The VaxSurge ransomware reported Sunday included a previously undetected worm that attacked health department freezers holding COVID-19 vaccines. “We underestimated the sophistication of the VaxSurge ransomware,” General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning. “When we saw how easy it was to stop the spread of the data encryption process, we assumed that the attacker was not using a sophisticated ransomware program. We were wrong.”
The CI-SOC researchers discovered the worm (unofficially being called the FreezerWorm, according to technicians I have talked to) after the Delano, GA Health Department reported discrepancies in their temperature monitoring processes.
A researcher from Dragonfire Cyber, speaking on background, told reporters that the Delano facility was using old-style circular chart recorders in addition to the digital temperature reporting system provided by the freezer manufacturer. They did this in response to last November’s attack on Mengele Pharma. The chart recorder showed a significant temperature rise not reflected by the digital system. The company immediately informed the Dragonfire team that was on-site for the VaxSurge investigation.
Lilian Wald, the Director for the Delano Public Health Department, told reporters at the CI-SOC news conference that temperatures never got above the safe storage temperature limit for the vaccines. “Thanks to the prompt action of the Dragonfire team, the vaccines are still safe to use,” Wald told reporters.
The Chief Technical Officer for Dragonfire Cyber, Dade Murphy, explained to reporters at the press conference that the worm associated with the VaxSurge attack exploited a new vulnerability in the Robotron data historian that effectively bypasses the digital data diode used in that system. “We have communicated the vulnerability to Robotron and they are working on mitigation measures,” Murphy explained.
CI-SOC has a software tool that reverses the attack on the Robotron freezer control system. “Any organization that has received the VaxSurge email should immediately contact CI-SOC for assistance,” Turgidson explained at the end of the VaxSurge presentation.
Mary Cavart, spokesperson for the Department of Health and Medical Services, confirmed today by video feed that the Department had shut down the email account that had been used to spread the VaxSurge ransomware.
The Federal Bureau of Inquiry is investigating the attack on that email server. “As far as we can tell, that account was established at least eight months ago,” Johnathan Quest, FBI spokesperson, said. “It does appear that it may have been associated with the SolarWinds-based attack last year.”
The FBI reports that they have now received notifications from over 150 health departments about receiving the VaxSurge email. Because of the news reporting Sunday, most of those reporting did not open the email on Monday when it was first seen in their inboxes. “Most of the reporting health departments are located in the Southeastern United States,” Quest reported.