Saturday, December 29, 2018

Gas Line Hack Caused Fire at Local Business


Tucker Watts, Delano Chief of Police, announced today that the Christmas day fire at the Delano Bakery and Sandwich Company store was the result of a cybersecurity attack on the controls for the gas line leading to the store. Hugh Holmes, the owner of the store has been arrested in connection with the fire.

Watts announced that when the Delano Fire Department’s investigation of the fire determined that the explosion and resulting fire were due to a gas leak associated with the pressure relief device on the line leading into the store, investigators started working with the Delano Gas Company to determine the cause of the over-pressurization of the line.

Investigators discovered a break-in at a local gas-pumping station and evidence of a cyber-intrusion via a USB port on one of the control devices at the station. A local high-school student, whose name has not yet been released, was identified by security videos as being in the pumping station at the time of the intrusion. The student implicated Holmes as the one who paid him to conduct the attack. Watts reported that Holmes was having financial difficulties and apparently was looking for the insurance payout from the incident to resolve those problems.

Delano Gas Company has reported that it is working with an Atlanta, GA cybersecurity firm to identify the specific weaknesses that allowed the successful cyber-intrusion. An individual with the company who was not authorized to talk to the press noted that the company had tried to get assistance from ECS-CERT to investigate the incident, but that assistance was not available due to the current shutdown of portions of the Federal Government. No ECS-CERT spokesman was available to comment on the claim.

Watts noted that the fire did not injure anyone and there was only minor damage to nearby businesses due to the initial explosion. The incident occurred on Christmas morning and there were very few people in the downtown area at the time.

Cautionary Note: This is a future ICS news story.

Tuesday, December 25, 2018

Court Orders Release of Refinery Hacker


Today, in an unusual Christmas ruling, Judge Phantly R. Bean of the 14th US District Court ordered the release of Dietrich Sorensson who had been arrested this summer by the Federal Bureau of Inquiry for the HighTempOverride attack on the Rafael Ravard Refinery last year. Bean’s ruling came on a defense motion to throw out all evidence that was related to the computer records of the attack.

Bean’s ruling noted that:

“The defense has rightly noted that there is no computer record available of the attack that has not been altered by company employees trying to correct the problem, private investigators hired by the company to determine the source of the problem and finally FBI technicians trying to reverse engineer the changes made by those personnel. Thus, the computer record of the attack is so tainted that it has no evidentiary value.”

Defense lawyers had claimed that the prosecution’s identification of Sorensson’s involvement was based solely on that tainted evidence. This means that the FBI search warrant that allowed for the seizure of Dietrich’s computer was illegal and the evidence from that computer could not be used in trying the case. Bean agreed with that argument and ordered the release of Sorensson.

Johnathan Quest, the FBI spokesman, had no comment about Bean’s ruling. A source in the FBI technical services who was not authorized to speak to reporters noted that the FBI internal procedures had long called for maintaining original, unaltered copies of malware, but that those standards had not been applied to the altered copies of control system device programs that had been recovered after the attack. It was information in that programming that had led to the identification of Sorensson as the attack author.

Cesar Chavez, President of the Rafael Ravard Refinery, told reporters that he was disappointed by Bean’s decision today. He said that the company would look at other options for dealing with the alleged attacker, including possible civil actions.

Immanuel C. Securitage, spokesman for ECS-CERT, told reporters today that the organization was working on a guidance document that would outline procedures for recording the attack-state of a control system before work began on recovering the system from an attack. This forensic record process would pre-empt rulings like the one today. He did acknowledge, however, that the problem would lie in determining whether or not a cyber-attack was responsible for a manufacturing process upset, and would thus trigger the recording of the attack-state, or whether the upset was due to some other type of cyber event.

Cautionary Note: This is a Future News Story

Tuesday, December 18, 2018

Insurance Company Withholding Payments in Chlorine Attack


Today GPI, Inc announced that it was withholding payments on its Gerbil Pediatric Insurance for any deaths or long-term disabilities related to the chlorine attack on a Palo Alto elementary school earlier this month. Shari Lewis, a spokesperson for the company, explained that the legal status of the attack had yet to be determined and that determination would establish whether or not payments would be required under the policies.

A representative of the school’s parent support group who did not wish to be identified explained that the group had worked with GPI on fundraising campaigns for the last ten years, selling Gerbil Pediatric Insurance to parents and families of students at the school to raise money to support the music and arts programs at the school. Participation in the annual fundraising drives has been nearly universal, but the parent support group did not know how many of the affected students currently were covered by the GPI policies. To date, fifty students have died from injuries sustained in the attack and hundreds more are expected to have life-long complications from the chlorine exposure.

Lewis explained that the United States Treasury Department had not formally declared that the chlorine attack on the school was a terrorist attack, so the terrorism provisions of the policy have yet to be triggered. Additionally, the recent arrest of an Iranian national raised the prospects that this was an act of aggression by a foreign power, so that the ‘act of war’ exemption in the policy might prohibit any payments. Until these two legal issues were resolved, Lewis reported that GPI would not be making any payments under the policies.

The Treasury Department has declined to comment on the terrorism status of the attack, pending completion of the investigation by the Federal Bureau of Inquiry. Jeffery P. Morgan, a spokesman for the Department, said that while the attack certainly had terrorist characteristics, a legal declaration required a full and complete investigation of the attack.

Johnathan Quest, an FBI spokesman, confirmed that an Iranian national had been arrested in connection with an attempted similar attack last week, but that the FBI has not formally connected him to the Palo Alto school attack. Whether or not the unnamed individual has ties to the government of Iran has not yet been established.

Rep. Harvey Milk (D,CA) issued a statement criticizing GPI. He complained that “GPI’s failure to provide financial support to the parents and families affected in this attack is just another example of corporate greed. Families were told that they could count on these policies to aid them in paying for funeral expenses and long-term medical care. Failure of GPI to make good on these promises just expands and deepens the horrendous experience these families are having to deal with.”

CAUTIONARY NOTE: This is a future news story – 

Tuesday, December 11, 2018

Second Truck GPS Attack Intercepted


Today the Federal Bureau of Inquiry announced that it had arrested three people in connection with a second attempted attack on a truck carrying hazardous chemicals. During the arrest there was a short shootout and one of the terrorists, a known member of Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), was injured. No chemicals were released during the incident.

Johnathan Quest, an FBI spokesman, said that after last week’s attack, all hazardous materials shipments by Avondale Trucking were being tracked by FBI and California Highway Police teams. When the GPS system on one of the trucks indicated that a GPS attack was taking place, Quest reported that sophisticated radio direction finding equipment was used to track down the source vehicle near the Avondale truck. The van was then stopped, and the terrorists arrested.

When asked why the Avondale trucks had been targeted for FBI monitoring, Quest noted that the FBI had information indicating that SFINCTER had planned multiple attacks on Avondale trucks based on the scheduling and routing information obtained from hacks of the company computer systems.

Francis L. Poncherello, a spokesman for the CHP, told reporters at a second news conference that the third person arrested from the hacking vehicle was an Iranian national who was apparently providing GPS hacking technical support. Quest would not confirm that report, noting that the FBI was still working on identifying the third individual.

Willie C. Shealey from Avondale Trucking told reporters that the truck that was the target of the latest GPS hack was carrying acrylonitrile to a manufacturing location outside of San Jose, CA. He did not know what the apparent target of the attack was. Quest noted that that information was not yet available; technical experts from the FBI were still examining the GPS equipment found in the van.

Vera Arbeiten from the Chemical Safety Bureau told reporters that while acrylonitrile was not as toxic as chlorine gas, it could pose a serious health risk to personnel exposed to the chemical in an attack. She noted that medical treatment of the affected individuals would prove difficult in a mass casualty event because hospital emergency rooms would only have a limited number of the Cyanokits on hand to treat exposed personnel. Those kits are seldom used in normal ER operations, have a limited shelf-life and are relatively expensive.

Rep. Harvey Milk (D,CA) in a speech on the Senate floor today called for the resignation of the head of the Trucking Security Agency, noting that the TSA had taken no action on multiple congressional mandates to increase the security of hazardous material moved by truck across the country. Milk went on to say that: “The TSA approach of calling for voluntary compliance with vague security guidelines had resulted in the deaths of thirty-two elementary age students and a future of long-term disability for many more as a result of the Palo Alto attack. The fact that today’s attempted attack was only prevented by close FBI monitoring of all of the hazmat shipments of a single trucking company is just another indication of the need for strong security controls and close federal monitoring.”

Milk is crafting legislation that would change the TSA mandate to include a detailed security program modeled on the one being used to monitor critical chemical manufacturing facilities.

CAUTIONARY NOTE: This is a future news story –

Saturday, December 8, 2018

Chlorine Hackers Given GPS Tools


The Federal Bureau of Inquiry confirmed today that the GPS tools used by the hackers responsible for the redirection of the Avondale Trucking Company delivery of chlorine cylinders used in this week’s attack on a Palo Alto elementary school were apparently provided to the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) by an outside agency. The FBI’s investigation of that possible source is continuing.

Johnathan Quest, the FBI spokesman, noted that while blocking GPS signals is a relatively simple technology, the level of sophistication seen in Monday’s attack is much higher and well beyond the known level of sophistication of SFINCTER. That attack was made possible by spoofing GPS signals in the area of the truck to change the truck’s route and take it to the fence outside of the elementary school.

A suspect arrested in an earlier attempted attack by SFINCTER told the FBI yesterday that he had seen an unknown person training two SFINCTER associates on the GPS equipment. This according to an FBI source that asked to remain unidentified because she was not authorized to talk to the press. The suspect’s description of the trainer would seem to indicate that it was a Middle Eastern national with relatively good command of the English language.

A communique from SFINCTER provided to multiple news organizations this morning reported that it was receiving international assistance in expanding its attacks against “heartless corporate interests that were responsible for thousands of people of color being harmed in collateral chemical attacks”. The message went on to say that the only crime of these victims of corporate greed and neglect was being poor and living near chemical facilities. SFINCTER promised to continue attacks like that seen Monday to “allow the privileged community to share in the pain that the under privileged have experienced for years”.

ECS-CERT is continuing to provide assistance to the FBI in the investigation of this incident. Immanuel C. Securitage, ECS-CERT spokesman, told reporters this morning that his organization had found indications that unknown hackers had gained access to the Avondale Trucking company servers and accessed scheduling information to determine which vehicle would be involved in Monday’s delivery and the planned route that vehicle was supposed to take to the water treatment facility. Having this information would have been necessary to execute the GPS attack on the vehicle.

Rep. Harvey Milk (D,CA) introduced legislation today that would require all trucks carrying toxic chemicals to use military-grade encrypted GPS systems to avoid spoofing attacks. The bill would also require trucking companies to inform police and emergency response personnel of the planned routes and timing of all toxic chemical shipments. Toxic chemical delivery routes would have to avoid public and private schools by at least one-half mile. The Chair of the House Transportation Committee promised a hearing on the bill this week.

Milk also announced that he has asked the Justice Department to investigate why the Trucking Security Agency has not published security regulations that were mandated by Congress six years ago.

CAUTIONARY NOTE: This is a future news story –

Tuesday, December 4, 2018

GPS Hack Guided Truck to School


Today the FBI confirmed that it was a spoof of the signal from the Global Positioning Satellite that was used to direct the Avondale Trucking Company truck to the site of the fatal chlorine attack on an elementary school yesterday. The release of chlorine gas from the one-ton cylinders carried on that truck resulted in twenty deaths and hundreds of students, teachers and nearby residents being hospitalized.

Johnathan Quest, an FBI spokesman, told reporters that there were confirmed reports from an Uber driver and a UPS driver in the area yesterday of problems with the locations provided by their GPS systems. Additionally, he noted that Christopher Seeling, the Avondale Trucking driver killed in the attack, was in the process of texting his dispatcher about GPS problems when he was shot. He was not able to call his dispatcher because cell phone signals in the area were being blocked.

Quest told reporters that the text message said: “At GPS location for treatment plant. No plant here, just school.”

The Federal Emergency Grant Administration (FEGA) is trying to assist local hospitals with the treatment of the large number of people, mostly elementary school students, injured in the attack. The number of ventilators available at emergency rooms and hospitals is not sufficient for the number of people involved. Isham M. Gelt, the FEGA spokesman, said that about five of the deaths that have occurred overnight would have been prevented if additional ventilators had been available. The military, Gelt said, is airlifting in equipment from bases around the world to aid in the treatment of the injured.

A local doctor who declined to be identified for this piece explained on background that ventilators are an expensive piece of medical treatment equipment that help people breathe when their lungs are damaged. This type of equipment is not needed that often in an area like Palo Alto, so the high number of lung injuries involved in this incident quickly overwhelmed the number of machines available locally.

Rep. Harvey Milk (D,CA) who is visiting the scene of the attack today said that he is calling for hearings next week about the lack of ventilators. He wanted to know why local hospitals did not have an adequate number of these vital pieces of equipment to treat all of the affected patients. He said: “This is another example of the poor state of healthcare in this country. Hospitals are more interested in saving money than saving lives.”

Monday, December 3, 2018

Chlorine Terror Attack Kills 10, Injures Hundreds


This morning four chlorine tanks being carried to a water treatment facility were attacked with explosives outside of an elementary school in Palo Alto, CA. The truck was stopped at a stop sign when the driver was shot in the head and the devices were placed on the tanks. Children were at recess when the explosives were detonated and the ten students closest to the truck were quickly overcome with chlorine fumes. Over two hundred other students have been transported to local hospitals for treatment.

Willie C. Shealey of Avondale Trucking announced that it was their driver, Christopher Seeling, that was killed in the attack. Shealey noted that: “This was the first time that Chris has delivered to this facility, but we do not know why he was anywhere near that school. Our routes are planned out in advance to avoid things of this sort and the trucks are tracked by GPS. We are still investigating the incident.”

The Federal Bureau of Inquiry’s spokesman, Johnathan Quest, has confirmed that the eco-terrorist group Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) has claimed responsibility for the attack.

According to a communique received by local news organizations at about the same time as the attack SFINCTER announced: “For too long it was only people of color who have been affected by chemical accidents. We have delivered the chemical threat to the entitled. No one is safe.”

Quest reported that the investigation is in the early stages. The FBI and other agencies of the Federal Government are working closely with local law enforcement to determine what happened.

Local hospitals are reporting problems treating all of the injured. There is a shortage of ventilators to treat the breathing problems in the affected children. That is coupled with a lack of medical personnel trained for, or with experience in, treating chlorine exposure patients.


We will not be publishing the names of the dead or injured students out of respect for the families.

Saturday, December 1, 2018

Airline Ransomware Hacker Arrested


Early this morning German authorities in Berlin, working in conjunction with the Federal Bureau of Inquiry, arrested Kate Libby, a notorious member of Stasi Ehemalige known by her hacker handle GeschütztesDF, for her part in last week’s ransomware attack on an airliner sitting on the ground at Boston’s Logan Airport. Johnathan Quest, an FBI spokesperson, noted that the two governments were still working out where she would be tried for the attacks.

Quest refused to confirm that an American government agent had managed to infiltrate Stasi Ehemalige. “US technical means and good, solid police work by the Germans led to locating and arresting this notorious hacker,” Quest responded when asked about infiltration of the hacker collective.

Immanuel C. Securitage, spokesman for ECS-CERT, the cybersecurity agency that worked closely with the FBI on this case, reported that the TOR site for the hacker collective had bragged about GeschütztesDF’s skills, both in crafting the ransomware and in inserting it into the airline crew scheduling web page where it infected the phones of the crew of Flight 175.

Within hours of Libby’s arrest, announcements were made on a large number of social media sites providing links to the source code for the WannaFly malware. The announcements, signed by GeschütztesDF, provided credentials to access the source code on web sites for Robotron, Fieseler, and a number of airlines. Publishing the code on these sites made it clear that Stasi Ehemalige had compromised the security of the sites in question, raising questions about what other attacks on those sites had accomplished.

An unnamed analyst from Dragonfire claims that, along with the source code, the web site postings include instructions on how to modify the ransomware to take effect when aircraft are in flight, as well as details on two previously undetected vulnerabilities in the Robotron Reichenberg avionics control system. Those zero-day vulnerabilities would allow inflight access to the control system according to the analyst.

Securitage refused to comment on those claims, stating that ECS-CERT was still looking at the malware.

Within minutes of the release of the GeschütztesDF messages, the TOR site for Stasi Ehemalige published demands for the release of Kate Libby. The web site claimed that unless Libby was released within 24 hours the hacker group would also release copies of the WannaFly ransomware tailored to attacks on avionics control systems from other manufacturers along with zero-day vulnerabilities that would allow access to install that malware.

The Federal Airline Administration spokesman Oscar Holmes reported that the FAA was closely monitoring the situation. The Fieseler aircraft that are the only current users of the Robotron control system remain grounded until airlines can certify that appropriate mitigation measures are put into place on each potentially affected aircraft. Holmes noted that the FAA was prepared to ground any aircraft affected by the threatened malware releases.

When asked about the potential effect on holiday travel, Holmes confirmed that even the limited Fieseler groundings had already caused the cancelation of hundreds of flights. Any further groundings could cause serious problems for travelers in coming weeks that are expected to see record numbers of flyers. Travel plans might have to be canceled and people could be stranded away from home searching for alternative modes of travel.

Robotron and Fieseler stocks fell sharply past previous record lows on European exchanges before trading was stopped. US airline stocks dropped sharply after the Stasi Ehemalige announcement as airlines reported an increase in flight cancellations.

Friday, November 23, 2018

Airline Ransomware Caused by Cell Phone


Wednesday’s ransomware attack on Flight 175 was caused by malware introduced into the plane’s avionics system via the first officer’s cell phone, according to Immanuel C. Securitage, spokesman for ECS-CERT, which is assisting the Federal Bureau of Inquiry in investigating the incident. The malware was introduced to the aircraft systems when the phone’s charging cable was plugged into a USB port on the flight deck.

ECS-CERT and FBI agents were able to access the Fieseler Fi133 yesterday evening when airline maintenance personnel were finally able to shut down the aircraft’s engines while the aircraft was sitting just feet from the terminal’s gateway at Boston’s Logan Airport. The FBI is still interviewing the flight’s crew and passengers, who were offloaded after almost 24 hours on the aircraft.

The FBI has discovered that every member of the flight crew and cabin crew had the malware on their phones. It appears, according to Johnathan Quest, FBI spokesman, that the airline’s crew-scheduling website had been hacked, apparently just before this crew boarded their aircraft Wednesday and uploaded the malware to any device logged into the site.

Dade Murphy from Dragonfire reported that that organization, working with both ECS-CERT and the FBI, has found the malware on other Fieseler aircraft operated by the airline. Murphy reported that the malware was designed to trigger the shutdown of the Robotron Reichenberg control system when commands were initiated to move the aircraft backwards from the terminal gate. Murphy commented that this would seem to indicate that the financial motive seen in most malware attacks was in play here. Murphy did admit that it would only require some minor changes in the software to cause the shutdown while the aircraft was in flight.

Securitage announced that ECS-CERT has confirmed that the malware has been successfully removed from the airline web site. The agency was working with the Federal Airline Administration to remove the malware from the avionics systems on affected aircraft. ECS-CERT and the FAA have issued an alert to other airlines and aircraft manufacturers about the attack, providing indicators of compromise and a detailed description of the attack methods to help prevent similar attacks on other aircraft avionics systems. Oscar Holmes from the FAA said that they were working on crafting additional safety and security regulations to prevent such attacks in the future.

The FBI said that they still have no information on who may have been behind the attacks.

Congressional hearings are scheduled for next week. No legislation is expected in the remaining weeks of the lame duck session. There are indications that multiple bills will be introduced in January in the 116th Congress to address aviation cybersecurity issues.

Wednesday, November 21, 2018

Airliners Grounded by Ransomware


At the very start of the holiday air travel season, the Federal Airline Administration (FAA) today announced that it was grounding all Fieseler Fi-333 aircraft in airline service because Flight 175 is still sitting at the gate at Boston’s Logan Airport, the victim of a ransomware attack. Oscar Holmes, an FAA spokesman, said that no other aircraft are affected at this time.

At noon today, the avionics system onboard Flight 175, a Robotron Reichenberg control system, stopped working as the plane prepared to move from the boarding gate. The control screen on the system showed a ransomware message announcing that the system had been locked out and encrypted by the WannaFly worm. The message demanded 1,000 BC to unlock the system.

Gerhard Katzenstein, President of Fieseler Aircraft, told reporters that the ransomware took effect when the pilot initiated the movement away from the gate. No other Fieseler aircraft have been affected and all flights in the air at the time of the attack on Flight 175 have safely landed, except for two trans-Pacific flights that are due to land within the hour in Singapore.

Officials at Logan Airport report that the passengers are still aboard the aircraft, as they have not yet been able to shut down the aircraft’s engines, and the terminal area around the gate has been evacuated. Local officials are working with airline maintenance personnel as well as representatives from both Fieseler and Robotron Avionics to gain enough control of the Reichenberg system to kill the engines.

R. (Ace) Bannon, who handles aviation security operations for the Federal Bureau of Inquiry, notes that the agency is working closely with the ECS-CERT and the FAA in its investigation of this ransomware attack. This is the first attack on live aircraft systems that the FBI has seen and it is very concerned about what might have happened if the attack had happened while the aircraft was in flight.

Immanuel C. Securitage from ECS-CERT notes that the Robotron Reichenberg control system is a state-of-the-art fly-by-wire system with at least fifteen independent computer systems tied into the control system network. Robotron protects that system with an advanced firewall to isolate the control system from most external access. In-flight satellite connections and ground-side wireless access allow maintenance personnel to optimize engine performance and track maintenance issues in real time. Securitage reports that it is entirely too early to begin to determine who is behind the attack, but he did note that Stasi Ehemalige was involved in many attacks against Robotron systems.

Holmes told reporters that the FAA was reviewing the security and safety of all other electronic avionics control systems currently in use to see if they were susceptible to similar attacks. Fieseler aircraft are the only ones currently using Reichenberg control systems, which is why they are the only ones currently grounded.

Industry experts expect that the grounding will not be lifted until after the holidays, but Holmes refused to speculate about how long it would remain in effect. These groundings will obviously complicate a busy travel season, with over 500 flights directly affected over this weekend alone.

Friday, November 9, 2018

FBI Makes Arrest Outside Lando Bleichen Plant


Eyewitnesses report that three carloads of agents from the Federal Bureau of Inquiry converged this morning at a power pole outside of the fence at the Bleichen Chemical Company facility near Lando, CA. They took into custody one person who was on the pole when the agents arrived. No confirmation of the arrest has been made by the local FBI office.

One witness said that the individual had been on the pole for about five minutes and appeared to be installing a box on the pole. FBI agents removed the box and took it from the scene.

A local wrecking company was later seen taking a white van from the scene of the incident. A company spokesman refused to comment on where the van had been taken. Lando police are on the scene but are refusing to answer questions.

The Lando facility is nearly identical to the Bleichen Chemical Company facility in Delano, GA that was attacked by hackers a week ago. Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) has claimed responsibility for that attack, which killed 12 people and put a number of others in the hospital.

Johnathan Quest was asked about this arrest at the joint House-Senate Homeland Security hearing this morning, but he had no information about the incident. He did confirm that the FBI was taking seriously the possibility of further attacks by SFINCTER on Bleichen facilities. He noted that the Bleichen facilities were nearly identical, and all of them used the same safety system that was attacked last week.

Robotron’s Erich Mielke confirmed this morning at the hearing that his company had not yet come up with a fix for the vulnerability in the Wi-Fi system that made last week’s attack possible. Robotron is still working with their Chinese supplier, Ānquán Xìngchà, to mitigate the vulnerability.

Immanuel C. Securitage from ECS-CERT testified that an official from the CN-CERT had confirmed that Wi-Fi systems sold within China were required to have a mechanism that would allow legitimate law enforcement personnel surreptitious access to those systems for authorized investigative purposes. No such government requirement existed for Wi-Fi equipment sold outside of the country.

House Committee staffers confirmed that there would be no vote at today’s hearing on Rep. Watts’ bill to regulate electronic lockout-tagout (eLOTO) systems. They noted that in addition to disagreements about encryption provisions in the bill, other committees may have primary oversight responsibilities because of the health and safety aspects of the bill. The House leadership was still deciding on how those issues would be resolved. This is being further complicated by the change in leadership that will take place in January.

Thursday, November 8, 2018

Robotron Claims Chinese Government Mandated Backdoor


Written testimony from Robotron’s Erich Mielke for tomorrow’s joint Homeland Security Committee hearing claims that the Chinese manufacturer of the Wi-Fi module in the Robotron SicherheitsKontrolle reported that the backdoor account in that module that was described as a 0-day vulnerability by ECS-CERT was actually mandated by the security services of the Chinese government for all Wi-Fi devices manufactured in that country.

That 0-day vulnerability has been identified as one of the keys to the cyberattack on Bleichen Chemical Company last week that resulted in a major chlorine release and twelve deaths.

Dragonfire’s Dade Murphy confirmed that his company has seen similar backdoors in a number of Wi-Fi systems, but could not confirm that this was a requirement of any government organization. He did admit that backdoors in such systems would make it easier for the government to maintain surveillance on dissidents, who are routinely labeled as ‘criminal elements’ in that country. He did report that most Wi-Fi backdoors reported to ECS-CERT have been reported as removed by vendors, and this has been confirmed by the company’s researchers in most instances.

Ānquán Xìngchà, the Chinese equipment supplier used by Robotron for all of its Wi-Fi devices, would not publicly comment on Robotron’s claims. It did explain that it is prohibited by Chinese regulations from discussing any cybersecurity requirements mandated by the government or even from describing what those requirements are.

Johnathan Quest, a Federal Bureau of Inquiry spokesman, reported that the FBI does not have any new information on the vulnerability, but they are investigating possible links between the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) who claimed responsibility for the attack last week and Chinese environmental dissident organizations. It is possible, Quest said, that the 0-day information could have been transmitted through that link to Stasi Ehemalige, the German hacking collective that was apparently responsible for the technical aspects of the cyberattack.

Immanuel C. Securitage from ECS-CERT confirmed that that organization was continuing to coordinate with Robotron and their affected suppliers to resolve the vulnerabilities that have been identified in the Bleichen investigation. He assured reporters today that ECS-CERT was not having any problems with any of the vendors involved beyond some unexpected language issues.

William Henry Lee III, the Mayor of Delano, GA, announced today two additional deaths from chlorine exposure from last week’s attack. He was also able to announce a decline in the number of people still hospitalized from injuries related to the incident, and said that doctors were reportedly optimistic that there would be no more near-term deaths to report.

There are unconfirmed reports from at least one committee staffer that there are issues with the electronic lockout-tagout (eLOTO) legislation crafted by Rep. Watts (R,GA) that may interfere with its consideration at tomorrow’s hearing. Apparently, the language in the bill requiring encryption of all communications to and within the eLOTO systems included requirements for encryption backdoors to allow for law enforcement and regulatory agency reviews of the data within the systems in the event of incidents such as the Bleichen attack. This is getting embroiled in the ongoing congressional discussion about encryption backdoors and may derail quick consideration of the bill.

Tuesday, November 6, 2018

Dragonfire Outlines Bleichen Attack


Today Dade Murphy, a spokesman for Dragonfire, a control-system cybersecurity research firm, provided reporters with a broad outline for the cyber attack on Bleichen Chemical Company last week that resulted in ten deaths from chlorine exposure and other related injuries. Dragonfire has been working with ECS-CERT, the Chemical Safety Bureau and the Federal Bureau of Inquiry to examine the cyber-forensic data related to the attack.

Murphy noted that it appears that attackers had been in the corporate IT networks for as long as a year. A series of phishing emails were sent to a large number of company employees in October 2017, but it is not clear which employee (or employees) clicked on malicious links in those emails that ultimately provided attackers access to the networks. Those malicious links were to IP addresses known to be associated with Stasi Ehemalige, a notorious German hacking collective.

Since the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) have pretty conclusively claimed responsibility for the attack, this link to Stasi Ehemalige and other technical indicators would seem to mean that SFINCTER was receiving technical support from the German hackers, Murphy reported.

Dade explained that many of the network logs had been altered or destroyed, so it is not clear exactly what information was exfiltrated from the Bleichen networks during the lengthy period that they had been pwned by the attackers. What is known is that the attackers did obtain complete copies of the technical data Bleichen submitted to the Work Environment Safety Administration (WESA) to obtain WESA approval of their electronic lockout-tagout system for the chlorine storage tank. This data, along with the Wi-Fi 0-day vulnerability, allowed the attack last week.

Murphy described the operation of the eLOTO system used at the facility. There was a standalone human-machine interface (HMI) located at the base of the tank. The shift supervisor and the maintenance person working on the tank both logged into the HMI by scanning their badges and providing their passwords. They selected the general tank lockout from the screen. This closed automated valves on the tank fill line, the tank discharge line and the transfer line to plant operations associated with the tank. It also shut off power to the pump used to move material from the tank to plant operations. A manual LOTO system would have required that those valves (manual valves in a classic LOTO situation) be closed by hand and that each of those employees apply a lock to the handles. The eLOTO also sent text messages to the plant manager, the maintenance manager, the plant safety officer, the shift supervisor and each of the operators on duty that the safety system (the pressure relief valve located between the tank discharge valve and the transfer-line valve) was off-line, as part of the facility’s management of change process. That text message was sent via the Wi-Fi connection of the Robotron SicherheitsKontrolle.

Dade refused to go into any details of the hack other than to note that the hackers accessed the safety system via the Wi-Fi connection and opened the discharge valve on the tank. Details of the hack are being tightly held pending further investigation and the hoped-for arrest and prosecution of the attackers.
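The two paragraphs above describe a lockout that was engaged by two authenticated people at the HMI and then defeated by a single command arriving over the safety system's Wi-Fi path. The design point a practitioner would want to see is that the lockout state has to be enforced at the actuator itself, so that while any lock is held no command source, local or remote, can open an isolation valve. The following is an added example modelling that rule; it is not Robotron or Bleichen code and the page gives no details of the real SicherheitsKontrolle logic. Badge ids, passwords, the "safety-system-wifi" command source and the valve names are constructed for the example.

```python
"""Model of an electronic lockout-tagout (eLOTO) interlock enforced at the actuator.

Added example, not code from Robotron, Bleichen or the page's author.
Badge ids, passwords and the command-source names are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def _pw_hash(password: str, salt: str) -> str:
    """Salted PBKDF2 hash for the constructed badge table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


# Constructed badge table: badge id -> (role, salt, password hash).
BADGES = {
    "B-1001": ("supervisor", "salt-1", _pw_hash("sup-pass", "salt-1")),
    "B-2002": ("maintenance", "salt-2", _pw_hash("maint-pass", "salt-2")),
    "B-3003": ("operator", "salt-3", _pw_hash("op-pass", "salt-3")),
}

ISOLATION_VALVES = ("fill_valve", "discharge_valve", "transfer_valve")


@dataclass
class TankControls:
    """Actuator-side state for one storage tank."""
    fill_valve: str = "open"
    discharge_valve: str = "open"
    transfer_valve: str = "open"
    pump_power: str = "on"
    lock_holders: set = field(default_factory=set)   # badges with a lock applied
    audit: list = field(default_factory=list)

    def authenticate(self, badge: str, password: str) -> Optional[str]:
        """Badge scan plus password (two factors); returns the role or None."""
        rec = BADGES.get(badge)
        if rec is None:
            return None
        role, salt, digest = rec
        if not hmac.compare_digest(_pw_hash(password, salt), digest):
            return None
        return role

    def apply_lock(self, badge: str, password: str) -> bool:
        """Engage the general tank lockout and record this badge as a lock holder."""
        role = self.authenticate(badge, password)
        if role not in ("supervisor", "maintenance"):
            self.audit.append(("lock-denied", badge))
            return False
        self.lock_holders.add(badge)
        for valve in ISOLATION_VALVES:          # close fill, discharge and transfer
            setattr(self, valve, "closed")
        self.pump_power = "off"                  # cut power to the transfer pump
        self.audit.append(("lock-applied", badge))
        return True

    def remove_lock(self, badge: str, password: str) -> bool:
        """Only a holder can remove their own lock; lockout ends when none remain."""
        if self.authenticate(badge, password) is None or badge not in self.lock_holders:
            self.audit.append(("unlock-denied", badge))
            return False
        self.lock_holders.discard(badge)
        self.audit.append(("lock-removed", badge))
        return True

    def command_valve(self, valve: str, state: str, source: str) -> bool:
        """Every actuation request, from the HMI or any network path, passes this
        check at the actuator. While any lock is held, nothing may open a valve."""
        if valve not in ISOLATION_VALVES:
            return False
        if self.lock_holders and state == "open":
            self.audit.append(("rejected", source, valve, state))
            return False
        setattr(self, valve, state)
        self.audit.append(("actuated", source, valve, state))
        return True


def lockout_scenario() -> dict:
    """Two-person lockout, a remote open attempt during maintenance, then the
    ordered release. Returns the observations so they can be inspected."""
    tank = TankControls()
    first = tank.apply_lock("B-1001", "sup-pass")
    second = tank.apply_lock("B-2002", "maint-pass")
    operator = tank.apply_lock("B-3003", "op-pass")          # operator role: denied
    remote = tank.command_valve("discharge_valve", "open", "safety-system-wifi")
    state_during = tank.discharge_valve
    tank.remove_lock("B-1001", "sup-pass")
    one_left = tank.command_valve("discharge_valve", "open", "hmi")
    tank.remove_lock("B-2002", "maint-pass")
    released = tank.command_valve("discharge_valve", "open", "hmi")
    return {"first": first, "second": second, "operator": operator,
            "remote_open": remote, "discharge_during": state_during,
            "one_lock_left": one_left, "after_release": released,
            "audit": tank.audit}
```

The rejected remote open lands in the audit trail with its source, which is the detection hook: a rejected open against a locked-out valve is exactly the event that should page the same people the management-of-change text message went to.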

He did confirm that the video that was released by SFINCTER last night was a video of the incident. It was taken from a camera on a power pole outside of the facility. That camera was co-located with the Wi-Fi transmitter that was used in the attack.

William Henry Lee III, the Mayor of Delano, GA, announced today that three additional people have died as a result of chlorine exposures from the Bleichen incident. This brings the death toll to ten. There has also been a slight increase in the number of people hospitalized due to chlorine exposure from the attack. That total now stands at sixty-five.

Rep. Tucker Watts, Jr. (R,GA) announced that he is authoring the draft eLOTO legislation that will be considered Friday by a joint meeting of the House and Senate Homeland Security Committee. He said that the bill would require that all eLOTO systems include two-factor authentication, end-to-end encryption of data, shielded cables for all connections, and a 48-hour deadline to install software and/or firmware updates for all components. Companies providing eLOTO systems would be required to provide copies of all software/firmware (including updates and documentation) to a cybersecurity office (to be established) in WESA for approval before they could be used in the field. Existing eLOTO systems would have 90-days to receive that approval after the office is established or they would have to be removed from operation.

Monday, November 5, 2018

WESA Announces Restrictions on Electronic Lockout-Tagout Systems


The Work Environment Safety Administration (WESA) today announced an emergency order placing restrictions on currently approved electronic lockout-tagout (eLOTO) systems. It also noted that it was temporarily suspending the approval process for such systems pending further investigation of the Bleichen Chemical Company chlorine release. Industry observers expect further delays in the release of the expected eLOTO rulemaking.

The WESA emergency order gives facilities utilizing the Robotron SicherheitsKontrolle system for their approved eLOTO processes 10 days to certify that they have put into place software updates to fix the Wi-Fi vulnerability identified as being involved in the Bleichen incident. Facilities that are not able to meet the 10-day certification requirement will be immediately required to implement physical LOTO processes that comply with current WESA regulations. WESA inspectors will be sent to all facilities with approved eLOTO systems utilizing Robotron systems in two weeks to verify that these actions have been accomplished.

Immanuel C. Securitage of the ECS-CERT confirmed that the organization is continuing to work with Robotron and the German government to ensure that such an update is made available as soon as possible.

The emergency order also requires all facilities using eLOTO systems to provide WESA with a full description of their cybersecurity processes protecting such systems. At a minimum, WESA expects the description to include:

• A listing of all electronic components associated with the system, to include Human Machine Interfaces (HMI), programmable logic controllers, sensors, and communications modules;
• A listing of all connections to networks not directly associated with the eLOTO system;
• A listing of processes and equipment used to limit communications between those networks and the eLOTO system;
• A description of the software/firmware update processes used to ensure that the most recent versions are applied to the eLOTO equipment; and
• A description of the physical and cyber security processes in place to ensure that only authorized personnel have access to the eLOTO processes.

Facilities with approved eLOTO systems have 30 days to provide this information to WESA or to certify to WESA that they have replaced their eLOTO system with a physical LOTO process that conforms to WESA regulations.

The WESA announcement also indicated that it expects to have a formal eLOTO team in place before the end of the month. The team will include ten new eLOTO inspectors with cybersecurity experience. WESA and ECS-CERT have signed a memorandum of understanding that ECS-CERT will provide cybersecurity training for ten existing WESA inspectors to provide initial staffing for the eLOTO Office. A hiring announcement for ten cybersecurity experts is pending congressional approval.

The Senate and House Homeland Security Committees have announced a rare joint hearing into the Bleichen chemical incident on Friday. After hearing testimony, the two Committees are expected to discuss draft legislation for cybersecurity requirements for eLOTO systems. Copies of that draft are not yet available.

William Henry Lee III, the Mayor of Delano, GA, announced today that two additional people have died as a result of chlorine exposures from the Bleichen incident. Sixty people are still in hospitals in and around Delano, recovering from exposure related issues. The Georgia legislature is expected to meet in emergency session later this month to look into the response to the incident and consider long-term health issues in those people exposed during the incident. Members of the Georgia congressional delegation have jointly announced that they will have staffers available at the session to discuss coordination of State and federal activities.

Lawyers representing Delano, GA and a number of the dead and injured have announced a class action lawsuit against Bleichen Chemical Company and Robotron for cybersecurity negligence. Junior Butts, a well-known environmental lawyer, is expected to be the lead attorney in the case. The level of damages being sought has not yet been announced, but it is expected to include both actual and punitive damages.

Sunday, November 4, 2018

Terrorist Group Claims Responsibility for Fatal Chlorine Release


This morning the Federal Bureau of Inquiry confirmed that the technical details in yesterday’s message from Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) matched the computer attack that led to the fatal release of chlorine gas from Bleichen Chemical in Delano, GA earlier this week. The message had been sent from the Bleichen email server to major television news services.

Johnathan Quest, an FBI spokesman, noted that the agency did not think that the message indicated an insider attack as there was ample evidence available on the Bleichen Chemical networks of a widespread hack and long-term presence on that system.

The email provided details on the Wi-Fi vulnerability that SFINCTER exploited in its attack. The SicherheitsKontrolle safety system from Robotron does include a Wi-Fi module, explained Erich Mielke, a Robotron spokesman, but it is only used for sending alarm messages. Robotron is looking into the vulnerability. Mielke explained that the Wi-Fi system was used so that there was no direct connection between the safety system and any other control systems, preventing simultaneous attacks on both systems.

Immanuel C. Securitage confirmed that while there were indications of compromise on the Robotron control system used at the facility, it was not used in the fatal attack.

Vera Arbeiten from the Chemical Safety Bureau explained that the release occurred during a routine maintenance operation on the pressure relief valve on the 80,000-gallon chlorine storage tank, one of three at the facility. Bleichen used an automated valve, locally controlled by the Robotron safety system, to close and lock out the line between the tank and the pressure relief valve. The automated system was used instead of a manual valve to provide safety interlocks with other devices associated with that tank, to help prevent accidental over-pressurization during the maintenance operation. The Wi-Fi system was used to send SMS messages to operators and management as part of the facility’s management of change process. The automated lockout process had been approved by the Federal Work Environment Safety Administration (WESA) and is in use at all of the Bleichen sites.

The release occurred when the lockout valve was remotely opened while the pressure relief valve was disconnected from the tank. It appeared, Arbeiten explained, that the maintenance worker, Jessie Owens, was killed when the 100-psi release hit her in the face. While she was wearing all required personal protective equipment, the force of the chlorine gas stream knocked her off the top of the tank. It is not clear whether her broken neck was the result of the fall or of the impact of the gas stream. Two other employees were killed by chlorine gas exposure, and two Delano police officers were killed by the gas while notifying local businesses and residents about the release. One hundred people were treated at local hospitals for exposure; ten remain in hospitals in critical condition.

Bleichen Chemical was started in 2006 to provide water treatment facilities with a local source of bleach to substitute for the use of chlorine in drinking water disinfection. Bleichen facilities receive chlorine in railcars, chemically convert it to bleach and then ship the industrial-strength bleach to water treatment facilities by truck. Last year Bleichen reported corporate profits of $1.2 billion.

Sunday, October 28, 2018

Court Says Hacking Not Force Majeure


The 14th US District Court today ruled that hacking was not “an unforeseeable event” that would trigger the force majeure clause in the contracts of a local chemical manufacturer here in Lake Charles, LA. The Blew Bayou Chemical Company had sued Parish Chemicals for breach of contract for its failure to deliver acrylonitrile in accordance with the terms of their contract. Parish Chemical argued that the disruption of their manufacturing processes by hackers should trigger the force majeure clause in the contract.

Parish Chemical has been in the news this year for a number of cyber-related incidents at its Lake Charles Acrylonitrile Plant:

In January the ECS-CERT announced that a number of process upsets at the plant were the result of a number of random changes that had been made to the programming of process control devices at the facility by the VentilSteuerung worm.

In March Dragonfire, an industrial cybersecurity company, was hired to investigate a number of process-control-related quality issues and discovered multiple penetrations of the security of the Windows XP® computers used to run the Robotron Control System at the plant.

In June the Chemical Safety Bureau announced that its investigation had found that the acrylonitrile release that killed three employees and injured a number of local residents was due to multiple failures in the plant safety system caused by the UNSICHER worm.

In July the facility was shut down for two weeks due to a ransomware attack on the facility control system by GUMMI BAREN.

That last event was responsible for the failure to deliver four railcar loads of acrylonitrile to the Blew Bayou Chemical Company that resulted in the current lawsuit against Parish Chemical. Bernard Fife, the lawyer for Parish, argued that the GUMMI BAREN attack was an unforeseen circumstance that should trigger the force majeure clause in the delivery contract. Blew Bayou’s Charlene Matlock argued in preliminary hearings that the pattern of cyber events at the facility showed a reckless disregard of basic cybersecurity hygiene at the facility and that the failure to adequately protect computer systems at the facility resulted in the contract breach.

Today’s ruling means that the breach of contract suit will continue next week.

In an apparently related press release, Dragonfire announced that it had determined that the cyber attacks on the Parish Chemicals computers had all come from IP addresses associated with Tianjin Chemical, a Chinese supplier of acrylonitrile.

Wednesday, October 24, 2018

Did Wireless Hack Cause Massive Chlorine Release?


The Federal Bureau of Inquiry confirms that it has joined the Chemical Safety Bureau in the investigation of the 40,000-lb chlorine release at Blew Bayou Chemical Company’s chemical terminal outside of Baton Rouge, Louisiana. This news comes after the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) announced that its computer team had hacked the wireless controls used to transfer chlorine from a barge to tank trucks at the facility.

Johnathan Quest, an FBI spokesman, told reporters today that the statement by SFINCTER was the reason that the FBI had joined the investigation, but reiterated that the preliminary investigation by the CSB had not yet determined the cause of the release.

Issac B Kaghun, the Blew Bayou owner, confirmed that the company had recently installed Robotron radio-controlled valves on the lines used to transfer chemicals from barges to trucks and railcars at the facility. He noted that those valves had been added when the Company had upgraded the control room at the facility to allow for a fully automated transfer system.

Vera Arbeiten, Director of the CSB, confirmed that the preliminary investigation had identified the source of the leak as a transfer line that was not hooked up to a vehicle. The leak was stopped when the lone site operator suited up in chemical protective clothing and shut off a manual valve on the barge. One of the casualties in the accident was a truck driver who was backing his tank truck into the chlorine transfer station where the leak occurred.

Immanuel C. Securitage, spokesman for ECS-CERT, reported that the Robotron FGVentil-25 valves used by Blew Bayou were the subject of a recent security advisory for a capture-and-replay vulnerability that would allow an attacker to intercept radio control signals and re-use them to spoof control of the valves. Erich Mielke, President of Robotron, issued a statement that Robotron had coordinated with ECS-CERT in identifying and providing mitigation measures for that vulnerability, noting that the Company had no way of knowing if Blew Bayou had downloaded the firmware upgrade.
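A capture-and-replay weakness of the kind the advisory describes exists whenever a radio command carries nothing that ties it to a single moment: a frame copied off the air is indistinguishable from a fresh one. The standard mitigation is a per-device key, a monotonic counter in every command, and a MAC over both, so that the receiver rejects any counter it has already seen. The following added example shows the bare design beside the hardened one; it is not Robotron's FGVentil-25 protocol, which the page does not describe, and the key, valve id and frame layout are constructed.

```python
"""Replay-resistant authentication for radio valve commands.

Added example; not Robotron's FGVentil-25 protocol, whose details the
advisory does not give. Key, valve id and frame layout are constructed.
"""
import hashlib
import hmac
import struct

# Constructed per-valve key; in a deployment it would be provisioned at install.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
VALVE_ID = 25
OPEN, CLOSE = 1, 0

BODY_FMT = ">HIB"          # valve id (2 bytes), monotonic counter (4), action (1)
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16               # truncated HMAC-SHA256


def unauthenticated_frame(valve_id: int, action: int) -> bytes:
    """The weak design: a bare command with no freshness or integrity field."""
    return struct.pack(">HB", valve_id, action)


class NaiveReceiver:
    """The weak receiver, for contrast: any well-formed frame is obeyed."""
    def __init__(self, valve_id: int):
        self.valve_id = valve_id
        self.state = "closed"

    def receive(self, frame: bytes) -> str:
        vid, action = struct.unpack(">HB", frame)
        if vid != self.valve_id:
            return "wrong-valve"
        self.state = "open" if action == OPEN else "closed"
        return "ok"


def build_frame(key: bytes, valve_id: int, counter: int, action: int) -> bytes:
    """Hardened design: body plus a MAC over the body, counter included."""
    body = struct.pack(BODY_FMT, valve_id, counter, action)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class ValveReceiver:
    """Hardened receiver: verifies the MAC, then enforces a strictly
    increasing counter so a captured frame is refused if re-sent."""
    def __init__(self, key: bytes, valve_id: int):
        self.key = key
        self.valve_id = valve_id
        self.last_counter = 0       # must be kept in non-volatile storage
        self.state = "closed"
        self.log = []

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expect, tag):
            self.log.append(("bad-mac",))
            return "bad-mac"
        vid, counter, action = struct.unpack(BODY_FMT, body)
        if vid != self.valve_id:
            return "wrong-valve"
        if counter <= self.last_counter:      # seen before: a replay
            self.log.append(("replay-rejected", counter))
            return "replay"
        self.last_counter = counter
        self.state = "open" if action == OPEN else "closed"
        self.log.append(("actuated", counter, self.state))
        return "ok"


def replay_scenario() -> dict:
    """Controller sends open then close; the earlier open frame is re-sent."""
    naive = NaiveReceiver(VALVE_ID)
    captured = unauthenticated_frame(VALVE_ID, OPEN)
    naive.receive(captured)
    naive.receive(unauthenticated_frame(VALVE_ID, CLOSE))
    naive_replay = naive.receive(captured)          # obeyed: valve reopens

    rx = ValveReceiver(DEVICE_KEY, VALVE_ID)
    f_open = build_frame(DEVICE_KEY, VALVE_ID, 1, OPEN)
    f_close = build_frame(DEVICE_KEY, VALVE_ID, 2, CLOSE)
    r1, r2 = rx.receive(f_open), rx.receive(f_close)
    r_replay = rx.receive(f_open)                   # counter 1 <= 2: rejected
    tampered = f_open[:-1] + bytes([f_open[-1] ^ 0x01])
    r_tamper = rx.receive(tampered)                 # MAC no longer matches
    return {"naive_replay": naive_replay, "naive_state": naive.state,
            "first": r1, "second": r2, "replay": r_replay,
            "tamper": r_tamper, "hardened_state": rx.state}
```

Two caveats matter in the field. The receiver's last-seen counter has to survive power loss, otherwise a reboot reopens the replay window; and the rejected-replay log entries are worth forwarding to the control room, since a burst of them is the signature of exactly the activity the advisory warns about.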

Eaton Kaghun, Operations Manager at Blew Bayou, responded when asked about the vulnerability, that he would have to contact the company’s control system contractor about the issue. He did state that the Company had not had any communications from Robotron about the vulnerability.

Three people at or near the site at the time of the accident were killed by the release. Twenty-five people remain hospitalized in critical condition after the incident earlier this week.

Monday, October 15, 2018

City Loses Chlorine Notification Law Suit


This afternoon, Judge James (Skeeter) Willis announced that the Delano Water Maintenance Department was liable for $1.2 million in actual and punitive damages for failure of their Chlorine Release Notification System (CRNS) to notify the residents of the Greenway Apartments of a pattern of chlorine leaks during January of this year. That notification system was required to be installed by Judge Willis after the 2016 chlorine release at the WMD facility injured sixteen people in that same apartment complex adjacent to the drinking water treatment facility.

Junior Butts, the lawyer for the complex, filed the lawsuit after hackers from the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) published data from the CRNS showing a series of chlorine releases from the water disinfection system in January that were not reported to the residents of Greenway. Butts, a resident of the complex, is well known for his legal support of environmental activists, including members of SFINCTER.

George Funderburke, the Director of the Delano WMD, argued at trial that the same hackers who accessed the wireless sensor network to obtain the data reported by SFINCTER could have planted that data during their illegal access to the system.

The SFINCTER hackers were not heard from at trial because of their potential for being arrested on federal computer hacking charges. Instead, Butts convinced Willis to request an investigation of the CRNS by the ECS-CERT. Immanuel C. Securitage, the Director of ECS-CERT, agreed to conduct the investigation only after receiving a formal request by Funderburke.

At trial, Securitage confirmed that the CRNS sensor logs showed the data that had been published on-line by SFINCTER. During cross examination he confirmed that known security issues with both the Wi-Fi network equipment and the sensor system made it impossible to tell when the data was entered into the logs. Butts argued that those same security issues could also explain the inconsistencies in the pattern of readings from the sensor network, which the defense argued demonstrated that the reported readings could not have come from any release under the weather conditions present on the days of the reputed releases.

In his comments before pronouncing judgment today, Willis noted that Delano WMD was responsible for the security of the CRNS network and could not use that inadequate security as a defense in this case. In any case, he noted, the settlement agreement in the previous case required that the CRNS provide immediate alerts whenever sensors reported chlorine readings in excess of 5 ppm, and CRNS records showed no such reports from any of the releases recorded by the system.
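The testimony above turns on a log that cannot say when an entry was written, which is what let both sides argue the data had been planted. A collector that stamps each reading with its own receipt time and chains each entry to the hash of the previous one makes a later insertion or edit detectable from that point forward, and the same store can carry the 5 ppm alert rule the settlement required. The following is an added example of such a log; it is not the Delano CRNS software, which the article does not describe, and the sensor names and readings are constructed.

```python
"""Tamper-evident, receipt-timestamped sensor log for a chlorine release
notification system. Added example; not the Delano CRNS software, which the
article does not describe. Sensor names and readings below are constructed.
"""
import hashlib
import json
from typing import List, Optional

ALERT_PPM = 5.0          # alert threshold named in the settlement agreement
GENESIS = "0" * 64


class ChainedSensorLog:
    """Each entry carries the collector's receipt time and the hash of the
    previous entry, so an entry inserted or altered after the fact breaks
    the chain from that point on."""

    def __init__(self):
        self.entries: List[dict] = []
        self.head = GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        canon = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                           sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def append(self, sensor_id: str, ppm: float, sensor_ts: str, received_ts: str) -> str:
        """received_ts is the collector's own clock, not the sensor's claim."""
        entry = {"seq": len(self.entries), "sensor": sensor_id, "ppm": ppm,
                 "sensor_ts": sensor_ts, "received_ts": received_ts, "prev": self.head}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self.head = entry["hash"]
        return self.head

    def verify(self) -> Optional[int]:
        """Returns None if the chain is intact, else the first bad sequence number."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return None

    def alerts(self) -> List[dict]:
        """Readings that should have triggered an immediate resident alert."""
        return [e for e in self.entries if e["ppm"] > ALERT_PPM]


# Constructed readings: (sensor, ppm, sensor-reported time, collector receipt time)
SAMPLE_READINGS = [
    ("greenway-east", 0.3, "2018-01-12T02:10:00Z", "2018-01-12T02:10:04Z"),
    ("greenway-east", 7.8, "2018-01-12T02:15:00Z", "2018-01-12T02:15:03Z"),
    ("greenway-east", 2.1, "2018-01-12T02:20:00Z", "2018-01-12T02:20:05Z"),
    ("greenway-west", 6.2, "2018-01-19T23:40:00Z", "2018-01-19T23:40:02Z"),
    ("greenway-west", 0.4, "2018-01-19T23:45:00Z", "2018-01-19T23:45:03Z"),
]


def build_sample_log() -> ChainedSensorLog:
    log = ChainedSensorLog()
    for reading in SAMPLE_READINGS:
        log.append(*reading)
    return log


def backdated_edit_detected() -> bool:
    """Someone with log access rewrites reading 1 to look harmless; its stored
    hash no longer matches, so verification stops at sequence number 1."""
    log = build_sample_log()
    log.entries[1]["ppm"] = 0.2
    return log.verify() == 1
```

The chain only proves the entries are consistent with the current head hash; whoever operates the collector could rebuild the whole chain. To make the record credible against the log's owner as well, the head hash should be periodically published or signed by a party outside the WMD, so that a rebuilt chain no longer matches the anchored value.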

William H. Lee, III, the Mayor of Delano, noted that the Delano WMD is owned by the City and the City self-insures. The payment of the fine will be discussed at the City Council meeting next week.

Wednesday, October 10, 2018

Last Week’s Sulfuric Acid Release Was Chemical Hack


Augusta, GA

At a press conference today, Special Agent Johnathan Quest of the Federal Bureau of Inquiry (FBI) confirmed that the FBI was investigating the accident last week at the Mayberry Chemical manufacturing facility in nearby Mayberry, GA as a cyberattack on the facility.

That incident involved the release of sulfuric acid from a storage tank that resulted in the injury of seven people, including six elementary school students who were working on a class environmental project in a stream adjacent to the facility at the time of the release. Three of the students are still in the hospital in critical condition, as is one employee of Mayberry Chemical.

The FBI was brought into the investigation after a preliminary investigation by the Chemical Safety Bureau (CSB) uncovered control system anomalies that apparently precipitated the incident.

Vera Arbeiten, spokesperson for the CSB, reported that sensor data during a reaction vessel filling operation had been doctored to allow the vessel to be overfilled during cleaning operations which resulted in a backflow of water and caustic soda into the sulfuric acid tank. The resulting chemical reaction resulted in the pressurization of the tank and the subsequent release of sulfuric acid fumes and droplets. Those droplets caused the worst injuries to the affected personnel including chemical burns to the faces of three of the students.

Andrew Gryfin, the President of Mayberry Chemical, explained that the company was a specialty chemical manufacturing company and that it was currently working on a project with university researchers for production of a specialty phenolic resin to be used in a DOD study of a potential radar-absorbing coating for aircraft.

Gryfin noted that the company has been suffering from a number of minor process and quality issues since beginning work on the DOD-related project. A preliminary cybersecurity review by the ECS-CERT, requested by CSB, has indicated that the earlier anomalies and the recent incident were related to previously unreported malware discovered on the control system computers. Immanuel C. Securitage from ECS-CERT noted that company control logs documented many of the malware actions that contributed to past incidents as well as to the current release incident.

Unfortunately, no one at the company had reviewed those logs, according to Gryfin. The company has no on-site cybersecurity personnel and the logs were set up by a contractor fulfilling a DOD cybersecurity requirement.

Arbeiten noted that the company had put manual safeguards into place to prevent such overfilling and cross-contamination incidents. This incident would have been prevented if a manual valve on the sulfuric acid fill line on the reaction vessel had been closed prior to the start of the process. Closing this valve is part of the written instructions for this process, but the valve was open when investigators arrived on site.

Gryfin noted that the facility had been short staffed lately due to personnel cutbacks. The company had been experiencing some loss of business due to the quality and production problems being experienced.

Quest reported that the FBI investigation was ongoing and that they were getting some technical assistance from units at the nearby military base.

Friday, May 11, 2018

Feds Investigate Mysterious Deaths at Leary Clinic


Today at a news conference in the Delano, GA city hall federal spokesmen explained why they were involved in the investigation of four recent suicides committed by patients of the world-famous Timothy Leary Memorial Clinic for Depression. All four of the patients, whose names are being withheld for medical privacy reasons, were undergoing treatment for depression using repetitive transcranial magnetic stimulation (rTMS).

“The Federal Bureau of Inquiry became involved,” spokesman Johnathan Quest said, “when anonymous tips indicated that all four patients were known drug abusers who were reportedly using the treatment to get extreme endorphin highs.”

Dr. Timotheus Misstrauisch, Clinic Director said: “We were devastated to learn that seemingly legitimate patients referred to this clinic were using our treatment as a method for obtaining illicit if perfectly natural drugs.”

Immanuel C. Securitage from ECS-CERT explained that the FBI requested their help when it became obvious that the controls for the rTMS machine from Robotron Medical had been hacked to provide unauthorized excessive stimulation. Securitage said that a previously undiscovered hacker collective in Atlanta appears to have been responsible for producing a smart phone application called OurTMSDrugs that spoofs an actual app developed by Robotron for clinical use. It is not clear whether the patients or some third party was actually responsible for using the app to initiate the stimulation that would result in the recreational drug dose of endorphins.

When asked if there were adequate cybersecurity controls on the rTMS machine, Misstrauisch replied that: “We have complied with all Federal Drug Administration regulations on medical device cybersecurity. We do not currently have a cybersecurity person working at the clinic; we have been looking for a rockstar applicant with experience in medical device cybersecurity for four years now. The only applications that we have received to date are from people with experience in hacking medical devices, not securing them.”

Erich Mielke, a spokesman for Robotron, reported that: “Our rTMSApp provides a secure linkage to our machines with hardcoded credentials that are matched to a specific machine at the time of purchase. We do not use transmission encryption to protect the data in-transit since only the App on an approved device can communicate with that machine.”

When asked how rTMS use could lead to suicide when the FDA has approved the devices, Misstrauisch explained: “The level of stimulation seen in the records for these individuals appears to be so high that the endorphin producing components inside the brain were probably irreparably damaged with little or no natural endorphin production. This is a classic recipe for severe depression.”