Tuesday, February 25, 2020

Refinery Still Down from Ransomware Attack


Cesar Chavez of the Rafael Ravard Refinery in Baton Rouge, LA announced this morning that the refinery was still shut down from last month’s ransomware attack. “We initially decided not to pay the ransom since we had off-site backups for our major control system components, but after determining that the ransomware had encrypted device-level software for which we had no backups, we decided that we had to pay the ransom,” Chavez told reporters.

Chavez explained that the owners of the WannaControl malware added additional penalties for the delay in paying the ransom and were now releasing the control system devices on a unit-by-unit basis, with a separate, smaller ransom being required for each unit. So far, the refinery has reportedly paid out $1.9 million in bitcoin ransom payments.

Johnathan Quest, spokesman for the Federal Bureau of Inquiry, told reporters that the Bureau was still investigating the attack, but had been unable to trace the ransomware payments. “Bitcoin transactions are very difficult to trace, but we are working with a number of international law enforcement agencies and various intelligence agencies to crack the Bitcoin network.”

Immanuel C. Securitage, spokesman for the ECS-CERT, told reporters that his agency was working closely with the refinery and Robotron on the security issues related to this attack. “The agency has not been notified of other facilities that may have experienced a WannaControl attack, but we suspect that some attacks have taken place and that the owners quickly paid the ransom to avoid the results that the refinery has experienced,” he explained.

ECS-CERT strongly recommends that any facility that purchased Robotron pumps in the last half of 2019 immediately take them out of service until a Robotron representative can reload the motor control software. Facilities with such pumps in service should have their control systems immediately checked for possible compromise. “ECS-CERT has noted that the refinery attackers apparently had access to the control system for at least a month before the attack was initiated,” Securitage reported.

In response to a reporter’s question about ECS-CERT support for finding apparently affected systems, Securitage said: “ECS-CERT does not have enough investigators to help everyone affected by the Robotron vulnerability, nor apparently does Robotron.” ECS-CERT is not allowed to recommend private sector companies that could do this work, but Securitage noted that: “Any major ICS security organization could probably do the assessment.”

Erich Mielke from Robotron released a statement saying that the company was deploying as many of its security engineers as it had available to look at potentially affected Robotron control systems, but that facilities using Robotron pumps with other vendors’ control systems should reach out to the system vendor for assistance. Robotron has published a report on the malware that was loaded on its pump controllers; the report includes indicators of possible compromise that can be searched for on other products.

Rep. Harvey Milk (D,CA) announced that his subcommittee will be holding a hearing this week looking at the refinery attack. “We need to ensure that these types of ransomware attacks on critical infrastructure cannot happen,” he told reporters. He went on to criticize ECS-CERT’s inability to effectively support critical infrastructure owners in preventing further occurrences of this particular attack, saying: “Congress expects ECS-CERT to be proactive in responding to attacks like this; we want answers now.”


Tuesday, February 4, 2020

Federal Judge Releases LNG Hackers


Today Judge Phantly R. Bean of the 14th US District Court released the two hackers who were arrested in the case of the liquefied natural gas railcar that was hacked last month. Bean ruled that the two could not be charged under the federal computer fraud statute. The two were subsequently arrested on State charges as they left Federal custody.

Bean ruled that Federal prosecutors erred in charging the two under 18 USC 1030, the section of the Federal criminal code dealing with computer fraud. This is the section under which most computer hackers are charged. “While this computer fraud chapter is broadly written, none of the elements of crime described in the chapter pertain to the actions alleged to have been conducted by these two individuals,” Bean wrote in his decision. “With that firmly in mind, I hereby grant the defense motion to dismiss the charges.”

Junio Butts, the lawyer defending the two in Federal Court, declared: “This is a good day for the American judicial system. Bean recognized that the actions of my clients were a modern-day issue of civil disobedience, not fraud. We are currently discussing with Pennsylvania State prosecutors an appropriate charge to which my clients can legitimately plead guilty.”

Bean has testified before Congress on the inadequacies of the §1030 language with respect to attacks on computers that are part of a control system of some sort. He testified last summer that “Industrial control systems do not fit well into the description of fraud related offenses listed in §1030(a) and Congress needs to address this issue before the Courts are forced to deal with the situation.”

Rep. Harvey Milk (D, CA) is reportedly working on legislation that would add a new paragraph to §1030 that would specifically address attacks on industrial control systems. “My staff has been working with tech industry lawyers to craft language that would address attacks on these increasingly important information systems,” Milk said.

CAUTIONARY NOTE: This is a future news story –