Sunday, March 3, 2024

Refrigerator Used to Hack Chlorine Plant

The Federal Bureau of Inquiry announced today the arrest of William Cruikshank in connection with last month’s attack on the ChlorAlk plant in Le Sel, LA. That attack resulted in a chlorine release at the facility that injured twelve employees and caused overnight evacuation of the nearby Depatman Doubs Neighborhood. Cruikshank is being charged with twelve counts of attempted murder, unauthorized access to a sensitive computer system, and wiretapping.

Johnathan Quest, FBI spokesperson, confirmed that Cruikshank was arrested when he tried to recover a Bluetooth device that he had placed at the home of an unnamed control system engineer who worked at ChlorAlk. “We were keeping an eye on the device,” Quest said; “It was a specially modified cell phone that Cruikshank had apparently used before, so we were pretty sure that he wanted it back.”

The Director of the National Critical Infrastructure Security Operations Center (CI-SOC), General Buck Turgidson, briefed reporters on the latest information about the ChlorAlk hack. “This was a sophisticated attack on the control systems at the facility,” Turgidson explained; “but there were no specific control system vulnerabilities exploited. We quickly determined that the attack was made via the engineering laptop used by one of the facility’s control system engineers.”

Special Agent R. (Ace) Bannon told reporters at the FBI press conference that the Bureau had initially looked at that engineer as a potential suspect, but quickly changed the focus of their investigation when Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) announced responsibility for the attack. “We have a lengthy ongoing investigation on this group, and a close examination of the laptop showed signs of it being hacked by Cruikshank,” Bannon explained.

A technician working at CI-SOC who was part of the investigation told me that it was surprising that Cruikshank was able to penetrate the well protected laptop. “Then we learned that the engineer was using the tools on the laptop to do some work at home on his smart refrigerator,” she said; “That refrigerator had an old Bluetooth application that had a number of vulnerabilities that Cruikshank was able to exploit to get access to the laptop.”

Sueur Hargreaves-Bird, spokesperson for ChlorAlk, said that the engineer, identified only as ‘Chris’, had been hired after the hack of the facility’s chlorine sensors two years ago. “We specifically hired Chris because of his hacking background and put him to work looking for vulnerabilities in our systems,” Hargreaves-Bird said; “He has coordinated vulnerability disclosures with all of our vendors. Many were not happy with Chris’ efforts, but if they wanted to keep being suppliers for us and others in the industry, they knew that they had to fix the vulnerabilities that Chris found.”

Bannon confirmed that Cruikshank had targeted Chris. “Chris had a very active blog where he discussed each of the vulnerabilities that he had uncovered, and there were numerous hints that he worked in the chlor-alkali industry. He was an obvious target for someone like Cruikshank.”

Sunday, February 25, 2024

Ransomware Class Action Suit

The City of Los Angeles filed a class action lawsuit against Hodes Automation for damages related to the recent ransomware attack against the City’s traffic light control system. Harry R. Haldeman announced the lawsuit this morning along with district attorneys from 25 other Southern California cities. “Not only was Hodes negligent in the design of their system, but they published a list of their customers on their web site,” Haldeman told reporters; “That list provided the hackers easy targets for publicly available exploits.”

Dean Hodes, owner of Hodes Automation, had no comment, referring reporters to his lawyer, Eunice Rivers. Rivers’ office issued a statement this morning; “We are looking at the details of the filing by the District Attorney and cannot comment on the facts of the case at this time, but Mr. Haldeman is clearly overreaching in trying to collect expenses the city incurred in their recovery from an incident from my client.” Rivers noted that Hodes had published an updated version of their software two weeks before the vulnerability was announced by Robert Lightman, the researcher who discovered the vulnerability.

Lightman published his report two months ago on the security bypass vulnerability in the TL Control program used by Los Angeles and thirty other municipalities in Southern California. “I discovered the vulnerability while doing some work for the city of Montecito,” Lightman told reporters; “And I worked closely with Hodes to help them correct the problem.” Lightman explained that he had a disclosure agreement with Hodes that allowed him to publish his research two weeks after Hodes made their update available on their web site.

The City of Los Angeles installed the TL Control system two years ago after the hack of the Robotron system that the City had been using was discovered. Doug Wilson, the Los Angeles City Manager, told reporters this morning that the city had decided to work with a local vendor after having problems working with Robotron. “We felt that a local vendor would be more responsive to our needs,” Wilson said.

When asked when the city became aware of the vulnerability in the TL Control product, Wilson told reporters that he was not able to comment on ongoing litigation. “All questions about the lawsuit should be referred to Haldeman’s office,” Wilson said.

A technician working with the Traffic Department who was not authorized to talk to the press told me that the city never received notification about the vulnerability from Hodes. “We read about the vulnerability in a newspaper article about the ransomware attack,” she said.

The Hodes web site announced the availability of a new version of the TL Control product on December 2nd. There was no mention of a security vulnerability on the web site. The TL Control web page was taken down early this afternoon, after the lawsuit was announced.

The lawsuit is seeking $15 million in damages.

The City Traffic department announced a request for bids on a new traffic light control system. The bid request includes new requirements for cybersecurity notifications, including notifying the Department when vulnerabilities are reported to the vendor and reporting when the vendor has mitigation measures available for reported vulnerabilities.

CAUTIONARY NOTE: This is a future news story - 

Sunday, February 18, 2024

Robotron Drones Phone Home to China

This morning the Security and Applied Science (SAS) Directorate and the Federal Bureau of Inquiry announced that they had shut down an automated espionage operation being conducted by the PRK’s UGG (Uilyo Gong-Gyeog) advanced persistent threat group. Their latest activity utilized hacked Robotron drones to collect photographic and electronic information about critical infrastructure. “The UGG effectively turned the fleet of Robotron BF 109 drones into a data collection bot,” Nelson E. R. Donally, SAS spokesperson, told reporters.

An analyst with the SAS who is not authorized to speak to the press noted that: “While we were focusing on removing Chinese made drones from US airspace, the UGG was targeting the largest non-Chinese uncrewed aircraft manufacturer, Robotron Aero, to turn their aircraft into Chinese data collection tools.”

Johnathan Quest, FBI spokesperson, told reporters: “We have arrest warrants for three members of the UGG leadership, but we do not expect that Chinese authorities will cooperate in their apprehension and extradition. We do, however, have a programmer in custody who worked on the Robotron project for UGG. He was arrested on a federal warrant in Singapore and has been extradited.”

Donally told reporters that SAS became aware of the use of Robotron drones when Barkhorn Aviation of Dothan, AL approached the agency with communications logs from one of their BF 109s. They noted a large block of data being transmitted to an unknown phone number after operations near Fort Novosel. “We were able to track those communications through a number of links to a small server farm two blocks away from the Chinese mission in Atlanta,” Donally said; “We were able to seize those servers and use that access to track information back to an additional 150 BF 109 drones in use across the United States.”

A technician with Dragonfire Cyber who was not authorized to speak with reporters told me that the UGG chip was a communications control chip. The Robotron Aero design allows the drone to communicate via FM radio, cell phone and Bluetooth and encrypts all communications. UGG added additional communications monitoring capabilities and a separate encryption method for selected data.

The SAS Technical Division was able to isolate a single chip found in the BF 109 control system that allowed UGG to establish a physical backdoor in that control system. That chip was made in Taiwan by a manufacturer that was controlled by UGG. Quest told reporters that law enforcement personnel in Taiwan were helping the FBI in their investigation. “They seized customer records from that company,” Quest said; “We are currently tracking down locations where similar chips are in use in this country.”

Robotron Aero issued a statement that reported: “We are working in partnership with SAS and the FBI to try to determine how the electronic systems on our aircraft were compromised. We will have a team available to customers to remove the offending chip once the FBI or other regional law enforcement agencies have completed their forensic examination of each aircraft. The BF 109 fleet is currently grounded pending completion of those efforts.”

CAUTIONARY NOTE: This is a future news story –

Sunday, February 11, 2024

Security Researcher Exonerated

Delano, GA lawyer Junior Butts announced this morning that the Department of Justice had dropped all charges against his client, David Lightman, for the ransomware attack on Bleichen Chemicals last December. Butts told reporters: “My client is a diligent white-hat hacker who found a vulnerability in the Robotron SK-1a safety system and reported that defect to the manufacturer. It was hardly his fault that Robotron was unable to control access to their site.”

Lightman has been in federal custody in Atlanta since January 2nd. He was released this morning. Lightman was arrested on December 31st and all of his research computers and equipment were seized on that day. Lightman referred all questions from the press today to his lawyer.

Della Street, spokesperson for the DOJ, confirmed that Lightman was no longer a suspect in the case. “Mr. Lightman’s story checked out in all particulars after we were able to convince his lawyer to provide us access to the unencrypted contents of his research computer,” Ms. Street said this morning; “We are now on the trail of the team that hacked the Robotron web site that allowed them to intercept David’s vulnerability disclosure.”

The Federal Bureau of Inquiry is reportedly on the trail of AssaB, a notorious environmental hacker, thought to be working with Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER). Johnathan Quest, FBI spokesperson, confirmed that AssaB was a person of interest in the case. “Anyone with information about the whereabouts of AssaB, should contact the FBI or their local law enforcement personnel,” Quest told reporters.

A reliable source at the National Critical Infrastructure Security Operations Center (CI-SOC) who is not authorized to talk to the press confirmed that someone had hacked the Robotron web site and replaced the ‘Security.txt’ link on the main page with one that pointed at a web site controlled by SFINCTER. That allowed the hacker collective to intercept Lightman’s vulnerability report, which included proof-of-concept code. That vulnerability, along with at least one other zero-day vulnerability, allowed SFINCTER to install ransomware on the Bleichen Chemical safety controller.

Carl Scheele, the Bleichen Delano Plant Manager, told reporters in December that the company was forced to shut down production at the plant for five days while they negotiated a final ransom payment to unblock the safety controller. “There was no way that we were going to run our chlorine production unit without that safety controller in place,” Scheele told reporters at the time; “We had to pay the ransom as we had no other way to restart that controller.” Bleichen has not disclosed how much ransom was paid to SFINCTER. Sources report that it was certainly less than the 100 bitcoin asked for in the initial ransom demand.

Kate Libby, security researcher at Dragonfire Cyber, provided background information on the ‘Security.txt’ exploit used by the attackers. She explained that industry has been settling on using a standardized link on their web pages to allow independent security researchers like Lightman to reach out to the appropriate folks at a company to report cyber vulnerabilities. The ‘Security.txt’ link takes the researcher to a brief message that provides contact information, including an encryption key, to allow them to securely send information about vulnerabilities to teams at the company that are responsible for fixing such vulnerabilities.

“In this case,” Libby said; “Poor web site security allowed hackers to substitute their own contact information for those of the company’s security team.” That allowed SFINCTER to utilize the good work of Lightman for their own nefarious ends.
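The security.txt mechanism Libby describes is a real standard (RFC 9116), and the check a researcher can make against the substitution in this story is procedural: fetch the file only from /.well-known/security.txt over HTTPS, insist on a Contact and an unexpired Expires field, and compare the fingerprint of the disclosure key against a value learned out-of-band rather than trusting whatever the page links to. The Python validator below is an added example, not code from the original story or from any company named in it; the vendor and attacker names, URLs, key fingerprints and both sample files are constructed for the example.

```python
"""Validate a security.txt file (RFC 9116) before trusting its contact details.

Added example. Vendor/attacker domains, fingerprints and sample files are
constructed; nothing here comes from a real site.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/security.txt"
ALLOWED_CONTACT_SCHEMES = ("https:", "mailto:", "tel:")

# Fingerprint of the vendor's genuine disclosure key, learned out-of-band
# (a printed advisory, a previously signed report). Constructed value.
PINNED_KEY_FINGERPRINT = "3F2A7C0E9B1D4F6A8C2E5B7D9F1A3C5E7B9D1F3A"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field names to their values; fields may repeat.
    Comments and blank lines are skipped; any other line without a colon is
    a syntax error rather than something to guess at."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, fetched_from: str,
                          retrieved_key_fingerprint: str,
                          now: datetime) -> list[str]:
    """Return the reasons this file must NOT be trusted (empty list = usable).
    fetched_from: URL the file was actually downloaded from.
    retrieved_key_fingerprint: fingerprint of the key fetched from the
    Encryption URL (computed by the caller, e.g. with gpg)."""
    problems: list[str] = []
    url = urlparse(fetched_from)
    if url.scheme != "https" or url.path != WELL_KNOWN_PATH:
        problems.append(f"not served over https at {WELL_KNOWN_PATH}: {fetched_from}")

    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not an https/mailto/tel URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires lacks a time zone")
            elif exp <= now:
                problems.append(f"file expired at {expires[0]}")

    canonical = fields.get("canonical", [])
    if canonical and fetched_from not in canonical:
        problems.append("fetched URL is not listed in Canonical")

    if not fields.get("encryption"):
        problems.append("no Encryption field; report could not be sent confidentially")
    elif retrieved_key_fingerprint.upper() != PINNED_KEY_FINGERPRINT:
        problems.append("encryption key fingerprint does not match the pinned value")
    return problems


NOW = datetime(2024, 2, 11, tzinfo=timezone.utc)  # the story's date
VENDOR_URL = "https://example-vendor.test/.well-known/security.txt"

# Constructed: the vendor's genuine file, served from the well-known path.
GENUINE = """\
Contact: mailto:security@example-vendor.test
Contact: https://example-vendor.test/report
Expires: 2025-01-31T23:59:00Z
Encryption: https://example-vendor.test/pgp-key.txt
Canonical: https://example-vendor.test/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed: a substituted file of the kind in the story, reached from a
# link on the main page and pointing at the attacker's own key.
SUBSTITUTED = """\
Contact: mailto:disclosures@example-dropbox.test
Expires: 2025-01-31T23:59:00Z
Encryption: https://example-dropbox.test/key.asc
"""
ATTACKER_KEY_FINGERPRINT = "0000AAAA1111BBBB2222CCCC3333DDDD4444EEEE"


def check_both() -> tuple[list[str], list[str]]:
    """Run the validator over the genuine and the substituted file."""
    good = validate_security_txt(GENUINE, VENDOR_URL, PINNED_KEY_FINGERPRINT, NOW)
    bad = validate_security_txt(SUBSTITUTED, "https://example-vendor.test/contact.txt",
                                ATTACKER_KEY_FINGERPRINT, NOW)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("genuine", "substituted"), check_both()):
        print(label, "->", result or "OK")
```

The substituted file fails on two independent grounds: it was not served from the well-known path, and the key it points at does not match the pinned fingerprint. Either one is enough to stop a report going out, which is the point: a web-page link is the wrong trust anchor for a disclosure channel, and the key pin is what survives a defaced page.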

Erich Mielke, spokesperson for Robotron refused to take questions from reporters after issuing the following statement:

“Robotron thanks Mr. Lightman for his efforts to help us maintain our high standards of security. Researchers like Mr. Lightman are an important part of our security program. We are happy to see him vindicated and look forward to working with him in the future.”

CAUTIONARY NOTE: This is a future news story –

Sunday, February 4, 2024

FlottSoft Hack Paralyses Federal Government

This morning, shortly after news broke about hundreds of stalled vehicles blocking traffic in Washington and its suburbs, the Federal Fleet Management Service announced that the entire federal motor vehicle fleet had been paralyzed by ransomware. “This morning at six-thirty Washington time, each of our FlottSoft terminals across the country flashed a red screen and then announced that every non-electric vehicle in our fleet would not be able to start until a ransom of 10,000 Bitcoin was paid,” Terry Ragozine, spokesperson for the FFMS, told reporters. Vehicles in transit when the ransomware struck shut down the next time that the vehicle came to a stop.

Shortly after that announcement, a brief announcement was made by Regina Louis Ziegler, White House spokesperson, that the President was working with his national security advisors on a solution to this problem. “It remains the policy of the United States that we will not pay ransoms, nor will we deal with terrorists,” she announced. Ziegler refused to answer questions about how many of the President’s advisors were still stuck in stalled vehicles in Washington.

General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), announced that the CI-SOC was working on the problem. “Fortunately, we have four vehicles here at our headquarters in Delano, GA that are affected by the stoppage to work with,” Turgidson explained. “We have confirmed that the malware is acting at the vehicle level, somewhere within the vehicle CAN bus network; the FlottSoft terminals are working normally after the ransomware announcement is disabled.”

An FFMS background document on FlottSoft explains that the software was adopted by the federal government about ten years ago to manage the ever-expanding fleet of motor vehicles. The software allows FFMS managers to track vehicle use and maintenance. Just two years ago, the vendor added anti-theft protections that allowed stolen vehicles to be shut down by managers.

Late Breaking News: According to a variety of sources, at 8:30 EST all of the shut-down vehicles in the federal inventory began systematically flashing their lights on and off. Multiple sources noticed that the lights were flashing in Morse Code, repeating “Pay Me”. This affected electric vehicles that were previously excluded from the effects of the attack.

CAUTIONARY NOTE: This is a future news story –


Sunday, January 28, 2024

Chemical Plant Explosion Was Sabotage

Early this morning the Chemical Safety Investigative Office (CSIO) announced that it had determined that last week’s explosion at the Ravard Refinery in Los Angeles was the result of sabotage. Trevor Kletz, spokesperson for CSIO, told reporters that: “Investigators have found a device on a pump in the crude oil distillation unit that is believed to be the source of the explosion.”

Background information provided by CSIO on the device explained that the singed remains were relatively intact because of where it was placed on the pump motor. The device consisted of an energy harvesting circuit, a flammable gas sensor, and a capacitor. Investigators from the National Critical Infrastructure Security Operations Center (CI-SOC) confirmed that the device was programmed to short out the capacitor, producing an electric spark, when the gas sensor detected a flammable atmosphere. Gen. Turgidson, CI-SOC Director, confirmed that his team had been able to recover programming data from chips on the device that enabled them to determine the way the device operated. “No communications were necessary to initiate the explosion, it was entirely automated,” Turgidson explained; “when the conditions were right for the spark to do the most damage, the device shorted out the capacitor.”

Shortly after the CSIO announcement was made, a radical environmental group, Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), claimed responsibility for the attack. The social media claim stated: “We have begun a new engagement in our struggle against the corporate polluters responsible for the devastating changes in our climate. This is just the beginning.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry confirmed that the FBI had assumed control of the investigation of the refinery incident. “Now that this is confirmed to be a terrorist attack, the full weight of the Bureau will be employed to find the perpetrators and bring them to justice,” Quest announced.

John Muir, spokesperson for the Ravard Refinery, noted that there was significant damage to the crude oil distillation unit and the refinery was completely shut down until that unit could be restored. “While there was little or no damage to other operating units, there will be no fuel or other chemicals produced here until that unit is back in operation,” Muir explained.

Gasoline prices on the West Coast, already the highest in the nation, are expected to rise sharply as the Ravard refinery is about 20% of the West Coast’s refinery capacity. The Governor’s Office on Climate Change (COCC) noted that: “This is just another reason why it is so critical for the State to develop and support alternative transportation fuels.”

CAUTIONARY NOTE: This is a future news story –

Wednesday, March 1, 2023

Rare Earth Recovery Company Victim of Ransomware Attack

Today, Rare Earth Recovery (RER – NASDAQ) announced that it was declaring force majeure on deliveries because of serial ransomware attacks. “During the last three weeks we have experienced ransomware attacks on our commercial sales system, our HR and email systems, and most recently on the control systems for our Materials Recovery unit;” RER spokesperson Carl A. Arrhenius told reporters; “In each case, we were able to recover systems without paying ransoms, but the cumulative effects have seriously interfered with our production and shipping operations.”

Investigators from the National Critical Infrastructure Security Operations Center (CI-SOC) are working with RER to ensure that their systems are free from infection and prepared to move forward without additional attacks. “Our people have found indications that earlier attacks left backdoors in the corporate system that have allowed the attacker to regain access to the system,” General Buck Turgidson, CI-SOC Director, told reporters; “These appear to be sophisticated attackers.”

The Federal Bureau of Inquiry is also investigating these attacks. “RER recovered materials are being used in critical defense systems, and so for national security reasons, the FBI is taking responsibility for the criminal investigation,” Johnathan Quest told reporters. There are rumors that this attack is related to the attacks reported last week at Bermite Ammo. “BAM is a customer of ours,” Arrhenius told reporters, “We do not have any cyber linkage beyond the occasional email.”

BAM is one of the companies that will have delayed deliveries from RER. Patrick Lizza, BAM spokesperson, noted that the rare earth metals provided by RER are used in-house to manufacture proprietary components that BAM uses in its fuses. “We can still manufacture and fill the shell casings, but without the fuses, we are unable to ship to the Army,” Lizza said.

Kate Libby, a technical response manager with Dragonfire Cyber, which is working with CI-SOC on this investigation, told reporters this morning that it was unusual for an attacker to take three separate shots at getting ransom from a target. “They have not acted like a normal money-driven ransomware attacker. They have not made any other data extortion efforts to get money out of the company,” she told reporters. Turgidson added that there appeared to be another motive in these attacks, but refused to talk about what that motive might be.

RER is a biotechnology company that extracts minerals and rare earth metals from coal power plant ash using bioengineered bacteria and produces geo-bricks from the remaining ash.

CAUTIONARY NOTE: This is a future news story –