Monday, May 25, 2020

More Chemical Company Attacks by NoReturn Group


The FBI announced today that Sohio Chemical of Columbus, OH reported a ransomware attack that was conducted by the NoReturn APT group. “We had been watching the progress of the previously identified attack as part of our ongoing investigation of the NoReturn group,” said Johnathan Quest, a spokesman for the Federal Bureau of Inquiry. “The adversary then initiated a ransomware attack using a protocol we had not seen before, knocking out most of the corporate network.”

Sohio operates an acrylonitrile manufacturing facility in Wuhan, China. According to the company president, Franklin Veatch, because of the problems running a manufacturing facility in the epicenter of the COVID-19 outbreak in China and a recent push by the Trump Administration to move critical manufacturing back to the United States, Sohio was actively exploring moving their acrylonitrile manufacturing back to Ohio.

Dade Murphy, the CTO for Dragonfire Cyber, told reporters today that Dragonfire was working with Sohio because his company had detected the initial attack on the company while monitoring a server in China associated with the NoReturn group. “We had assured the company and the FBI that we could detect and block the ransomware attack,” Dade told reporters. “But the NoReturn group used a new attack methodology that we were not prepared to block. We will be ready the next time.”

Dade did note that the initial phishing email was disguised to appear to have come from a Sohio email account in their Wuhan, China manufacturing facility. “We have confirmed that it actually originated in the NoReturn group server in Guangzhou, China. The people who received the email in the headquarters engineering department would have had no way of knowing that.”

Veatch told reporters, “Against the advice of both the FBI and Dragonfire, we decided to pay the 1,000-bitcoin ransom to get our system released.” The company had made every-other-day backups of most of their operational files, but while the attackers were operating within their systems, they had gained access to those backups and erased the last three backups just before the ransomware locked up the company systems. “We had critical financial files saved in those three missing backups, so we were forced to pay the ransom,” Franklin told reporters.

Murphy told reporters that Dragonfire was working with Sohio Chemical to determine if any critical engineering files were missing, something that they had seen in earlier attacks. “That does not seem to be the case in this attack, but we are seeing some indications that some of the engineering data may have been changed,” Murphy said.

Rep. Martin L. Davey (D,OH) is calling on the Cybersecurity Agency (CSA) and the Agency for Chemical and Environmental Security (ACES) to take a more active role in helping to prevent these types of attacks on critical infrastructure. Davey is planning on introducing new legislation requiring those agencies to protect critical chemical manufacturers from cyberattacks before next week’s House hearing on the NoReturn group.


Sunday, May 24, 2020

NoReturn Group Attacking Other Chemical Companies


Dade Murphy, CTO of the cybersecurity firm Dragonfire, told reporters today that his firm had found indicators of compromise in other chemical company clients that indicate that the NoReturn APT group was actively involved in compromising companies that were looking at returning chemical production to the United States. This is the same group that was apparently responsible for a recent ransomware attack on an unnamed medical supply company.

“We are actively working with the FBI on these attacks,” Murphy told reporters. “Where we have found active indicators of compromise, we have advised our clients to notify the federal investigators before taking any actions to mitigate the compromise.”

Johnathan Quest, spokesman for the Federal Bureau of Inquiry, confirmed that the FBI was working with Dragonfire on a number of potential cyberattacks. He was unable to provide any information on those investigations at this time.

No ransomware attacks have taken place at any of these companies. “We have apparently found these incursions in an earlier stage of the attack,” Dade said. “Fortunately, we know what the ransomware attack looks like from our earlier work and we have put mitigation measures in place to sandbox any such attack.”

Rep. Tucker Watts, Jr. (R,GA) announced today that he was calling for Congressional hearings on these apparent attacks by the Chinese government. He was joined by Rep. Harvey Milk (D,CA). Hearings may take place when the House returns to Washington after the Memorial Day recess.




Thursday, May 21, 2020

Chinese APT Using Ransomware


Dragonfire Cyber announced today that it had discovered an apparently new Chinese cyber threat group, Meiyou Tuihuo – NoReturn. Dade Murphy, President and CTO for Dragonfire, told reporters: “We have found unique software tools and attack methods associated with a recent attack on a medical supply company here in the US. The ransomware screen associated with the attack was signed by ‘Méiyǒu Tuìhuò’, which translates as ‘no returns’, an apparent reference to the company’s plans to move their manufacturing base back to the United States.”

According to Murphy, the attack was initiated by one or more phishing attacks. The NoReturn group was active on the company network for more than a month before the ransomware attack was initiated across nearly every US based computer in the company. The company paid the 1,000 bitcoin ransom and most of the company files were released.

As Dragonfire searched company files as part of their investigation, it found that many folders were essentially empty; the contents had been erased. All of the missing documents were related to plans to move the company’s manufacturing of medical supplies back to the United States. This included all engineering files for restarting their closed facilities in Delano, GA.

“This is a new phase of ransomware attacks,” Murphy told reporters, “We have seen attackers stealing data in association with ransomware attacks, but never this sort of targeted data destruction. It seems clear that the NoReturn group is operating at a new level of economic warfare.”

The Federal Bureau of Inquiry is investigating this attack as are a variety of intelligence agencies, according to FBI spokesman Johnathan Quest.



Monday, May 18, 2020

5G Towers Killing Refinery Control Systems


A Ravard Refinery spokesman told reporters this morning that contractors hired to investigate their restart problems have determined that the problem with their control system is that nearby radio transmissions were blocking the GPS signal necessary to coordinate the timing of the various components of the control system.

Dade Murphy, President of Dragonfire Cyber, told reporters that the L-Band signal used by the 5G cell phone network recently established by Geschwindlicht AG, a German cell phone company, in the Baton Rouge, LA area was close enough to the GPS signal used by the control system at the refinery that it overcame the timing signal. This meant that none of the control systems were able to properly coordinate their actions. Safety controls in place have stopped the start-up of the refinery.

James Franck, the spokesman for Geschwindlicht, admitted that in Germany, his company was not allowed to place their L-band cell towers within a mile of any facility using Robotron control system components because their 5G signal interfered with the operation of those devices. “We did not know that the Ravard Refinery was using Robotron equipment.”

“We have an agreement with the Federal Electronics Commission that we will replace any government devices affected by our new 5G signal,” Franck explained. “That agreement does not extend to industrial equipment.”

David Weeb, of the FEC, issued a statement that explained that the Ravard Refinery did not respond at the hearing where the Geschwindlicht license was approved. Weeb explained, “Complaining after the fact does not serve anyone’s interest. Geschwindlicht has proceeded with their installations in good faith; we have no plans to tell them to stop.”


Sunday, May 17, 2020

Refinery Restart Delayed Due to System Timing Issues


The restart of the Rafael Ravard Refinery in Baton Rouge, LA is being delayed by technical issues, according to Cesar Chavez, the facility manager. “We have been having some control system problems during the start-up and until we resolve them, we will not be able to restart the refinery,” Chavez told reporters.

The Ravard Refinery had been closed for their annual turnaround when the bottom fell out of crude oil prices earlier this spring. “With the decreasing domestic demand for gasoline due to the COVID-19 pandemic, we took some additional time on our turnaround to update systems and install some new technology to increase our efficiency,” Chavez explained.

Sources at the refinery who are not authorized to talk to the press have said that the delays in restarting are not due to the new technology. “We are having problems with the timing services for our control system,” a company engineer explained.

The company uses GPS timing signals to ensure that all components of the control system at the 500-acre facility are using the exact same time so that operations across the facility are safely coordinated. “For some reason we are not consistently receiving the GPS signals for that timing system across the facility,” another source explained.

While some refinery employees are working at the facility during the post-turnaround testing phase, the full workforce will not be recalled until the facility is fully prepared to restart production.

Sunday, May 3, 2020

Ammonia Hack Example of COVID-19 Cyber Threat


Stasi Ehemalige, the German hacking collective, published a statement yesterday taking credit for the recent ammonia safety system attacks at Delano, GA’s Intershop Meat Plant. This confirms the earlier report by Dragonfire.

The hacker’s statement explained that: “The Collective supports the actions taken by workers to protect their health and safety. Intershop’s failure to protect their workers from the COVID-19 pandemic while requiring them to continue working made them vulnerable to the attack.”

Dade Murphy from Dragonfire told reporters today that AmmoniakSaugt, a safety-system worm, exploited a known vulnerability in the Robotron Kühlsicherheit refrigeration safety system. “Since the vulnerability requires physical access to the system to exploit, most owners do not install the available patch to mitigate the vulnerability, since it also somewhat reduces the flexibility of the safety system.”

Johnathan Quest of the Federal Bureau of Inquiry told reporters that: “The Bureau is investigating other incidents at meat packing and vegetable processing plants where the same vulnerability was being exploited to interfere with facility operations. The goal of the attack seems to be to interfere with the food supply during the COVID-19 pandemic.”

The FBI has still not been able to determine how Willie Cole, the maintenance worker at the Intershop Meat Plant who has been accused of inserting the worm-laden USB drive into the safety-system computer, got possession of the thumb drive from Stasi Ehemalige. “We have not found any link between any of the known associates of Cole and the German collective,” Quest told reporters.

Junior Butts, the lawyer representing Cole, is not encouraging his client to cooperate with the FBI’s investigation. “Willie is guilty of nothing more than calling attention to the dangerous working conditions at the facility. The COVID-19 pandemic is currently affecting the plant, with 50 employees reporting symptoms and one death linked to the virus.”

Horst Sinderman, the facility manager for Intershop, confirmed the infections and reported that the local health department had conducted COVID-19 tests on all employees. “The company is waiting for results of those tests,” Sinderman explained. The company is reportedly complying with all CDC recommended precautions in the production area of the plant.

Butts told reporters that an epidemiologist from the University of Georgia had looked at the plant operations and agreed that the company was taking reasonable precautions in production areas. Unfortunately, that investigator found that conditions in the facility breakroom and the common smoking area were too crowded and workers were not wearing masks. Butts explained that “It is reasonable to suggest that those conditions, all under company control, were ideal conditions for the spread of COVID-19.”

Sinderman responded that workers were responsible for their own actions; the company was providing the appropriate protective equipment and allowing workers to take home gloves and masks for their additional protection. “An agreement with the Union limits our ability to enforce safety suggestions in the breakroom and smoking areas.”