Sunday, June 27, 2021

Summer School Closed by Cyber Attack

Roosevelt High School in Delano, GA has announced that summer school classes will not be held this coming week because of problems with the building control systems. Linda Schrenko, Principal at the school, confirmed that the school has not been able to fix the problems that caused students to be sent home early on Friday. Students were sent home when the air conditioning systems stopped working Friday morning and the classroom temperatures quickly became unbearable.

“We used to hold classes without air conditioning all the time,” a teacher who did not want to be identified told this reporter. “But when the AC was installed and then people started getting worried about school shootings, the windows were redesigned so that they could not open. Without the AC there is just no circulation in those classrooms.”

Schrenko said the school was not hit by a ransomware attack. “We are having problems with the air conditioning,” she explained today in a phone interview. “These things happen with those systems; we will get them fixed and the students will be able to come back into the classrooms.”

A team from Dragonfire Cyber was seen at the school yesterday and an agent from the Federal Bureau of Inquiry was on site for about an hour last night. Johnathan Quest, a spokesperson for the FBI, confirmed that the agency was investigating a cyberattack at the school. “This is part of an ongoing investigation that is looking at a series of attacks on building control systems at an increasing number of schools across the country,” Quest said.

A technician from Dragonfire, who was not authorized to talk to the press, told me that the problem is broader than just the air conditioning system. “The complete building control system software has been wiped out,” she said.

The school uses the BauSystem building control system from Robotron. It controls the HVAC system, the access control system, and the fire alarm system within the buildings at the High School. A quick search of the name on Google® shows that there is a hard-coded account in the system that provides remote access to the system and the password for that account has been circulating on social media for a couple of weeks now.

“Looking at the social media surrounding the systems,” the technician told me, “it is apparent that students are probably responsible for most of the attacks on school systems over the last couple of weeks. There have always been kids who did not want to go to summer school but were required to do so for various reasons. Shutting schools down has to be attractive to those students.”

Erich Mielke, spokesperson for Robotron, confirmed that the company was working with the FBI and local authorities on fixing the school control system problems. “We expect to have an update available to correct this vulnerability in a couple of weeks,” Mielke said.

General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed that his organization was working with social media organizations to try to take down the instructions for wiping out the building control systems. “We are seeing the information being shared as posts on blogs and personal pages, pictures on photo sharing sites and, of course, how-to videos, and that is not even looking at the Dark Web,” Turgidson explained. “If Robotron does not get a fix in place before the schools reopen in the fall, this is going to create chaos across the country.”

CAUTIONARY NOTE: This is a future news story –

Monday, June 21, 2021

Robotron Ransomware Hits ICS Phones

Robotron announced today that the latest ransomware attack on their corporate networks has apparently spread to its Betriebstelefon product. Erich Mielke, CTO of Robotron, told reporters this morning that they have received numerous reports from customers that their phones began showing ransomware messages at midnight GMT. “We are negotiating with the attackers to get our systems, and our customers’ phones, released,” Mielke announced. “It appears to be the same organization that was behind the BlockKopieren attack on Robotron earlier this year.”

Kate Libby, Senior Researcher with Dragonfire Cyber, explained that the Robotron Betriebstelefon was introduced two years ago to provide cellphone service in chemical facilities and other production areas where there was a need for intrinsically safe devices. “The Robotron phone is rated for service in Class 1, Div 1 areas where a spark could ignite flammable atmospheres. They added industrial services to the phone that allowed secure communications with Rockwell control systems.”

Robotron’s web site explains that owners of their industrial phones can receive control system alarms and access data from the company’s data historian. The phones are keyed to specific installations to allow for encrypted communications.

That earlier attack cost Robotron €6 million in ransom and caused a 30% drop in share price. The company’s stock price had just about returned to the pre-attack price last Friday before trading was stopped at 4:00 GMT when Robotron announced the most recent attack.

General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning that they have received notifications from a number of their covered facilities about the problems with the Robotron phones. “The data diodes used in the phone system ensure that problems in the phones cannot be transmitted into the supported control systems,” Turgidson explained. “But facilities with the phones have expressed their concerns about the problems with the phones to both the CI-SOC and Robotron.”

Dade Murphy, CTO of Dragonfire Cyber, confirmed that his organization had teams at each of the facilities affected by the phone attacks. “While we have no indications that the attacks have spread to the facility control systems, we are taking extra precautions,” Murphy explained. Dragonfire has previously vetted the phone system for use in secure facilities.

An unnamed security researcher at Robotron has been quoted as saying that the recent ransomware attack was apparently set up in the earlier attack. The company has found indications the previous attack placed a backdoor into the corporate system. The attacker was present in the systems for a much shorter time period during this attack, indicating that the previous reconnaissance data was used in the latest ransomware attack.

CAUTIONARY NOTE: This is a future news story –

Saturday, June 19, 2021

Autobody Shop Owner Charged with 147 Counts of Reckless Endangerment

Yesterday Tommy Smitherman, owner of Smitherman’s Autobody, was arraigned on 147 counts of reckless endangerment for hacking customer automobiles and reducing the effectiveness of their non-skid braking systems. The District Attorney’s Office claims that Smitherman hit upon a scheme to increase repeat business at his repair shop by increasing the time between reapplication of braking pressure on the non-skid braking systems of his customers’ automobiles.

Delano Police Chief S. James Butts told reporters that the investigation leading to Smitherman’s arrest was initiated last year when there was a sudden surge in police vehicles involved in rear-end accidents. “Our payments for fixing front-ends on our police cruisers tripled in a six-month period and our insurance costs skyrocketed,” Butts explained.

After the Department’s accident investigation team determined that most of the vehicles involved in rear-end collisions were taking longer than normal to stop, an outside investigation team from the Automotive Safety and Security Council (ASSC) was brought in to look at the vehicles. “Our cyber-forensics team determined that the braking system programming on all of the vehicles had been tampered with,” Ed Cole, ASSC spokesman, told reporters. “This is not the first time that we have seen this particular hack.”

Once the Delano Police Department knew what to look for, they checked each of the cars in the Department’s and the City’s fleet. “We found twenty cars with the modified braking system and all of them had been to Smitherman’s Body Shop in the last two years,” Chief Butts explained. The Department got a warrant to search Smitherman’s shop and home, and investigators found the OBD2 dongle that was used to reprogram the vehicles.

Cole told reporters that the ASSC was working with the Federal Bureau of Inquiry to try to track down the people who are selling the ‘Braking Bad Dongle’ that Smitherman used. “Smitherman does not have the technical knowledge necessary to write the programming necessary to modify the braking systems,” Cole explained. “He bought it from somebody, probably on the Dark Web. We want to find the distributor and shut them down.”

Johnathan Quest, spokesperson for the FBI, confirmed that the agency was working on the investigation. “We have talked to Smitherman, and he is not willing to discuss where he got the dongle from or even acknowledge what the dongle was used for,” Quest told reporters during a video link. “Right now we do not have a federal crime that we could charge Smitherman with to provide additional pressure to make him cooperate in our ongoing investigation.”

When asked why all of the charges against Smitherman were ‘reckless endangerment’, Butts explained that all of the accidents caused by this cyberattack were minor, with no serious personal injuries. “Currently, there were no other charges that could be brought against Tommy,” Butts said. “There are, however, a number of civil suits against Smitherman that will be filed next week, including one from our Department.”

Cole told reporters that there is discussion in the industry with car companies trying to get Smitherman and similar body shop owners using the Braking Bad Dongle charged with copyright infringement.

CAUTIONARY NOTE: This is a future news story –

Tuesday, June 8, 2021

Capitol Attack Spread from Control Systems to IT Network

Last night the number of investigators working on the Capitol Hill cyberattack jumped drastically as computer systems in congressional offices began displaying ransomware notices. Investigators from the Federal Bureau of Inquiry and the National Critical Infrastructure Security Operations Center (CI-SOC) were joined by private security personnel hired by House and Senate chiefs of staff trying to get their systems back online.

Gen. Buck Turgidson, Director of the CI-SOC, told reporters this morning that investigators from Dragonfire Cyber working for his agency had confirmed that the ransomware infection had moved from the building services computer systems, through administrative networks in the Capitol, to individual computers in congressional offices. “This is the first time that we have seen a major cyber attack move from OT networks to IT networks,” Turgidson told reporters.

Unconfirmed reports from personnel close to the investigation seem to indicate that the initial attack on the building control systems was initiated through a Bluetooth connection in the building access control system. A technician from Dragonfire Cyber, who is not authorized to talk to the press, told me that a Bluetooth connection between metal scanning wands used by Capitol Police and the security control station at the Cannon House Office Building has been identified as the route of entry into the building services network.

Early yesterday afternoon, William Thornton, Capitol Building Services Manager, had announced that power had been restored to the Capitol Building and each of the six congressional office buildings. While HVAC systems and building security systems were still off-line, the decision was made at 6:00 pm to allow staffers back into their offices so that they could prepare for the emergency joint session of Congress scheduled for this afternoon. At about 8:00 pm, reports started coming in about ransomware demands on office computer systems.

While each of the congressional office computer systems is linked to the Capitol IT network, investigators quickly determined that the as yet unidentified attackers are treating each congressional office as a separate target, demanding 1 Bitcoin (about $36,000) for the decryption code for each office.

Turgidson reported to the Congressional Leadership last night that the CI-SOC did not have enough people available to respond to each office in a timely manner. The decision was made to have Dragonfire Cyber teams look at the offices of the top two leaders of the House and Senate, and to allow each of the remaining offices to address the issues with private contractors if they so desired. “We will review each congressional office’s computers before we close out the investigation,” Turgidson promised Congressional leaders.

The House and Senate are scheduled to meet in a rare joint legislative session at 4:00 pm EDT today. They are scheduled for a limited debate and subsequent vote on HR 10, the Respond, Evaluate, and Counter Terrorism (REACT) Act. Details of the bill are still being ironed out, but sources say the bill will authorize and require the CIA, NSA and Cyber Command to provide intelligence assistance and material support to the investigation by CI-SOC and the FBI into the cyber attack on the US Capitol. Apparently still being debated by the Congressional leadership is the extent of the military response that will be authorized against the perpetrators of the attack. Rumors have it that there are loud calls for expanded response authority after the attack spread to congressional office systems.

The White House has announced that the President will sign HR 10 when it reaches his desk.

CAUTIONARY NOTE: This is a future news story –

Monday, June 7, 2021

More Problems with the Capitol Cyber Attack

A brief press release from the office of the Capitol Buildings Services Manager reported early this morning that while the servers and system control computers had been decrypted overnight, attempts at restarting the various systems had failed because the system components that operated the various building systems had been wiped of all programming during the attack. Lights, power, ventilation and security control systems were all affected.

Yesterday, at about 9:30 am EDT, the building control system computers for the Capitol Building and six Congressional Office Buildings were shut down by a ransomware attack. A previously unidentified group, DL76, signed the ransom screen demanding a 10 bitcoin ($370,000) ransom to unlock the system. A joint statement by the leaders of both parties of both the House and Senate yesterday afternoon firmly stated that no ransom would be paid.

Late last night the National Critical Infrastructure Security Operations Center (CI-SOC) announced that an incident response team from that organization was working with the CBSM to restore the servers and control system computers from the most recent backups. Unofficial word came out at 2:00 am this morning that the restoration process was completed and that a system restart was imminent.

This morning’s press release stated that the Senate session and all Congressional hearings scheduled for today were canceled until further notice. All attempts to contact congressional leadership were met with a uniform ‘no comment at this time’ response. A joint press conference is scheduled for 9:00 am at the White House.

A technical expert working with Dragonfire Cyber on the restoration process told me this morning that they had discovered that the attackers used the same version of the “SMASHINGCOCONUT” wiper program that was used in the recent attack on NACL Industries. “While an ecoterrorist group was responsible for that attack,” the expert told me under condition of anonymity, as they were not authorized to talk to the press, “there is no indication that the current attack on the Capitol was conducted by that group. The wiper program is available for rent on the dark web.”

When I asked this expert why backups were not being used to restore the components that were affected by the wiper program, she told me that while backups were available for the operational programming for most of the devices, the operating software was not locally backed up. Various vendors were being contacted for copies of the appropriate software and firmware. Restoration of all of the affected devices could take a couple of days.

CAUTIONARY NOTE: This is a future news story –

Sunday, June 6, 2021

Capitol Ransomware Attack Shuts Down Congress

The Capitol Building was evacuated today when a ransomware attack shut down all building services, including air conditioning and power. According to William Thornton, the Capitol Building Services Manager, the attack on the computer systems used to control all of the building services started at 9:30 am this morning. “Since Congress was not in session today,” Thornton told reporters, “there were very few people in the Capitol Building or the six congressional office buildings affected by the attack. We have not yet been able to confirm that all personnel have left all seven buildings because our access control logs were also affected by the attack.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the FBI was investigating the incident. “It is way too early in the incident to be able to provide any details about our investigation,” Quest told reporters. “We do have agents on the scene and a cyber forensics team is en route.”

When asked about the apparent ransom demand, Quest told reporters that the United States does not pay ransoms to criminals or terrorists. That statement prompted immediate questions about whether this was a terrorist attack. Quest immediately responded: “We have no information about who the attackers are at this point in our investigation, but there are no indications that this is a terrorist attack.”

A technical expert with Dragonfire Cyber, a company that works closely with the National Critical Infrastructure Security Operations Center (CI-SOC), told me that the attack on the Capitol control systems did not start today. “To accomplish a shutdown of this magnitude, an attacker would have to have been in the computer system for at least a couple of weeks,” she said.

Capitol Police are out in force at all seven buildings and the Washington, D.C. police department has a tactical command trailer parked near the Capitol.

The President and Vice President have both been informed about the incident. The Vice President’s office had no comment when asked if the Senate will meet tomorrow as scheduled. The House is not scheduled to meet in Washington this week.

CAUTIONARY NOTE: This is a future news story –