Friday, February 24, 2023

Innovative Ammo Manufacturer Shut Down by Ransomware Attack

Bermite Ammo Mfg announced today that it would miss delivery of the next batch of its new carbon-composite 155mm artillery shells to the US Army because of a ransomware attack on its facility in Saugus, CA. “We have experienced a ransomware attack on the IT systems at our Saugus facility, so we have shut down all of our cyber systems pending resolution of the problem,” Patrick Lizza, corporate spokesperson, told reporters; “Our production control systems were not directly affected by the ransomware, but we are doing detailed checks of those systems out of an abundance of caution.”

The Army Ammunition Command reports that they are aware of the shutdown and have coordinated with Cyber Command for assistance in investigating the problem. LTC Henry Knox, from AAC, told reporters at a press conference in St Louis, MO: “We are concerned about any delay in the manufacture at BAM since their new carbon composite 155mm artillery shells allow us to free up additional ammunition for shipment to Ukraine as the Army replaces their conventional shells with the lighter, more powerful BAM shells.”

Bermite had met all Army cybersecurity requirements for primary manufacturers, so Cyber Command is concerned that this may represent a more effective ransomware attack. Cyber Command has employed investigators from Dragonfire Cyber to look specifically at the industrial control systems on the site to see if they were impacted. “Dragonfire has specific experience in incident response in the type of equipment utilized at BAM,” Knox told reporters; “Cyber Command will look at the ransomware issue, and Dragonfire will clear the control systems.”

A technician with Dragonfire who is not authorized to talk to the press about the investigation told me that there were some indications of unusual activity between corporate IT systems and the control systems at the facility. “Investigators are still looking to see if any changes had been made in device programming or security settings,” she said.

CAUTIONARY NOTE: This is a future news story –

Thursday, February 9, 2023

‘We’re Back’ Ransomware Targets Chemical Facilities

The National Critical Infrastructure Security Operations Center (CI-SOC) reported today that it was seeing an increasing number of chemical facilities being affected by ‘We’re Back’ ransomware attacks. “This ransomware is specifically designed to disrupt chemical manufacturing operations,” Gen Buck Turgidson told reporters; “Instead of shutting down equipment, it typically closes valves at non-critical points in the process and sends a ‘We’re Back’ message to the HMI controlling that valve.”

The Federal Bureau of Inquiry is investigating these attacks. “We have only been notified of three attacks, so far,” Johnathan Quest, FBI spokesperson, said; “We know from anecdotal reports that many more facilities have been affected.” The FBI is requesting that any facilities that have been affected by this ransomware contact their local FBI office.

Turgidson confirmed that they have been notified of more than three attacks. “We have had some facilities share information with us on the condition that we specifically do not report the information to law enforcement,” Turgidson explained. CI-SOC does not report the incident to the FBI in those cases, but they do share technical information about the attack.

Kate Libby, a Technical Director for Dragonfire Cyber, which is working with the CI-SOC on this investigation, told reporters that they have not yet been able to track down how the ransomware has made its way into the systems. “The previously unidentified attackers have apparently been in these systems for some time and have erased their tracks well,” Libby explained. Dragonfire has been able to locate the ransomware in the systems; it resides in programmable logic controllers (PLCs). “We have found multiple copies of the malware in each facility,” she reported; “We are concerned that this may mean that the attackers may be prepared to re-demand ransom in the future.”

“We have not yet been able to identify the group behind the attacks; they are very sophisticated in their security measures,” Turgidson told reporters; “We do believe that they are operating out of Venezuela.”

According to the FBI, efforts to track the bitcoins have been unsuccessful. “The WB Group, as we are currently calling them, transfers funds out of their initial wallets almost immediately and closes wallets or abandons wallets once used,” Quest said; “We need to be able to track transactions in real time if we are to have any hope of shutting these folks down. This is why we need to be informed immediately about any attack.”

CAUTIONARY NOTE: This is a future news story –

Thursday, February 2, 2023

Multiple Ransomware Attacks on Artillery Contractors

The Defense Armaments Agency announced today that production of 155mm artillery shells at Blackshear Arsenal in Georgia has been halted for two weeks due to multiple ransomware attacks on subcontractors supplying parts for the high-tech munitions that are being consumed in high numbers in Ukraine. “We are unable to obtain component parts for the fuses and attitude control systems because various manufacturers have had production interruptions due to cyberattacks on manufacturing facilities,” Samuel C Robinson, spokesperson for the Agency, told reporters this morning.

The Federal Bureau of Inquiry is the lead agency in the investigation because the facilities are not directly contracted by the Department of Defense. According to Johnathan Quest, FBI spokesperson, the companies involved provide parts to component manufacturers that supply the Blackshear Arsenal. “In most cases, the initial set of attacks were being investigated by State and local authorities as routine ransomware attacks,” Quest explained.

According to General Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), which is supporting the investigation, it was not until Blackshear reported supply interruptions from multiple contractors that national-level interest was focused on the investigation. “For the most part, these are small businesses using highly automated manufacturing systems to provide small volume, high-tech components for these ammunition components,” Turgidson explained.

“It looked like these were simply ransomware attacks on random organizations when we first started receiving reports from our suppliers,” Blackshear spokesperson George Forno told reporters; “When we started receiving reports of damaged control systems after ransoms were paid, it became apparent that this was something more organized.”

“We are still not convinced that this is a centrally directed effort,” Quest responded. The FBI has isolated four different ransomware programs associated with known criminal groups from Russia, North Korea, Iran and Nigeria.

CI-SOC has determined that there have been some indicators that some unknown actor is providing corporate access data to known ransomware groups. “While most of these small businesses do not have significant cyber defenses due to a lack of cybersecurity personnel, at least two of the facilities have been supported by the CI-SOC,” Turgidson explained; “Access to those systems took a level of sophistication not normally associated with criminal organizations.”

A technician at CI-SOC who is not authorized to talk to the press has told me that a number of cybersecurity and industrial control system companies are working closely with CI-SOC, the FBI and the affected facilities in a coordinated effort to get them back online. Turgidson confirmed that this is an all-hands effort. “We cannot afford to allow production at Blackshear to remain idle while our allies in Ukraine are preparing for an expected Russian offensive. They need these 155mm shells.”

CAUTIONARY NOTE: This is a future news story –