Sunday, July 2, 2017

City Admits Severe Financial Loss from Water System Hack

William Henry Lee III, the Mayor of Delano, GA told a press conference Friday that the Water Maintenance Department (WMD) had suffered a 40% drop in revenues over the last year, forcing the city to seek emergency operating loans from the federal Water Protection Agency (WPA).

Lee announced that the preliminary investigation by the Georgia Bureau of Inquiry (GBI) indicated that the cause appears to be that someone has tampered with the smart water meters installed by the WMD two years ago. The investigation has been turned over to the Federal Bureau of Inquiry (FBI) because it is a Federal crime to tamper with municipal water systems.

Johnathan Quest, the spokesperson for the FBI, confirmed that an investigation of the Delano WMD was underway, but refused to discuss the ongoing investigation.

A person close to the investigation, however, told this reporter that the central management unit of the smart meter system had been hacked and used to reprogram the meters so that they reported smaller amounts of water usage than was really measured by the meters. It was apparently a pretty sophisticated attack with significant amounts of insider knowledge because the usage rates were reduced over a six-month period so that all customers were reportedly using only the maximum amount of water that would meet the minimum billing requirements.


Quest has stated that the FBI is looking to talk with Daniel Krumitz, a person of interest who used to work for Robotron Water Systems, the company contracted by Delano WMD to install the smart meter system. Robotron confirmed that Krumitz had worked for them, but that he had left the company about a year ago.

Tuesday, June 13, 2017

ECS-CERT Reports on HighTempOverride Attack on Refinery

Today the DHS ECS-CERT announced that the recent shutdown of the Rafael Ravard Refinery in Louisiana was a direct result of a cyber-attack on the facility using the recently discovered HighTempOverride malware. The refinery is still in shutdown mode two weeks after the attack.

ECS-CERT spokesman Immanuel C. Securitage said that the attack last month at Ravard Refinery was very similar to attacks on an unnamed chlorine production facility two months ago. That earlier attack caused a number of process shutdowns over the period of a couple of days and then shut the plant down when the control system software used at the plant was wiped from the system control computers.

Securitage explained that the process shutdowns were caused by spoofing temperature readouts in the reaction monitoring system, causing the control system to think that the process was entering a potentially dangerous out-of-control condition. This is the source of the ECS-CERT name for the malware, HighTempOverride.

The Federal Bureau of Inquiry spokesman Johnathan Quest said that the earlier attack was claimed by Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER). No one has yet claimed responsibility for the Ravard Refinery attack.

Cesar Chavez, President of the Ravard Refinery, noted that his facility had taken precautions against this type of attack by ensuring that all control system files were routinely backed up. This would normally allow for a quick restart after this type of attack. According to the Agency for Chemical and Environmental Security (ACES) the attackers had apparently modified the malware to include a module that infected backup files.

Chavez told reporters that he did not know when the refinery would be able to resume production. Due to retirements over the last couple of years, there were very few employees that were familiar with routine manual operations at the facility. ECS-CERT and the refinery engineering staff were working with Robotron, the control system supplier, to try to remove the malware from the control system.

Chavez noted that every day the refinery was shut down cost the company $1.5 million.

Monday, May 22, 2017

Hospital Novovirus Outbreak Due to Cyber-Attack

Today the ECS-CERT and the Federal Bureau of Inquiry announced that the recent Novovirus outbreak at Angels Memorial Hospital in Los Angeles was caused by a cyberattack on the Robotron Hospital Sanitizer. That outbreak has been the cause of six deaths over the last week and a large number of patients returning to the hospital for treatment for the new intestinal illness.

Immanuel C. Securitage from ECS-CERT told reporters at this morning’s news conference that his organization had detected a new worm, WannaDie, that used the same attack profile as the recent WannaCry ransomware attack. Instead of infecting the system with ransomware, however, the new worm executes a man-in-the-middle attack that allows it to take control of the device while its outputs and controls seem to indicate normal operation. In the case of the attack on the Robotron devices at Angels Memorial the sanitizer operations were changed to a much lower temperature that failed to kill the Novovirus, allowing ‘sanitized’ devices to spread the infection.

Senior Agent Johnathan Quest announced that the FBI was investigating the cyberattack as a potential terror attack. The German hacking collective Stasi Ehemalige published a statement yesterday claiming responsibility for the development of the WannaDie worm, but denying responsibility for the Angels Memorial attack. They did admit, however, that they had sold copies of the worm to a number of interested activist organizations.

Dr. Rollie Guthrie from Angels Memorial announced that the worm has been successfully removed from the devices with help from ECS-CERT. Additionally, the Hospital IT staff had disconnected all of its Robotron Hospital Sanitizers from the Hospital’s network to prevent re-infection.

Securitage noted that ECS-CERT was working with Robotron to develop a software update to remove the vulnerability that made the attack possible.


Thursday, April 27, 2017

Bulgarian Athletes Disqualified for Body Hacking

The European Athletics Confederation’s Karl Breitmeyer announced yesterday that Radoslava Maskirovka was disqualified from competing in any track and field events for the next two years for her participation in the Bulgarian glucose doping program. The EAC’s investigation of Maskirovka began after she passed out from dehydration on the medal stand at a track meet in Sofia earlier this year.

EAC doctors discovered that Maskirovka had a Chinese-designed insulin pump implanted in her abdomen. Her coaches were able to remotely adjust the insulin levels in her body to provide additional concentrations of glucose during the distance races that Maskirovka excelled at. The so-called optogenetic pump produces insulin within the body upon command of a microchip controlled by a smartphone application.

Sports federations around the world are concerned with the rise of this type of body hacking in athletes. Not only does it provide the augmented athletes with nearly undetectable advantages over their opponents, but it also has severe long-term physical and medical consequences for the athletes involved.

In related news, the German hacking collective, Stasi Ehemalige, announced today that they were opposed to this state-sponsored body hacking as it was an attack on the health and welfare of the athletes involved. They said that they had found vulnerabilities in the Chinese device and would have hackers on hand at all future Euro sports events to disrupt the operation of such devices.

Sunday, February 19, 2017

ECS-CERT Describes Safety System Malware

Washington, DC

The ECS-CERT today announced that they had discovered a new worm that specifically targets safety control systems. The UNSICHER worm was found during an ECS-CERT investigation of a control system incident at a chemical plant in the Midwest, according to Immanuel C. Securitage, an ECS-CERT spokesman.

Securitage reported that an ECS-CERT team was called to the facility when the safety systems started shutting down chemical manufacturing systems operating under safe conditions. The investigators quickly isolated the malware. Working with Robotron, the company that sells the SicherheitsKontrolle safety control system, ECS-CERT was able to identify how the isolated safety system was infected.

Erich Mielke, the Robotron spokesman, explained that the SicherheitsKontrolle was a completely air-gapped safety system. Technicians from the company are the only ones that are able to connect to the system as they are the only ones that have both the physical and software keys to access the FireWire port on the system that is used for installing updates and patches.

Securitage reported that apparently the Robotron technician that installed the latest update had picked up the worm on his laptop when he plugged into an airport charging port en route to install the latest update. UNSICHER was found both on the technician’s laptop and all of the Robotron systems that he updated on that particular trip.

When the SicherheitsKontrolle system is infected, Mielke explained, it attempts to establish a communication link with one of the Robotron PLCs connected to the safety system, using the wireless communications link Robotron uses to allow wireless connections to sensors used in the process. Once the connection link between the normally isolated safety system and the facility control system is made, the worm tries to establish a communications link to a command and control computer under the control of the attacker.

Securitage suggested that anyone using the Robotron PLCs as part of a safety system lock out the wireless ports by setting the DIP switches provided for that purpose, as the UNSICHER worm is able to bypass the software locks on those ports.


ECS-CERT reports that there was no physical damage caused at the facility where the worm was discovered, but that the company suffered almost $1 million in losses due to lost production and rework disposal costs.

Wednesday, February 8, 2017

FEC Fines Robotron for Control System Tracking

This afternoon the Federal Electronics Commission announced a $1.2 million fine was levied against Robotron, the German electronic control system manufacturer, for the exfiltration and sale of manufacturing data from hundreds of US companies. David Weeb, the FEC spokesman, reported that this is the first fine the Commission has levied for industrial data exfiltration.

The FEC notice explained that Robotron had used its MotorSteuerung software to collect data from electric motors in thousands of facilities around the world. While the data collection was originally designed to provide preventive maintenance information to customers, Robotron has admitted that they have been selling the data to electric motor manufacturers around the world.

Robotron President Erich Mielke said in a prepared statement that Robotron had initially started using the data for marketing their variable speed motors. When the Electric Motors Division was sold off as part of a restructuring move three years ago, Robotron decided to start selling the data to other electric motor manufacturers.

Mielke explained that the detailed performance data helped to provide important sales leads and data to enable motor salespeople to make the case for switching to more expensive variable speed motors.

This practice came to the FEC’s notice recently when a terrorism investigation by the Federal Bureau of Inquiry discovered that sophisticated knowledge of the operation of a motor in an HVAC system allowed hackers from the Stasi Ehemalige hacking collective to start the recent fire in a synagogue near Houston, TX.


Johnathan Quest, an FBI spokesman, told reporters that Robotron was probably not the direct source of the information used by the Stasi group. He said that the FBI believes that an insider at an unnamed electric motor manufacturer with close ties to Stasi Ehemalige provided the Robotron information to the group. The FBI hopes to make arrests soon in that case where two people were killed and hundreds injured in the synagogue fire.

Thursday, January 26, 2017

Homeland Security Confirms Chemical Facility Attack

This morning the Agency for Chemical and Environmental Security (ACES) confirmed during a press conference in Atlanta that yesterday’s chlorine release at a water treatment plant outside of Atlanta, GA was apparently the result of a terrorist attack. The release of about 2,000 pounds of chlorine gas killed one employee at the facility, but the local community was not affected.

Daniel Varg, the ACES Director, reported that the secondary containment system at the facility stopped the release from spreading. The affected employee, whose name has not yet been released, was doing routine work in the containment building when the release occurred. The release occurred when the automated vent valve on the chlorine storage tank was remotely opened.

A private chemical response company is on-site remediating the chlorine released into the containment building. They are expected to complete their work this afternoon and the facility should be operational shortly thereafter. There was no effect on the quality of the drinking water produced by the facility.

Immanuel C. Securitage from ECS-CERT reported that they also have a team on-site looking at how the valve could have been tampered with. Initial reports are that the valve was provided by Robotron and that a variant of the GUMMI BAREN worm was responsible for allowing a terrorist group to gain access to operational control of the valve.

Securitage reported that his agency had received reports about the variant from an unnamed security researcher and that it apparently targeted the particular type of valve used in chlorine storage facilities. He explained that a classified report on the GUMMI BAREN CL had been posted to the ECS-CERT secure web site last month.

When asked if the facility was aware of the GUMMI BAREN CL report, Varg explained that the security contractor for the site did not have the necessary security clearance to be able to read the report. Only the facility manager had the appropriate clearance, but he was not aware of the ECS-CERT report. Varg admitted that his agency had not notified facilities of the report, noting that that was an ECS-CERT responsibility. Securitage responded that his agency did not know what facilities were using the affected valves. That was why ECS-CERT published the report on their secure web site; facility managers should be periodically checking that web site for reports affecting their facility.

Johnathan Quest of the Federal Bureau of Inquiry told the same news conference that his agency was investigating the apparent terrorist attack on the facility. He reported that they had been working with ECS-CERT on tracking down the group behind the GUMMI BAREN CL malware. Currently the FBI believes that Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) are responsible.

“We know,” he said, “that they have been known to work with elements of Stasi Ehemalige – the radical German hacking collective. That group was responsible for the GUMMI BAREN ransomware and is likely the source of the CL variant.”

SFINCTER has been very vocal in their attempt to stop all uses of chlorine gas. In recent years they have become much more militant and have threatened direct action against facilities using chlorine gas. If this attack was conducted by SFINCTER, it would be the first time that they had moved beyond civil disobedience activities.

During the question and answer portion of the conference Varg was asked why a remotely accessible valve was used in the safety system. Varg explained that the valve was the same one that was used in all chlorine contact systems at the plant. The safety system controlling the operation of that valve is a stand-alone system, but the valve was connected to the facility control system human-machine interface (HMI) for alerting purposes. That was supposed to be a one-way communication process, but a default maintenance setting on the valve allowed two-way communication over that port.