Saturday, December 29, 2018

Gas Line Hack Caused Fire at Local Business


Tucker Watts, Delano Chief of Police, announced today that the Christmas day fire at the Delano Bakery and Sandwich Company store was the result of a cybersecurity attack on the controls for the gas line leading to the store. Hugh Holmes, the owner of the store, has been arrested in connection with the fire.

Watts announced that when the Delano Fire Department’s investigation of the fire determined that the explosion and resulting fire were due to a gas leak associated with the pressure relief device on the line leading into the store, investigators started working with the Delano Gas Company to determine the cause of the overpressurization of the line.

Investigators discovered a break-in at a local gas-pumping station and evidence of a cyber-intrusion via a USB port on one of the control devices at the station. A local high-school student, whose name has not yet been released, was identified by security videos as being in the pumping station at the time of the intrusion. The student implicated Holmes as the one who paid him to conduct the attack. Watts reported that Holmes was having financial difficulties and apparently was looking for the insurance payout from the incident to resolve those problems.

Delano Gas Company has reported that it is working with an Atlanta, GA, cybersecurity firm to identify the specific weaknesses that allowed the successful cyber-intrusion. An individual with the company who was not authorized to talk to the press noted that the company had tried to get assistance from ECS-CERT to investigate the incident, but that assistance was not available due to the current shutdown of portions of the Federal Government. No ECS-CERT spokesman was available to comment on the claim.

Watts noted that the fire did not injure anyone and there was only minor damage to nearby businesses due to the initial explosion. The incident occurred on Christmas morning and there were very few people in the downtown area at the time.

Cautionary Note: This is a future ICS news story.

Tuesday, December 25, 2018

Court Orders Release of Refinery Hacker


Today, in an unusual Christmas ruling, Judge Phantly R. Bean of the 14th US District Court ordered the release of Dietrich Sorensson, who had been arrested this summer by the Federal Bureau of Inquiry for the HighTempOverride attack on the Rafael Ravard Refinery last year. Bean’s ruling came on a defense motion to throw out all evidence that was related to the computer records of the attack.

Bean’s ruling noted that:

“The defense has rightly noted that there is no computer record available of the attack that has not been altered by company employees trying to correct the problem, private investigators hired by the company to determine the source of the problem and finally FBI technicians trying to reverse engineer the changes made by those personnel. Thus, the computer record of the attack is so tainted that it has no evidentiary value.”

Defense lawyers had claimed that the prosecution’s identification of Sorensson’s involvement was based solely on that tainted evidence. This means that the FBI search warrant that allowed for the seizure of Dietrich’s computer was illegal and the evidence from that computer could not be used in trying the case. Bean agreed with that argument and ordered the release of Sorensson.

Johnathan Quest, the FBI spokesman, had no comment about Bean’s ruling. A source in the FBI technical services, who was not authorized to speak to reporters, noted that the FBI internal procedures had long called for maintaining original, unaltered copies of malware, but that those standards had not been applied to the altered copies of control system device programs that had been recovered after the attack. It was information in that programming that had led to the identification of Sorensson as the attack author.

Cesar Chavez, President of the Rafael Ravard Refinery, told reporters that he was disappointed by Bean’s decision today. He said that the company would look at other options for dealing with the alleged attacker, including possible civil actions.

Immanuel C. Securitage, spokesman for ECS-CERT, told reporters today that the organization was working on a guidance document that would outline procedures for recording the attack-state of a control system, before work was begun on recovering the system from an attack. This forensic record process would pre-empt rulings like the one today. He did acknowledge, however, that the problem would lie in determining whether or not a cyber-attack was responsible for a manufacturing process upset, and thus trigger the recording of the attack-state, or if the upset were due to some other type of cyber event.

Cautionary Note: This is a Future News Story

Tuesday, December 18, 2018

Insurance Company Withholding Payments in Chlorine Attack


Today GPI, Inc announced that it was withholding payments on its Gerbil Pediatric Insurance for any deaths or long-term disabilities related to the chlorine attack on a Palo Alto elementary school earlier this month. Shari Lewis, a spokesperson for the company, explained that the legal status of the attack had yet to be determined and that determination would establish whether or not payments would be required under the policies.

A representative of the school’s parent support group who did not wish to be identified explained that the group had worked with GPI on fundraising campaigns for the last ten years, selling Gerbil Pediatric Insurance to parents and families of students at the school to raise money to support the music and arts programs at the school. Participation in the annual fundraising drives has been nearly universal, but the parent support group did not know how many of the affected students currently were covered by the GPI policies. To date, fifty students have died from injuries sustained in the attack and hundreds more are expected to have life-long complications from the chlorine exposure.

Lewis explained that the United States Treasury Department had not formally declared that the chlorine attack on the school was a terrorist attack, so the terrorism provisions of the policy have yet to be triggered. Additionally, the recent arrest of an Iranian national raised the prospects that this was an act of aggression by a foreign power, so that the ‘act of war’ exemption in the policy might prohibit any payments. Until these two legal issues were resolved, Lewis reported that GPI would not be making any payments under the policies.

The Treasury Department has declined to comment on the terrorism status of the attack, pending completion of the investigation by the Federal Bureau of Inquiry. Jeffery P. Morgan, a spokesman for the Department, said that while the attack certainly had terrorist characteristics, a legal declaration required a full and complete investigation of the attack.

Johnathan Quest, an FBI spokesman, confirmed that an Iranian national had been arrested in connection with an attempted similar attack last week, but that the FBI has not formally connected him to the Palo Alto school attack. Whether or not the unnamed individual has ties to the government of Iran has not yet been established.

Rep. Harvey Milk (D,CA) issued a statement criticizing GPI. He complained that “GPI’s failure to provide financial support to the parents and families affected in this attack is just another example of corporate greed. Families were told that they could count on these policies to aid them in paying for funeral expenses and long-term medical care. Failure of GPI to make good on these promises just expands and deepens the horrendous experience these families are having to deal with.”

CAUTIONARY NOTE: This is a future news story – 

Tuesday, December 11, 2018

Second Truck GPS Attack Intercepted


Today the Federal Bureau of Inquiry announced that it had arrested three people in conjunction with a second attempted attack on a truck carrying hazardous chemicals. During the arrest there was a short shootout and one of the terrorists, a known member of Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), was injured. No chemicals were released during the incident.

Johnathan Quest, an FBI spokesman, said that after last week’s attack, all hazardous materials shipments by Avondale Trucking were being tracked by FBI and California Highway Police teams. When the GPS system on one of the trucks indicated that a GPS attack was taking place, Quest reported that sophisticated radio direction finding equipment was used to track down the source vehicle near the Avondale truck. The van was then stopped, and the terrorists arrested.

When asked why the Avondale Trucks had been targeted for FBI monitoring, Quest noted that the FBI had information that indicated that multiple attacks had been planned by SFINCTER on Avondale trucks because of the scheduling and routing information obtained from hacks of the company computer systems.

Francis L. Poncherello, a spokesman for the CHP, told reporters at a second news conference that the third person arrested from the hacking vehicle was an Iranian national who was apparently providing GPS hacking technical support. Quest would not confirm that report, noting that the FBI was still working on identifying the third individual.

Willie C. Shealey from Avondale Trucking told reporters that the truck that was the target of the latest GPS hack was carrying acrylonitrile to a manufacturing location outside of San Jose, CA. He did not know what the apparent target of the attack was. Quest noted that that information was not yet available; technical experts from the FBI were still examining the GPS equipment found in the van.

Vera Arbeiten from the Chemical Safety Bureau told reporters that while acrylonitrile was not as toxic as chlorine gas, it could pose a serious health risk to personnel exposed to the chemical in an attack. She noted that medical treatment of the affected individuals would prove difficult in a mass casualty event because hospital emergency rooms would only have a limited number of the Cyanokits on hand to treat exposed personnel. Those kits are seldom used in normal ER operations, have a limited shelf-life and are relatively expensive.

Rep. Harvey Milk (D,CA), in a speech on the Senate floor today, called for the resignation of the head of the Trucking Security Agency, noting that the TSA had taken no action on multiple congressional mandates to increase the security of hazardous material moved by truck across the country. Milk went on to say that: “The TSA approach of calling for voluntary compliance with vague security guidelines had resulted in the deaths of thirty-two elementary age students and a future of long-term disability for many more as a result of the Palo Alto attack. The fact that today’s attempted attack was only prevented by close FBI monitoring of all of the hazmat shipments of a single trucking company is just another indication of the need for strong security controls and close federal monitoring.”

Milk is crafting legislation that would change the TSA mandate to include a detailed security program modeled on the one being used to monitor critical chemical manufacturing facilities.

CAUTIONARY NOTE: This is a future news story –

Saturday, December 8, 2018

Chlorine Hackers Given GPS Tools


The Federal Bureau of Inquiry confirmed today that the GPS tools used by the hackers responsible for the redirection of the Avondale Trucking Company delivery of chlorine cylinders used in this week’s attack on a Palo Alto elementary school were apparently provided to the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) by an outside agency. The FBI’s investigation of that possible source is continuing.

Johnathan Quest, the FBI spokesman, noted that while blocking GPS signals is a relatively simple technology, the level of sophistication seen in Monday’s attack is much higher and well beyond the known level of sophistication of SFINCTER. That attack was made possible by spoofing GPS signals in the area of the truck to change the truck’s route to take it to the fence outside of the elementary school.

A suspect arrested in an earlier attempted attack by SFINCTER told the FBI yesterday that he had seen an unknown person training two SFINCTER associates on the GPS equipment. This is according to an FBI source who asked to remain unidentified because she was not authorized to talk to the press. The suspect’s description of the trainer would seem to indicate that it was a Middle Eastern national with relatively good command of the English language.

A communique from SFINCTER provided to multiple news organizations this morning reported that it was receiving international assistance in expanding its attacks against “heartless corporate interests that were responsible for thousands of people of color being harmed in collateral chemical attacks”. The message went on to say that the only crime of these victims of corporate greed and neglect was being poor and living near chemical facilities. SFINCTER promised to continue attacks like that seen Monday to “allow the privileged community to share in the pain that the underprivileged have experienced for years”.

ECS-CERT is continuing to provide assistance to the FBI in the investigation of this incident. Immanuel C. Securitage, ECS-CERT spokesman, told reporters this morning that his organization had found indications that unknown hackers had gained access to the Avondale Trucking company servers and accessed scheduling information to determine which vehicle would be involved in Monday’s delivery and the planned route that vehicle was supposed to take to the water treatment facility. Having this information would have been necessary to execute the GPS attack on the vehicle.

Rep. Harvey Milk (D,CA) introduced legislation today that would require all trucks carrying toxic chemicals to use military-grade encrypted GPS systems to avoid spoofing attacks. The bill would also require trucking companies to inform police and emergency response personnel of the planned routes and timing of all toxic chemical shipments. Toxic chemical delivery routes would have to avoid public and private schools by at least one-half mile. The Chair of the House Transportation Committee promised a hearing on the bill this week.

Milk also announced that he has asked the Justice Department to investigate why the Trucking Security Agency has not published security regulations that were mandated by Congress six years ago.

CAUTIONARY NOTE: This is a future news story –

Tuesday, December 4, 2018

GPS Hack Guided Truck to School


Today the FBI confirmed that it was a spoof of the signal from the Global Positioning Satellite that was used to direct the Avondale Trucking Company truck to the site of the fatal chlorine attack on an elementary school yesterday. The release of chlorine gas from the one-ton cylinders carried on that truck resulted in twenty deaths and hundreds of students, teachers and nearby residents being hospitalized.

Johnathan Quest, an FBI spokesman, told reporters that there were confirmed reports from an Uber driver and a UPS driver in the area yesterday of problems with the locations provided by their GPS systems. Additionally, he noted that Christopher Seeling, the Avondale Trucking driver killed in the attack, was in the process of texting his dispatcher about GPS problems when he was shot. He was not able to call his dispatcher because cell phone signals in the area were being blocked.

Quest told reporters that the text message said: “At GPS location for treatment plant. No plant here, just school.”

The Federal Emergency Grant Administration (FEGA) is trying to assist local hospitals with the treatment of the large number of people, mostly elementary school students, injured in the attack. The number of ventilators available at emergency rooms and hospitals is not sufficient for the number of people involved. Isham M. Gelt, the FEGA spokesman, said that about five of the deaths that have occurred overnight would have been prevented if additional ventilators had been available. The military, Gelt said, is airlifting in equipment from bases around the world to aid in the treatment of the injured.

A local doctor who declined to be identified for this piece explained on background that ventilators were an expensive piece of medical treatment equipment that helped people breathe when their lungs were damaged. This type of equipment is not needed that often in an area like Palo Alto, so the high number of lung injuries involved in this incident quickly overwhelmed the number of machines available locally.

Rep. Harvey Milk (D,CA), who is visiting the scene of the attack today, said that he is calling for hearings next week about the lack of ventilators. He wanted to know why local hospitals did not have an adequate number of these vital pieces of equipment to treat all of the affected patients. He said: “This is another example of the poor state of healthcare in this country. Hospitals are more interested in saving money than saving lives.”

Monday, December 3, 2018

Chlorine Terror Attack Kills 10, Injures Hundreds


This morning four chlorine tanks being carried to a water treatment facility were attacked with explosives outside of an elementary school in Palo Alto, CA. The truck was stopped at a stop sign when the driver was shot in the head and the devices were placed on the tanks. Children were at recess when the explosives were detonated and the ten students closest to the truck were quickly overcome with chlorine fumes. Over two hundred other students have been transported to local hospitals for treatment.

Willie C. Shealey of Avondale Trucking announced that it was their driver, Christopher Seeling, who was killed in the attack. Shealey noted that: “This was the first time that Chris has delivered to this facility, but we do not know why he was anywhere near that school. Our routes are planned out in advance to avoid things of this sort and the trucks are tracked by GPS. We are still investigating the incident.”

The Federal Bureau of Inquiry’s spokesman, Johnathan Quest, has confirmed that the eco-terrorist group Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) has claimed responsibility for the attack.

According to a communique received by local news organizations at about the same time as the attack, SFINCTER announced: “For too long it was only people of color who have been affected by chemical accidents. We have delivered the chemical threat to the entitled. No one is safe.”

Quest reported that the investigation is in the early stages. The FBI and other agencies of the Federal Government are working closely with local law enforcement to determine what happened.

Local hospitals are reporting problems treating all of the injured. There is a shortage of ventilators to treat the breathing problems in the affected children. That is coupled with a lack of medical personnel trained for, or with experience in, treating chlorine exposure patients.


We will not be publishing the names of the dead or injured students out of respect for the families.

Saturday, December 1, 2018

Airline Ransomware Hacker Arrested


Early this morning German authorities in Berlin, working in conjunction with the Federal Bureau of Inquiry, arrested Kate Libby, a notorious member of Stasi Ehemalige known by her hacker handle as GeschütztesDF, for her part in last week’s ransomware attack on an airliner sitting on the ground at Boston’s Logan Airport. Johnathan Quest, an FBI spokesperson, noted that the two governments were still working out where she would be tried for the attacks.

Quest refused to confirm that an American government agent had managed to infiltrate Stasi Ehemalige. “US technical means and good, solid police work by the Germans led to locating and arresting this notorious hacker,” Quest responded when asked about infiltration of the hacker collective.

Immanuel C. Securitage, spokesman for ECS-CERT, the cybersecurity agency that worked closely with the FBI on this case, reported that the TOR site for the hacker collective had bragged about GeschütztesDF’s skills, both in crafting the ransomware and inserting it into the airline crew scheduling web page where it infected the phones for the crew of Flight 175.

Within hours of Libby’s arrest, announcements were made on a large number of social media sites providing links to the source code for the WannaFly malware. The announcements, signed by GeschütztesDF, provided credentials to access the source code on web sites for Robotron, Fieseler, and a number of airlines. Publishing the code on these sites made it clear that Stasi Ehemalige had compromised the security of the sites in question, raising questions about what other attacks on those sites had accomplished.

An unnamed analyst from Dragonfire claims that, along with the source code, the web site postings include instructions on how to modify the ransomware to take effect when aircraft are in flight, as well as details on two previously undetected vulnerabilities in the Robotron Reichenberg avionics control system. Those zero-day vulnerabilities would allow inflight access to the control system according to the analyst.

Securitage refused to comment on those claims, stating that ECS-CERT was still looking at the malware.

Within minutes of the release of the GeschütztesDF messages, the TOR site for Stasi Ehemalige published demands for the release of Kate Libby. The web site claimed that unless Libby was released within 24 hours the hacker group would also release copies of the WannaFly ransomware tailored to attacks on avionics control systems from other manufacturers along with zero-day vulnerabilities that would allow access to install that malware.

The Federal Airline Administration spokesman Oscar Holmes reported that the FAA was closely monitoring the situation. The Fieseler aircraft that are the only current users of the Robotron control system remain grounded until airlines can certify that appropriate mitigation measures are put into place on each potentially affected aircraft. Holmes noted that the FAA was prepared to ground any aircraft affected by the threatened malware releases.

When asked about the potential effect on holiday travel, Holmes confirmed that even the limited Fieseler groundings had already caused the cancelation of hundreds of flights. Any further groundings could cause serious problems for travelers in coming weeks that are expected to see record numbers of flyers. Travel plans could have to be canceled and people could be stranded away from home searching for alternative modes of travel.

Robotron and Fieseler stocks fell sharply past previous record lows on European exchanges before trading was stopped. US airline stocks dropped sharply after the Stasi Ehemalige announcement as airlines reported an increase in flight cancellations.