Today ECS-CERT and the Federal Bureau of Inquiry held a news conference in New Orleans to discuss the results of their recent investigation into a series of chemical releases at the Blew Bayou Chemical Company. They announced that the source of the problem was an unexpected vulnerability in the remote access application for the Robotron industrial control system used at the facility.
The FBI spokesman, Johnathan Quest, told reporters that the investigation was initiated when Blew Bayou reported an unusual series of chlorine releases to the Agency for Chemical and Environmental Security (ACES). ACES contacted the FBI to start a criminal investigation of Blew Bayou for violations of a number of environmental and safety regulations related to those releases.
The FBI in turn contacted ECS-CERT for forensic investigation support when it quickly became apparent that the control system at the facility was going to be an integral part of their investigation. ECS-CERT spokesman Immanuel C. Securitage told reporters that their initial review of the control system's historical records showed that each of the reported releases had been immediately preceded by access to the control system by the facility control system manager, Eaton Kaghun, the son of the company founder and President Issac B. Kaghun.
While the FBI continued their investigation of the younger Kaghun, the team from ECS-CERT continued to delve deeper into the historical record at the facility. They discovered that every time Eaton accessed the facility control system from his smartphone, the controllers for the three release valves sent a message via the opened VPN communications link to a web site associated with Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), a radical environmental terrorist organization. Each of the reported releases coincided with the receipt of a message back from that site via the same VPN link.
While the FBI tried to track down the people associated with the operation of the SFINCTER web site, the focus of the ECS-CERT investigation switched to Robotron, the supplier of the remote access application. Erich Mielke, spokesman for Robotron, told reporters via a video link that his company quickly and completely cooperated with the investigation.
It turned out that the web site for the Fernzugriff® software had been hacked and that the VentilSteuerung worm was included in each download of the Fernzugriff software. The worm allowed an outsider to upload commands to the phone of the app user that would be piggybacked on any VPN session between the app user and the Robotron control system.
Quest noted that it appeared that the hack of the Robotron web site had been undertaken by the German hacking collective Stasi Ehemalige. The FBI is still investigating ties between Stasi Ehemalige and SFINCTER.
Mielke reported that the worm had been removed from the Robotron web site and that an updated version of the app was available that would remove the worm from the user's phone if it was present. Robotron is still working on upgrades to the various control system programs that would deal with the portions of the worm that had been transferred by the app to the actual Robotron control software.
Securitage told reporters that he encouraged all Robotron control system users to discontinue use of the remote access app until the worm had been removed from all software components, both on the phone and in the manufacturing facilities. Indicators of compromise are available on the ECS-CERT web site.