Wednesday, March 1, 2023

Rare Earth Recovery Company Victim of Ransomware Attack

Today, Rare Earth Recovery (RER – NASDAQ) announced that it was declaring force majeure on deliveries because of serial ransomware attacks. “During the last three weeks we have experienced ransomware attacks on our commercial sales system, our HR and email systems, and most recently on the control systems for our Materials Recovery unit;” RER spokesperson Carl A. Arrhenius told reporters; “In each case, we were able to recover systems without paying ransoms, but the cumulative effects have seriously interfered with our production and shipping operations.”

Investigators from the National Critical Infrastructure Security Operations Center (CI-SOC) are working with RER to ensure that their systems are free from infection and prepared to move forward without additional attacks. “Our people have found indications that earlier attacks left backdoors in the corporate system that have allowed the attacker to regain access to the system,” said General Buck Turgidson, CI-SOC Director; “These appear to be sophisticated attackers.”

The Federal Bureau of Inquiry is also investigating these attacks. “RER recovered materials are being used in critical defense systems, and so for national security reasons, the FBI is taking responsibility for the criminal investigation,” Johnathan Quest told reporters. There are rumors that this attack is related to the attacks reported last week at Bermite Ammo. “BAM is a customer of ours,” Arrhenius told reporters, “We do not have any cyber linkage beyond the occasional email.”

BAM is one of the companies that will have delayed deliveries from RER. Patrick Lizza, BAM spokesperson, noted that the rare earth metals provided by RER are used in-house to manufacture proprietary components for its fuses. “We can still manufacture and fill the shell casings, but without the fuses, we are unable to ship to the Army,” Lizza said.

Kate Libby, a technical response manager with Dragonfire Cyber, which is working with CI-SOC on this investigation, told reporters this morning that it was unusual for an attacker to take three separate shots at getting ransom from a target. “They have not acted like a normal money-driven ransomware attacker. They have not made any other data extortion efforts to get money out of the company,” she told reporters. Turgidson added that there appeared to be another motive in these attacks, but refused to talk about what that motive might be.

RER is a biotechnology company that extracts minerals and rare earth metals from coal power plant ash using bioengineered bacteria and produces geo-bricks from the remaining ash.

CAUTIONARY NOTE: This is a future news story –

Friday, February 24, 2023

Innovative Ammo Manufacturer Shut Down by Ransomware Attacks

Bermite Ammo Mfg announced today that it would miss delivery of the next batch of its new carbon-composite 155mm artillery shells to the US Army because of a ransomware attack on its facility in Saugus, CA. “We have experienced a ransomware attack on the IT systems at our Saugus facility, so we have shut down all of our cyber systems pending resolution of the problem,” Patrick Lizza, corporate spokesperson, told reporters; “Our production control systems were not directly affected by the ransomware, but we are doing detailed checks of those systems out of an abundance of caution.”

The Army Ammunition Command reports that they are aware of the shutdown and have coordinated with Cyber Command for assistance in investigating the problem. LTC Henry Knox, from AAC, told reporters at a press conference in St Louis, MO: “We are concerned about any delay in the manufacture at BAM since their new carbon composite 155mm artillery shells allow us to free up additional ammunition for shipment to Ukraine as the Army replaces their conventional shells with the lighter, more powerful BAM shells.”

Bermite had met all Army cybersecurity requirements for primary manufacturers, so Cyber Command is concerned that this may represent a more effective ransomware attack. Cyber Command has employed investigators from Dragonfire Cyber to look specifically at the industrial control systems on the site to see if they were impacted. “Dragonfire has specific experience in incident response on the type of equipment utilized at BAM,” Knox told reporters; “Cyber Command will look at the ransomware issue, and Dragonfire will clear the control systems.”

A technician with Dragonfire who is not authorized to talk to the press about the investigation told me that there were some indications of unusual activity between corporate IT systems and the control systems at the facility. “Investigators are still looking to see if any changes had been made in device programming or security settings,” she said.

CAUTIONARY NOTE: This is a future news story –

Thursday, February 9, 2023

‘We’re Back’ Ransomware Targets Chemical Facilities

The National Critical Infrastructure Security Operations Center (CI-SOC) reported today that it was seeing an increasing number of chemical facilities being affected by ‘We’re Back’ ransomware attacks. “This ransomware is specifically designed to disrupt chemical manufacturing operations,” Gen Buck Turgidson told reporters; “Instead of shutting down equipment, it typically closes valves at non-critical points in the process and sends a ‘We’re Back’ message to the HMI controlling that valve.”

The Federal Bureau of Inquiry is investigating these attacks. “We have only been notified of three attacks, so far,” Johnathan Quest, FBI spokesperson, said, “We know from anecdotal reports that many more facilities have been affected.” The FBI is requesting that any facilities that have been affected by this ransomware contact their local FBI office.

Turgidson confirmed that they have been notified of more than three attacks. “We have had some facilities share information with us on the condition that we specifically do not report the information to law enforcement,” Turgidson explained. CI-SOC does not report the incident to the FBI in those cases, but they do share technical information about the attack.

Kate Libby, a Technical Director for Dragonfire Cyber, which is working with the CI-SOC on this investigation, told reporters that they have not yet been able to track down how the ransomware has made its way into the systems. “The previously unidentified attackers have apparently been in these systems for some time and have erased their tracks well,” Libby explained. Dragonfire has been able to locate the ransomware in the systems; it resides in programmable logic controllers (PLCs). “We have found multiple copies of the malware in each facility,” she reported; “We are concerned that this may mean that the attackers may be prepared to re-demand ransom in the future.”

“We have not yet been able to identify the group behind the attacks; they are very sophisticated in their security measures,” Turgidson told reporters, “We do believe that they are operating out of Venezuela.”

According to the FBI, efforts to track the bitcoins have been unsuccessful. “The WB Group, as we are currently calling them, transfers funds out of their initial wallets almost immediately and closes wallets or abandons wallets once used,” Quest said; “We need to be able to track transactions in real time if we are to have any hope of shutting these folks down. This is why we need to be informed immediately about any attack.”

CAUTIONARY NOTE: This is a future news story –

Thursday, February 2, 2023

Multiple Ransomware Attacks on Artillery Contractors

The Defense Armaments Agency announced today that production of 155mm artillery shells at Blackshear Arsenal in Georgia has been halted for two weeks due to multiple ransomware attacks on subcontractors supplying parts for the high-tech munitions that are being consumed in high numbers in Ukraine. “We are unable to obtain component parts for the fuses and attitude control systems because various manufacturers have had production interruptions due to cyberattacks on manufacturing facilities,” Samuel C Robinson, spokesperson for the Agency, told reporters this morning.

The Federal Bureau of Inquiry is the lead agency in the investigation because the facilities are not directly contracted by the Department of Defense. According to Johnathan Quest, FBI spokesperson, the companies involved provide parts to component manufacturers that supply the Blackshear Arsenal. “In most cases, the initial set of attacks were being investigated by State and local authorities as routine ransomware attacks,” Quest explained.

According to General Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), which is supporting the investigation, it was not until Blackshear reported supply interruptions from multiple contractors that national-level interest was focused on the investigation. “For the most part, these are small businesses using highly-automated manufacturing systems to provide small volume, high-tech components for these ammunition components,” Turgidson explained.

“It looked like these were simply ransomware attacks on random organizations when we first started receiving reports from our suppliers,” Blackshear spokesperson George Forno told reporters; “When we started receiving reports of damaged control systems after ransoms were paid, it became apparent that this was something more organized.”

“We are still not convinced that this is a centrally directed effort,” Quest responded. The FBI has isolated four different ransomware programs associated with known criminal groups from Russia, North Korea, Iran and Nigeria.

CI-SOC has determined that there are indicators that some unknown actor is providing corporate access data to known ransomware groups. “While most of these small businesses do not have significant cyber defenses due to a lack of cybersecurity personnel, at least two of the facilities have been supported by the CI-SOC,” Turgidson explained; “Access to those systems took a level of sophistication not normally associated with criminal organizations.”

A technician at CI-SOC who is not authorized to talk to the press has told me that a number of cybersecurity and industrial control system companies are working closely with CI-SOC, the FBI and the affected facilities in a coordinated effort to get them back online. Turgidson confirmed that this is an all-hands effort. “We cannot afford to allow production at Blackshear to remain idle while our allies in Ukraine are preparing for an expected Russian offensive. They need these 155mm shells.”

CAUTIONARY NOTE: This is a future news story –

Thursday, January 26, 2023

Liability for Known Vulnerabilities Bill Introduced

Rep Mark Sloan (R-CA) introduced the Liability for Known Vulnerabilities Act today. The bill would make manufacturers of computer-controlled equipment used in hospitals and schools financially liable for deaths and serious injuries that resulted from cyberattacks on those institutions using vulnerabilities that had been reported to the vendor more than six months before the attack. Sloan’s Los Angeles office says that the bill is a direct response to the attack on the Angels Memorial Hospital earlier this week that killed four people.

The four deaths in the hospital’s intensive care ward occurred when backup power systems failed to restore power to critical medical monitoring systems and medical devices during a power outage caused by local storms. The uninterruptible power supply (UPS) control system had been breached by an unidentified hacker using vulnerabilities in the SotoPower HMI. Those vulnerabilities had been publicly reported to SotoPower last June by Israeli researchers. SotoPower reported Tuesday that they were still working on fixes for the reported vulnerabilities.

Sloan told reporters that an independent review of the Israeli research confirmed that the three reported vulnerabilities, including a path traversal vulnerability and a hard-coded credential vulnerability, were relatively easy to fix. “Security researchers looking at this week’s attack reported that those vulnerabilities were used to gain access to the system at Angels Memorial,” the Congressman explained, “Those basic vulnerabilities should not take six months to correct.”

Sloan’s bill would establish a prima facie case for product liability in any case where a cyberattack at a school or hospital resulted in deaths or serious injuries and the attack was facilitated by vulnerabilities that had been identified more than six months earlier.

CAUTIONARY NOTE: This is a future news story –

Tuesday, January 24, 2023

Hospital Deaths Due to UPS Hack

The Angels Memorial Hospital in Los Angeles announced today that three deaths overnight in their intensive care ward were due to cyberattacks on the hospital’s backup power system. A local power outage led to the failure of critical medical devices when the hospital’s UPS systems failed to switch power to the battery backups designed to take over in the event of local grid failures. The hospital has not released the names of the victims.

The Federal Bureau of Inquiry is investigating the apparent cyberattack that stopped the UPS control system from activating the backup power system. “Potential suspects have not yet been identified,” Johnathan Quest, FBI spokesperson, told reporters this afternoon; “But we are in the very early stages of the investigation.”

SotoPower has been identified as the manufacturer of the uninterruptible power supply system used by Angels Memorial. Jake Hanley, company spokesperson, told reporters in a brief statement that the company was cooperating fully with investigators. “The security of our systems is a high priority for our company,” Hanley said.

In the early summer of 2022, the Israeli cybersecurity firm BuddaHack published a report outlining three vulnerabilities in the SotoPower HMI, the control system used in the medical facility power backup system. Last month the federal ECS-CERT published an advisory about the same vulnerabilities. “SotoPower did not respond to our coordination efforts about the vulnerabilities reported by BuddaHack,” Immanuel C Securitage told reporters this afternoon. “We have no indication that the vulnerabilities have been addressed.”

Hanley responded to questions about the reported vulnerabilities: “We are continuing to work on remediation efforts,” he said; “Our website includes instructions to protect systems from outside access.”

Ira Haaretz, a researcher with BuddaHack, told me that the vulnerabilities identified last summer could allow an attacker with access to the hospital network to reprogram the UPS control system. “These access control vulnerabilities provide a relatively low-skilled attacker with the ability to obtain administrative level access,” Haaretz said; “They do not require any significant programming capabilities beyond changing a publicly available URL.”

A wrongful death lawsuit was filed today in Los Angeles Superior Court on behalf of one of the families. Details were not available when this article was published.

CAUTIONARY NOTE: This is a future news story –