Tuesday, December 28, 2021

Airport Ransomware Slows Christmas Returns

Fred P. Ayres, Operations Manager for the Porter Alexander Airport, confirmed today that yesterday's flight delays at the Delano, GA airport were caused by a ransomware attack on the carry-on baggage screening equipment in use at the passenger screening checkpoints. He was not able to tell reporters this morning whether a ransom had been paid.

Bessie Coleman, spokesperson for the Airline Transportation Security Agency (ATSA), confirmed that there had been screening delays at Alexander. “We had to go to 100% manual baggage screening of carry-on baggage at that airport,” Coleman told reporters; “For security reasons, I cannot discuss what prompted that requirement.”

“We had flight delays of up to two hours to allow for passengers to complete the screening protocols,” Ayres told reporters.

Frank Whittle, whose son was scheduled to fly back to Ft. Carson, CO, after Christmas leave, reported that his son missed his connecting flight in Atlanta. “He ended up spending twelve hours in the Atlanta airport and ended up getting back to his unit three hours late,” Whittle explained; “I hope he does not get in trouble with the Army over the delay.”

The National Critical Infrastructure Security Operations Center (CI-SOC) has been working with the airport and the ATSA on the investigation of the cyberattack. Turgidson told reporters this morning that it is unusual to see a ransomware attack on federal government operations. “Everyone knows that the official policy of the government is to not pay ransoms,” Turgidson explained; “So there is little incentive for a ransomware attack.”

There are rumors circulating that this was not a typical ransomware attack and that no files were encrypted. A security employee of the airport, not associated with ATSA, told me that the screening devices were producing false weapon returns. Three passengers were apparently pulled aside for additional screening before the ransomware message showed up on the system.

CAUTIONARY NOTE: This is a future news story –

Friday, December 3, 2021

Polymer Hack Via Drive-by Malware

The Federal Bureau of Inquiry confirmed today that the attack earlier this week on the Blew Bayou polymer facility used a new version of the SolarFlare malware that was originally delivered as part of the 2019 Sunburst campaign. “There have been substantial modifications to the malware,” Johnathan Quest, FBI spokesperson, told reporters this morning; “Enough changes in language and syntax that we are not sure if this was produced by the original team or a completely different attacker.”

Kate Libby, a researcher at Dragonfire Cyber who has been working with the FBI on the Blew Bayou investigation, told reporters that the malware was introduced into the polymer control system via a sophisticated phishing attack. “A personal email to the process control engineer directed her to go to the Robotron web site to see a new product introduction,” Libby explained; “The engineer did not click the link in the email but used an existing link from her system to get to the Robotron web site. While on the site she clicked on one of those ubiquitous check boxes accepting site cookies. That action downloaded the malware.”

Erich Mielke, spokesperson for Robotron, confirmed that the company’s web site had been hacked to set up the drive-by download. “We use a web privacy compliance company, Datenshutz, to handle all of our website regulatory compliance activities,” Mielke explained; “They were responsible for the cookies notification application on our site. We have been assured that they have corrected the problem.”

Helga Brache, spokesperson for Datenshutz, confirmed that the company was responsible for the application on the Robotron site. “We are currently investigating how the malware download was inserted into our application. We do not believe that any other sites have been affected at this time.”

Libby urged anyone who had visited the Robotron site over the last six months to have their systems checked for the presence of the SolarFlare malware. “The indicators of compromise that were published by CI-SOC for the original malware still apply to the new version,” Libby explained to reporters.

Quest told reporters that the FBI investigation was still progressing. “We are continuing to follow leads and hope to identify the perpetrators of this attack in the coming days,” he explained; “If you have any indications that your systems have been compromised via the Robotron web site, please contact your local FBI office.”

CAUTIONARY NOTE: This is a future news story –

Thursday, December 2, 2021

Water Treatment Chemical Manufacturer Declares Force Majeure

The Blew Bayou Chemical Company in Louisiana announced yesterday evening that its production capacity for polyacrylamide emulsion polymers had been cut in half by a suspected cyberattack on its facility. The Blew Bayou facility is one of only two domestic facilities currently producing these polymers for the municipal water treatment market. The loss of production at the facility could begin affecting drinking water and wastewater treatment facilities across the United States within the next two weeks.

The chemical reaction vessel was damaged when the mixing system was interrupted in the early stages of a polymerization process. The lack of agitation prevented adequate cooling and the exothermic reaction ran out of control. Safety systems stopped a catastrophic overpressure situation from occurring, but the vessel and many of its attached lines were damaged in the incident. Engineers are currently assessing how much damage actually occurred and what repairs will be necessary to return the facility to operation.

An older sister plant in Mississippi was taken out of operation early in the pandemic because of efficiency issues and limited monomer availability. Blew Bayou is reportedly considering reopening that plant.

Blew Bayou CEO Issac B Kaghun told reporters this morning that the agitator stoppage was apparently caused by a cyberattack. “Our engineers have log data showing that the agitator motor was turned off remotely, even while the control room computers were showing continued agitation,” Kaghun said.

The Federal Bureau of Inquiry has confirmed that it is investigating a potential cyberattack at the facility. “We have a cyber investigation team at the site,” Johnathan Quest, FBI spokesperson, said at a news conference this morning.

CAUTIONARY NOTE: This is a future news story –