Dragonfire Cyber published a report today on a recent ransomware attack on a PLC being used in a safety system at a Louisiana chemical manufacturing plant. There were two unique things about this ransomware attack, the report states. First, the ransomware did not encrypt system files; it simply shut down the safety system and demanded a 100-bitcoin ransom. The second item of interest is that the system was re-infected as soon as the affected PLC was replaced.
The active portion of the ransomware reset the Robotron SicherheitsKontrolle PLC to factory default settings, erasing the programming designed to ensure that the styrene storage tank remained in an inherently safe state. It also erased the control screen on the HMI used by the safety system, replacing the virtual system diagram with the ransomware message.
Since the affected system was a safety system, the facility had a preprogrammed replacement on hand for both the PLC and the HMI. As soon as the ransomware message was reported, maintenance personnel were contacted and the two devices were replaced within an hour.
“The attackers understood how easy it was to replace the affected devices without resorting to paying the ransom,” Kate Libby, spokesperson for Dragonfire, told this reporter; “So they designed their ransomware system so that it would immediately infect the replaced equipment.”
The local control system maintenance personnel were not able to find the initial source of the infection or the re-infection. In order to ensure the safety of the facility, the company paid the ransom and the system was immediately returned to its pre-infection state.
Dragonfire was retained to discover the source of the infection, determine how the system was re-infected, and ensure that there were no other problems with the system. The source of the initial infection was the USB drive that was used to apply the annual system updates for the safety system. The USB drive, sent from Robotron offices in Germany, was apparently intercepted at the local delivery company office and infected with the ĀnquánShújīn worm.
The USB device was erased when it was removed from the laptop used to update the PLC, but the technician who performed the update copied the update to a backup drive for record-keeping purposes. The drive-erase program was not transferred with the copy, since it was hidden in the USB firmware. The malware programming on the laptop was automatically erased and overwritten with the original update after the safety system was updated.
“With a copy of the actual ransomware code on hand, it was easy enough to track down the source of the re-infection,” Libby told me; “A copy of the worm was moved to one of the smart sensors attached to the safety system, in this case a Robotron DSensor.”
When the new PLC made initial contact with the infected sensor, the worm reinstalled the malware on the PLC, restarting the whole process.
Immanuel C. Securitage, spokesperson for ECS-CERT, said that the malware seen in this attack was much more sophisticated than the GUMMI BAREN ransomware that was seen in earlier attacks on Robotron PLCs. “Two years allows for a lot of malware advancement,” IC Securitage told this reporter; “We also suspect that there may be a State actor involved, which also allows for an entirely different level of sophistication.”
The Federal Bureau of Inquiry is reportedly investigating whether this incident is the work of the NoReturn group that has been causing problems at a number of chemical companies in the United States. Johnathan Quest refused to comment on that portion of the ongoing investigation, saying: “We are continuing to work with the facility owner, ECS-CERT and Dragonfire on the incident investigation. We currently have no suspects, but we are talking with persons of interest at the GHB Air facility in Shreveport about the Robotron USB delivery.”
CAUTIONARY NOTE: This is a future news story –