Monday, August 31, 2020

Closed Hearing Looks at MedDevice Incident


This weekend the House Subcommittee on Cybersecurity Oversight held a closed, virtual hearing on the recent non-hacking case investigation initiated by CSA’s Critical Infrastructure Security Operations Center (CI-SOC). According to a press release from Chairman Richard Gil (D,NY): “We tried to determine if either CI-SOC or the Federal Bureau of Inquiry (FBI) complied with the restrictions imposed on the two agencies in the authorizing language for the CI-SOC. At this point it appears that they did.”

The hearing was requested by Ranking Member Tucker Watts (R,GA) who had expressed concerns about last week’s announcement from the National Association of Information Sharing and Analysis Centers (NAISACS) that their member organizations would no longer be sharing threat information with CI-SOC.

“CI-SOC can only be effective if they receive support from the entire cybersecurity community. The free flow of information between researchers, ISACs and the Cybersecurity Agency is essential if we are to successfully defend critical infrastructure from cyberattacks,” Watts said in a press conference early this morning.

Both Watts and Sen. TJ Kong (R,GA) were instrumental in getting the CI-SOC authorization bill through Congress late last year. Kong has also expressed concerns about the fallout from the first incident response from CI-SOC. “We cannot expect the CSA to construct a Great Firewall around the USA, nor do we want it to,” Kong said by telephone; “We set up CI-SOC to allow CSA to provide small and medium sized businesses with security operations centers that their larger competitors are able to establish in-house, leveling the security playing field.”

Kong told this reporter that the Senate Select Committee on Cybersecurity would be holding hearings on the MedDevice situation in late September. “The FBI investigation needs to develop a bit more supporting information before we can draw any real conclusions about the effectiveness of the CI-SOC and its cooperation with both the private sector and the FBI,” he said.

A staffer for Watts told me that the Congressman’s office is starting to look at crafting legislation that would require ISACS to share information with CI-SOC. “We are working with both NAISACs and CI-SOC on language that both can work with,” the staffer, who was not authorized to talk to the press, said.

According to Gil, the Cybersecurity Oversight Committee will be holding an open hearing in the coming weeks to hear concerns from NAISACS and companies being supported by CI-SOC.


Sunday, August 23, 2020

ISACS to Stop Sharing with CI-SOC


This afternoon the National Association of Information Sharing and Analysis Centers (NAISACS) announced that its member Centers will no longer share cyber-threat intelligence information with the CSA’s Critical Infrastructure Security Operations Center (CI-SOC). NAISACS is taking this action due to the announcement of the Federal Bureau of Inquiry’s investigation of MedDevice.

Dr. John McKittrick, NAISACs’ President, told reporters during a virtual press conference; “Our member Centers’ effectiveness is based upon voluntary information sharing by organizations. With the FBI’s investigation being based upon information obtained from MedDevice via a voluntary association with CI-SOC, the Centers have heard concerns from their supporters that information shared would end up in the hands of the FBI or regulators. We are taking this action today to ensure that individual organizations will continue to share valuable cyber-threat information with our Centers.”

General Buck Turgidson (Ret), Director of CI-SOC, said that he had talked with McKittrick and a number of individual Center Directors over the weekend while this action was being discussed. “We knew that this was coming,” the General said; “I tried to convince them that we would do our best to protect the information provided by the ISACs, but we are constrained by Federal law that requires us to notify the FBI when a cybercrime is committed.”

Immanuel C. Securitage, spokesperson for the ECS-CERT, confirmed that the ECS-CERT was also constrained by the same legal requirements as CI-SOC. “We have been very careful to tell folks approaching us for assistance that we will have to share some information with the FBI and some federal regulators,” Securitage explained; “We work closely with NAISACs and their Centers. We have never received any information from them that we would have been required to report to the FBI.”

McKittrick confirmed that the Centers were careful about what information they shared with ECS-CERT to avoid putting them in the position of having to report the shared information. “I would suspect that the Centers would do the same with CI-SOC. But with the public announcement that CI-SOC had shared information with the FBI that resulted in a criminal investigation, many of our supported organizations have raised concerns about the CI-SOC.”

A staffer at NAISACs who is not authorized to talk to the press told me that there had been no discussion about the information sharing activities with ECS-CERT over the weekend. She said: “There has never been a problem with the information shared with that organization, so it did not come up. If information shared with ECS-CERT ever ends up in an FBI investigation, I expect that NAISACs would take the same action with them.”


Wednesday, August 19, 2020

Feds Open Espionage Case Against MedDevice


Today the Federal Bureau of Inquiry announced that they were opening a formal espionage inquiry into activities at the medical device manufacturer, MedDevice. The FBI’s investigation was apparently started due to the recent non-hacking case investigation initiated by the CSA’s Critical Infrastructure Security Operations Center (CI-SOC).

Johnathan Quest, FBI spokesperson, told reporters that the Agency had been initially brought into the investigation because of the ‘data exfiltration’ investigation initiated by CI-SOC. “At that point we were looking into an apparent cyberattack on the company,” Quest said; “But when MedDevice announced that the ‘data exfiltration’ was part of a routine data transmission to their manufacturing partner, MedZS, we became concerned because of known associations of that company with the Chinese PLA.”

The investigation is apparently being based upon recent changes to the espionage statutes making it a crime to provide information obtained in federally sponsored research on COVID-19 related matters to foreign governments or militaries without the express approval of the federal government. MedDevice obtained a grant to support their development of the COVID-19 rapid test device. The People’s Liberation Army is not on the short list of foreign governments or militaries that are exempt from the data sharing limitations.

General Buck Turgidson (Ret), Director of CI-SOC, assured reporters that his organization did not share a copy of the original data exfiltration with the FBI. “Our mandate is clear,” the General said; “We are prohibited from sharing data obtained during our monitoring of partner facilities without their permission. We brought the FBI in because we had information of a potential crime, an apparent attack on the information systems at MedDevice.”

Quest confirmed that the FBI has not yet seen a copy of the data sent to China. “Our investigation was initiated based upon the statements from T. John McIntyre, President of MedDevice,” he said; “Once we confirmed that MedZS was a wholly owned subsidiary of the PLA we started a formal investigation. We will be formally requesting a copy of the data sent to MedZS from the CI-SOC later today.”

Turgidson confirmed that the law authorizing the establishment of the CI-SOC would require his organization to supply the Justice Department with a copy of the intercepted files when they provided him with a subpoena based upon an ongoing Federal investigation. “We are required to maintain copies of our intercepts for seven days for just this reason,” Turgidson explained.

Rep. Milk (D,CA) noted that privacy issues like this were one of the problems that some legislators had with the bill authorizing the CI-SOC. “We wanted to ensure that facilities signing up for the security monitoring did not need to be concerned that information shared with CSA would be able to be used in regulatory actions,” Milk said in a press release; “We may need to review this incident to see if CI-SOC and the FBI overstepped their bounds in this incident.”


Friday, August 14, 2020

We Were Not Hacked


At a press conference early this morning, T. John McIntyre, President of MedDevice, told reporters that his company was the alleged target of the cybersecurity attack reported yesterday by the Cybersecurity Agency’s (CSA) Critical Infrastructure Security Operations Center (CI-SOC). He told reporters that the supposed cyberattack was a routine communication with the company’s manufacturing partner in China, not an attack on the company.

“I spent a number of hours yesterday meeting with the CI-SOC away team and we finally concluded that the ‘data exfiltration’ that their system detected was actually a routine communication with MedZS, our manufacturing partner in Guangdong, China,” McIntyre told reporters; “This whole ‘cyberattack’ fiasco was caused by some miscommunications between MedDevice and CI-SOC.”

An email from General Buck Turgidson (Ret), Director of CI-SOC, indicated that the IP address to which MedDevice sent the information was not on the current whitelist of approved communications prepared by the Company. Walter O’Reilly, spokesperson for MedDevice, confirmed that the data was sent to a new cloud-based account used by MedZS that had not yet been communicated to CI-SOC.

O’Reilly told reporters that the data dump was a detailed description of the company’s new rapid-test device for COVID-19 detection that the company expects to be placed in companies and schools for daily screening of employees and students arriving at a facility. The device relies on a non-invasive sample being taken from the inside of the facemask being worn by the person to be tested, using a specially treated cotton swab. The COVIDSWAB® would then be placed in a scanner and a positive/negative determination would be made within seconds.

“This will be a game changer for facilities that want to safely open during the COVID-19 pandemic,” O’Reilly said.

A source that declined to be named because they were not authorized to talk to the press told me that the leadership at the CI-SOC was somewhat abashed about the apparently premature announcement of the non-attack, but still felt that the right decision had been made. There were concerns that recent reports about the current understaffing of the facility were leaving the impression that the facility was not an effective response to cyberattacks on critical infrastructure.

According to Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, that agency’s investigation of the incident has not yet been closed. “There are still some questions about the sharing of information with a Chinese company with ties to the PLA, especially with the potential national security implications of this product,” Quest told reporters this morning.

Sen TJ Kong (R,GA) told reporters today that he agreed with the decision by Turgidson to release the information on the reported cyberattack even though it turned out to be a miscommunication problem instead of an attack. “It is important that the country knows that the US government is being proactive in defending the nation from foreign cyber adversaries,” he said; “Minor hiccups like this are to be expected as the CI-SOC and its private sector partners learn how to work together.”


Thursday, August 13, 2020

CI-SOC Detects Its First Cyber Attack – Too Late


The Cybersecurity Agency’s (CSA) Critical Infrastructure Security Operations Center (CI-SOC) reported its first detection of a cybersecurity attack on one of the covered private sector entities that it was protecting. The CI-SOC reported detecting a large data exfiltration from an unnamed medical device manufacturer in Illinois. They were not able to stop the information from leaving the country.

General Buck Turgidson (Ret), Director of CI-SOC, told reporters at a morning news conference that the CI-SOC was monitoring incoming and outgoing digital traffic from the research facility and noted the large (20 gigabyte) data transmission from the site to a server in Guangdong, China. “Our agreement with the affected company allows us to monitor, but not control, the flow of information to and from the facility,” Turgidson said; “By the time we were able to contact someone at the facility, the information was long gone.”
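The detection described here, and the false positive in the follow-up story where the flagged destination turned out to be a partner’s new cloud account missing from the facility’s whitelist, can be illustrated with an egress-allowlist check over outbound flow records. The Python below is an added example for this page, not code from CI-SOC or the original posts; the allowlist, the addresses (RFC 5737 test networks), the 20 GiB transfer split into 512 MiB chunks and the response deadline are all constructed. It also shows the monitor-only limitation the General describes: the alert fires early, but nothing blocks the transfer, so the useful question is how much data had already left by the time a human could act, and how a whitelist update clears the alert entirely.

```python
"""Egress-allowlist detector over constructed flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

GIB = 1024 ** 3
MIB = 1024 ** 2


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of the monitoring window (constructed)
    src: str         # internal host
    dst: str         # external destination
    dst_port: int
    out_bytes: int   # bytes sent from the facility to dst


@dataclass(frozen=True)
class Alert:
    ts: int
    dst: str
    total_bytes: int
    reason: str


# Hypothetical facility allowlist: partner label -> approved destination networks.
ALLOWLIST: Dict[str, List[str]] = {
    "partner-mfg": ["203.0.113.0/24"],    # TEST-NET-3, stands in for the known partner site
    "cloud-backup": ["198.51.100.10/32"],  # TEST-NET-2
}


def is_allowed(dst: str, allowlist: Dict[str, List[str]]) -> bool:
    addr = ip_address(dst)
    return any(addr in ip_network(net) for nets in allowlist.values() for net in nets)


def detect_egress(flows: Iterable[Flow], allowlist: Dict[str, List[str]],
                  byte_threshold: int = 1 * GIB) -> List[Alert]:
    """One alert per non-allowlisted destination, raised at the moment its cumulative
    outbound volume first reaches byte_threshold. Detection only: nothing is blocked."""
    totals: Dict[str, int] = {}
    alerted = set()
    alerts: List[Alert] = []
    for f in sorted(flows, key=lambda f: f.ts):
        if is_allowed(f.dst, allowlist):
            continue
        totals[f.dst] = totals.get(f.dst, 0) + f.out_bytes
        if f.dst not in alerted and totals[f.dst] >= byte_threshold:
            alerted.add(f.dst)
            alerts.append(Alert(f.ts, f.dst, totals[f.dst],
                                "large transfer to destination not on allowlist"))
    return alerts


def bytes_sent_by(flows: Iterable[Flow], dst: str, deadline_ts: int) -> int:
    """How much had already left for dst by the time responders could act."""
    return sum(f.out_bytes for f in flows if f.dst == dst and f.ts <= deadline_ts)


def with_partner_update(allowlist: Dict[str, List[str]], label: str, net: str) -> Dict[str, List[str]]:
    """Return a copy of the allowlist with the partner's new endpoint added."""
    updated = {k: list(v) for k, v in allowlist.items()}
    updated.setdefault(label, []).append(net)
    return updated


def make_sample_flows() -> List[Flow]:
    """Constructed sample: 40 chunks of 512 MiB (20 GiB) every 30 s to an address the
    facility never added to its whitelist, plus routine traffic to the listed partner."""
    new_cloud_ip = "192.0.2.50"  # TEST-NET-1, the partner's not-yet-registered cloud account
    flows = [Flow(ts=i * 30, src="10.0.5.21", dst=new_cloud_ip, dst_port=443, out_bytes=512 * MIB)
             for i in range(40)]
    flows += [Flow(ts=i * 300 + 7, src="10.0.5.21", dst="203.0.113.7", dst_port=443, out_bytes=100 * MIB)
              for i in range(5)]
    return flows


if __name__ == "__main__":
    flows = make_sample_flows()
    for a in detect_egress(flows, ALLOWLIST):
        gone = bytes_sent_by(flows, a.dst, a.ts + 600)  # assume 10 minutes to reach the facility
        print(f"t={a.ts}s alert on {a.dst}: {a.reason}; "
              f"{gone / GIB:.0f} GiB already sent 10 min after the alert")
    fixed = with_partner_update(ALLOWLIST, "partner-mfg", "192.0.2.50/32")
    print("alerts after whitelist update:", len(detect_egress(flows, fixed)))
```

The threshold alert fires 30 seconds in, when only 1 GiB of the 20 GiB has left; with a ten-minute path from alert to a phone call at the facility, more than half the data is already gone, which is the gap between detection and prevention the story turns on. Re-running the same flows after the partner’s new endpoint is added produces no alert, which is the Aug 14 outcome: the traffic was never malicious, the whitelist was simply stale.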

When asked if the CI-SOC knew what information had been exfiltrated, Turgidson reported that they had a copy of the affected files, but were not able to discuss what information was included due to the memorandum of understanding between CSA and the affected facility. A source at CI-SOC who was not authorized to talk to the press said that the information included design details about a new COVID-19 virus testing device the company was working on.

Asked whether the current understaffing at the new cybersecurity facility was responsible for the data exfiltration not being stopped, Turgidson replied with an emphatic no. “Most of the data monitoring is done by automated systems,” he explained; “There was a staffer here brought into the loop within minutes of the start of the exfiltration, but the data was already in China by that point. Even if we had a person in the loop sooner, we would not have been able to contact the client by the time the data was gone.”

Turgidson replied to a question about the usefulness of the CI-SOC in this instance by noting that an away team was already en route to the facility to help the client determine how the attack had started and to prevent any further information from being removed from the facility. “The earlier a forensic examination of the systems can be started, the more we can limit the damage,” he explained; “If this was the result of a new type of attack, the gathering of information on the mode of the attack may allow us to stop future attacks at other facilities.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, told this reporter that the FBI was aware of the incident and had a forensic investigation team en route to the facility to work with the CI-SOC team.

Rep. Tucker Watts, Jr. (R,GA) said that he was concerned with the inability of the CI-SOC to prevent the valuable data from leaving the country. “What good is all of the money that we are spending on that facility if it can only tell us that a cybercrime has happened? I expect that the appropriate committees will be investigating this incident when we return to session in September.”


Monday, August 10, 2020

Staffing Problems at CI-SOC


While the news was all positive Saturday at the official opening of the Cybersecurity Agency’s (CSA) new Critical Infrastructure Security Operations Center (CI-SOC), there are indications that the new facility is experiencing start-up problems.

At mid-morning today there were only twenty cars parked in front of the old Sears building in Delano Crossing, the new home of CI-SOC. This is a far cry from the 1,500 employees that are supposed to be working at the facility, or even the quarter of that number that would be expected to be on hand for any given shift of a 24-7 operation. According to an unnamed source at the CI-SOC, the facility has been having problems hiring people with the requisite skills.

Gen Buck Turgidson (Ret), the Director of CI-SOC, confirms that there are 100 new employees in training at the Army’s Cyber Command’s headquarters in nearby Augusta, GA. “The next class of SOC operators graduates from Augusta next week,” Turgidson said; “We expect all 100 of them to be standing watch by Christmas.”

Turgidson refused to answer questions about when full staffing of the CI-SOC is expected.

Immanuel C. Securitage, spokesperson for ECS-CERT, confirmed today that half of the Agency’s investigative personnel have been reassigned to CI-SOC. “There are only so many cyber operators on the operational security side available in the current market place,” Securitage said; “Part of our security tasking has been moved to CI-SOC and we were required to support that change with a transfer of personnel.”

The Army Cyber Command has confirmed that personnel with military cybersecurity training were being actively recruited by CI-SOC as they approached their estimated termination of service date. Personnel were being offered recruiting bonuses and counting military service time for Federal employment seniority. All grades, officer and enlisted, are being recruited.

Personnel issues are not the only problems at CI-SOC. There was also a short line of 18-wheelers waiting to back up to the facility’s two loading docks most of the day. Our insider tells us that large numbers of equipment boxes are stacked in the old warehouse section of the building. Service technicians from various technology companies could be seen coming and going throughout the day, parking in the old automotive service bays alongside the building. Equipment is obviously still being installed at the supposedly operational facility; two new satellite dishes went up on the roof of the building today.

Ida Long, Director of the CSA, admitted to reporters in Washington today that the CI-SOC was not yet up to full operational capabilities. “It takes a while to stand up a new security organization like this,” Long said; “We do have operational capabilities working today and we expect to bring on additional capabilities every day. The important thing to take away from this is that we have new capabilities to monitor and respond to cyber attacks on critical infrastructure. This is something we did not have last week.”


Saturday, August 8, 2020

Court Orders ECS-CERT to Withdraw Alert


Today the 14th US District Court ordered ECS-CERT to withdraw their CyMoTrol alert from their web site pending the final decision of the Court on the suit filed by the company. The company claims that ECS-CERT is unfairly characterizing features of their motor control systems as cybersecurity vulnerabilities and thus damaging their reputation and affecting sales of the reportedly affected devices.

Judge Phantly R. Bean wrote in the restraining order that CyMoTrol had provided prima facie evidence of damage by government claims in the alert and that this justified ordering the removal of the alert from the ECS-CERT web site pending full resolution of the lawsuit.

Wilhelm Pieck, spokesperson for CyMoTrol, told reporters that the action taken today by the Court will ensure that ECS-CERT stops their campaign to stop the company from providing necessary services and support to their customers. “ECS-CERT has never attempted to prove the claims made by the criminal hacker cYbrg0D and does not even possess one of the devices that they reported to be defective.” Pieck said.

Reporters have not been able to identify cYbrg0D, the researcher who reported the vulnerability claims to ECS-CERT. In a TWEET® issued after the court order was released, cYbrg0D said: “Judge Bean does not understand the purpose of ECS-CERT alerts and advisories – They are designed to protect owner operators from cybersecurity vulnerabilities that were undetected when bought.”

A second TWEET from cYbrg0D contained what may have been a threat, stating: “Perhaps what Bean and his cronies need is a demonstration of the dangers of the CyMoTrol ‘feature’.”

Immanuel C. Securitage, spokesperson for ECS-CERT, reported that the alert in question had been removed from the ECS-CERT web site in accordance with the Judge’s order. In a statement released by the agency, Securitage said: “We have no comment on the ongoing litigation.”

Junior Butts, a lawyer who has successfully represented hackers before Judge Bean, told this reporter that he suspects CyMoTrol will argue that ECS-CERT has not been given specific authority by Congress to publish negative information about control system software and equipment. “Lacking specific authorization, it would be argued, ECS-CERT will have to show that it is not protected from libel and slander suits,” Butts explained; “ECS-CERT will have to show that it took reasonable care to validate the claims by cYbrg0D and other researchers and performed their due diligence responsibilities before publishing derogatory information about CyMoTrol or its products.”

Rep Rebecca Pinter (D,MA), a Congressperson with an interest in cybersecurity legislation, responded to Butts’ comments. She said: “Junior may have a point. When we gave ECS-CERT the responsibility for coordinating disclosures of control system vulnerabilities, Congress did not provide any specific authority to publish alerts or advisories about those vulnerabilities, especially when the vendor involved did not agree that the reported vulnerabilities actually existed. Perhaps we need to look at what requirements should be applied to such situations.”


CI-SOC Opened


Today the DHS Cybersecurity Agency (CSA) announced the opening of the National Critical Infrastructure Security Operations Center (CI-SOC) in Delano, GA. The facility is tasked with monitoring the cybersecurity of 600 critical infrastructure facilities across the United States.

Ida Long, Director of the CSA, said: “The Agency is proud to announce this important step in protecting the cyber operations of this great country. Working in partnership with the owners of these 600 facilities, we will be able to monitor operations, detect and isolate cyberattacks, and identify the attackers at any of these facilities.”

According to the CSA information packet on the CI-SOC there will be a total of 1,500 employees working out of the converted Sears store in Delano. They include 400 cybersecurity specialists who will be monitoring incoming and outgoing electronic communications at each of the 600 facilities on a continuous basis, looking for indicators of compromise.

Gen Buck Turgidson (Ret), the Director of CI-SOC, told reporters that this facility is unique in its capability for monitoring not just the information technology infrastructure at these facilities, but also the operational control systems, building control systems, and physical security control systems at each facility.

“We have 25 process experts available on the floor of the CI-SOC at all times to help the cyber-operators understand the physical system implications of attacks on the various control systems being monitored,” Turgidson told reporters; “They also help the CI response coordinators understand what outside assets may need to be sent to affected facilities to help them recover from various aspects of the attacks identified.”

The Mayor of Delano, Arrington Carter, was on hand for the opening ceremony for the new CI-SOC. She told reporters: “We are very happy to have the CI-SOC take over the old Sears store that closed a couple of years ago. The influx of new technical personnel into the city and the increase in jobs supporting their operations will be a big plus for the City of Delano for years to come.”

Sen TJ Kong (R,GA), who was responsible for the CI-SOC being located in Delano, told reporters that the new facility will bring an infusion of money, people and technology into the city and the region. “Delano has already seen a resurgence since construction and remodeling started on the facility early last year,” Kong said; “And we expect to see additional expansion as more facilities are brought under the CI-SOC umbrella.”


Monday, August 3, 2020

US Cybersecurity Executive and Chinese CFO Both Released

Today simultaneous announcements were made by the governments of Singapore and Canada that the extradition cases against Dade Murphy of Dragonfire Cyber and Sabrina Meng of Huawei Technologies had been dismissed. Officials in both countries denied that there was any connection between the two cases. Both governments maintained that each of the cases had been dropped as a matter of local statutory requirements.


Meng had been arrested in December of 2018 on a US extradition warrant. Murphy was arrested in June of this year on a Chinese warrant for computer hacking.


Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, said that there is still an active warrant out for the arrest of Meng. He refused to comment on the Canadian denial of extradition.


A spokesman for the Chinese Ministry of Justice refused to comment on the case against Murphy.


Nelson T. Johnson, spokesperson for the US State Department told reporters in today’s daily briefing that there had been no negotiations with the Chinese about the two cases.


Kate Libby at Dragonfire Cyber issued a corporate statement that said: “We are happy to hear that the extradition proceedings in Singapore have ended and look forward to having Dade return home. We expect for him to arrive here on a private jet from Singapore tomorrow or the next day.”


CAUTIONARY NOTE: This is a future news story –


Saturday, August 1, 2020

Ransomware Re-infected from Sensor

Dragonfire Cyber published a report today on a recent ransomware attack on a PLC being used in a safety system at a Louisiana chemical manufacturing plant. There were two unique things about this ransomware attack, the report states. First, the ransomware did not encrypt system files; it simply shut down the safety system and demanded a 100-bitcoin ransom. The second item of interest is that the system was re-infected as soon as the affected PLC was replaced.


The active portion of the ransomware reset the Robotron SicherheitsKontrolle PLC to factory default settings, erasing the programming designed to ensure that the styrene storage tank remained in an inherently safe state. It also erased the control screen on the HMI used by the safety system, replacing the virtual system diagram with the ransomware message.


Since the affected system was a safety system, the facility had a preprogrammed replacement on hand for both the PLC and the HMI. As soon as the ransomware message was reported, maintenance personnel were contacted and the two devices were replaced within an hour.


“The attackers understood how easy it was to replace the affected devices without resorting to paying the ransom,” Kate Libby, spokesperson for Dragonfire, told this reporter; “So they designed their ransomware system so that it would immediately infect the replaced equipment.”


The local control system maintenance personnel were not able to find the initial source of the infection or the re-infection. In order to ensure the safety of the facility, the company paid the ransom and the system was immediately returned to its pre-infection state.


Dragonfire was retained to discover the source of the infection, determine how the system was re-infected, and ensure that there were no other problems with the system. The source of the initial infection was the USB drive that was used to apply the annual system updates for the safety system. The USB drive, sent from Robotron offices in Germany, was apparently intercepted at the local delivery company office and infected with the ĀnquánShújīn worm.


The USB device was erased when it was removed from the laptop used to update the PLC, but the technician who performed the update had copied the update to a backup drive for record keeping purposes. The drive erase program was not transferred with that copy, as it was hidden in the USB firmware. The malware programming on the laptop was automatically erased and overwritten with the original update after the safety system was updated.


“With a copy of the actual ransomware code on hand, it was easy enough to track down the source of the re-infection,” Libby told me; “A copy of the worm was moved to one of the smart sensors attached to the safety system, in this case a Robotron DSensor.”


When the new PLC made initial contact with the infected sensor, the worm reinstalled the malware on the PLC, restarting the whole process.


Immanuel C. Securitage, spokesperson for ECS-CERT, said that the malware seen in this attack was much more sophisticated than the GUMMI BAREN ransomware that was seen in earlier attacks on Robotron PLCs. “Two years allows for a lot of malware advancement,” IC Securitage told this reporter; “We also suspect that there may be a State actor involved, which also allows for an entirely different level of sophistication.”


The Federal Bureau of Inquiry is reportedly investigating if this incident is the work of the NoReturn group that has been causing problems at a number of chemical companies in the United States. Johnathan Quest refused to comment on that portion of the ongoing investigation, saying: “We are continuing to work with the facility owner, ECS-CERT and Dragonfire on the incident investigation. We currently have no suspects, but we are talking with persons of interest at the GHB Air facility in Shreveport about the Robotron USB delivery.”


CAUTIONARY NOTE: This is a future news story –