ECS-CERT Reports on Remote Access Vulnerability

Today ECS-CERT and the Federal Bureau of Inquiry held a news conference in New Orleans to discuss the results of their recent investigation into a series of chemical releases at the Blew Bayou Chemical Company. They announced that the source of the problem was an unexpected vulnerability in the remote access application for the Robotron industrial control system used at the facility.

The FBI spokesman, Johnathan Quest, told reporters that the investigation was initiated when Blew Bayou reported an unusual series of chlorine releases to the Agency for Chemical and Environmental Security (ACES). ACES contacted the FBI to start a criminal investigation of Blew Bayou for violations of a number of environmental and safety regulations related to those releases.

The FBI in turn contacted ECS-CERT for forensic investigation support when it quickly became apparent that the control system at the facility was going to be an integral part of their investigation. ECS-CERT spokesman, Immanuel C. Securitage, told reporters that their initial review of the control system historical records showed that each of the reported releases had been immediately preceded by access to the control system by the facility control system manager, Eaton Kaghun, the son of the company founder and President Issac B Kaghun.

While the FBI continued their investigation of the younger Kaghun, the team from ECS-CERT continued to delve deeper into the historical record at the facility. They discovered that every time that Eaton accessed the facility control system from his smart phone, the controllers for the three release valves sent a message via the opened VPN communications link to web site associated with Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), a radical environmental terrorist organization. Each of the reported releases coincided with the receipt back of a message from that site via the same VPN link.

While the FBI tried to track down the people associated with the operation of the SFINCTER web site, the focus of the ECS-CERT investigation switched to Robotron, the supplier of the remote access application. Erich Mielke, spokesman for Robotron, told reporters via a video link, that his company quickly and completely cooperated with the investigation.

It turned out that the web site for the Fernzugriff® software had been hacked and the VentilSteuerung worm was included in each download of the Fernzugriff software. The worm allowed an outsider to upload commands to the phone of the app user that would be piggybacked during any VPN session between the app user and the Robotron control system.

Quest noted that it appeared that the hack of the Robotron web site had been undertaken by the German hacking collective, Stasi Ehemalige. The FBI is still investigating ties between Stasi Ehemalige and SFINCTER.

Mielke reported that the worm had been removed from the Robotron web site and that an updated version of the app was available that would remove the worm from the users phone if it was present. Robotron is still working on upgrades to the various control system programs that would deal with the portions of the worm that had been transferred by the app to the actual Robotron control software.

Securitage told reporters that he encouraged all Robotron control system users to discontinue use of the remote application app until the worm had been removed from all software components, both on the phone and in the manufacturing facilities. Indicator of compromise information is available on the ECS-CERT web site.

City Admits Severe Financial Loss from Water System Hack

William Henry Lee III, the Mayor of Delano, GA told a press conference Friday that the Water Maintenance Department (WMD) had suffered a 40% drop in revenues over the last year, forcing the city to seek emergency operating loans from the federal Water Protection Agency (WPA).

Lee announced that the preliminary investigation by the Georgia Bureau of Inquiry (GBI) indicated that the cause appears to be that someone has tampered with the smart water meters installed by the WMD two years ago. The investigation has been turned over to the Federal Bureau of Inquiry (FBI) because it is a Federal crime to tamper with municipal water systems.

Johnathan Quest, the spokesperson for the FBI, confirmed that an investigation of the Delano WMD was underway, but refused to discuss the on-going investigation.

A person close to the investigation, however, told this reporter that central management unit of the smart meter system had been hacked and used to reprogram the meters so that they reported smaller amounts of water usage than was really measured by the meters. It was apparently a pretty sophisticated attack with significant amounts of insider knowledge because the usage rates were reduced over a six-month period so that all customers were reportedly using only the maximum amount of water that would meet the minimum billing requirements.

Quest has stated that the FBI is looking to talk with Daniel Krumitz, a person of interest who used to work for Robotron Water Systems, the company contracted by Delano WMD to install the smart meter system. Robotron confirmed that Krumitz had work for them, but that he had left the company about a year ago.

ECS-CERT Reports on HighTempOverride Attack on Refinery

Today the DHS ECS-CERT announced that the recent shutdown of the Rafael Ravard Refinery in Louisiana was a direct result of a cyber-attack on the facility using the recently discovered HighTempOverride malware. The refinery is still in shutdown mode two weeks after the attack.

ECS-CERT spokesman Immanuel C. Securitage said that attack last month at Ravard Refinery was very similar to attacks on an unnamed chlorine production facility two months ago. That earlier attack caused a number of process shutdowns over the period of a couple of days and then shut the plant down when the control system software used at the plant was wiped from the system control computers.

Securitage explained that the process shutdowns were caused by spoofing temperature readouts in the reaction monitoring system, causing the control system to think that the process was entering a potentially dangerous out of control condition. This is the source of the ECS-CERT name for the malware, HighTempOverride.

The Federal Bureau of Inquiry spokesman Johnathan Quest said that the earlier attack was claimed by Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER). No one has yet claimed responsibility for the Ravard Refinery attack.

Cesar Chavez, President of the Ravard Refinery, noted that his facility had taken precautions against this type of attack by ensuring that all control system files were routinely backed up. This would normally allow for a quick restart after this type of attack. According to the Agency for Chemical and Environmental Security (ACES) the attackers had apparently modified the malware to include a module that infected backup files.

Chaves told reporters that he did not know when the refinery would be able to resume production. Due to retirements over the last couple of years, there were very few employees that were familiar with routine manual operations at the facility. ECS-CERT and the refinery engineering staff were working with Robotron, the control system supplier, to try to remove the malware from the control system.

Chaves noted that every day the refinery was shutdown cost the company $1.5 million.

Hospital Novovirus Outbreak Due to Cyber-Attack

Today the ECS-CERT and the Federal Bureau of Inquiry announced that the recent Novovirus outbreak at Angels Memorial Hospital in Los Angeles was caused by a cyberattack on the Robotron Hospital Sanitizer. That outbreak has been the cause of six deaths over the last week and a large number of patients returning to the hospital for treatment for the new intestinal illness.

Immanuel C. Securitage from ECS-CERT told reporters at this morning’s news conference that his organization had detected a new worm, WannaDie, that used the same attack profile as the recent WannaCry ransomware attack. Instead of infecting the system with ransomware, however, the new worm executes a man-in-the-middle attack that allows it to take control of the device while its outputs and controls seem to indicate normal operation. In the case of the attack on the Robotron devices at Angels Memorial the sanitizer operations were changed to a much lower temperature that failed to kill the Novovirus, allowing ‘sanitized’ devices to spread the infection.

Senior Agent Johnathon Quest announced that the FBI was investigating the cyberattack as a potential terror attack. The German hacking collective Stasi Ehemalige published a statement yesterday being responsible for the development of the WannaDie worm, but denying responsibility for the Angels Memorial attack. They did admit, however, that they had sold copies of the worm to a number of interested activist organizations.

Dr. Rollie Guthrie from Angels Memorial announced that the worm has been successfully removed from the devices with help from ECS-CERT. Additionally, the Hospital IT staff had disconnected all of its Robotron Hospital Sanitizer’s from the Hospital’s network to prevent re-infection.

Securitage noted that ECS-CERT was working with Robotron to develop a software update to remove the vulnerability that made the attack possible.

Bulgarian Athletes Disqualified for Body Hacking

The European Athletics Confederation’s Karl Breitmeyer announced yesterday that Radoslava Maskirovka was disqualified from competing in any track and field events for the next two years for her participation in the Bulgarian glucose doping program. The EAC’s investigation of Maskirovka began after she passed out from dehydration on the medal stand at a track meet in Sophia earlier this year.

EAC doctors discovered that Maskirovka had a Chinese designed insulin pump implanted in her abdomen. Her coaches were able to remotely adjust the insulin levels in her body to provide additional concentrations of glucose during the distance races that Maskirovka excelled at. The so-called optogenetic pump produces insulin within the body upon command of a microchip controlled by a smart phone application.

Sports federations around the world are concerned with the rise of this type of body hacking in athletes. Not only does it provide the augmented athletes with nearly undetectable advantages over their opponents, but it also has severe physical and medical long term consequences for the athletes involved.

In related news, the German hacking collective, Stasi Ehemalige, announced today that they were opposed to this State sponsored body hacking as it was an attack on the health and welfare of the athletes involved. They said that they had found vulnerabilities in the Chinese device and would have hackers on hand at all future Euro sports events to disrupt the operation of such devices.

ECS-CERT Describes Safety System Malware

Washington, DC

The ECS-CERT today announced that they had discovered a new cybersecurity worm that specifically targets safety control systems. The newly discovered UNSICHER worm was discovered during an ECS-CERT investigation of a control system incident at a chemical plant in the mid-west, according to Immanuel C. Securitage, an ECS-CERT spokesman.

Securitage reported that an ECS-CERT team was called to the facility when the safety systems started shutting down chemical manufacturing systems operating under safe conditions. The investigators quickly isolated the malware. Working with Robotron, the company that sells the SicherheitsKontrolle safety control system, ECS-CERT was able to identify how the isolated safety system was infected.

Erich Mielke, the Robotron spokesman, explained that the SicherheitsKontrolle was a completely air-gapped safety system. Technicians from the company are the only ones that are able to connect to the system as they are the only ones that have both the physical and software keys to access the firewire port on the system that is used for installing updates and patches.

Securitage reported that apparently the Robotron technician that installed the latest update had picked up the worm on his laptop when he plugged into an airport charging port in route to install the latest update. UNSICHER was found both on the technician’s laptop and all of the Robotron systems that he updated on that particular trip.

When the SicherheitsKontrolle system is infected, Mielke explained, it attempted to establish a communication link between one of the Robotron PLCs connected to the safety system using the wireless communications link Robotron uses to allow wireless connections to sensors used in the process. Once the connection link between the normally isolated safety system and the facility control system is made, the worm tries to establish a communications link to a command and control computer under the control of the attacker.

Securitage suggested that anyone using the Robotron PLCs as part of a safety system lock-out the wireless ports by setting the DIP switches provided for that purpose as the UNSICHER worm is able to bypass the software locks on those ports.

ECS-CERT reports that there was no physical damage caused at the facility where the worm was discovered, but that the company suffered almost $1 million in losses due to lost production and rework disposal costs.

FEC Fines Robotron for Control System Tracking

This afternoon the Federal Electronics Commission announced a $1.2 million fine was levied against Robotron, the German electronic control system manufacturer, for the exfiltration and sale of manufacturing data from hundreds of US companies. David Weeb, the FEC spokesman, reported that this is the first fine the Commission has levied for industrial data exfiltration.

The FEC notice explained that the Robotron had used its MotorSteuerung software to collect data from electric motors in thousands of facilities around the world. While the data collection was originally designed to provide preventive maintenance information to customers, Robotron has admitted that they have been selling the data to electric motor manufacturers around the world.

Robotron President Erich Mielke said in a prepared statement that Robotron had initially started using the data for marketing their variable speed motors. When the Electric Motors Division was sold off as part of a restructuring move three years ago, Robotron decided to start selling the data to other electric motor manufacturers.

Mielke explained that the detail performance data helped to provide important sales leads and data to enable motor sales people to make the case for switching to more expensive variable speed motors.

This practice came to the FEC’s notice recently when a terrorism investigation by the Federal Bureau of Inquiry discovered that sophisticated knowledge of the operation of a motor in an HVAC system allowed hackers from the Stasi Ehemalige hacking collective to start the recent fire in a synagogue near Houston, TX.

Johnathan Quest, an FBI spokesman, told reporters that Robotron was probably not the direct source of the information used by the Stasi group. He said that the FBI believes that an insider at an unnamed electric motor manufacturer with close ties to Stasi Ehemalige provided the Robotron information to the group. The FBI hopes to make arrests soon in that case where two people were killed and hundreds injured in the synagogue fire.

Homeland Security Confirms Chemical Facility Attack

This morning the Agency for Chemical and Environmental Security (ACES) confirmed during a press conference in Atlanta that yesterday’s chlorine release at a water treatment plant outside of Atlanta, GA was apparently the result of a terrorist attack. The release of about 2,000 pounds of chlorine gas killed one employee at the facility, but the local community was not affected.

Daniel Varg, the ACES Director, reported that the secondary containment system at the facility stopped the release from spreading. The affected employee, whose name has not yet been released, was doing routine work in the containment building when the release occurred. The release occurred when the automated vent valve on the chlorine storage tank was remotely opened.

A private chemical response company is on-site remediating the chlorine released into the containment building. They are expected to complete their work this afternoon and the facility should be operational shortly thereafter. There was no effect on the quality of the drinking water produced by the facility.

Immanuel C. Securitage from ECS-CERT reported that they also have a team on-site looking at how the valve could have been tampered with. Initial reports are that the valve was provided by Robotron and that a variant of the GUMMI BAREN worm was responsible for allowing a terrorist group to gain access to operational control of the valve.

Securitage reported that his agency had received reports about the variant from an unnamed security researcher and that it apparently targeted the particular type of valve used in chlorine storage facilities. He explained that a classified report on the GUMMI BAREN CL had been posted to the ECS-CERT secure web site last month.

When asked if the facility was aware of the GUMMI BARREN CL report, Varg explained that the security contractor for the site did not have the necessary security clearance to be able to read the report. Only the facility manager had the appropriate clearance, but he was not aware of the ECS-CERT report. Varg admitted that his agency had not notified facilities of the report, noting that that was an ECS-CERT responsibility. Securitage responded that his agency did not know what facilities were using the affected valves. That was why ECS-CERT published the report on their secure web site; facility managers should be periodically checking that web site for reports affecting their facility.

Johnathan Quest of the Federal Bureau of Inquiry told the same news conference that his agency was investigating the apparent terrorist attack on the facility. He reported that they had been working with ECS-CERT on tracking down the group behind the GUMMI BARREN CL malware. Currently the FBI believes that Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) are responsible.

“We know,” he said “that they have been known to work with elements of Stasi Ehemalige – the radical German hacking collective. That group was responsible for the GUMMI BARREN ransomware and is likely the source of the CL variant.”

SFINCTER has been very vocal in their attempt to stop all uses of chlorine gas. In recent years they have become much more militant and have threatened direct action against facilities using chlorine gas. If this attack was conducted by SFINCTER, it would be the first time that they had moved beyond civil disobedience activities.

During the question and answer portion of the conference Varg was asked whey a remotely accessible valve was used in the safety system. Varg explained that the valve was the same one that was used in all chlorine contact systems at the plant. The safety system controlling the operation of that valve is a stand-alone system, but the valve was connected to the facility control system human-machine interface (HMI) for alerting purposes. That was supposed to be a one-way communication process, but a default maintenance setting on the valve allowed two-way communication over that port.

Students at Cybersecurity Lab Report Congressional Data Breach

Today George E.E. Kilgore from Ronald Reagan High School told a press conference that school’s Cybersecurity Investigation (CSI) class had found large amounts of sensitive data on computers donated to the school by the office of Congresswoman Dana Miller. Kilgore explained that while he had been assured that all data had been removed from the computers prior to the donation, the students in his CSI class had used the tools and techniques that they had been studying for the last six months to do a deep dive into the memory of the six computers to find information that had been missed when the drives had been sanitized.

Dana Miller explained that the computers had been donated to the Ronald Reagan High School as part of a new program recently signed into law by the President. Miller had been one of the cosponsors of the bill that allowed Congressional offices to donate their used computers to primary and secondary schools. Miller told the press conference that she was proud of the abilities that the students demonstrated in finding the data. She also expressed some concern that the Congressional Data Protection Office (CDPO) had not been able to find the data before the computers were sent to the school.

Kilgore’s presentation at the press conference included a number of slides that showed what types of information were found. The information included:

Copies of documents found in various application directories;

Web browsing histories;

Email contact lists; and

Account information for the Congressional Cloud.

Kilgore explained that the data included in the account information allowed member of his class to access the accounts of Miller and her staff. Asked if the hacking of those accounts was illegal; Miller assured the audience that she had given her permission for the access and that she had confirmed with the local US Attorney that permission ensured that the students had not violated 18 USC 1030.

Also present at the press conference was Larry Ost from the CDPO. When asked why his office had not detected the data breach when they cleared the computers, he replied: “With just two computer technicians in the ten-person office, we only had enough time to check that the standard data files on the computers were erased before the computers were forwarded to the school.”

In apparently related news, Johnathan Quest from the Federal Bureau of Inquiry announced that the FBI had arrested Chester (Moe) Lester, a staffer in Miller’s Washington Office, on child pornography charges. Quest reported that an anonymous tipster had provided the FBI with links to child pornography stored on the Congressional Cloud in Lester’s account.

A statement issued in Washington by Rep. Miller’s office said that the allegations were deplorable and if proven to be true, the alleged behavior was reprehensible. Miller’s office promised full cooperation with the FBI investigation.

FEGA Announces Cybersecurity Research Grants

Today at a joint news conference the DHS Federal Emergency Grant Administration (FEGA) and the Security and Applied Science (SAS) Directorate announced the funding of Cybersecurity Applied Research (CSAR) program for the coming year. The CSAR program was started in 2016 and Congress has been adding directed research programs to it ever since.

Isham M. Gelt started off the press conference by saying that he was proud to announce that the funding for the CSAR program had once again withstood calls for reducing the amount of money available in the program. He reported that the funding has remained stable over the last five years.

Nelson E. R. Donally then announced that in addition to the funding that the CSAR program had been providing to numerous educational institutions for general cybersecurity research and training, that Congress had added for this fiscal year a number of new research requirements for cybersecurity research specifically addressing electronic control system security (ECSS). He announced that educational institutions could apply for grant money for the following new ECSS programs:

• Encryption for communications in supervisory control and data analysis (SCADA) applications;

• Isolation of ECS from data systems;

• Remote data logging of changes in programable logic controllers (PLC);

• Easing data communication between ECS and enterprise data systems; and

• Providing remote access to ECS operations from smart phones.

Donally remarked that Congress was very clear about the requirements for the encryption programs that would be used by ECS systems. The systems had to be based upon a 125-bit key and copies of all encryption keys for ECS had to be on file with the encryption office of ECS-CERT.

Gelt announced that since this was the first year that FEGA would be issuing ECSS grants under the CSAR program the size of the initial grants had been doubled to $20,000 and a total of ten grants would be made this year. When asked if grants had been larger earlier in the CSAR program, Gelt reminded the reporters that Congress had been adding to the CSAR coverage mandate for some time without any increases in the amount of money in the program. The addition of the ECSS program meant that other CSAR grants had been reduced to $9,000 and the total number of grants provided under the program had been reduced by 10.

Donally also announced that due to the decrease in the number of university programs that had been applying for CSAR grants that SAS was expanding the application pool to two-year technical colleges with computer technology programs. Last year over $100,000 in available grant money had been returned to the federal treasury due to the lack of applications.

Local Company Claims Chinese Hackers Cause of Bankruptcy

New Orleans, LA

Today Isaac B (IB) Kaghun announced that the bankruptcy proceedings completed today meant that the Blew Bayou Chemical Company was not going to re-open its doors. IB reported that Chinese hackers were responsible for the high-rework rate over the last six months that destroyed the profitability of the company. He claimed that hackers supporting Tianjin Chemical, his only competitor in the production of Tetramethyldeath (TMD), the revolutionary plasticizer being used as a replacement for BPA.

IB Kaghun, the son of Russian emigres, developed TMD during his graduate studies at LSU. TMD is a monomer that can be added to the polymerization of PVC and other plastics to provide both increased flexibility and strength to those plastics. Tianjin Chemical started production of the chemical after a well-publicized hack of Blew Bayou Chemical computers stole proprietary information about the production of the material. The FBI was never able to find prove that Tianjin Chemical had anything to do with the data theft.

Blew Bayou had been successfully manufacturing TMD for about ten years with multiple expansions of their facility east of New Orleans. Last spring the company started to experience manufacturing problems that resulted in high contamination rates in their product that made the TMD unusable. The costs associated with the lost production and disposal of the flammable chemical quickly ate into the bottom line of Blew Bayou Chemical.

Recent disclosures about vulnerabilities in the Robotron programmable logic controllers (PLC) raised the possibility that a hack of those devices being used in the Blew Bayou manufacturing facility raised the possibility of that being the cause of the manufacturing problems at the plant. IB contacted the Electronic Control System CERT for assistance to determine if a cyber attack had taken place.

Immanuel C. Securitage, a spokesman for ECS-CERT, confirmed that the agency had completed an on-site investigation and did find unauthorized modifications to the programming of some of the PLCs used in the manufacturing process.

“This was a very sophisticated attack,” Securitage said. “There is a critical temperature that must be maintained in the manufacturing process. Any temperature above that critical point causes an increase in the production of undesirable byproducts. The programing of the PLC was modified to change the temperature being reported by two separate temperature probes so that they reported lower temperatures than was actually being experienced in the reaction vessel.”

Kaghun added that whoever was responsible for the hack had very detailed knowledge of the manufacturing process. The revised PLC programming used a complex algorithm so that the rate of change of the reported temperature increased as the temperature approached the critical point. The reported temperature changes then slowly decreased back to actual temperatures above the critical temperature. This was important because at about 15 degrees above the critical point the pressure would have started to rise in the vessel, alerting operators to problems with the reaction.

UPDATE

Houston, TX

Rumors have been confirmed that as part of the bankruptcy settlement, IB Kaghun is providing the details about the manufacturing process for TMD to one of his suppliers, a major chemical company outside of Houston. This is being used in lieu of cash payment for the debts to that company. There are no plans to re-open the facility in Louisiana, according to industry sources.

There are also rumors that the Federal government is considering sanctions against Tianjin Chemical for their alleged part in the hacking of Blew Bayou Chemical.

ECS-CERT Confirms Ransomware Attack

The Chemical Safety Bored (CSB) and the Electronic Control System CERT (ECS-CERT) issue a joint statement today confirming that the recent spate of fires at the Rafael Ravard Refinery south of Baton Rouge were a result of a ransomware attack on the electronic control systems at the refinery. According to the statement, the attack was caused by a new variant of the GUMMI BAREN worm associated with the Stasi Ehemalige, a German criminal syndicate.

Immanuel C. Securitage, the ECS-CERT lead for the refinery investigation, stated that the new variant of GUMMI BAREN has been modified specifically to attack electronic control systems that use the programmable logic controllers manufactured by Robotron, a German electronics company. The Robotron update system has apparently been hacked by Stasi Ehemalige and the GUMMI BAREN launcher included in their latest PLC updates.

Robotron has issued a statement that they are working closely with ECS-CERT to identify the source of the problem with their updater and currently recommend that their customers do not apply the most recent update to their PLC firmware.

Securitage explained that the GUMMI BARREN variant was specifically designed to infect multiple PLCs at a facility through infection via an engineering lap top. The worm includes a delay mechanism so that the encryption of the PLC firmware takes simultaneously across an organization.

Cesar Chavez, a spokesman for the Rafael Ravard Refinery, confirms that a ransom of 1000 bitcoin was demanded by Stasi Ehemalige. They have refused to pay the ransom. Chavez notes that the facility has backups for all firmware for their electronic control system. As soon as the facility has recovered from the uncontrolled shutdown caused by this ransomware attack, they expect that only a short turnaround will be needed to get the facility back into production.