The National Critical Infrastructure Security Operations
Center (CI-SOC) reported today that it was seeing an increasing number of
chemical facilities being affected by ‘We’re Back’ ransomware attacks. “This
ransomware is specifically designed to disrupt chemical manufacturing
operations,” Gen Buck Turgidson told reporters; “Instead of shutting down
equipment, it typically closes valves at non-critical points in the process and
sends a ‘We’re Back’ message to the HMI controlling that valve.”
The Federal Bureau of Inquiry is investigating these attacks. “We have only been notified of three attacks, so far,” Johnathan Quest, FBI spokesperson, said, “We know from anecdotal reports that many more facilities have been affected.” The FBI is requesting that any facilities that have been affected by this ransomware contact their local FBI office.
Turgidson confirmed that they have been notified of more than three attacks. “We have had some facilities share information with us on the condition that we specifically do not report the information to law enforcement,” Turgidson explained. CI-SOC does not report the incident to the FBI in those cases, but they do share technical information about the attack.
Kate Libby, a Technical Director for Dragonfire Cyber which is working with the CI-SOC on this investigation, told reporters that they have not yet been able to track down how the ransomware has made its way into the systems. “The previously unidentified attackers have apparently been in these systems for some time and have erased their tracks well,” Libby explained. Dragonfire has been able to locate the ransomware in the systems, it resides in programmable logic controllers (PLC’s). “We have found multiple copies of the malware in each facility,” she reported; “We are concerned that this may mean that the attackers may be prepared to re-demand ransom in the future.”
“We have not yet been able to identify the group behind the attacks, they are very sophisticated in their security measures,” Turgidson told reporters, “We do believe that they are operating out of Venezuela.”
According to the FBI, efforts to track the bit coins have been unsuccessful, “The WB Group, as we are currently calling them, transfers funds out of their initial wallets almost immediately and closes wallets or abandons wallets once used,” Quest said; “We need to be able to track transactions in real time if we are to have any hope of shutting these folks down. This is why we need to be informed immediately about any attack.”
CAUTIONARY NOTE:
This is a future news story –
No comments:
Post a Comment