Tuesday, November 6, 2018

Dragonfire Outlines Bleichen Attack


Today Dade Murphy, a spokesman for Dragonfire, a control-system cybersecurity research firm, provided reporters with a broad outline for the cyber attack on Bleichen Chemical Company last week that resulted in ten deaths from chlorine exposure and other related injuries. Dragonfire has been working with ECS-CERT, the Chemical Safety Bureau and the Federal Bureau of Inquiry to examine the cyber-forensic data related to the attack.

Murphy noted that the attackers appear to have been in the corporate IT networks for as long as a year. A series of phishing emails was sent to a large number of company employees in October 2017, but it is not clear which employee (or employees) clicked on the malicious links in those emails that ultimately gave the attackers access to the networks. Those links pointed to IP addresses known to be associated with Stasi Ehemalige, a notorious German hacking collective.

Since the Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) have pretty conclusively claimed responsibility for the attack, this link to Stasi Ehemalige and other technical indicators would seem to mean that SFINCTER was receiving technical support from the German hackers, Murphy reported.

Dade explained that many of the network logs had been altered or destroyed, so it is not clear exactly what information was exfiltrated from the Bleichen networks during the lengthy period that they were pwned by the attackers. What is known is that the attackers did obtain complete copies of the technical data Bleichen submitted to the Work Environment Safety Administration (WESA) to obtain WESA approval of its electronic lockout-tagout (eLOTO) system for the chlorine storage tank. This data, along with the Wi-Fi 0-day vulnerability, enabled the attack last week.

Murphy described the operation of the eLOTO system used at the facility. There was a standalone human-machine interface (HMI) located at the base of the tank. The shift supervisor and the maintenance person working on the tank both logged into the HMI by scanning their badges and entering their passwords. They selected the general tank lockout from the screen. This closed the automated valves on the tank fill line, the tank discharge line and the transfer line to plant operations associated with the tank. It also shut off power to the pump used to move material from the tank to plant operations. A manual LOTO system would have required that those valves (manual valves in a classic LOTO situation) be closed by hand and that each of those employees apply a lock to the handles. The eLOTO also sent text messages to the plant manager, the maintenance manager, the plant safety officer, the shift supervisor and each of the operators on duty stating that the safety system (the pressure relief valve located between the tank discharge valve and the transfer-line valve) was off-line, as part of the facility's management of change process. That text message was sent via the Wi-Fi connection of the Robotron SicherheitsKontrolle.
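As an added illustration (not Dragonfire's, Bleichen's or Robotron's code), here is a minimal Python model of the two-person eLOTO interlock described above: a valve command is honoured only from the local HMI and only after every lock holder has released, and the text-message channel carries notifications outbound only. Badge ids and passwords are constructed sample values.

```python
from dataclasses import dataclass, field

VALVES = ("fill", "discharge", "transfer")

# Constructed badge/password table standing in for the HMI's credential store.
CREDENTIALS = {"SUP-01": "shift-pw", "MAINT-07": "maint-pw"}


@dataclass
class ELoto:
    """Two-person electronic lockout for one chlorine storage tank."""
    valves: dict = field(default_factory=lambda: {v: "open" for v in VALVES})
    pump_power: bool = True
    locks: set = field(default_factory=set)      # badges currently holding a lock
    audit: list = field(default_factory=list)    # append-only event record
    notices: list = field(default_factory=list)  # outbound text messages only

    def login(self, badge, password):
        return CREDENTIALS.get(badge) == password

    def apply_lockout(self, badge, password):
        if not self.login(badge, password):
            self.audit.append(f"DENY lockout by {badge}: bad credentials")
            return False
        self.locks.add(badge)
        for v in VALVES:
            self.valves[v] = "closed"
        self.pump_power = False
        self.audit.append(f"LOCKOUT applied by {badge}")
        # Management-of-change notice goes out; nothing is accepted back on this channel.
        self.notices.append("Tank lockout active; relief valve off-line")
        return True

    def release_lockout(self, badge, password):
        if not self.login(badge, password) or badge not in self.locks:
            self.audit.append(f"DENY release by {badge}")
            return False
        self.locks.discard(badge)
        self.audit.append(f"LOCK released by {badge}")
        return True

    def actuate(self, valve, state, source):
        """Move a valve: only the local HMI may command it, never while a lock is held."""
        if source != "hmi":
            self.audit.append(f"DENY {valve}->{state} from {source}: not the HMI")
            return False
        if self.locks:
            self.audit.append(f"DENY {valve}->{state}: locks held by {sorted(self.locks)}")
            return False
        self.valves[valve] = state
        self.audit.append(f"{valve}->{state} via HMI")
        return True
```

The audit list is the record a responder would want: every refused command names its source, so a valve-open request arriving over the wireless link stands out even when nothing physically moved.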

Dade refused to go into any details of the hack other than to note that the hackers accessed the safety system via the Wi-Fi connection and opened the discharge valve on the tank. Details of the hack are being tightly held pending further investigation and the hoped-for arrest and prosecution of the attackers.

He did confirm that the video that was released by SFINCTER last night was a video of the incident. It was taken from a camera on a power pole outside of the facility. That camera was co-located with the Wi-Fi transmitter that was used in the attack.

William Henry Lee III, the Mayor of Delano, GA, announced today that three additional people have died as a result of chlorine exposures from the Bleichen incident. This brings the death toll to ten. There has also been a slight increase in the number of people hospitalized due to chlorine exposure from the attack. That total now stands at sixty-five.

Rep. Tucker Watts, Jr. (R,GA) announced that he is authoring the draft eLOTO legislation that will be considered Friday by a joint meeting of the House and Senate Homeland Security Committees. He said that the bill would require that all eLOTO systems include two-factor authentication, end-to-end encryption of data, shielded cables for all connections, and a 48-hour deadline to install software and/or firmware updates for all components. Companies providing eLOTO systems would be required to provide copies of all software/firmware (including updates and documentation) to a cybersecurity office (to be established) in WESA for approval before they could be used in the field. Existing eLOTO systems would have 90 days to receive that approval after the office is established or they would have to be removed from operation.
