Friday, November 23, 2018

Airline Ransomware Caused by Cell Phone


Wednesday’s ransomware attack on Flight 175 was caused by malware introduced into the plane’s avionics system via the first officer’s cell phone, this according to Immanuel C. Securitage spokesman for ECS-CERT which is assisting the Federal Bureau of Inquiry in investigating the incident. The malware was introduced to the aircraft systems when the phone’s charging cable was plugged into a USB port on the flight deck.

ECS-CERT and FBI agents were able to access the Fieseler Fi133 yesterday evening when airline maintenance personnel were finally able to shut down the aircraft's engines while the aircraft was sitting just feet from the terminal's gateway at Boston's Logan Airport. The FBI is still interviewing the flight's crew and passengers, who were offloaded after almost 24 hours on the aircraft.

The FBI has discovered that every member of the flight crew and cabin crew had the malware on their phones. It appears, according to Johnathan Quest, FBI spokesman, that the airline's crew-scheduling website had been hacked, apparently just before this crew boarded their aircraft Wednesday, and that the site uploaded the malware to any device logged into it.

Dade Murphy from Dragonfire reported that his organization, working with both ECS-CERT and the FBI, has found the malware on other Fieseler aircraft operated by the airline. Murphy reported that the malware was designed to trigger the shutdown of the Robotron Reichenberg control system when commands were initiated to move the aircraft backwards from the terminal gate. Dade commented that this would seem to indicate that the financial motive seen in most malware attacks was in play here. Murphy did admit that it would only require some minor changes in the software to cause the shutdown while the aircraft was in flight.

Securitage announced that ECS-CERT has confirmed that the malware has been successfully removed from the airline web site. The agency is working with the Federal Airline Administration to remove the malware from the avionics systems on affected aircraft. ECS-CERT and the FAA have issued an alert to other airlines and aircraft manufacturers about the attack, providing indicators of compromise and a detailed description of the attack methods to help prevent similar attacks on other aircraft avionics systems. Oscar Holmes from the FAA said that they were working on crafting additional safety and security regulations to prevent such attacks in the future.

The FBI said that they still have no information on who may have been behind the attacks.

Congressional hearings are scheduled for next week. No legislation is expected in the remaining weeks of the lame duck session. There are indications that multiple bills will be introduced in January in the 116th Congress to address aviation cybersecurity issues.

Wednesday, November 21, 2018

Airliners Grounded by Ransomware


At the very start of the holiday air travel season, the Federal Airline Administration (FAA) today announced that it was grounding all Fieseler Fi-333 aircraft in airline service because Flight 175, the victim of a ransomware attack, is still sitting at the gate at Boston's Logan Airport. Oscar Holmes, an FAA spokesman, said that no other aircraft are affected at this time.

At noon today, the avionics system onboard Flight 175, a Robotron Reichenberg control system, stopped working as the plane prepared to move from the boarding gate. The control screen on the system showed a ransomware message announcing that the system had been locked out and encrypted by the WannaFly worm. The message demanded 1,000 BC to unlock the system.

Gerhard Katzenstein, President of Fieseler Aircraft, told reporters that the ransomware took effect when the pilot initiated the movement away from the gate. No other Fieseler aircraft have been affected and all flights in the air at the time of the attack on Flight 175 have safely landed, except for two trans-Pacific flights that are due to land within the hour in Singapore.

Officials at Logan Airport report that the passengers are still aboard the aircraft, as they have not yet been able to shut down the aircraft's engines, and the terminal area around the gate has been evacuated. Local officials are working with airline maintenance personnel as well as representatives from both Fieseler and Robotron Avionics to gain enough control of the Reichenberg system to kill the engines.

R. (Ace) Bannon, who handles aviation security operations for the Federal Bureau of Inquiry, notes that the agency is working closely with ECS-CERT and the FAA in its investigation of this ransomware attack. This is the first attack on live aircraft systems that the FBI has seen, and it is very concerned about what might have happened if the attack had occurred while the aircraft was in flight.

Immanuel C. Securitage from ECS-CERT notes that the Robotron Reichenberg control system is a state-of-the-art fly-by-wire system with at least fifteen independent computer systems tied into the control system network. Robotron protects that system with an advanced firewall to isolate the control system from most external access. In-flight satellite connections and ground-side wireless access allow maintenance personnel to optimize engine performance and track maintenance issues in real time. Securitage reports that it is entirely too early to begin to determine who is behind the attack, but he did note that Stasi Ehemalige was involved in many attacks against Robotron systems.

Holmes told reporters that the FAA was reviewing the security and safety of all other electronic avionics control systems currently in use to see if they were susceptible to similar attacks. Fieseler aircraft are the only ones currently using Reichenberg control systems, which is why they are the only ones currently grounded.

Industry experts expect that the grounding will not be lifted until after the holidays, but Holmes refused to speculate about how long it would remain in effect. This grounding will obviously complicate a busy travel season, with over 500 flights directly affected over this weekend alone.

Friday, November 9, 2018

FBI Makes Arrest Outside Lando Bleichen Plant


Eyewitnesses report that three carloads of agents from the Federal Bureau of Inquiry converged this morning at a power pole outside of the fence at the Bleichen Chemical Company facility near Lando, CA. They took into custody one person who was on the pole when the agents arrived. No confirmation of the arrest has been made by the local FBI office.

One witness said that the individual had been on the pole for about five minutes and appeared to be installing a box on the pole. FBI agents removed the box and took it from the scene.

A local wrecking company was later seen taking a white van from the scene of the incident. A company spokesman refused to comment on where the van had been taken. Lando police are on the scene but are refusing to answer questions.

The Lando facility is nearly identical to the Bleichen Chemical Company facility in Delano, GA that was attacked by hackers a week ago. Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) has claimed responsibility for that attack, which killed 12 people and put a number of others in the hospital.

Johnathan Quest was asked about this arrest at the joint House-Senate Homeland Security hearing this morning, but he had no information about the incident. He did confirm that the FBI was taking seriously the possibility of further attacks by SFINCTER on Bleichen facilities. He noted that the Bleichen facilities were nearly identical, and all of them used the same safety system that was attacked last week.

Robotron’s Erich Mielke confirmed this morning at the hearing that his company had not yet come up with a fix for the vulnerability in the Wi-Fi system that made last week’s attack possible. Robotron is still working with their Chinese supplier, Ānquán Xìngchà, to mitigate the vulnerability.

Immanuel C. Securitage from ECS-CERT testified that an official from the CN-CERT had confirmed that Wi-Fi systems sold within China were required to have a mechanism that would allow legitimate law enforcement personnel surreptitious access to those systems for authorized investigative purposes. No such government requirement existed for Wi-Fi equipment sold outside of the country.

House Committee staffers confirmed that there would be no vote on Rep. Watts' bill to regulate electronic lockout-tagout (eLOTO) systems at today's hearing. They noted that, in addition to disagreements about encryption provisions in the bill, other committees may have primary oversight responsibilities because of the health and safety aspects of the bill. The House leadership was still deciding how those issues would be resolved. This is being further complicated by the change in leadership that will take place in January.

Thursday, November 8, 2018

Robotron Claims Chinese Government Mandated Backdoor


Written testimony from Robotron's Erich Mielke for tomorrow's joint Homeland Security Committee hearing claims that the Chinese manufacturer of the Wi-Fi module in the Robotron SicherheitsKontrolle reported that the backdoor account in that module, which ECS-CERT had described as a 0-day vulnerability, was actually mandated by the security services of the Chinese government for all Wi-Fi devices manufactured in that country.

That 0-day vulnerability has been identified as one of the keys to the cyberattack on Bleichen Chemical Company last week that resulted in a major chlorine release and twelve deaths.

Dragonfire's Dade Murphy confirmed that his company has seen similar backdoors in a number of Wi-Fi systems, but could not confirm that this was a requirement of any government organization. He did admit that backdoors in such systems would make it easier for the government to maintain surveillance on dissidents, who are routinely labeled as 'criminal elements' in that country. He did report that most Wi-Fi backdoors reported to ECS-CERT have been reported as removed by vendors, and that this has been confirmed by the company's researchers in most instances.

Ānquán Xìngchà, the Chinese equipment supplier used by Robotron for all of their Wi-Fi devices, would not publicly comment on Robotron’s claims. They did explain that they are prohibited by Chinese regulations from discussing any cybersecurity requirements mandated by the government or even describing what those requirements were.

Johnathan Quest, a Federal Bureau of Inquiry spokesman, reported that the FBI does not have any new information on the vulnerability, but that they are investigating possible links between the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), who claimed responsibility for the attack last week, and Chinese environmental dissident organizations. It is possible, Quest said, that the 0-day information could have been transmitted through that link to Stasi Ehemalige, the German hacking collective that was apparently responsible for the technical aspects of the cyberattack.

Immanuel C. Securitage from ECS-CERT confirmed that his organization was continuing to coordinate with Robotron and their affected suppliers to resolve the vulnerabilities that have been identified in the Bleichen investigation. He assured reporters today that ECS-CERT was not having any problems with any of the vendors involved beyond some unexpected language issues.

William Henry Lee III, the Mayor of Delano, GA, announced today two additional deaths from chlorine exposure from last week's attack. He was also able to announce a decline in the number of people still hospitalized from injuries related to the incident, and said that doctors were reportedly optimistic that there would be no more near-term deaths to report.

There are unconfirmed reports from at least one committee staffer that there are issues with the electronic lockout-tagout (eLOTO) legislation crafted by Rep. Watts (R,GA) that may interfere with its consideration at tomorrow's hearing. Apparently, the language in the bill requiring encryption of all communications to and within eLOTO systems included requirements for encryption backdoors to allow law enforcement and regulatory agency reviews of the data within the systems in the event of incidents such as the Bleichen attack. This is getting embroiled in the ongoing congressional discussion about encryption backdoors and may derail quick consideration of the bill.

Tuesday, November 6, 2018

Dragonfire Outlines Bleichen Attack


Today Dade Murphy, a spokesman for Dragonfire, a control-system cybersecurity research firm, provided reporters with a broad outline of the cyber attack on Bleichen Chemical Company last week that resulted in ten deaths from chlorine exposure and other related injuries. Dragonfire has been working with ECS-CERT, the Chemical Safety Bureau and the Federal Bureau of Inquiry to examine the cyber-forensic data related to the attack.

Murphy noted that it appears that attackers had been in the corporate IT networks for as long as a year. A series of phishing emails were sent to a large number of company employees in October 2017, but it is not clear which employee (or employees) clicked on malicious links in those emails that ultimately provided attackers access to the networks. Those malicious links were to IP addresses known to be associated with Stasi Ehemalige, a notorious German hacking collective.

Since the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) have pretty conclusively claimed responsibility for the attack, this link to Stasi Ehemalige and other technical indicators would seem to mean that SFINCTER was receiving technical support from the German hackers, Murphy reported.

Dade explained that many of the network logs had been altered or destroyed, so it is not clear exactly what information had been exfiltrated from the Bleichen networks during the lengthy period that they had been pwned by the attackers. What is known is that the attackers did obtain complete copies of the technical data Bleichen submitted to the Work Environment Safety Administration (WESA) to obtain WESA approval of their electronic lockout-tagout system for the chlorine storage tank. This data, along with the Wi-Fi 0-day vulnerability, allowed the attack last week.

Murphy described the operation of the eLOTO system used at the facility. There was a standalone human-machine interface (HMI) located at the base of the tank. The shift supervisor and the maintenance person working on the tank both logged into the HMI by scanning their badges and providing their passwords. They selected the general tank lockout from the screen. This closed automated valves on the tank fill line, the tank discharge line and the transfer line to plant operations associated with the tank. It also shut off power to the pump used to move material from the tank to plant operations. A manual LOTO system would have required that those valves (manual valves in a classic LOTO situation) be closed by hand and that each of those employees apply a lock to the handles. The eLOTO also sent text messages to the plant manager, the maintenance manager, the plant safety officer, the shift supervisor and each of the operators on duty that the safety system (the pressure relief valve located between the tank discharge valve and the transfer-line valve) was off-line, as part of the facility's management of change process. That text message was sent via the Wi-Fi connection of the Robotron SicherheitsKontrolle.

Dade refused to go into any details of the hack other than to note that the hackers accessed the safety system via the Wi-Fi connection and opened the discharge valve on the tank. Details of the hack are being tightly held pending further investigation and the hoped-for arrest and prosecution of the attackers.
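The interlock rules Murphy describes above (two authenticated people apply the lockout, a locked-out valve must not reopen until every lock holder has released it, and the Wi-Fi link carries only outbound text messages) modelled as an added Python example; this is not Robotron's or Dragonfire's code, and the badge ids, role names, alert strings and the walk-through in scenario() are constructed for illustration.

```python
"""Model of a two-person electronic lockout-tagout (eLOTO) interlock.

Hypothetical, constructed example: the valve names follow the article,
everything else (badge ids, roles, messages) is invented for the demo.
"""
from dataclasses import dataclass, field

VALVES = ("fill", "discharge", "transfer")
# Both roles must be present at the HMI before a lockout can be applied.
REQUIRED_ROLES = {"shift_supervisor", "maintenance"}


@dataclass
class Result:
    ok: bool
    reason: str


@dataclass
class ElotoController:
    # Valve positions; "open" is the normal production state.
    valves: dict = field(default_factory=lambda: {v: "open" for v in VALVES})
    pump_power: bool = True
    # Badges currently holding the lockout, like padlocks on a manual LOTO.
    lock_holders: dict = field(default_factory=dict)   # badge_id -> role
    # The Wi-Fi module only ever carries these outbound alerts.
    outbound_alerts: list = field(default_factory=list)

    def apply_lockout(self, badges: dict) -> Result:
        """badges: {badge_id: role} for everyone authenticated at the HMI."""
        if not REQUIRED_ROLES.issubset(badges.values()):
            return Result(False, "lockout needs a shift supervisor and a maintainer")
        for v in VALVES:
            self.valves[v] = "closed"
        self.pump_power = False
        self.lock_holders.update(badges)
        self.outbound_alerts.append("PRV offline: tank lockout applied")
        return Result(True, "tank locked out")

    def command(self, source: str, action: str, valve: str) -> Result:
        """Valve commands are accepted from the local HMI only."""
        if source != "hmi":
            return Result(False, f"{source} channel is outbound-only; command refused")
        if valve not in self.valves or action not in ("open", "close"):
            return Result(False, "unknown valve or action")
        if self.lock_holders and action == "open":
            return Result(False, f"{valve} locked out by {sorted(self.lock_holders)}")
        self.valves[valve] = "open" if action == "open" else "closed"
        return Result(True, f"{valve} {self.valves[valve]}")

    def release_lockout(self, badge: str) -> Result:
        """Each holder removes only their own lock; the last one clears it."""
        if badge not in self.lock_holders:
            return Result(False, "badge holds no lock")
        del self.lock_holders[badge]
        if self.lock_holders:
            return Result(True, f"still locked by {sorted(self.lock_holders)}")
        self.pump_power = True
        self.outbound_alerts.append("tank lockout released")
        return Result(True, "lockout released; valves stay closed until opened at HMI")


def scenario() -> dict:
    """Constructed walk-through: lockout, a Wi-Fi open attempt, staged release."""
    c = ElotoController()
    c.apply_lockout({"B-1001": "shift_supervisor", "B-2042": "maintenance"})
    remote = c.command("wifi", "open", "discharge")     # must be refused
    local = c.command("hmi", "open", "discharge")       # refused while locked
    c.release_lockout("B-1001")
    partial = c.command("hmi", "open", "discharge")     # one lock still held
    c.release_lockout("B-2042")
    after = c.command("hmi", "open", "discharge")       # now permitted
    return {"remote": remote, "local": local, "partial": partial,
            "after": after, "discharge": c.valves["discharge"],
            "alerts": c.outbound_alerts}
```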

He did confirm that the video that was released by SFINCTER last night was a video of the incident. It was taken from a camera on a power pole outside of the facility. That camera was co-located with the Wi-Fi transmitter that was used in the attack.

William Henry Lee III, the Mayor of Delano, GA, announced today that three additional people have died as a result of chlorine exposures from the Bleichen incident. This brings the death toll to ten. There has also been a slight increase in the number of people hospitalized due to chlorine exposure from the attack. That total now stands at sixty-five.

Rep. Tucker Watts, Jr. (R,GA) announced that he is authoring the draft eLOTO legislation that will be considered Friday by a joint meeting of the House and Senate Homeland Security Committees. He said that the bill would require that all eLOTO systems include two-factor authentication, end-to-end encryption of data, shielded cables for all connections, and a 48-hour deadline to install software and/or firmware updates for all components. Companies providing eLOTO systems would be required to provide copies of all software/firmware (including updates and documentation) to a cybersecurity office (to be established) in WESA for approval before they could be used in the field. Existing eLOTO systems would have 90 days to receive that approval after the office is established or they would have to be removed from operation.

Monday, November 5, 2018

WESA Announces Restrictions on Electronic Lockout-Tagout Systems


The Work Environment Safety Administration (WESA) today announced an emergency order placing restrictions on currently approved electronic lockout-tagout (eLOTO) systems. It also noted that it was temporarily suspending the approval process for such systems pending further investigation of the Bleichen Chemical Company chlorine release. Industry observers expect further delays in the release of the expected eLOTO rulemaking.

The WESA emergency order gives facilities utilizing the Robotron SicherheitsKontrolle system for their approved eLOTO processes 10 days to certify that they have put in place software updates to fix the Wi-Fi vulnerability identified as being involved in the Bleichen incident. Facilities that are not able to meet the 10-day certification requirement will be immediately required to implement physical LOTO processes that comply with current WESA regulations. WESA inspectors will be sent to all facilities with approved eLOTO systems utilizing Robotron systems in two weeks to verify that these actions have been accomplished.

Immanuel C. Securitage of the ECS-CERT confirms that they are continuing to work with Robotron and the German government to ensure that such an update is made available as soon as possible.

The emergency order also requires all facilities using eLOTO systems to provide WESA with a full description of their cybersecurity processes protecting such systems. At a minimum, WESA expects the description to include:

• A listing of all electronic components associated with the system, to include human-machine interfaces (HMI), programmable logic controllers, sensors, and communications modules;
• A listing of all connections to networks not directly associated with the eLOTO system;
• A listing of processes and equipment used to limit communications between those networks and the eLOTO system;
• A description of the software/firmware update processes used to ensure that the most recent versions are applied to the eLOTO equipment; and
• A description of the physical and cyber security processes in place to ensure that only authorized personnel have access to the eLOTO processes.

Facilities with approved eLOTO systems have 30 days to provide this information to WESA or to certify to WESA that they have replaced their eLOTO system with a physical LOTO process that conforms to WESA regulations.

The WESA announcement also indicated that it expects to have a formal eLOTO team in place before the end of the month. The team will include ten new eLOTO inspectors with cybersecurity experience. WESA and ECS-CERT have signed a memorandum of understanding that ECS-CERT will provide cybersecurity training for ten existing WESA inspectors to provide initial staffing for the eLOTO Office. A hiring announcement for ten cybersecurity experts is pending congressional approval.

The Senate and House Homeland Security Committees have announced a rare joint hearing into the Bleichen chemical incident on Friday. After hearing testimony, the two Committees are expected to discuss draft legislation for cybersecurity requirements for eLOTO systems. Copies of that draft are not yet available.

William Henry Lee III, the Mayor of Delano, GA, announced today that two additional people have died as a result of chlorine exposures from the Bleichen incident. Sixty people are still in hospitals in and around Delano, recovering from exposure related issues. The Georgia legislature is expected to meet in emergency session later this month to look into the response to the incident and consider long-term health issues in those people exposed during the incident. Members of the Georgia congressional delegation have jointly announced that they will have staffers available at the session to discuss coordination of State and federal activities.

Lawyers representing Delano, GA and a number of the dead and injured have announced a class action lawsuit against Bleichen Chemical Company and Robotron for cybersecurity negligence. Junior Butts, a well-known environmental lawyer, is expected to be the lead attorney in the case. The level of damages being sought has not yet been announced, but it is expected to include both actual and punitive damages.

Sunday, November 4, 2018

Terrorist Group Claims Responsibility for Fatal Chlorine Release


This morning the Federal Bureau of Inquiry confirmed that the technical details in yesterday's message from Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) matched the computer attack that led to the fatal release of chlorine gas from Bleichen Chemical in Delano, GA earlier this week. The message had been sent from the Bleichen email server to major television news services.

Johnathan Quest, an FBI spokesman, noted that the agency did not think that the message indicated an insider attack as there was ample evidence available on the Bleichen Chemical networks of a widespread hack and long-term presence on that system.

The email provided details on the Wi-Fi vulnerability that SFINCTER exploited in its attack. The SicherheitsKontrolle safety system from Robotron does include a Wi-Fi module, explained Erich Mielke, a Robotron spokesman, but it is only used for sending alarm messages. Robotron is looking into the vulnerability. Mielke explained that the Wi-Fi system was used so that there was no direct connection between the safety system and any other control systems, preventing simultaneous attacks on both systems.

Immanuel C. Securitage confirmed that while there were indications of compromise on the Robotron control system used at the facility, it was not used in the fatal attack.

Vera Arbeiten from the Chemical Safety Bureau explained that the release occurred during a routine maintenance operation on the pressure relief valve on the 80,000-gallon chlorine storage tank, one of three at the facility. Bleichen used an automated valve, locally controlled by the Robotron safety system, to close and lock out the line between the tank and the pressure relief valve in place of a manual valve. The automated system was used instead of a manual valve to provide safety interlocks with other devices associated with that tank, to help prevent accidental over-pressurization during the maintenance operation. The Wi-Fi system was used to provide SMS messages to operators and management as part of the facility's management of change process. The automated lockout process had been approved by the Federal Work Environment Safety Administration (WESA) and is in use at all of the Bleichen sites.

The release occurred when the lockout valve was remotely opened while the pressure relief valve was disconnected from the tank. It appeared, Arbeiten explained, that the maintenance worker, Jessie Owens, was killed when the 100-psi release hit her in the face. While she was wearing all required personal protective equipment, the force of the chlorine gas stream knocked her off the top of the tank. It is not clear whether her broken neck was the result of the fall or of the impact of the gas stream. Two other employees were killed by chlorine gas exposure, and two Delano police officers were killed by the gas while notifying local businesses and residents about the release. One hundred people were treated at local hospitals for exposure; ten remain in hospitals in critical condition.

Bleichen Chemicals was started in 2006 to provide water treatment facilities with a local source of bleach to substitute for the use of chlorine in drinking water disinfection. Bleichen facilities receive chlorine in railcars, chemically convert it to bleach and then ship the industrial-strength bleach to water treatment facilities by truck. Last year Bleichen reported corporate profits of $1.2 billion.