The FBI announced today that Sohio Chemical of Columbus, OH reported
a ransomware attack conducted by the NoReturn APT group. “We had been
watching the progress of the previously identified attack as part of our ongoing
investigation of the NoReturn group,” said Johnathan Quest, a spokesman for the
Federal Bureau of Inquiry. “The adversary then initiated a ransomware attack
using a protocol we had not seen before, knocking out most of the corporate
network.”
Sohio operates an acrylonitrile manufacturing facility in
Wuhan, China. According to the company president, Franklin Veatch, because of
the problems running a manufacturing facility in the epicenter of the COVID-19
outbreak in China and a recent push by the Trump Administration to move critical
manufacturing back to the United States, Sohio was actively exploring moving their
acrylonitrile manufacturing back to Ohio.
Dade Murphy, the CTO for Dragonfire Cyber, told reporters
today that Dragonfire was working with Sohio because his company had detected
the initial attack on the company while monitoring a server in China associated
with the NoReturn group. “We had assured the company and the FBI that we could
detect and block the ransomware attack,” Dade told reporters, “but the NoReturn
group used a new attack methodology that we were not prepared to block. We will
be ready the next time.”
Dade did note that the initial phishing email was disguised
to appear to have come from a Sohio email account in their Wuhan, China
manufacturing facility. “We have confirmed that it actually originated in the
NoReturn group server in Guangzhou, China. The people who received the email in
the headquarters engineering department would have had no way of knowing that.”
Veatch told reporters: “Against the advice of both the
FBI and Dragonfire, we decided to pay the 1,000-bitcoin ransom to get our system
released.” The company had made every-other-day backups of most of their
operational files, but while the attackers were operating within their systems,
they had gained access to those backups and erased the last three backups just
before the ransomware locked up the company systems. “We had critical financial
files saved in those three missing backups, so we were forced to pay the ransom,”
Franklin told reporters.
Murphy told reporters that Dragonfire was working with Sohio
Chemical to determine if any critical engineering files were missing, something
that they had seen in earlier attacks. “That does not seem to be the case in
this attack, but we are seeing some indications that some of the engineering
data may have been changed,” Murphy said.
Rep. Martin L. Davey (D-OH) is calling on the Cybersecurity
Agency (CSA) and the Agency for Chemical and Environmental Security (ACES) to
take a more active role in helping to prevent these types of attacks on critical
infrastructure. Davey is planning on introducing new legislation requiring
those agencies to protect critical chemical manufacturers from cyberattacks
before next week’s House hearing on the NoReturn group.