NZ cloud storage company being used by ransomware attackers, says FBI

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Waikato DHB’s IT centre was the target of a major cyber security attack. Video / Waikato DHB

By Phil Pennington for RNZ

The FBI warns Auckland company Mega.NZ is being used by ransomware attackers.

The company has told RNZ there is no sign hackers are using its service to store patient data stolen from Waikato hospitals, but it cannot rule out the possibility.

The FBI has issued a series of alerts since last year, naming Mega.

The latest – on May 20, three days after Waikato DHB was crippled – said Mega was one of two cloud storage services that hackers behind mass attacks, including on health services, had been using.

Another, in March, said: “The cyber actors have uploaded stolen data to Mega.NZ, a cloud storage and file sharing service, by uploading the data through the Mega website or by installing the Mega client application directly on a victim’s computer.”

Mega said there was no way to prevent criminals using legitimate software since they fully controlled the system they hacked.

It was also impossible to know what its 220 million account holders kept on their encrypted files, except if law enforcement or a hacked company alerted it.

“If they found a Mega link, it would be reported to us and [the account] closed within minutes,” Mega chief executive and chair Stephen Hall told RNZ.

He could “not guarantee” Mega’s services were not being used by the Waikato DHB’s hackers, but so far the company had not been alerted by local police or Waikato DHB.

“All I can say is there’s no sign of that being on Mega at this stage,” Hall said.

The FBI alerts also referred to hackers using Microsoft’s Windows Sysinternals and Swiss firm pCloud.

Mega.NZ is a successor company to Megaupload, set up by Kim Dotcom. Megaupload’s domains were seized by the US Department of Justice.

Dotcom exited Mega years ago, and Hong Kong’s Cloud Tech Services owns most of it.

‘The last thing we would ever want’

It has been suggested the Waikato attack used ransomware called Conti, or Zeppelin.

The FBI said one indicator of a Conti ransomware attack was when large transfers went to Mega or pCloud servers.

Hall, asked if hackers had ever used Mega’s premium and very large accounts, which it charges for, said the company was not…