Sunday, December 27, 2020

SolarFlare Affects Robotron ICS Installations


This morning the Critical Infrastructure Security Operations Center announced that it had detected a new attack mode associated with the SUNBURST vulnerabilities. According to General Buck Turgidson, Director of CI-SOC, a new class of malware has been detected at SUNBURST-affected facilities that were using equipment from Robotron. The SolarFlare malware set up a separate backdoor in ICS servers that communicated with the attacker via a compromised server in the Robotron maintenance monitoring system.

The CI-SOC SolarFlare report notes that it appears that in all known instances of the SolarWinds compromise, a search was made for Robotron control system equipment on all reachable networks. Where Robotron equipment was found, SolarFlare was installed on the associated server and large amounts of data were exfiltrated from the system through the compromised Robotron server.

Turgidson told reporters this morning that it does not appear at this time that any changes had been made to any of the Robotron equipment at any of the affected installations. “At this point it looks as if the purpose of the attack was to acquire information about the status and operation of Robotron control system equipment,” Turgidson said.

Robotron President Erich Mielke confirms that the Robotron server had been compromised during the SUNBURST attack on the company. “When the SUNBURST vulnerabilities were reported earlier this month, we started our internal investigation of its potential impact on our organization since we use the affected Orion software,” Mielke said in a prepared statement; “We had just identified that this server had been impacted when the authorities from CI-SOC contacted us. We have taken the affected server off-line and are cooperating with authorities in both the EU and the United States in their investigations.”

Dade Murphy, the CTO of Dragonfire Cyber, said in a video feed from Germany where he is working with the investigation at Robotron: “We have identified the specific information exfiltrated from one of the companies that was affected by SolarFlare. It contained detailed programming information for various PLC’s at the affected facility as well as process safety files from the facility.”

When asked why there was only information on the one facility, Murphy explained: “Once the server sends the information on to its command-and-control device, all records about the information are erased from the infected Robotron server. The data we saw had not yet been forwarded to the attacker when Robotron took the server off-line.”

Turgidson closed today’s news conference by stating that:

“At this point we do not know the purpose of the SolarFlare attacks. It appears that this was just a data collection effort at this time. The scope of the information that appears to have been obtained, however, is more than a little disconcerting. The information could be used to develop sophisticated attacks on industrial control systems at a wide variety of critical infrastructure facilities. Effective attacks on facilities such as these require a great deal of information and understanding of the interactions between a variety of systems. That level of information now appears to be available to the attackers behind the SUNBURST attacks.”

CAUTIONARY NOTE: This is a future news story –

Saturday, December 12, 2020

COVID Cyber Protection Act Introduced

Yesterday Sen TJ Kong (R,GA) introduced SB 4569, the COVID Cyber Protection Act. The bill would require any company that accepts federal money for the production, distribution or dispensing of a vaccine for the SARS-COV-19 virus to allow the Critical Infrastructure Security Operations Center (CI-SOC) full access to any computer network involved in getting the vaccine to the citizens of the United States. A press release from Kong’s office notes that the bill was drafted in response to the recent ransomware attack on Mengele Pharma that resulted in millions of doses of their COVID-19 vaccine being destroyed.

According to Kong, while the original CI-SOC authorizing legislation provided for private sector companies to voluntarily place themselves under the cyber protection of the CI-SOC, this bill would mandate participation of manufacturers of COVID-19 vaccines, transportation companies, storage facilities and clinics that administer the COVID-19 vaccine to the public in the CI-SOC protective regimen.

General Buck Turgidson, Director of the CI-SOC, told reporters this morning that his staff had worked with the Senator’s staff in the crafting of the legislation. “We have staff and facilities available to start protecting the vaccine manufacturers in the United States,” Kong said; “Providing coverage to transportation and storage organizations will require a substantial expansion of staff and equipment. That is the reason that the bill includes a $1.5 million spending authorization. We do not currently know how many clinics would need cybersecurity coverage.”

An unnamed source at the CI-SOC tells me that there is plenty of room in the facility for the staff expansion expected to support the demands set forth in SB 4569. There would have to be some expansion of the communications capabilities, but the initial facility design included provisions for that addition as the CI-SOC operations expanded.

Clark Stanley, spokesperson for the Federal Drug Administration, responded to email questions about the bill. He reported that the agency had been in communication with the Senator’s office about the proposed legislation. “We have also been talking with CI-SOC about the requirements for expanding cybersecurity support for vaccine manufacturers. We are very concerned about the attack on Mengele Pharma and want to ensure that no further cyberattacks interfere with getting the vaccines produced and distributed.”

An unnamed staffer at Kong’s Washington Office told me that the Senator does not expect that the Senate will actually have time to take up the bill in the days left in the 116th Congress. “We are working to try to get it added to the omnibus spending bill that will be introduced later this week,” the staffer said; “If that does not happen, we expect to get the bill introduced in the opening days of the 117th Congress. Hopefully we would be able to see quick action on the bill in the opening weeks of the session.”

Wolfgang Gerhard, President of Mengele Pharma, has said that his company does not want any cybersecurity assistance from CI-SOC. “We have no need to provide unrestricted access to CI-SOC to our computer infrastructure,” Gerhard told reporters last week; “We do not want to provide anyone with access to our proprietary research and manufacturing software systems. A large portion of our profitability and innovation capability rests on these unique, in-house developed systems. We cannot afford to have them compromised by any outside agency not under our control.”

Gerhard reported that those systems had not been involved in last month’s ransomware attack. “We have those systems completely isolated from our IT systems and they are not accessible from the Internet,” he explained; “We did not provide CI-SOC investigators access to these systems during their investigation of the attack and we will not do so in the future.”

CAUTIONARY NOTE: This is a future news story –

Sunday, December 6, 2020

RoboDozer Hacked

At a news conference last night, General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center (CI-SOC), confirmed that an unidentified computer hacker was responsible for the recent attack on the office of Rep. Harvey Milk (D,CA). “We have confirmed that the attacker exploited a known vulnerability in the control system for a RoboKonstruk R9 autonomous bulldozer to take control of the vehicle and drive it into the Congressman’s office,” Turgidson told reporters via a Zoom conference.

Johnathan Quest, spokesman for the Federal Bureau of Inquiry, told reporters that the FBI has taken jurisdiction over the investigation since it included an attack on a member of Congress. “We intend to work closely with the CI-SOC in our efforts to track down and arrest the perpetrators of this attack,” Quest told reporters.

Dade Murphy, CTO of Dragonfire Cyber reported that the known vulnerability that Turgidson was referring to involved the radio controller that was used on the bulldozer. “The attacker exploited a credential replay vulnerability in the Robotron SDR-1000i radio system,” Murphy explained; “This vulnerability was publicly reported six months ago, and updates were available to mitigate the issue.”

Dragonfire Cyber is providing the on-site team for the CI-SOC investigation of the incident.

Dillyboys Construction, the owner of the bulldozer, reported that they were not aware of the cyber vulnerability in the system. “We were never told about the problem,” company spokesman James Portman told reporters; “We are a construction company; our expertise is in earth moving and site preparation, not cybersecurity.”

The cybersecurity researcher who discovered the radio system vulnerability a year ago goes by the handle cYbrg0D. He told me that it is relatively easy to exploit this vulnerability. The attacker would have to listen on the radio frequency used by the devices and copy the code that was initially sent by the operator to start the vehicle. That code then could be replayed by the attacker using a different radio controller to take control of the system at a later time.

Erich Mielke, spokesman for Robotron, supplied a statement that noted that the SDR-1000i is a very common radio control system. “It is used in hundreds of our products including all of the remotely operated equipment produced by our construction subsidiary, RoboKonstruk,” the statement explains. The system is also used by a number of other vendors of remotely operated equipment around the world. Robotron has sold over 10,000 remote controllers for the system over the last ten years, the Company reports. Used versions of the controller are available for sale on eBay®.

Quest told reporters that the FBI thinks that the person who operated the bulldozer was an experienced heavy equipment operator. “More than just cyber skills were obviously used in this attack,” Quest explained; “The tracks in the street from the construction site to the Congressman’s office demonstrated smooth operation and direct control as several obstacles were avoided during the movement.”

cYbrg0D confirmed to me that it would not have taken a skilled hacker to take control over this vehicle. “It easily could have been an equipment operator with a very modest set of hacking skills that executed this attack,” he said; “Driving the bulldozer is much more difficult than hacking that radio controller.”

Milk’s office reports that the Congressman is calling for a congressional investigation of the security of the controls over remotely operated equipment. That investigation is not expected to be started in this session of Congress, but Milk is slated to be the Chair of the new Cybersecurity Subcommittee of the House Transportation Committee in the 117th Congress.

Building inspectors for the City confirmed that the building will have to be demolished; there is no structural stability remaining that would allow for repairs to be made.

CAUTIONARY NOTE: This is a future news story –

Wednesday, December 2, 2020

Robo Bulldozer Attacks Congressman’s Office

Early this morning a bulldozer from a construction site near the Embarcadero Center in San Francisco, CA was sighted leaving the site without a visible operator present. It traversed 1.5 miles of city streets to the local office of Rep. Harvey Milk (D,CA) and crashed into the office. No one was hurt, but the first-floor office was destroyed and the remainder of the building was evacuated pending a building safety inspection.

James Portman, spokesman for Dillyboys Construction, confirmed that an autonomous earthmover was missing from their construction site. “The vehicle number provided to us by the police department is consistent with the vehicle missing from our site,” Portman told reporters, “But we have not had a chance to physically confirm that the machine is ours.”

The machine, still inside the congressional office, has been identified as a RoboKonstruk R9 autonomous bulldozer. RoboKonstruk is a division of the German Robotron Automation, an industrial control system giant. That division was formed three years ago to provide industrial automation systems for the construction industry.

W.E. Ulbricht, spokesman for RoboKonstruk, confirmed to this reporter that the company’s R9 bulldozer was capable of operating without an operator being on the vehicle, or even present on the work site. “Our machines are designed to be used in either a tele-operational mode where the operator directly controls the machine from a remote console,” Ulbricht said, “or in a preprogrammed mode where a series of operations and movements are designated in advance.”

General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center (CI-SOC), in a brief statement released by the CI-SOC, said that the Center has no information about the cybersecurity status of the RoboKonstruk equipment. “It is not something that has been called to our attention as a potential threat,” the statement reads; “Nor are we aware of any publicly released research on the subject. We are in touch with RoboKonstruk and will be working with them to look at the situation.”

A spokesperson for Rep. Milk told reporters that no one had been in the office when the incident occurred due to the early morning hour. “The Congressman has no relationship with Dillyboys and has no reason to suspect that they might have been responsible for the damage to our office. We will be working closely with investigators to find out who is responsible for this attack.”

CAUTIONARY NOTE: This is a future news story –

Sunday, November 22, 2020

LA Sues CI-SOC for Access to Bitcoin Tracking Tool

On Friday, Harry R. Haldeman, the District Attorney for Los Angeles, filed suit in the 14th US District Court asking the Court to order General Buck Turgidson (USA, Ret), the director of the US Critical Infrastructure Security Operations Center, to make available to prosecutors in the United States the tool known as “Bitcoin Tracker”. Haldeman claims that the tool used in recent attacks reported by CI-SOC would allow the government to track, identify and prosecute the actors behind the recent spate of ransomware attacks.

Haldeman told reporters today that he had talked to Turgidson immediately after the ransom recovery had been announced by CI-SOC last week about obtaining access to the tool. “Buck told me that CI-SOC was not releasing the tool for National Security reasons,” Haldeman said; “I have done some additional checking and it does appear that he has gotten into some hot water with the national security establishment for even announcing that the tool existed. But at this point the cat is out of the bag and we need access to this invaluable tool to put a stop to the ransomware epidemic.”

Turgidson would not comment, citing federal rules about not commenting on ongoing litigation. An official working at CI-SOC who cannot be named confirmed that Turgidson had been reprimanded for discussing the tool. “The counterterror folks have been using this tool for over a year now to track money flow to various terrorist organizations,” the official said, “It has helped them to identify both sources of funding and the places where the moneys have been used to fund operations. The concern is now that the bad guys know that we have the tool, that they will start to use some different method of moving money around.”

According to another source in the government, Turgidson knew about these concerns when he released the information. He reportedly felt that the current ransomware threat was a more immediate and widespread threat to the safety of the country than was the current level of terrorism. The announcement of the possession of the tool, according to sources close to the Director, was made to let the ransomware community know that they were no longer protected by the expected anonymity of the Bitcoin service.

If that was the case, one source was asked, why has Turgidson refused to turn over the tool to prosecutors like Haldeman? “It is not as simple as turning over a disc for someone else to use. The process is complicated and uses resources that are not currently available outside of the intelligence community.”

CAUTIONARY NOTE: This is a future news story –

Friday, November 20, 2020

COVID-19 Vaccine Hack

General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center (CI-SOC), told a press conference this morning that the ransomware attack on Mengele Pharma earlier this week used a variant of the WannaControl ransomware. He also noted that investigators working for CI-SOC discovered that the as yet unidentified attackers gained access to the warehouse facility control system via storage batteries associated with the rooftop solar array.

Turgidson told reporters: “There were significant changes made to the ransomware code. We do not believe at this time that those changes were made by Stasi Ehemalige, the authors of the original ransomware.” A manager at CI-SOC told me that there are indications that Stasi Ehemalige has been selling copies of their ransomware on the Dark Web.

A briefing document provided to reporters says that changes to the ransomware include the inclusion of a data exfiltration module as well as a tool specifically designed to make modifications to the programming of the Robotron Kühlsicherheit refrigeration safety system that is used at the facility. The report also notes that the manufacturing control system at the Mengele Pharma vaccine plant adjacent to the warehouse was also infected, but that it had not yet been shut down by the ransomware.

Dade Murphy, CTO at Dragonfire Cyber, said that his team supporting the CI-SOC investigation had been able to deconstruct the ransomware package that shut down the warehouse operations. “The new code that facilitated this particular attack,” Murphy told reporters, “has significant structural and coding differences that indicate that a different team of developers worked on the new modules. There are many similarities between the coding styles used here and that used in the ĀnquánShújīn PLC ransomware used in an attack earlier this summer.” Murphy was unable to explain why those coders would have used Stasi Ehemalige malware for this attack.

Murphy told reporters that they had found that one of the affected freezers still had an old-style circular chart recorder for temperature working on the freezer. “This system with its dedicated thermocouple was unaffected by the attack. While the one-week chart had not been changed in a month, we can clearly see that the temperature in the freezer rose to -30°C for extended periods,” Murphy said; “If this chart had been tracked, the problem would have been detected in time to prevent the problems with vaccine storage conditions.”

The attack on the warehouse control system was initiated via the energy storage system associated with the rooftop solar array. “The known vulnerability in the direct internet connection of the battery system was used to gain access to the facility maintenance network,” Murphy told reporters; “Once that network access was gained, it was relatively easy for the attackers to pivot into the building automation system and then into the warehouse refrigeration systems.”

Wolfgang Gerhard, President of Mengele Pharma, told reporters that the solar system had apparently been installed before the vulnerability was reported. “We have been in contact with the contractor we used for that installation,” Gerhard said; “They are currently working on updating the system and mitigating that particular vulnerability.”

Wolfgang was able to update reporters on the effect of the refrigeration attack on the inventory of COVID-19 vaccine stored on the premises. Each box is equipped with a chemical temperature warning decal that changes color when the temperature rises above a set point. “We have examined each of the boxes in all five of the freezers on site,” Gerhard said; “About 80% of the indicators show that the packages had been exposed to temperatures above the -50°C limit set by the Federal Drug Administration in their approval of the vaccine.” Mengele is turning over all of those cases to the FDA for study and disposal.

Clark Stanley, spokesperson for the FDA, told reporters that the agency would be storing each of the affected boxes in the appropriate conditions. “We will be conducting efficacy testing on samples from each of the boxes to determine what effect the unfortunate temperature excursions had on the vaccine,” Stanley said; “We may be able to provide box-by-box approval for the use of some of the vaccine. We do understand the importance of having a COVID-19 vaccine available as quickly as possible, but we want to ensure that it is an effective vaccine that the public can rely on.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, November 17, 2020

COVID-19 Vaccine Storage Hit by Ransomware

Mengele Pharma announced this morning that their Schenectady, NY warehouse had been hit by a ransomware attack. All facility control systems, including the ultra-refrigeration system for the storage of the initial manufacturing run of their new COVID-19 vaccine were shut down. Wolfgang Gerhard, company President, acknowledged that there are concerns about the potential effects on the efficacy of the 20 million doses of vaccine stored in the facility.

General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center, confirmed that the CI-SOC was working with Mengele Pharma on rectifying the problem. “Our investigators are on the scene and working with the facility security team to determine the extent of the problem,” Turgidson told reporters; “Preliminary indicators would seem to tell us that the attackers had been active on the system for at least a week prior to the shutdown.”

The Mengele vaccine requires storage at -50°C. It can be held briefly, for up to a day, at temperatures as high as 0°C. Higher temperatures cause the vaccine to break down and quickly lose efficacy.

Clark Stanley, spokesperson for the Federal Drug Administration (FDA), told reporters that Mengele will have to be able to demonstrate that the storage conditions, including ultra-refrigeration, met the required standards set for this vaccine before any distributions will be able to be made from this warehouse. “Failure to be able to document storage temperatures will not be acceptable,” Clark said.

Clark did tell reporters that Mengele was in the final stages of receiving emergency approval of their vaccine. The FDA and the company were making plans to be able to start distribution sometime in early December.

Sources at Mengele that are not authorized to talk to the press report that the company has paid the 1-million bitcoin ransom but has not received the code necessary to regain control of their systems.

Sen TJ Kong told reporters this morning that his Committee would be looking at requiring the CI-SOC to begin providing cyber-protection to all vaccine manufacturers whether or not they had requested protection. “Vaccine manufacturers that are planning on taking Federal money for vaccine distribution or manufacture should be required to cooperate with CI-SOC.”

Mengele has not received any federal research funding for the development of their vaccine.

CAUTIONARY NOTE: This is a future news story –

Thursday, November 12, 2020

CI-SOC Recovers Bitcoin Ransom

The Critical Infrastructure Security Operations Center (CI-SOC) announced today that it had successfully conducted operations against a North Korean ransomware gang that was operating out of Seoul, South Korea. The bitcoin ransom paid by three separate, unidentified companies in the United States was recovered, the small server farm used by the gang was seized and four North Korean agents were arrested.

General Buck Turgidson, Director of CI-SOC, told reporters that his group, working with the South Korean government and elements of US Special Operations Command, tracked the gang by following the bitcoin trail to a compound on the outskirts of Seoul. “A special team of Army Special Forces that included cyber-operators worked with a team from the South Korean Army to enter the compound and seize computer equipment before any information could be destroyed,” Turgidson told reporters.

Special Operations Command confirmed that special operations forces were involved but refused to comment on the identity of the team. They explained the participation of the military by noting that the underlying cyberattacks had been performed by agents of a foreign government. There have been rumors circulating in Washington that a Cyber A-team is being formed to work on this type of operation, but there has been no confirmation from Special Operations Command or the Pentagon.

The four North Koreans captured in the raid are being held in Seoul pending extradition to the United States. There are rumors that the Justice Department has concerns about trying them for their alleged cyber crimes because of search and seizure implications. A national security warrant had been issued for tracking the bitcoins, but the rules of evidence for supporting that type of warrant are different from those that would be used in a criminal court case in the United States. The tools used to track the bitcoin trail were developed by the National Security Agency, and that agency would not be prepared to share the technology upon which that trace was based with the defense team. It is suspected that any criminal defense attorney would move to have the identification of his clients by such undisclosed technology suppressed.

There are rumors circulating that the Justice Department is considering certifying the ransomware attacks as terrorist attacks and allowing the foreign nationals to be tried by a military tribunal.

CAUTIONARY NOTE: This is a future news story –

Saturday, September 26, 2020

Hearing at CI-SOC on Recent Ransomware Attacks in Delano

Rep. Tucker Watts (R,GA) was on site today at the Critical Infrastructure Security Operations Center (CI-SOC) to participate in a virtual hearing of the House Subcommittee on Cybersecurity Oversight looking at the recent ransomware attacks on two facilities in Delano, GA that appeared to be related. Watts is the Ranking Member of the Committee and requested the hearing.

In his opening statement, Chairman Richard Gil (D,NY) explained that today’s meeting was called to look at both the root cause of the two attacks and the role that CI-SOC could have played in preventing such attacks. “Let us be clear,” Gil explained; “Neither the Intershop Meat Plant nor the Delano Waste Water Treatment Plant had signed up to be covered by the CI-SOC, so the CI-SOC team was not set up to protect those facilities. And, even if they had, since the attacks were both initiated by an onsite insertion of a USB device, as currently configured, CI-SOC would not have been able to prevent the attacks.”

General Buck Turgidson, the Director of the National Critical Infrastructure Security Operations Center, present onsite with Congressman Watts, testified that away teams from CI-SOC responded to both incidents at the request of ECS-CERT. “Our teams only had to drive a couple of minutes across town,” Turgidson said; “The ECS-CERT team would have taken a day or more to get here.”

Immanuel C. Securitage, ECS-CERT spokesperson, testified by a video link from Washington. “We asked for assistance for two reasons,” he explained in response to a question by Watts; “First, the CI-SOC away teams were already in Delano. Second, and maybe more importantly, our staffing was cut in half to provide investigative personnel to CI-SOC.”

Horst Sinderman, the facility manager at the Delano meat plant that was attacked, testified remotely from the corporate headquarters in Birmingham, AL. He explained that, when it became obvious that the investigation team was not going to be able to fix the problem, corporate management contacted the company’s cyber-insurance provider who provided the funds to pay the ransom.

Dragonfire Cyber assisted in the investigation of the attack on the meat plant and was on hand when the ransom was paid. “We were able to intercept the decryption key when it was sent to the facility,” Dade Murphy testified by video remote; “Having copies of both the encryption software from the USB devices and the decryption key, we were able to put together a decryption key for the attack on the Delano Waste Water Treatment Plant.”

That plant was able to restart about two hours after it had started discharging untreated wastewater into the Flint River. That discharge resulted in a large fish-kill and two cities downstream had to slow their processing of drinking water from the River to ensure that all contaminants and bacteria from the discharge were removed. Cities further downstream noticed little additional contamination in their intake testing.

Mayor Arrington Carter provided a written statement that was read into the record of the hearing. In part she said, “We are very grateful for the assistance that CI-SOC provided to the two facilities in the city during these attacks on our essential infrastructure. A major employer and our city services would have been affected much more severely if the government team had not stepped in with their expertise.”

The Federal Bureau of Inquiry is still investigating the two attacks. Johnathan Quest, spokesperson for the FBI, answered my questions this morning in a telephone interview about the investigation. The FBI continues to investigate both incidents as part of a larger plot by TrabajoSeUnen to affect operations at meat packing plants around the country. “While they are employing typical labor jargon in their messaging,” Quest said; “We can find no evidence of collusion between the group and local labor organizations. We believe that this is a straightforward ransomware campaign executed with the intent to make money.”

Congressman Watts told this reporter that he intended to introduce legislation that would require municipal water treatment facilities and wastewater treatment facilities to either join CI-SOC or some other cybersecurity monitoring service. “We just cannot afford to have these facilities shut down by either criminals or terrorists,” he said.

CAUTIONARY NOTE: This is a future news story –


Thursday, September 24, 2020

Water Treatment Plant Hit by Ransomware Attack

The Delano Waste Water Treatment Plant (WWTP) announced this morning that its computer systems that control the physical operation of the facility have been shut down by a ransomware attack. The attackers, reportedly the same group that shut down the operation of the Intershop Meat Plant last week, are demanding 1,000 bitcoin from the City of Delano to unlock the facility control systems.

George Funderburke, the director of the Delano Water Maintenance Department (DWMD), told reporters at a brief news conference that both the Federal Bureau of Inquiry and the Environmental Process Protection Agency (EPPA) had been notified about the attack. “EPPA and ECS-CERT will be sending teams to help us get our plant back in operation,” Funderburke said; “We have about six hours of storage capacity available for incoming sewage; after that we will have to start discharging untreated sewage into the Flint River.”

Jay Muir, spokesperson for the EPPA, told this reporter that the EPPA was sending an action team to Delano, but that it would probably be the ECS-CERT that would be the lead agency on the investigation. “The team we are sending is process engineering types,” Muir said; “They will be responsible for helping the WWTP operate as effectively as possible in a manual operating mode. They should arrive on site before it is necessary to start discharging untreated sewage.”

The WWTP has only limited capacity to continue operation under manual conditions. The facility will continue to discharge treated water through manual operations. A warning will be issued before any untreated sewage is discharged. Cities downstream of Delano have been warned that a sewage discharge may be required.

The DWMD does not have funds available in its budget to pay the ransom. Mayor Arrington Carter has scheduled an emergency meeting of the Delano City Council for later this morning to see what actions the City will be taking. “The DWMD has had problems with cash flow since the COVID-19 epidemic hit last spring. They have had a much larger than normal non-payment rate on water bills for both household and commercial accounts. We have been using the City’s rainy day fund to supplement their accounts for the last two months, so we may have problems coming up with the money for the ransom.”

Kate Libby, a spokesperson for Dragonfire Cyber, said that the Company has not yet been notified about this ransomware attack, but was working with the ECS-CERT on the investigation at the Intershop Meat Plant. “We have discovered that the source of that attack was a USB drive inserted into one of the PLCs at the facility; it was apparently an insider attack.”

Funderburke has asked residents and businesses in Delano to reduce their water use and waste generation while the City works to correct this problem. Commercial and industrial facilities with large volume discharges have been notified to stop those discharges as soon as possible. This does include the Intershop Meat Plant that just reopened yesterday.

The Critical Infrastructure Security Operations Center (CI-SOC) would not comment on this attack.

CAUTIONARY NOTE: This is a future news story –

Sunday, September 13, 2020

Meat Packing Plant Closed by Ransomware Attack


The Intershop Meat Plant in Delano, GA was shut down over the weekend when the control system at the plant was hit by a ransomware attack. The facility was hit with the WannaControl ransomware that specifically targets industrial control systems made by the Robotron Company.

Immanuel C. Securitage, spokesperson for ECS-CERT, told reporters this morning that the company’s control systems at the Delano facility were locked out on Saturday morning as the first shift started work. After briefly trying to operate the facility’s chicken deboning production line manually, management sent the shift home early and announced that it would let workers know when they should return to the plant.

Horst Sinderman, the facility manager, told reporters that the company would not be meeting the ransom demand. “We have been having a hard-enough time keeping the facility open during the COVID-19 pandemic,” he said: “The increased cleaning costs and other COVID prevention measures have already cut deeply into our profit margin. There is no money available to pay the 1,000-bitcoin ransom demanded by Trabajo Se Unen, a previously unidentified malware group.”

A tweet by TrabajoSeUnen that was quickly taken down on TWITTER® said: “We have struck down Intershop to take care of our sick brothers and sisters and their families.”

When Sinderman was asked about the tweet he acknowledged that over three hundred employees have contracted COVID-19. “Our company has covered the medical bills for all of the sick employees,” he said; “And we continued the employees’ pay checks during their recovery at half-pay even though we believe that most of the infections came from exposures outside of the facility.”

Dade Murphy, CTO of Dragonfire Cyber, said that his company has long thought that the WannaControl malware was the work of Stasi Ehemalige, the German hacking collective. “They have a long history of penetration of Robotron,” he told this reporter; “There are many coding similarities between WannaControl and other malware that affects Robotron products. We also suspect that they have organizational roots that trace back to European radical groups that were financed by the East Germans during the Cold War.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, told reporters that information gleaned from the dark web indicated that the authors of WannaControl have recently started to advertise cut-rate sales of their ransomware to radical labor activists in Europe and the United States. “According to some dialogs that we have intercepted, the WannaControl ‘sales team’ is recommending that ransomware attacks be used to punish companies that fail to properly take care of their employees during the COVID-19 pandemic,” Quest explained; “They are apparently selling the use of the malware for such attacks at a reduced rate. In at least one case the use was sold for 10% of the normal price.”

Vicente Lombardo Toledano, the President of Amalgamated Meat Cutters Local 1936 (AMC 1936), said that closing the plant was not in the best interest of the employees. “Our people are not going to get paid for sitting home waiting for the company to resolve this problem,” he told reporters at the local union hall; “Any claim that our union or our members had anything to do with this ransomware attack is completely unfounded and untrue.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, September 1, 2020

CI-SOC Stops Sex App Attack on Chem Facility


This morning the CSA’s Critical Infrastructure Security Operations Center (CI-SOC) announced that it had intercepted a cyberattack on a chemical facility control system this weekend in Southern California. According to General Buck Turgidson, the CI-SOC director, a worm had been uploaded to the facility network from a contractor’s telephone. The phone was apparently infected when the owner signed on to the WFN sex-sharing application.

“Our system identified the sex app when the phone logged into the facility wi-fi system,” Turgidson told reporters at this morning’s news conference; “We know that the app has been used by the Chinese Meiyou Tuihuo APT group as a means of infecting targeted industrial systems. With this knowledge we were prepared to intercept the worm and sent it to a sandboxed location on the system for observation.”

Dragonfire Cyber operates that particular sandbox for CI-SOC. Dade Murphy, CTO for Dragonfire, told reporters that the worm exploited several known vulnerabilities to make its way into the control system server. “Once on the server it reported back to a command-and-control server and started to upload copies of our decoy control system files,” Murphy told reporters; “And we were able to insert our own report-back worms into the upload. We have spent the last twelve hours remotely inspecting the C&C server and have garnered a great deal of information.”

Murphy confirmed that the sandboxed control system was subsequently hit by a ransomware attack. “This was the same ransomware that we had seen in earlier attacks. We did not pay the ransom. We had appropriate backups in place and our sandbox was operational again within a couple of hours,” Murphy reported with a grin.

When asked if this would not be considered hacking by the Chinese government, similar to what he was arrested for last June, Murphy replied: “Our company was working under contract with and under the control of the CI-SOC. This was an authorized law enforcement operation and the Chinese government has been provided with the appropriate evidence of criminal activity.”

Turgidson added that it had become obvious that Murphy’s arrest in Singapore was a purely political move on the part of the Chinese government. “Mechanisms have been put into place to deal with such tit-for-tat semi-legal actions in the future,” the General said.

When asked if there were going to be any consequences to the owner of the phone involved in the attack, Turgidson said: “That will be up to his employer as it was a company owned phone. We do not have any evidence to indicate that the individual was knowingly involved in the attack.”

Turgidson was also asked about the legality of the ‘search’ of the individual’s phone that initiated the CI-SOC activity. “Signs were posted at all entrances to the facility that all electronic devices were subject to search while on the property,” he replied; “Bringing the phone onto the facility grounds constituted providing permission to search the phone by any means at our disposal.”



Monday, August 31, 2020

Closed Hearing Looks at MedDevice Incident


This weekend the House Subcommittee on Cybersecurity Oversight held a closed, virtual hearing on the recent non-hacking case investigation initiated by CSA’s Critical Infrastructure Security Operations Center (CI-SOC). According to a press release from Chairman Richard Gil (D,NY): “We tried to determine if either CI-SOC or the Federal Bureau of Inquiry (FBI) complied with the restrictions imposed on the two agencies in the authorizing language for the CI-SOC. At this point it appears that they did.”

The hearing was requested by Ranking Member Tucker Watts (R,GA) who had expressed concerns about last week’s announcement from the National Association of Information Sharing and Analysis Centers (NAISACS) that their member organizations would no longer be sharing threat information with CI-SOC.

“CI-SOC can only be effective if they receive support from the entire cybersecurity community. The free-flow of information between researchers, ISACS and the Cybersecurity Agency is essential if we are to successfully defend critical infrastructure from cyberattacks,” Watts said in a press conference early this morning.

Both Watts and Sen TJ Kong (R,GA) were instrumental in getting the CI-SOC authorization bill through Congress late last year. Kong has also expressed concerns about the fallout from the first incident response from CI-SOC. “We cannot expect the CSA to construct a Great Firewall around the USA, nor do we want it to,” Kong said by telephone; “We set up CI-SOC to allow CSA to provide small and medium sized businesses with security operations centers that their larger competitors are able to establish in-house, leveling the security playing field.”

Kong told this reporter that the Senate Select Committee on Cybersecurity would be holding hearings on the MedDevice situation in late September. “The FBI investigation needs to develop a bit more supporting information before we can draw any real conclusions about the effectiveness of the CI-SOC and its cooperation with both the private sector and the FBI,” he said.

A staffer for Watts told me that the Congressman’s office is starting to look at crafting legislation that would require ISACS to share information with CI-SOC. “We are working with both NAISACs and CI-SOC on language that both can work with,” the staffer, who was not authorized to talk to the press, said.

According to Gil, the Cybersecurity Oversight Committee will be holding an open hearing in the coming weeks to hear concerns from NAISACS and companies being supported by CI-SOC.


Sunday, August 23, 2020

ISACS to Stop Sharing with CI-SOC


This afternoon the National Association of Information Sharing and Analysis Centers (NAISACS) announced that its member Centers will no longer share cyber-threat intelligence information with the CSA’s Critical Infrastructure Security Operations Center (CI-SOC). NAISACS is taking this action due to the announcement of the Federal Bureau of Inquiry’s investigation of MedDevice.

Dr. John McKittrick, NAISACs’ President, told reporters during a virtual press conference; “Our member Centers’ effectiveness is based upon voluntary information sharing by organizations. With the FBI’s investigation being based upon information obtained from MedDevice via a voluntary association with CI-SOC, the Centers have heard concerns from their supporters that information shared would end up in the hands of the FBI or regulators. We are taking this action today to ensure that individual organizations will continue to share valuable cyber-threat information with our Centers.”

General Buck Turgidson (Ret), Director of CI-SOC, said that he had talked with McKittrick and a number of individual Center Directors over the weekend while this action was being discussed. “We knew that this was coming,” the General said; “I tried to convince them that we would do our best to protect the information provided by the ISACs, but we are constrained by Federal law that requires us to notify the FBI when a cybercrime is committed.”

Immanuel C. Securitage, spokesperson for the ECS-CERT, confirmed that the ECS-CERT was also constrained by the same legal requirements as CI-SOC. “We have been very careful to tell folks approaching us for assistance that we will have to share some information with the FBI and some federal regulators,” Securitage explained; “We work closely with NAISACs and their Centers. We have never received any information from them that we would have been required to report to the FBI.”

McKittrick confirmed that the Centers were careful about what information they shared with ECS-CERT to avoid putting them in the position of having to report the shared information. “I would suspect that the Centers would do the same with CI-SOC. But with the public announcement that CI-SOC had shared information with the FBI that resulted in a criminal investigation, many of our supported organizations have raised concerns about the CI-SOC.”

A staffer at NAISACs who is not authorized to talk to the press told me that there had been no discussion about the information sharing activities with ECS-CERT over the weekend. She said: “There has never been a problem with the information shared with that organization, so it did not come up. If information shared with ECS-CERT ever ends up in an FBI investigation, I expect that NAISACs would take the same action with them.”


Wednesday, August 19, 2020

Feds Open Espionage Case Against MedDevice


Today the Federal Bureau of Inquiry announced that they were opening a formal espionage inquiry into activities at the medical device manufacturer, MedDevice. The FBI’s investigation was apparently started due to the recent non-hacking case investigation initiated by the CSA’s Critical Infrastructure Security Operations Center (CI-SOC).

Johnathan Quest, FBI spokesperson, told reporters that the Agency had been initially brought into the investigation because of the ‘data exfiltration’ investigation initiated by CI-SOC. “At that point we were looking into an apparent cyberattack on the company,” Quest said; “But when MedDevice announced that the ‘data exfiltration’ was part of a routine data transmission to their manufacturing partner, MedZS, we became concerned because of known associations of that company with the Chinese PLA.”

The investigation is apparently being based upon recent changes to the espionage statutes making it a crime to provide information obtained in federally sponsored research on COVID-19 related matters to foreign governments or militaries without the express approval of the federal government. MedDevice obtained a grant to support their development of the COVID-19 rapid test device. The People’s Liberation Army is not on the short list of foreign governments or militaries that are exempt from the data sharing limitations.

General Buck Turgidson (Ret), Director of CI-SOC, assured reporters that his organization did not share a copy of the original data exfiltration with the FBI. “Our mandate is clear,” the General said; “We are prohibited from sharing data obtained during our monitoring of partner facilities without their permission. We brought the FBI in because we had information of a potential crime, an apparent attack on the information systems at MedDevice.”

Quest confirmed that the FBI has not yet seen a copy of the data sent to China. “Our investigation was initiated based upon the statements from T. John McIntyre, President of MedDevice,” he said; “Once we confirmed that MedZS was a wholly owned subsidiary of the PLA we started a formal investigation. We will be formally requesting a copy of the data sent to MedZS from the CI-SOC later today.”

Turgidson confirmed that the law authorizing the establishment of the CI-SOC would require his organization to supply the Justice Department with a copy of the intercepted files when they provided him with a subpoena based upon an ongoing Federal investigation. “We are required to maintain copies of our intercepts for seven days for just this reason,” Turgidson explained.

Rep. Milk (D,CA) noted that privacy issues like this were one of the problems that some legislators had with the bill authorizing the CI-SOC. “We wanted to ensure that facilities signing up for the security monitoring did not need to be concerned that any information shared by the facility with CSA would be able to be used in regulatory actions,” Milk said in a press release; “We may need to review this incident to see if CI-SOC and the FBI overstepped their bounds in this incident.”


Friday, August 14, 2020

We Were Not Hacked


At a press conference early this morning, T. John McIntyre, President of MedDevice, told reporters that his company was the alleged target of the cybersecurity attack reported yesterday by the Cybersecurity Agency’s (CSA) Critical Infrastructure Security Operations Center (CI-SOC). He told reporters that the ‘cyberattack’ was a routine communication with the company’s manufacturing partner in China, not an attack on the company.

“I spent a number of hours yesterday meeting with the CI-SOC away team and we finally concluded that the ‘data exfiltration’ that their system detected was actually a routine communication with MedZS, our manufacturing partner in Guangdong, China,” McIntyre told reporters; “This whole ‘cyberattack’ fiasco was caused by some miscommunications between MedDevice and CI-SOC.”

An email from General Buck Turgidson (Ret), Director of CI-SOC, indicated that the IP address that the information was sent to by MedDevice was not on the current whitelist of approved communications prepared by the Company. Walter O’Reilly, spokesperson for MedDevice, confirmed that the data was sent to a new cloud-based account used by MedZS that had not yet been communicated to CI-SOC.

O’Reilly told reporters that the data dump was a detailed description of the company’s new rapid-test device for COVID-19 detection that the company expects to be placed in companies and schools for daily screening of employees and students arriving at a facility. The device relies on a non-invasive sample being taken from the inside of the facemask being worn by the person to be tested with a specially treated cotton swab. The COVIDSWAB® would then be placed in a scanner and a positive/negative determination would be made within seconds.

“This will be a game changer for facilities that want to safely open during the COVID-19 pandemic,” O’Reilly said.

A source that declined to be named because they were not authorized to talk to the press told me that the leadership at the CI-SOC was somewhat abashed about the apparently premature announcement of the non-attack, but still felt that the right decision had been made. There were concerns that recent reports about the current understaffing of the facility were leaving the impression that the facility was not an effective response to cyberattacks on critical infrastructure.

According to Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, that agency’s investigation of the incident has not yet been closed. “There are still some questions about the sharing of information with a Chinese company with ties to the PLA, especially with the potential national security implications of this product,” Quest told reporters this morning.

Sen TJ Kong (R,GA) told reporters today that he agreed with the decision by Turgidson to release the information on the reported cyberattack even though it turned out to be a miscommunication problem instead of an attack. “It is important that the country knows that the US government is being proactive in defending the nation from foreign cyber adversaries,” he said; “Minor hiccups like this are to be expected as the CI-SOC and its private sector partners learn how to work together.”


Thursday, August 13, 2020

CI-SOC Detects Its First Cyber Attack – Too Late


The Cybersecurity Agency’s (CSA) Critical Infrastructure Security Operations Center reported its first detection of a cybersecurity attack on one of the covered private sector entities that it was protecting. The CI-SOC reported detecting a large data exfiltration from an unnamed medical device manufacturer in Illinois. They were not able to stop the information from leaving the country.

General Buck Turgidson (Ret), Director of CI-SOC, told reporters at a morning news conference that the CI-SOC was monitoring incoming and outgoing digital traffic from the research facility and noted the large (20 gigabyte) data transmission from the site to a server in Guangdong, China. “Our agreement with the affected company allows us to monitor, but not control, the flow of information to and from the facility,” Turgidson said; “By the time we were able to contact someone at the facility, the information was long gone.”

When asked if the CI-SOC knew what information had been exfiltrated, Turgidson reported that they had a copy of the affected files, but were not able to discuss what information was included due to the memorandum of understanding between CSA and the affected facility. A source at CI-SOC that was not authorized to talk to the press said that the information included design details about a new COVID-19 virus testing device the company was working on.

Asked whether the current understaffing at the new cybersecurity facility was responsible for the data exfiltration not being stopped, Turgidson replied with an emphatic no. “Most of the data monitoring is done by automated systems,” he explained; “There was a staffer here brought into the loop within minutes of the start of the exfiltration, but the data was already in China by that point. Even if we had a person in the loop sooner, we would not have been able to contact the client by the time the data was gone.”

Turgidson replied to a question about the usefulness of the CI-SOC in this instance by noting that an away team was already en route to the facility to help the client determine how the attack had started and to prevent any further information from being removed from the facility. “The earlier a forensic examination of the systems can be started, the more we can limit the damage,” he explained; “If this was the result of a new type of attack, the gathering of information on the mode of the attack may allow us to stop future attacks at other facilities.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, told this reporter that the FBI was aware of the incident and had a forensic investigation team en route to the facility to work with the CI-SOC team.

Rep. Tucker Watts, Jr. (R,GA) said that he was concerned with the inability of the CI-SOC to prevent the valuable data from leaving the country. “What good is all of the money that we are spending on that facility if it can only tell us that a cybercrime has happened? I expect that the appropriate committees will be investigating this incident when we return to session in September.”


Monday, August 10, 2020

Staffing Problems at CI-SOC


While the news was all positive Saturday at the official opening of the Cybersecurity Agency’s (CSA) new Critical Infrastructure Security Operations Center (CI-SOC), there are indications that the new facility is experiencing start-up problems.

At mid-morning today there were only twenty cars parked in front of the old Sears building in Delano Crossing, the new home of CI-SOC. This is a far cry from the 1,500 employees that are supposed to be working at the facility, or even the quarter of that that would be expected to be on hand for any given shift of a 24-7 operation. According to an unnamed source at the CI-SOC, the facility has been having problems hiring people with the requisite skills.

Gen Buck Turgidson (Ret), the Director of CI-SOC, confirms that there are 100 new employees in training at the Army Cyber Command’s headquarters in nearby Augusta, GA. “The next class of SOC operators graduates from Augusta next week,” Turgidson said; “We expect all 100 of them to be standing watch by Christmas.”

Turgidson refused to answer questions about when full staffing of the CI-SOC is expected.

Immanuel C. Securitage, spokesperson for ECS-CERT, confirmed today that half of the Agency’s investigative personnel have been reassigned to CI-SOC. “There are only so many cyber operators on the operational security side available in the current market place,” Securitage said; “Part of our security tasking has been moved to CI-SOC and we were required to support that change with a transfer of personnel.”

The Army Cyber Command has confirmed that personnel with military cybersecurity training were being actively recruited by CI-SOC as they approached their estimated termination of service date. Personnel were being offered recruiting bonuses and counting military service time for Federal employment seniority. All grades, officer and enlisted, are being recruited.

Personnel issues are not the only problems at CI-SOC. There was also a short line of 18-wheelers waiting to back up to the facility’s two loading docks most of the day. Our insider tells us that large numbers of equipment boxes are stacked in the old warehouse section of the building. Service technicians from various technology companies could be seen coming and going throughout the day, parking in the old automotive service bays alongside the building. Equipment is obviously still being installed at the supposedly operational facility; two new satellite dishes went up on the roof of the building today.

Ida Long, Director of the CSA, admitted to reporters in Washington today that the CI-SOC was not yet up to full operational capabilities. “It takes a while to stand up a new security organization like this,” Long said; “We do have operational capabilities working today and we expect to bring on additional capabilities every day. The important thing to take away from this is that we have new capabilities to monitor and respond to cyber attacks on critical infrastructure. This is something we did not have last week.”


Saturday, August 8, 2020

Court Orders ECS-CERT to Withdraw Alert


Today the 14th US District Court ordered ECS-CERT to withdraw their CyMoTrol alert from their web site pending the final decision of the Court on the suit filed by the company. The company claims that ECS-CERT is unfairly characterizing features of their motor control systems as cybersecurity vulnerabilities and thus damaging their reputation and affecting sales of the reportedly affected devices.

Judge Phantly R. Bean wrote in the restraining order that CyMoTrol had provided prima facie evidence of damage by government claims in the alert and that this justified ordering the removal of the alert from the ECS-CERT web site pending full resolution of the law suit.

Wilhelm Pieck, spokesperson for CyMoTrol, told reporters that the action taken today by the Court will ensure that ECS-CERT stops their campaign to stop the company from providing necessary services and support to their customers. “ECS-CERT has never attempted to prove the claims made by the criminal hacker cYbrg0D and does not even possess one of the devices that they reported to be defective,” Pieck said.

Reporters have not been able to identify cYbrg0D, the researcher who reported the vulnerability claims to ECS-CERT. In a TWEET® issued after the court order was released, cYbrg0D said: “Judge Bean does not understand the purpose of ECS-CERT alerts and advisories – They are designed to protect owner operators from cybersecurity vulnerabilities that were undetected when bought.”

A second TWEET from cYbrg0D contained what may have been a threat, stating: “Perhaps what Bean and his cronies need is a demonstration of the dangers of the CyMoTrol ‘feature’.”

Immanuel C. Securitage, spokesperson for ECS-CERT, reported that the alert in question had been removed from the ECS-CERT web site in accordance with the Judge’s order. In a statement released by the agency, Securitage said: “We have no comment on the ongoing litigation.”

Junior Butts, a lawyer who has successfully represented hackers before Judge Bean, told this reporter that he suspects CyMoTrol will argue that ECS-CERT has not been given specific authority by Congress to publish negative information about control system software and equipment. “Lacking specific authorization, it would be argued, ECS-CERT will have to show that it is not protected from libel and slander suits,” Butts explained; “ECS-CERT will have to show that it took reasonable care to validate the claims by cYbrg0D and other researchers and performed their due diligence responsibilities before publishing derogatory information about CyMoTrol or its products.”

Rep Rebecca Pinter (D,MA), a Congressperson with an interest in cybersecurity legislation, responded to Butts’ comments. She said: “Junior may have a point. When we gave ECS-CERT the responsibility for coordinating disclosures of control system vulnerabilities, Congress did not provide any specific authority to publish alerts or advisories about those vulnerabilities, especially when the vendor involved did not agree that the reported vulnerabilities actually existed. Perhaps we need to look at what requirements should be applied to such situations.”


CI-SOC Opened


Today the DHS Cybersecurity Agency (CSA) announced the opening of the National Critical Infrastructure Security Operations Center (CI-SOC) in Delano, GA. The facility is tasked with monitoring the cybersecurity of 600 critical infrastructure facilities across the United States.

Ida Long, Director of the CSA, said: “The Agency is proud to announce this important step in protecting the cyber operations of this great country. Working in partnership with the owners of these 600 facilities, we will be able to monitor operations, detect and isolate cyberattacks, and identify the attackers at any of these facilities.”

According to the CSA information packet on the CI-SOC there will be a total of 1,500 employees working out of the converted Sears store in Delano. They include 400 cybersecurity specialists who will be monitoring incoming and outgoing electronic communications at each of the 600 facilities on a continuous basis, looking for indicators of compromise.

Gen Buck Turgidson (Ret), the Director of CI-SOC, told reporters that this facility is unique in its capability for monitoring not just the information technology infrastructure at these facilities, but also the operational control systems, building control systems, and physical security control systems at each facility.

“We have 25 process experts available on the floor of the CI-SOC at all times to help the cyber-operators understand the physical system implications of attacks on the various control systems being monitored,” Turgidson told reporters: “They also help the CI response coordinators understand what outside assets may need to be sent to affected facilities to help them recover from various aspects of the attacks identified.”

The Mayor of Delano, Arrington Carter, was on hand for the opening ceremony for the new CI-SOC. She told reporters: “We are very happy to have the CI-SOC take over the old Sears store that closed a couple of years ago. The influx of new technical personnel into the city and the increase in jobs supporting their operations will be a big plus for the City of Delano for years to come.”

Sen TJ Kong (R,GA), who was responsible for the CI-SOC being located in Delano, told reporters that the new facility will bring an infusion of money, people and technology into the city and the region. “Delano has already seen a resurgence since construction and remodeling started on the facility early last year,” Kong said; “And we expect to see additional expansion as more facilities are brought under the CI-SOC umbrella.”


Monday, August 3, 2020

US Cybersecurity Executive and Chinese CFO Both Released

Today simultaneous announcements were made by the governments of Singapore and Canada that the extradition cases against Dade Murphy of Dragonfire Cyber and Sabrina Meng of Huawei Technologies had been dismissed. Officials in both countries denied that there was any connection between the two cases. Both governments maintained that each of the cases had been dropped as a matter of local statutory requirements.


Meng had been arrested in December of 2018 on a US extradition warrant. Murphy was arrested in June of this year on a Chinese warrant for computer hacking.


Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, said that there is still an active warrant out for the arrest of Meng. He refused to comment on the Canadian denial of extradition.


A spokesman for the Chinese Ministry of Justice refused to comment on the case against Murphy.


Nelson T. Johnson, spokesperson for the US State Department, told reporters in today’s daily briefing that there had been no negotiations with the Chinese about the two cases.


Kate Libby at Dragonfire Cyber issued a corporate statement that said: “We are happy to hear that the extradition proceedings in Singapore have ended and look forward to having Dade return home. We expect for him to arrive here on a private jet from Singapore tomorrow or the next day.”


CAUTIONARY NOTE: This is a future news story –