Tuesday, August 1, 2017

ECS-CERT Reports on Remote Access Vulnerability

Today ECS-CERT and the Federal Bureau of Inquiry held a news conference in New Orleans to discuss the results of their recent investigation into a series of chemical releases at the Blew Bayou Chemical Company. They announced that the source of the problem was an unexpected vulnerability in the remote access application for the Robotron industrial control system used at the facility.

The FBI spokesman, Johnathan Quest, told reporters that the investigation was initiated when Blew Bayou reported an unusual series of chlorine releases to the Agency for Chemical and Environmental Security (ACES). ACES contacted the FBI to start a criminal investigation of Blew Bayou for violations of a number of environmental and safety regulations related to those releases.

The FBI in turn contacted ECS-CERT for forensic investigation support when it quickly became apparent that the control system at the facility was going to be an integral part of their investigation. ECS-CERT spokesman, Immanuel C. Securitage, told reporters that their initial review of the control system historical records showed that each of the reported releases had been immediately preceded by access to the control system by the facility control system manager, Eaton Kaghun, the son of the company founder and President Issac B Kaghun.

While the FBI continued their investigation of the younger Kaghun, the team from ECS-CERT continued to delve deeper into the historical record at the facility. They discovered that every time Eaton accessed the facility control system from his smartphone, the controllers for the three release valves sent a message via the opened VPN communications link to a web site associated with Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), a radical environmental terrorist organization. Each of the reported releases coincided with the receipt of a message back from that site via the same VPN link.
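The correlation ECS-CERT describes above (each release falling inside a remote-access session) is the kind of check a plant's own historian review could run. The following is an added example, not code from the page or from ECS-CERT; the log line format, user names, valve tags and timestamps are all constructed for the illustration.

```python
from datetime import datetime

# Constructed remote-access log (not from the page): ISO timestamp, event, key=value fields.
REMOTE_ACCESS_LOG = """\
2017-07-03T02:14:05 VPN_SESSION_START user=ekaghun src=mobile
2017-07-03T02:31:40 VPN_SESSION_END user=ekaghun
2017-07-09T23:02:11 VPN_SESSION_START user=ekaghun src=mobile
2017-07-09T23:20:09 VPN_SESSION_END user=ekaghun
2017-07-12T14:05:00 VPN_SESSION_START user=ops_eng src=laptop
2017-07-12T14:40:00 VPN_SESSION_END user=ops_eng
"""

# Constructed historian excerpt of valve release events (not from the page).
RELEASE_LOG = """\
2017-07-03T02:22:17 CHLORINE_RELEASE valve=RV-2
2017-07-09T23:11:48 CHLORINE_RELEASE valve=RV-1
2017-07-15T08:30:00 CHLORINE_RELEASE valve=RV-3
"""


def parse_events(text):
    """Parse 'TIMESTAMP EVENT key=value ...' lines into (datetime, event, fields) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(ts), event, fields))
    return events


def build_sessions(access_events):
    """Pair VPN_SESSION_START/END events per user into (start, end, user) windows."""
    open_sessions, sessions = {}, []
    for ts, event, fields in access_events:
        user = fields["user"]
        if event == "VPN_SESSION_START":
            open_sessions[user] = ts
        elif event == "VPN_SESSION_END" and user in open_sessions:
            sessions.append((open_sessions.pop(user), ts, user))
    return sessions


def correlate_releases(access_text, release_text):
    """Split releases into those that occurred inside a remote-access session
    (with the session's user) and those with no such session open."""
    sessions = build_sessions(parse_events(access_text))
    matched, unmatched = [], []
    for ts, event, fields in parse_events(release_text):
        if event != "CHLORINE_RELEASE":
            continue
        hit = next((s for s in sessions if s[0] <= ts <= s[1]), None)
        if hit:
            matched.append({"release": ts, "valve": fields["valve"], "user": hit[2]})
        else:
            unmatched.append({"release": ts, "valve": fields["valve"]})
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = correlate_releases(REMOTE_ACCESS_LOG, RELEASE_LOG)
    for m in matched:
        print(f"{m['release']} {m['valve']} released during session of {m['user']}")
    for u in unmatched:
        print(f"{u['release']} {u['valve']} released with no remote session open")
```

Two of the three constructed releases land inside the mobile user's VPN windows and the third does not; in practice the next step is to pull the VPN flow records for those windows, which is where the article's outbound web-site connection would show up.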

While the FBI tried to track down the people associated with the operation of the SFINCTER web site, the focus of the ECS-CERT investigation switched to Robotron, the supplier of the remote access application. Erich Mielke, spokesman for Robotron, told reporters via a video link, that his company quickly and completely cooperated with the investigation.

It turned out that the web site for the Fernzugriff® software had been hacked and the VentilSteuerung worm was included in each download of the Fernzugriff software. The worm allowed an outsider to upload commands to the phone of the app user that would be piggybacked during any VPN session between the app user and the Robotron control system.

Quest noted that it appeared that the hack of the Robotron web site had been undertaken by the German hacking collective, Stasi Ehemalige. The FBI is still investigating ties between Stasi Ehemalige and SFINCTER.

Mielke reported that the worm had been removed from the Robotron web site and that an updated version of the app was available that would remove the worm from the user's phone if it was present. Robotron is still working on upgrades to the various control system programs that would deal with the portions of the worm that had been transferred by the app to the actual Robotron control software.


Securitage told reporters that he encouraged all Robotron control system users to discontinue use of the remote access app until the worm had been removed from all software components, both on the phone and in the manufacturing facilities. Indicator of compromise information is available on the ECS-CERT web site.

Sunday, July 2, 2017

City Admits Severe Financial Loss from Water System Hack

William Henry Lee III, the Mayor of Delano, GA told a press conference Friday that the Water Maintenance Department (WMD) had suffered a 40% drop in revenues over the last year, forcing the city to seek emergency operating loans from the federal Water Protection Agency (WPA).

Lee announced that the preliminary investigation by the Georgia Bureau of Inquiry (GBI) indicated that the cause appears to be that someone has tampered with the smart water meters installed by the WMD two years ago. The investigation has been turned over to the Federal Bureau of Inquiry (FBI) because it is a Federal crime to tamper with municipal water systems.

Johnathan Quest, the spokesperson for the FBI, confirmed that an investigation of the Delano WMD was underway, but refused to discuss the on-going investigation.

A person close to the investigation, however, told this reporter that the central management unit of the smart meter system had been hacked and used to reprogram the meters so that they reported smaller amounts of water usage than was really measured by the meters. It was apparently a pretty sophisticated attack with significant amounts of insider knowledge, because the usage rates were reduced over a six-month period so that all customers were reportedly using only the maximum amount of water that would still be billed at the minimum rate.
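The pattern the source describes (readings sliding over six months until every customer sits at the billing minimum) is detectable from billing data alone. The following is an added example, not code from the page or from the Delano WMD; the billing threshold, meter IDs and monthly readings are constructed for the illustration.

```python
MIN_BILLING_UNITS = 3000  # constructed: largest monthly volume still billed at the flat minimum rate

# Constructed six months of reported usage per meter (not data from the page).
METER_READINGS = {
    "M1": [9000, 8100, 7000, 5500, 4000, 3000],
    "M2": [12000, 10500, 9000, 7000, 4800, 3000],
    "M3": [2800, 2900, 2700, 3000, 2950, 3000],   # genuinely small user, always near the minimum
    "M4": [6000, 6200, 5900, 6100, 6000, 6050],   # steady consumer
}


def near_minimum(value, threshold, tolerance=0.02):
    """True when a reading sits within `tolerance` of the billing minimum."""
    return abs(value - threshold) <= threshold * tolerance


def flag_suspicious_meters(readings, threshold, min_months=4):
    """Flag meters whose reported usage slides steadily from well above the
    billing minimum down to exactly that minimum. Real consumption rarely
    converges on a tariff boundary; a meter reprogrammed to hit the minimum
    bill does so by construction."""
    flagged = []
    for meter_id, series in readings.items():
        if len(series) < min_months:
            continue
        started_high = series[0] > 1.5 * threshold
        ends_at_minimum = near_minimum(series[-1], threshold)
        monotone_decline = all(a >= b for a, b in zip(series, series[1:]))
        if started_high and ends_at_minimum and monotone_decline:
            flagged.append(meter_id)
    return sorted(flagged)


def share_at_minimum(readings, threshold, month_index):
    """Fleet-wide signal: fraction of meters reporting at the billing minimum in one month.
    A jump in this share across the whole service area points at the head-end, not at customers."""
    hits = sum(near_minimum(s[month_index], threshold) for s in readings.values())
    return hits / len(readings)


if __name__ == "__main__":
    print("per-meter flags:", flag_suspicious_meters(METER_READINGS, MIN_BILLING_UNITS))
    for month in range(6):
        print(f"month {month}: {share_at_minimum(METER_READINGS, MIN_BILLING_UNITS, month):.0%} of meters at minimum")
```

The per-meter rule catches the two constructed meters that drift down to the threshold while leaving the genuinely small user and the steady consumer alone; the fleet-wide share is the cheaper early warning, since a revenue drop spread evenly across all customers is a head-end problem rather than a customer problem.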


Quest has stated that the FBI is looking to talk with Daniel Krumitz, a person of interest who used to work for Robotron Water Systems, the company contracted by Delano WMD to install the smart meter system. Robotron confirmed that Krumitz had worked for them, but that he had left the company about a year ago.

Tuesday, June 13, 2017

ECS-CERT Reports on HighTempOverride Attack on Refinery

Today the DHS ECS-CERT announced that the recent shutdown of the Rafael Ravard Refinery in Louisiana was a direct result of a cyber-attack on the facility using the recently discovered HighTempOverride malware. The refinery is still in shutdown mode two weeks after the attack.

ECS-CERT spokesman Immanuel C. Securitage said that the attack last month at Ravard Refinery was very similar to attacks on an unnamed chlorine production facility two months ago. That earlier attack caused a number of process shutdowns over a couple of days and then shut the plant down when the control system software used at the plant was wiped from the system control computers.

Securitage explained that the process shutdowns were caused by spoofing temperature readouts in the reaction monitoring system, causing the control system to think that the process was entering a potentially dangerous out-of-control condition. This is the source of the ECS-CERT name for the malware, HighTempOverride.
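A spoofed readout that trips a shutdown has to arrive as a value the control system accepts; a plausibility check on the rate of change is one cheap place to catch it before the interlock acts. The following is an added example, not code from the page or from ECS-CERT; the heating-rate limit and the temperature samples are constructed for the illustration.

```python
MAX_RISE_PER_SECOND = 0.5  # constructed: fastest credible heating rate for this reactor, in degrees C per second

# Constructed reactor temperature samples (seconds, degrees C), not data from the page.
SAMPLES = [
    (0, 80.0), (10, 80.4), (20, 81.1), (30, 81.9),
    (40, 145.0),   # 63 degrees in 10 s: far beyond what the process can physically do
    (50, 146.2),
    (60, 82.5),    # and an equally implausible drop back
]


def implausible_jumps(samples, max_rate):
    """Return (t, previous, current, rate) for every sample whose change from the
    previous sample exceeds the physical heating/cooling limit. Such readings are
    treated as untrusted and held for confirmation instead of driving the shutdown logic."""
    findings = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        rate = abs(v1 - v0) / (t1 - t0)
        if rate > max_rate:
            findings.append((t1, v0, v1, rate))
    return findings


def trusted_high_temp(samples, max_rate, limit):
    """True only when a reading exceeds `limit` and is NOT flagged as implausible,
    so a lone spoofed spike cannot by itself claim the process is out of control."""
    suspect_times = {f[0] for f in implausible_jumps(samples, max_rate)}
    return any(v > limit and t not in suspect_times for t, v in samples)


if __name__ == "__main__":
    for t, prev, cur, rate in implausible_jumps(SAMPLES, MAX_RISE_PER_SECOND):
        print(f"t={t}s: {prev} -> {cur} degrees C ({rate:.1f} deg/s) exceeds {MAX_RISE_PER_SECOND} deg/s")
    print("trusted high-temperature condition:", trusted_high_temp(SAMPLES, MAX_RISE_PER_SECOND, 120.0))
```

In the constructed series both the spike and the fall back are flagged, and the 146.2 degree sample that follows the spike is not flagged on its own, so the second function still reports a trusted high reading: a rate check filters the obviously faked transition, and a real defence would also compare against a second, independently wired sensor before the interlock fires.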

The Federal Bureau of Inquiry spokesman Johnathan Quest said that the earlier attack was claimed by Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER). No one has yet claimed responsibility for the Ravard Refinery attack.

Cesar Chavez, President of the Ravard Refinery, noted that his facility had taken precautions against this type of attack by ensuring that all control system files were routinely backed up. This would normally allow for a quick restart after this type of attack. According to the Agency for Chemical and Environmental Security (ACES) the attackers had apparently modified the malware to include a module that infected backup files.

Chavez told reporters that he did not know when the refinery would be able to resume production. Due to retirements over the last couple of years, there were very few employees who were familiar with routine manual operations at the facility. ECS-CERT and the refinery engineering staff were working with Robotron, the control system supplier, to try to remove the malware from the control system.


Chavez noted that every day the refinery was shut down cost the company $1.5 million.

Monday, May 22, 2017

Hospital Novovirus Outbreak Due to Cyber-Attack

Today the ECS-CERT and the Federal Bureau of Inquiry announced that the recent Novovirus outbreak at Angels Memorial Hospital in Los Angeles was caused by a cyberattack on the Robotron Hospital Sanitizer. That outbreak has been the cause of six deaths over the last week and a large number of patients returning to the hospital for treatment for the new intestinal illness.

Immanuel C. Securitage from ECS-CERT told reporters at this morning’s news conference that his organization had detected a new worm, WannaDie, that used the same attack profile as the recent WannaCry ransomware attack. Instead of infecting the system with ransomware, however, the new worm executes a man-in-the-middle attack that allows it to take control of the device while its outputs and controls seem to indicate normal operation. In the case of the attack on the Robotron devices at Angels Memorial the sanitizer operations were changed to a much lower temperature that failed to kill the Novovirus, allowing ‘sanitized’ devices to spread the infection.

Senior Agent Johnathan Quest announced that the FBI was investigating the cyberattack as a potential terror attack. The German hacking collective Stasi Ehemalige published a statement yesterday claiming responsibility for the development of the WannaDie worm, but denying responsibility for the Angels Memorial attack. They did admit, however, that they had sold copies of the worm to a number of interested activist organizations.

Dr. Rollie Guthrie from Angels Memorial announced that the worm has been successfully removed from the devices with help from ECS-CERT. Additionally, the Hospital IT staff had disconnected all of its Robotron Hospital Sanitizers from the Hospital's network to prevent re-infection.

Securitage noted that ECS-CERT was working with Robotron to develop a software update to remove the vulnerability that made the attack possible.


Thursday, April 27, 2017

Bulgarian Athletes Disqualified for Body Hacking

The European Athletics Confederation's Karl Breitmeyer announced yesterday that Radoslava Maskirovka was disqualified from competing in any track and field events for the next two years for her participation in the Bulgarian glucose doping program. The EAC's investigation of Maskirovka began after she passed out from dehydration on the medal stand at a track meet in Sofia earlier this year.

EAC doctors discovered that Maskirovka had a Chinese-designed insulin pump implanted in her abdomen. Her coaches were able to remotely adjust the insulin levels in her body to provide additional concentrations of glucose during the distance races at which Maskirovka excelled. The so-called optogenetic pump produces insulin within the body on command from a microchip controlled by a smartphone application.

Sports federations around the world are concerned with the rise of this type of body hacking in athletes. Not only does it provide the augmented athletes with nearly undetectable advantages over their opponents, but it also has severe long-term physical and medical consequences for the athletes involved.


In related news, the German hacking collective, Stasi Ehemalige, announced today that they were opposed to this State sponsored body hacking as it was an attack on the health and welfare of the athletes involved. They said that they had found vulnerabilities in the Chinese device and would have hackers on hand at all future Euro sports events to disrupt the operation of such devices.

Sunday, February 19, 2017

ECS-CERT Describes Safety System Malware

Washington, DC

The ECS-CERT today announced that they had discovered a new worm that specifically targets safety control systems. The newly discovered UNSICHER worm was found during an ECS-CERT investigation of a control system incident at a chemical plant in the Midwest, according to Immanuel C. Securitage, an ECS-CERT spokesman.

Securitage reported that an ECS-CERT team was called to the facility when the safety systems started shutting down chemical manufacturing systems operating under safe conditions. The investigators quickly isolated the malware. Working with Robotron, the company that sells the SicherheitsKontrolle safety control system, ECS-CERT was able to identify how the isolated safety system was infected.

Erich Mielke, the Robotron spokesman, explained that the SicherheitsKontrolle was a completely air-gapped safety system. Technicians from the company are the only ones able to connect to the system, as they are the only ones who have both the physical and software keys to access the FireWire port on the system that is used for installing updates and patches.

Securitage reported that the Robotron technician who installed the latest update had apparently picked up the worm on his laptop when he plugged into an airport charging port en route to install the latest update. UNSICHER was found both on the technician's laptop and on all of the Robotron systems that he updated on that particular trip.

When the SicherheitsKontrolle system is infected, Mielke explained, it attempts to establish a communication link with one of the Robotron PLCs connected to the safety system, using the wireless communications link Robotron provides for wireless connections to sensors used in the process. Once the link between the normally isolated safety system and the facility control system is made, the worm tries to establish a communications link to a command and control computer under the control of the attacker.

Securitage suggested that anyone using the Robotron PLCs as part of a safety system lock out the wireless ports by setting the DIP switches provided for that purpose, as the UNSICHER worm is able to bypass the software locks on those ports.


ECS-CERT reports that there was no physical damage caused at the facility where the worm was discovered, but that the company suffered almost $1 million in losses due to lost production and rework disposal costs.

Wednesday, February 8, 2017

FEC Fines Robotron for Control System Tracking

This afternoon the Federal Electronics Commission announced that a $1.2 million fine had been levied against Robotron, the German electronic control system manufacturer, for the exfiltration and sale of manufacturing data from hundreds of US companies. David Weeb, the FEC spokesman, reported that this is the first fine the Commission has levied for industrial data exfiltration.

The FEC notice explained that Robotron had used its MotorSteuerung software to collect data from electric motors in thousands of facilities around the world. While the data collection was originally designed to provide preventive maintenance information to customers, Robotron has admitted that they have been selling the data to electric motor manufacturers around the world.

Robotron President Erich Mielke said in a prepared statement that Robotron had initially started using the data for marketing their variable speed motors. When the Electric Motors Division was sold off as part of a restructuring move three years ago, Robotron decided to start selling the data to other electric motor manufacturers.

Mielke explained that the detailed performance data helped to provide important sales leads and data to enable motor salespeople to make the case for switching to more expensive variable speed motors.

This practice came to the FEC’s notice recently when a terrorism investigation by the Federal Bureau of Inquiry discovered that sophisticated knowledge of the operation of a motor in an HVAC system allowed hackers from the Stasi Ehemalige hacking collective to start the recent fire in a synagogue near Houston, TX.


Johnathan Quest, an FBI spokesman, told reporters that Robotron was probably not the direct source of the information used by the Stasi group. He said that the FBI believes that an insider at an unnamed electric motor manufacturer with close ties to Stasi Ehemalige provided the Robotron information to the group. The FBI hopes to make arrests soon in that case where two people were killed and hundreds injured in the synagogue fire.