North Korean, Russian hackers target COVID-19 researchers: Microsoft

By Raphael Satter

WASHINGTON (Reuters) – Hackers working for the Russian and North Korean governments have targeted more than half a dozen organizations involved in COVID-19 treatment and vaccine research around the globe, Microsoft said on Friday.

The software company said a Russian hacking group commonly nicknamed “Fancy Bear” – along with a pair of North Korean actors dubbed “Zinc” and “Cerium” by Microsoft – were implicated in recent attempts to break into the networks of seven pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States.

Microsoft said the majority of the targets were organizations that were in the process of testing COVID-19 vaccines. Most of the break-in attempts failed but an unspecified number succeeded, it added.

Few other details were provided by Microsoft. It declined to name the targeted organizations, say which ones had been hit by which actor, or provide a precise timeline or description of the attempted intrusions.

The Russian embassy in Washington – which has repeatedly disputed allegations of Russian involvement in digital espionage – said in an email that there was “nothing that we can add” to their previous denials.

North Korea’s representative to the United Nations did not immediately respond to messages seeking comment. Pyongyang has previously denied carrying out hacking abroad.

The allegations of cyber espionage come as world powers are jockeying behind the scenes in the race to produce a vaccine for the virus.

They also highlight how Microsoft is pressing its case for a new set of global rules barring digital intrusions aimed at healthcare providers.

Microsoft executive Tom Burt said in a statement his company was timing its announcement with Microsoft President Brad Smith’s appearance at the virtual Paris Peace Forum, where he would call on world leaders “to affirm that international law protects health care facilities and to take action to enforce the law.”

(Reporting by Raphael Satter Additional reporting by Christopher Bing in Washington, Jack Stubbs in London, and Michelle Nichols in New York; Editing by Tom Brown and Grant McCool)

Exclusive: Hackers test defenses of Trump campaign websites ahead of U.S. election, security staff warn

By Jack Stubbs

LONDON (Reuters) – Hackers have stepped up efforts to knock Trump campaign and business websites offline ahead of the U.S. election, in what a security firm working for the campaign said could be preparation for a larger digital assault, according to emails seen by Reuters.

The security assessment was prepared by staff at U.S. cybersecurity firm Cloudflare, which has been hired by President Donald Trump to help defend his campaign’s websites in an election contest overshadowed by warnings about hacking, disinformation and foreign interference.

Cloudflare is widely used by businesses and other organizations to help defend against distributed denial-of-service (DDoS) attacks, which aim to take down websites by flooding them with malicious traffic.

Internal Cloudflare emails sent to senior company managers – including CEO Matthew Prince – on July 9 state that the number and severity of attacks on Trump websites increased in the preceding two months and reached record levels in June. The emails did not give the total number of attacks.

“As we get closer to the election, attacks are increasing in both numbers (and) sophistication” and succeeded in disrupting access to the targeted websites for short periods of time between March 15 and June 6, the assessment said.

Cloudflare did not respond directly to questions about the emails or their contents. The company said it was providing security services to both U.S. presidential campaigns and declined to answer further questions about the nature or details of its work.

“We have seen an increase in cyber attacks targeting political candidates. We will continue to work to ensure these attacks do not disrupt free and fair elections,” it said in a statement when asked about the emails.

A spokesman for the Trump campaign did not respond to a request for comment. The Biden campaign declined to comment on its work with Cloudflare or any attacks on its websites.

A spokeswoman for the Trump Organization said no Trump websites had been taken offline by cyber attacks. She did not respond to further questions about the attacks or Trump’s work with Cloudflare.

Cloudflare’s security team did not comment on the identity of the hackers and Reuters was not able to determine who was responsible for the attacks.

DDoS attacks are viewed by cybersecurity experts as a relatively crude form of digital sabotage – easily deployed by anyone from tech-savvy teenagers to top-end cyber criminals.

But seven of the attacks on Trump websites, including donaldjtrump.com and a Trump-owned golf course, were judged to be more serious by the Cloudflare security team, the emails show.

The increasing number and sophistication of attempts suggested the attackers were “probing” the website defenses to establish what would be needed to take them fully offline, the security assessment said.

“We therefore cannot discount the possibility that there are attackers using this as an opportunity to collect information for more sophisticated attacks,” it added.

The Cloudflare team said they would continue to monitor the attacks and carry out “a further round of security hardening” to better protect the websites.

(Additional reporting by Joseph Menn in SAN FRANCISCO; Editing by Jonathan Weber and Edward Tobin)

Hackers and hucksters reinvigorate ‘Anonymous’ brand amid protests

By Joseph Menn

SAN FRANCISCO (Reuters) – The amorphous internet activist movement known as Anonymous staged an online resurgence in the past week on the back of real-world protests against police brutality.

Born from internet chat boards more than a dozen years ago, the collective was once known for organizing low-skill but effective denial-of-service attacks that temporarily shut down access to payment processors that had stopped handling donations to the anti-secrecy site WikiLeaks.

But accounts using variations of the Anonymous name recently claimed credit for temporarily knocking a Minneapolis police website offline and, inaccurately, for hacking police passwords.

At the same time, millions of Twitter accounts began following longstanding Anonymous posters and retweeting them, helping boost Anonymous into Twitter’s Trending column and greater attention. Many of the boosted tweets opposed police actions, defended Black Lives Matter or faulted President Donald Trump.

It is unclear who or what is driving the resurgence, and exactly why. McGill University anthropology professor Gabriella Coleman, who wrote a book on Anonymous, said she was told by insiders that some key figures from a decade ago are involved and they are being assisted by mechanical amplification.

“The ability to create so many new accounts is classic Anonymous social-technological hacking,” Coleman said. “It’s low-hanging fruit.”

Even one of the heavily boosted old accounts, YourAnonNews, tweeted that it had no idea what was going on. It experimented by tweeting nonsense and asking not to be retweeted, only to see those tweets repeated hundreds of thousands of times.

A Twitter spokeswoman said the company had seen no evidence of “substantial coordinated activity” among longstanding Anonymous accounts but deleted one spammy new one brought to its attention by a researcher Tuesday.

“We have seen a few accounts change their profile names, photos, etc. in an attempt to visibly associate with the group and gain followers,” said Twitter spokeswoman Liz Kelley.

Anyone can call themselves a member of Anonymous and adopt its Guy Fawkes mask, other imagery and slogans, such as “we are legion.” It has no acknowledged leaders, making it more of a brand than an ordinary assemblage.

One account with 120,000 followers, AnonNewz, had deleted all prior tweets before June 1, when it started promoting protests. But it had neglected to delete its old “likes,” which were about Korean pop music, and it had interacted in the past with other K-pop fans touting giveaways.

After researcher Marcus Hutchins of cybersecurity company Kryptos Logic tweeted about the account, Twitter suspended it.

Twitter told Reuters it removed AnonNewz for “spam and coordination with other spammy accounts.”

(Reporting by Joseph Menn; Editing by Greg Mitchell and Leslie Adler)

U.S. accuses China-linked hackers of stealing coronavirus research

By Raphael Satter

(Reuters) – China-linked hackers are breaking into American organizations carrying out research into COVID-19, U.S. officials said on Wednesday, warning both scientists and public health officials to be on the lookout for cyber theft.

In a joint statement, the Federal Bureau of Investigation and the Department of Homeland Security said the FBI was investigating digital break-ins at U.S. organizations by China-linked “cyber actors” that it had monitored “attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”

The statement offered no further details on the identities of the targets or the hackers.

The Chinese Embassy in Washington did not immediately respond to a request for comment. China routinely denies longstanding American allegations of cyberespionage.

Coronavirus-related research and data have emerged as a key intelligence priority for hackers of all stripes. Last week Reuters reported that Iran-linked cyberspies had targeted staff at U.S. drugmaker Gilead Sciences Inc., whose antiviral drug remdesivir is the only treatment so far proven to help COVID-19 patients.

In March and April, Reuters reported on advanced hackers’ attempts to break into the World Health Organization as the pandemic spread across the globe.

(Reporting by Raphael Satter; Editing by Howard Goller)

State-backed hackers targeting coronavirus responders, U.S. and UK warn

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – Government-backed hackers are attacking healthcare and research institutions in an effort to steal valuable information about efforts to contain the new coronavirus outbreak, Britain and the United States said on Tuesday in a joint warning.

In a statement, Britain’s National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the hackers had targeted pharmaceutical companies, research organisations and local governments.

The NCSC and CISA did not say which countries were responsible for the attacks. But one U.S. official and one UK official said the warning was in response to intrusion attempts by suspected Chinese and Iranian hackers, as well as some Russian-linked activity.

The two officials spoke on condition of anonymity to discuss non-public details of the alert. Tehran, Beijing and Moscow have all repeatedly denied conducting offensive cyber operations and say they are the victims of such attacks themselves.

State hacking groups “frequently target organisations in order to collect bulk personal information, intellectual property and intelligence that aligns with national priorities,” the NCSC and CISA said.

“For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research.”

The warning follows efforts by a host of state-backed hackers to compromise governments, businesses and health agencies in search of information about the new disease and attempts to combat it.

Reuters has reported in recent weeks that Vietnam-linked hackers targeted the Chinese government over its handling of the coronavirus outbreak and that multiple groups, some with ties to Iran, tried to break into the World Health Organization.

The officials said the alert was not triggered by any specific incident or compromise, but rather intended as a warning – both to the attackers and the targeted organizations that need to better defend themselves.

“These are organizations that wouldn’t normally see themselves as nation-state targets, and they need to understand that now they are,” said one of the officials.

The agencies said hackers had been seen trying to identify and exploit security weaknesses caused by staff working from home as a result of the coronavirus outbreak.

In other incidents, the attackers repeatedly tried to compromise accounts with a series of common and frequently-used passwords – a technique known as “password spraying”.

“It’s no surprise that bad actors are doing bad things right now, in particular targeting organizations supporting COVID-19 response efforts,” a CISA spokesman said.

“We’re seeing them use a variety of tried and true techniques to gain access to accounts and compromise credentials.”

(Writing by Jack Stubbs; Editing by Peter Graff; Editing by Alex Richardson and Peter Graff)

Hacking against corporations surges as workers take computers home

By Joseph Menn

SAN FRANCISCO (Reuters) – Hacking activity against corporations in the United States and other countries more than doubled by some measures last month as digital thieves took advantage of security weakened by pandemic work-from-home policies, researchers said.

Corporate security teams have a harder time protecting data when it is dispersed on home computers with widely varying setups and on company machines connecting remotely, experts said.

Even those remote workers using virtual private networks (VPNs), which establish secure tunnels for digital traffic, are adding to the problem, officials and researchers said.

Software and security company VMWare Carbon Black said this week that ransomware attacks it monitored jumped 148% in March from the previous month, as governments worldwide curbed movement to slow the novel coronavirus, which has killed more than 130,000.

“There is a digitally historic event occurring in the background of this pandemic, and that is there is a cybercrime pandemic that is occurring,” said VMWare cybersecurity strategist Tom Kellerman.

“It’s just easier, frankly, to hack a remote user than it is someone sitting inside their corporate environment. VPNs are not bullet-proof, they’re not the be-all, end-all.”

Using data from U.S.-based Team Cymru, which has sensors with access to millions of networks, researchers at Finland’s Arctic Security found that the number of networks experiencing malicious activity was more than double in March in the United States and many European countries compared with January, soon after the virus was first reported in China.

The biggest jump in volume came as computers responded to scans when they should not have. Such scans often look for vulnerable software that would enable deeper attacks.

The researchers plan to release their country-by-country findings next week.

Rules for safe communication, such as barring connections to disreputable web addresses, tend to be enforced less when users take computers home, said analyst Lari Huttunen at Arctic.

That means previously safe networks can become exposed. In many cases, corporate firewalls and security policies had protected machines that had been infected by viruses or targeted malware, he said. Outside of the office, that protection can fall off sharply, allowing the infected machines to communicate again with the original hackers.

That has been exacerbated because the sharp increase in VPN volume led some stressed technology departments to permit less rigorous security policies.

“Everybody is trying to keep these connections up, and security controls or filtering are not keeping up at these levels,” Huttunen said.

The U.S. Department of Homeland Security’s (DHS) cybersecurity agency agreed this week that VPNs bring with them a host of new problems.

“As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors,” wrote DHS’ Cybersecurity and Infrastructure Security Agency.

The agency said it is harder to keep VPNs updated with security fixes because they are used at all hours, instead of on a schedule that allows for routine installations during daily boot-ups or shutdowns.

Even vigilant home users may have problems with VPNs. The DHS agency on Thursday said some hackers who broke into VPNs provided by San Jose-based Pulse Secure before patches were available a year ago had used other programs to maintain that access.

Other security experts said financially motivated hackers were using pandemic fears as bait and retooling existing malicious programs such as ransomware, which encrypts a target’s data and demands payment for its release.

(Reporting by Joseph Menn in San Franciso and Raphael Satter in Washington; Editing by Peter Henderson and Christopher Cushing)

Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike

By Raphael Satter, Jack Stubbs and Christopher Bing

WASHINGTON/LONDON (Reuters) – Elite hackers tried to break into the World Health Organization earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks.

WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear, but the effort was unsuccessful. He warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.

The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.

Urbelis said he picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO’s internal email system.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he said.

Urbelis said he didn’t know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.

Messages sent to email addresses maintained by the hackers went unreturned.

When asked by Reuters about the incident, the WHO’s Aggio confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio said in a telephone interview. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

The WHO published an alert last month – available here warning that hackers are posing as the agency to steal money and sensitive information from the public.

The motives in the case identified by Reuters aren’t clear. United Nations agencies, the WHO among them, are regularly targeted by digital espionage campaigns and Aggio declined to say who precisely at the organization the hackers had in their sights.

Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel’s operations to East Asia – an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.

Costin Raiu, head of global research and analysis at Kaspersky, could not confirm that DarkHotel was responsible for the WHO attack but said the same malicious web infrastructure had also been used to target other healthcare and humanitarian organizations in recent weeks.

“At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country,” he said.

Officials and cybersecurity experts have warned that hackers of all stripes are seeking to capitalize on international concern over the spread of the coronavirus.

Urbelis said he has tracked thousands of coronavirus-themed web sites being set up daily, many of them obviously malicious.

“It’s still around 2,000 a day,” he said. “I have never seen anything like this.”

(Additional reporting by Hyonhee Shin in Seoul; Editing by Chris Sanders and Edward Tobin)

U.S. charges two Russians in international hacking, malware conspiracy

U.S. charges two Russians in international hacking, malware conspiracy
By Jonathan Stempel and Raphael Satter

WASHINGTON (Reuters) – Two Russian residents have been criminally charged in the United States over an alleged multi-year, international scheme to steal money and property by using malware to hack into computers, according to an indictment made public on Thursday.

Maksim Yakubets was accused of being the leader of a group of conspirators involved with Bugat malware and botnet, while his close associate Igor Turashev allegedly handled various functions for the conspiracy, the indictment said.

The indictment identifies Yakubets as one of the earliest users of a family of malicious software tools called Bugat — better known as Dridex — which has been bedeviling American banks and businesses for more than eight years.

Cybersecurity experts say the malware, which first appeared in late 2011, is responsible for millions of dollars in damages worldwide. Experts have long speculated that the malware is the brainchild of a Russian hacking group.

The conspiracy allegedly began around November 2011, and several entities – including a school, an oil firm, First Commmonwealth Bank – were among the defendants’ victims, according to the indictment filed with the federal court in Pittsburgh. Two of the transactions were processed through Citibank in New York, the indictment says.

The indictment is dated Nov. 12 but was unsealed on Thursday.

U.S. and British authorities are expected later Thursday to detail charges against a Russian national over allegations of computer hacking and bank fraud schemes, according to a U.S. Department of Justice statement.

That announcement characterized the Russian national as being “allegedly responsible for two of the worst computer hacking and bank fraud schemes of the past decade.”

Malware is a software program designed to gather sensitive information, such as passwords and bank account numbers, from private computers by installing viruses and other malicious programs.

Spokespeople for First Commonwealth Bank and Citibank did not immediately respond to requests for comment.

(Reporting by Susan Heavy, Lisa Lambert and Jonathan Stempel; additional reporting by Raphael Satter Editing by Steve Orlofsky and Nick Zieminski)

Explainer: What do you do after a data breach?

FILE PHOTO: The logo and ticker for Capital One are displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., May 21, 2018. REUTERS/Brendan McDermid/File Photo

(Reuters) – A hacker has stolen the personal information of over 100 million people from Capital One Financial Corp, the company said this week, in the latest high-profile breach of sensitive consumer data.

Security experts say data breaches will continue to happen as cyber criminals and state-backed hackers target the protected information held by companies and government agencies.

Such attacks leave consumers vulnerable to fraud and identity theft. Here are some steps you can take to assess the severity of the breach and better secure yourself:

WHAT WAS COMPROMISED?

Breaches often cover a wide range of data. Information which is already publicly available, such as your name or email address, is seen as less of a concern.

Other details, however, can be extremely sensitive and need to remain private. For example, full credit card numbers, which could be used to make fraudulent purchases in your name, or passwords for your online accounts.

Even if stolen, the data may still be protected by encryption. Hacks by foreign governments are also usually seen as less dangerous for general consumers compared to data thefts by financially-motivated criminal gangs because most spy agencies do not sell or trade such information.

Much of the information stolen from Capital One was already public, including names and addresses of over 100 million people in the United States and Canada. But the breach also included 140,000 Social Security numbers which could be used to steal people’s identities.

To assess the severity of the breach, try and determine what information was compromised and in what format it was stolen.

AM I AFFECTED?

Try to establish if your data is likely to have been compromised in the breach. Are you a customer of the affected company? Do you know what data they hold on you? Does the breach only concern data collected in a specific time period?

Answering those questions will allow you to judge the level of risk, but remember some organizations may hold your data without you being aware. Those include credit-reporting companies such as Equifax Inc <EFX.N>, which suffered a breach in 2017 that affected 147 million people.

Breached companies are usually obliged to notify the people who are impacted, but this does not always happen immediately. Affected companies will typically post guidance for consumers on their own websites about data breaches.

Under the European Union’s General Data Protection Regulation (GDPR), companies have to inform victims of severe data breaches “without undue delay.” They must then describe in “clear and plain language” the nature of the breach, the likely consequences and what measures being taken to deal with it.

IS THIS A SCAM?

If you think you data was compromised, be on high alert for scams and fraud.

Watch your bank account balances and payment card statements carefully, especially if you believe your financial information has been compromised. If you spot any unusual activity, contact your bank or card provider immediately and inform the appropriate law enforcement agency.

Be aware of so-called “phishing” websites purporting to offer information about the breach, or even compensation, but actually set up by criminals to try and trick you into revealing more personal details or making a payment to the wrong account.

Fraudsters may also contact you directly, by phone or email, and could now be armed with large amounts of detailed personal information which will make them harder to spot. If you’re unsure about someone’s identity, find the affected company’s contact information and contact them independently.

Experts recommend changing passwords frequently and using a combination of letters, characters and symbols to maintain a complex passphrase that is less likely to be guessed.

(Reporting by Jack Stubbs and Christopher Bing; Editing by Jonathan Weber and Susan Thomas)

Hackers hit aluminum maker Hydro, knock some plants offline

A note warning visitors about a cyber attack is seen at the headquarters of aluminum producer Norsk Hydro in Oslo, Norway March 19, 2019. NTB Scanpix/Terje Pedersen via REUTERS

By Gwladys Fouche and Terje Solsvik

OSLO (Reuters) – Norsk Hydro, one of the world’s largest producers of aluminum, battled on Tuesday to contain a cyber attack which hit parts of its production, sending its shares lower and aluminum prices higher.

The company shut several metal extrusion plants, which transform aluminum ingots into components for car makers, builders and other industries, while its giant smelters in countries including Norway, Qatar and Brazil were being operated manually.

The attack began on Monday evening and escalated overnight, hitting Hydro’s IT systems for most of its activities and forcing staff to issue updates via social media.

FILE PHOTO: An aluminium coil is seen during opening of a production line for the car industry at a branch of Norway's Hydro aluminum company in Grevenbroich, Germany May 4, 2017. REUTERS/Wolfgang Rattay/File Photo

FILE PHOTO: An aluminum coil is seen during the opening of a production line for the car industry at a branch of Norway’s Hydro aluminum company in Grevenbroich, Germany May 4, 2017. REUTERS/Wolfgang Rattay/File Photo

The Norwegian National Security Authority (NNSA), the state agency in charge of cybersecurity, said the attack used a virus known as LockerGoga, a relatively new strain of so-called ransomware which encrypts computer files and demands payment to unlock them.

Citing a message sent by the NNSA, public broadcaster NRK said on its website hackers had demanded ransom money from Hydro to stop the attack, but the company has not confirmed this.

The malware is not widely used by cybercrime groups, researchers said, but has been linked to an attack on French engineering consultancy Altran Technologies in January.

“Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation,” the company said in a statement.

It added that the attack had not affected the safety of its staff and it was too early to assess the impact on customers.

News of the attack pushed aluminum prices up 1.2 percent to a three-month high of $1,944 a tonne in early trade on the London Metal Exchange, before giving up some gains to trade at $1,938 by 1253 GMT.

The event was a rare case of an attack on industrial operations in Norway. The last publicly acknowledged cyber attack in the Nordic country was on software firm Visma, when hackers allegedly working on behalf of Chinese intelligence breached its network to steal secrets from its clients.

PLANT CLOSURES

Companies and governments have become increasingly concerned about the damage hackers can cause to industrial systems and critical national infrastructure following a number of high-profile cyber attacks.

In 2017, hackers later accused by the United States of working for the North Korean government unleashed billions of dollars worth of damage with the Wannacry ransomware virus, which crippled hospital, banks and other companies worldwide.

Pyongyang has denied the allegations.

Other cyber attacks have downed electricity grids and transport systems in recent years, and an attack on Italian oil services firm Saipem late last year destroyed more than 300 of the company’s computers.

Hydro makes products across the aluminum value chain, from the refinement of alumina raw material via metal ingots to bespoke components used in cars and construction.

“Some extrusion plants that are easy to stop and start have chosen to temporarily shut production,” said a Hydro spokesman.

The company’s hydroelectric power plants were running as normal on isolated IT systems unaffected by the outage.

Norsk Hydro’s main website page was unavailable on Tuesday, although some of the web pages belonging to subsidiaries could still be accessed. The company was giving updates on the situation on its Facebook page.

“Hydro’s main priority now is to limit the effects of the attack and to ensure continued people safety,” it wrote in a Facebook post.

Hydro shares fell 3.4 percent in early trade before a partial recovery to trade down 0.4 percent by 1253 GMT. They were still lagging the Oslo benchmark index, which was up 0.7 percent.

Hydro, which has 36,000 employees in 40 countries, made a net profit of 4.3 billion Norwegian crowns ($505 million) last year on sales of 159.4 billion.

(Additional reporting by Nerijus Adomaitis in Oslo, with Jack Stubbs and Barbara Lewis in London; Editing by Kirsten Donovan and David Holmes)