energy analysis at the Oil Price Information Service, told CNN Business in an email.

Kloza said the first priority is to restart Line 1, which pumps gasoline from Texas and Louisiana to Greensboro, North Carolina.

"The crest of the outages comes perhaps tomorrow or Friday," said Kloza, adding Friday is always the busiest day of the week for gasoline sales.

While the shortage should resolve fairly quickly, "motorists could help the situation by holding off for a day or two to let stations refuel faster," Patrick De Haan, head of petroleum analysis at GasBuddy, said in an email.

"Now finally Americans can have some peace of mind that gasoline, diesel and jet fuel will begin flowing to affected areas once again," De Haan said.

Still, the issue won't resolve immediately.

"The restarting of the Colonial Pipeline is the beginning of the end of the crisis, not the end of the end of the supply crunch," Michael Tran, managing director of global energy strategy for RBC Capital Markets, said in an email. "With an operational pipeline, the race to logistically replenish regional and localized gas stations is the next step."

As the Colonial Pipeline starts to resume service, "our primary focus remains safety," the company said in its Wednesday statement.

"As part of this startup process, Colonial will conduct a comprehensive series of pipeline safety assessments in compliance with all Federal pipeline safety requirements," it said.

The company also expressed thanks to the White House for its "leadership and collaboration," along with the Department of Energy, Federal Bureau of Investigation and other government agencies.

In recent days, Biden administration officials privately voiced frustration with what they see as Colonial Pipeline's weak security protocols and a lack of preparation that could have allowed the ransomware group DarkSide to carry out the attack, officials familiar with the government's initial investigation into the incident told CNN Tuesday.

In the weeks leading up to the attack, Colonial Pipeline had been looking to hire a cybersecurity manager.

In the wake of the attack, cybersecurity experts said, Colonial likely took all of its systems offline in order to isolate what the bad actors had accessed and ensure they weren't able to move into other parts of the company's network.

People briefed on the matter also told CNN that the company halted operations because its billing system was compromised and they were concerned they wouldn't be able to determine how much to bill customers for fuel they received.

One person familiar with the response said the billing system is central to the unfettered operation of the pipeline. That is part of the reason getting it back up and running has taken time, this person said.

President Joe Biden on Thursday attempted to reassure Americans that the supply of gasoline in the southeast would soon return to normal following the restart of the Colonial Pipeline.

The pipeline, which delivers gasoline from Texas through the southeast and up the eastern seaboard, restarted operations around 5 p.m. on Wednesday. The pipeline went offline on Friday, when the company that operates the pipeline experienced a ransomware attack.

The shutdown has led to a gasoline shortage in parts of the southeast U.S. — a shortage that was worsened when some in the region bought extra gasoline in a panic. The lack of supply has caused gas prices in the southeast to spike to as much as $7 a gallon in some places.

Biden noted Thursday that while fuel is now flowing through the pipeline, it may take some time to get the system back to full capacity.

"It's going to take some time, and there may be some hiccups along the way,” Biden said. “We should see a region-by-region return to normalcy by this weekend.”

Biden also noted that in the meantime, his administration has temporarily suspended regulations on the transport of gasoline in the hopes of restoring supplies in the southeast.

He also urged drivers in the region to refrain from hoarding gasoline.

"Do not get more gas than you need in the next few days,” Biden said. “Panic buying will only slow the process."

The president also warned gas station owners that those who participate in price gouging will be prosecuted.

"Do not, I repeat, do not try to take advantage of consumers during this time," Biden said. "Nobody should be using this situation for financial gain. That's what the hackers are trying to do. That's what they're about. Not us."

The FBI says the criminal syndicate whose ransomware was used in the attack is named DarkSide, whose members are Russian speakers. Russia denies any involvement.

During his address on Thursday, Biden said that intelligence reports indicated that the hackers "live in Russia," but that the Russian government was not involved. He also specifically noted that he did not believe Russian President Vladimir Putin was behind the hack.

"I am confident that I've read the report of the FBI accurately, and they say he was not (involved)," Biden said.

On Thursday morning, Bloomberg reported that the company that operates the pipeline paid $5 million in order to regain access to its system. Biden said he would not not comment on whether those reports were accurate.

While the FBI has been investigating that strain of malware since October, deputy national security adviser for cyber and emerging technology Anne Neuberger said during a press briefing on Monday that the "intent" of the group — whether financial or a deliberate attack on U.S. infrastructure — is still unknown.