1 Jun 2021

NZ cloud storage company being used by ransomware attackers - FBI

2:37 pm on 1 June 2021

The FBI warns Auckland company Mega.NZ is being used by ransomware attackers.

The company has told RNZ there is no sign hackers are using its service to store patient data stolen from Waikato hospitals, but it cannot rule out the possibility.


The FBI has issued a series of alerts since last year, naming Mega.

The latest, issued on 20 May, three days after Waikato DHB was crippled, said Mega was one of two cloud storage services used by the hackers behind mass attacks, including attacks on health services.

Another, in March, said: "The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim's computer."

Mega said there was no way to prevent criminals using legitimate software since they fully controlled the system they hacked.

It was also impossible to know what its 220 million account holders kept in their encrypted files, unless law enforcement or a hacked company alerted it.

"If they found a Mega link, it would be reported to us and [the account] closed within minutes," Mega chief executive and chair Stephen Hall told RNZ.

He could "not guarantee" Mega's services were not being used by the Waikato DHB's hackers, but so far the company had not been alerted by local police or Waikato DHB.

"All I can say is there's no sign of that being on Mega at this stage," Hall said.

Photo: Waikato District Health Board notice of a systems outage caused by the cyber attack. Computer services remain offline at all Waikato DHB hospitals nearly two weeks after a ransomware cyber attack. Photo: RNZ / Andrew McRae

The FBI alerts also referred to hackers using Microsoft's Windows Sysinternals tools and the Swiss cloud storage firm pCloud.

Mega.NZ is a successor company to Megaupload, set up by Kim Dotcom. Megaupload's domains were seized by the US Department of Justice.

Dotcom exited Mega years ago, and Hong Kong's Cloud Tech Services owns most of it.

'The last thing we would ever want'

It has been suggested the Waikato attack used ransomware called Conti, or Zeppelin.

The FBI said one indicator of a Conti ransomware attack was when large transfers went to Mega or pCloud servers.

Hall, asked if hackers had ever used Mega's premium and very large accounts, which it charges for, said the company was not making money out of stolen data.

"Absolutely not. Certainly not our intention, nor is that the outcome.

"These people often just use a free account with a small limit, it's transitory.

"And we would never aim to or want to, or nor do we make money from it.

"Because it in fact causes us a lot of grief in tracking down, closing the account, dealing with law enforcement inquiries, and so on.

"It's the last thing we would ever want."

Using cloud storage was akin to the hacker using the phone wires or local computers in an attack, Hall said. Hackers were looking for efficient and fast platforms to exfiltrate data, and Mega was among those.

An FBI alert issued in July said attackers had "transitioned from uploading and releasing stolen data on MEGA to uploading the stolen data to another file sharing service: website.dropmefiles.com".
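The FBI indicator reported above, large transfers to Mega or pCloud servers, together with the July alert's shift to website.dropmefiles.com, describes an egress pattern a defender can check for in proxy logs. The following is an added example, not code from RNZ, Mega or the FBI: it sums upload bytes per internal host to those services over a day and flags hosts above a threshold. The log line format, the 500 MiB threshold and the pcloud.com domain are assumptions, and the sample log is constructed.

```python
# Added example (not from the article, the FBI alerts, or Mega): flag internal hosts
# that push large volumes to the file-sharing services the FBI alerts name.
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Domains from the article: mega.nz and website.dropmefiles.com. pcloud.com is
# pCloud's public domain (assumption); subdomains of each are matched too.
WATCHED_DOMAINS = ("mega.nz", "pcloud.com", "dropmefiles.com")
THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB per host per day: illustrative threshold

def watched_domain(host):
    """Return the watched base domain that `host` belongs to, or None."""
    host = host.lower().rstrip(".")
    for base in WATCHED_DOMAINS:
        if host == base or host.endswith("." + base):
            return base
    return None

def parse_line(line):
    """Parse one constructed proxy log line: <iso-ts> <src-ip> <method> <url> <bytes-sent>."""
    ts, src, method, url, sent = line.split()
    return datetime.fromisoformat(ts), src, method, url, int(sent)

def find_large_uploads(lines, threshold=THRESHOLD_BYTES):
    """Sum bytes sent per (day, source IP, watched domain); return totals at or over threshold."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, src, method, url, sent = parse_line(line)
        base = watched_domain(urlsplit(url).hostname or "")
        if base is None or method not in ("POST", "PUT"):  # ignore plain browsing (GET)
            continue
        totals[(ts.date().isoformat(), src, base)] += sent
    return {key: total for key, total in totals.items() if total >= threshold}

# Constructed sample egress log (not real traffic); the last field is bytes sent.
SAMPLE_LOG = """\
2021-05-17T01:02:03 10.20.30.40 POST https://upload.mega.nz/chunk 200000000
2021-05-17T01:05:10 10.20.30.40 POST https://upload.mega.nz/chunk 400000000
2021-05-17T01:09:44 10.20.30.41 GET https://mega.nz/ 1200
2021-05-17T02:00:00 10.20.30.42 PUT https://api.pcloud.com/uploadfile 30000000
2021-05-17T02:30:00 10.20.30.40 POST https://website.dropmefiles.com/upload 100000000
""".splitlines()

if __name__ == "__main__":
    for (day, src, base), total in find_large_uploads(SAMPLE_LOG).items():
        print(f"{day} {src} sent {total / 2**20:.0f} MiB to {base}")
```

On the sample log only host 10.20.30.40 crosses the threshold, for its 600 MB to mega.nz; the smaller pcloud.com and dropmefiles.com uploads stay below it, which is why the threshold and the per-day window are the two knobs to tune against a site's normal cloud traffic.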

Dark Web search

The FBI alert in May reported at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies and emergency medical services, within the last year, among 400 organisations worldwide hit by Conti.

An RNZ search on the Dark Web of a site labelled 'Conti' did not find any mention of Waikato DHB.

Just one New Zealand company name was found, among the hundreds on the site, with a link to thousands of files purportedly hacked from it.

Hall said he was not aware of the general FBI online alerts, but he did respond to its alerts specific to Mega.

Mega had a good relationship with New Zealand police, and the FBI had sent him letters praising the company's responses to hacking; law enforcement agencies were "very, very satisfied".

"I had a very appreciative letter from one major overseas law enforcement operation this week," Hall said, but would not name the agency.

It was difficult to identify people with a track record of stealing data in order to block them from opening an account, he said.

Mega's users upload about 65 million files a day, or 750 files per second.

"We can't filter or investigate or index the whole wide world," Hall said.

Though files are encrypted, Mega has access to user registration information and IP addresses, its 2020 transparency report said.

In "extremely limited situations", Mega might disclose user information and data when it had written assurance from authorities that life or health was at stake.

Mega was served eight legal orders in 2019-2020 and disclosed information for accounts "alleged to be involved in serious criminal activity overseas", the report said.

It also closed down 565,000 accounts for sharing stolen or exploitative content.

Mega promoted its storage saying: "Strong, user generated end-to-end encryption guarantees that nobody else will have unauthorised access to your data. Not even us."
