The Chemical Safety Bored (CSB) and the Electronic Control
System CERT (ECS-CERT) issued a joint statement today confirming that the recent
spate of fires at the Rafael Ravard Refinery south of Baton Rouge was a result
of a ransomware attack on the electronic control systems at the refinery.
According to the statement, the attack was caused by a new variant of the GUMMI
BAREN worm associated with the Stasi Ehemalige, a German criminal syndicate.

Immanuel C. Securitage, the ECS-CERT lead for the refinery
investigation, stated that the new variant of GUMMI BAREN has been modified
specifically to attack electronic control systems that use the programmable
logic controllers manufactured by Robotron, a German electronics company. The
Robotron update system has apparently been hacked by Stasi Ehemalige and the
GUMMI BAREN launcher was included in their latest PLC updates.

Robotron has issued a statement that they are working
closely with ECS-CERT to identify the source of the problem with their updater
and currently recommend that their customers do not apply the most recent
update to their PLC firmware.

Securitage explained that the GUMMI BAREN variant was
specifically designed to infect multiple PLCs at a facility through infection
via an engineering laptop. The worm includes a delay mechanism so that the encryption
of the PLC firmware takes place simultaneously across an organization.

Cesar Chavez, a spokesman for the Rafael Ravard Refinery,
confirms that a ransom of 1000 bitcoin was demanded by Stasi Ehemalige. They
have refused to pay the ransom. Chavez notes that the facility has backups for
all firmware for their electronic control system. As soon as the facility has
recovered from the uncontrolled shutdown caused by this ransomware attack, they
expect that only a short turnaround will be needed to get the facility back
into production.