Saturday, September 26, 2020

Hearing at CI-SOC on Recent Ransomware Attacks in Delano

Rep. Tucker Watts (R,GA) was on site today at the Critical Infrastructure Security Operations Center (CI-SOC) to participate in a virtual hearing of the House Subcommittee on Cybersecurity Oversight looking at the recent ransomware attacks on two facilities in Delano, GA that appeared to be related. Watts is the Ranking Member of the Committee and requested the hearing.

In his opening statement, Chairman Richard Gil (D,NY) explained that today's meeting was called to look at both the root cause of the two attacks and the role that IC-SOC could have played in preventing such attacks. “Let us be clear,” Gil explained; “Neither the Intershop Meat Plant nor the Delano Waste Water Treatment Plant had signed up to be covered by the IC-SOC, so the IC-SOC team was not set up to protect those facilities. And, even if they had, since the attacks were both initiated by an onsite insertion of a USB device, as currently configured, IC-SOC would not have been able to prevent the attacks.”

General Buck Turgidson, the Director of the National Critical Infrastructure Security Operations Center, present onsite with Congressman Watts, testified that away teams from IC-SOC responded to both incidents at the request of ECS-CERT. “Our teams only had to drive a couple of minutes across town,” Turgidson said; “The ECS-CERT team would have taken a day or more to get here.”

Immanuel C. Securitage, ECS-CERT spokesperson, testified by a video link from Washington. “We asked for assistance for two reasons,” he explained in response to a question by Watts; “First, the IC-SOC away teams were already in Delano. Second, and maybe more importantly, our staffing was cut in half to provide investigative personnel to IC-SOC.”

Horst Sinderman, the facility manager at the Delano meat plant that was attacked, testified remotely from the corporate headquarters in Birmingham, AL. He explained that, when it became obvious that the investigation team was not going to be able to fix the problem, corporate management contacted the company’s cyber-insurance provider, which provided the funds to pay the ransom.

Dragonfire Cyber assisted in the investigation of the attack on the meat plant and was on hand when the ransom was paid. “We were able to intercept the decryption key when it was sent to the facility,” Dade Murphy testified by video remote; “Having copies of both the encryption software from the USB devices and the decryption key, we were able to put together a decryption key for the attack on the Delano Waste Water Treatment Plant.”

That plant was able to restart about two hours after it had started discharging untreated wastewater into the Flint River. That discharge resulted in a large fish-kill and two cities downstream had to slow their processing of drinking water from the River to ensure that all contaminants and bacteria from the discharge were removed. Cities further downstream noticed little additional contamination in their intake testing.

Mayor Arrington Carter provided a written statement that was read into the record of the hearing. In part she said, “We are very grateful for the assistance that IC-SOC provided to the two facilities in the city during these attacks on our essential infrastructure. A major employer and our city services would have been affected much more severely if the government team had not stepped in with their expertise.”

The Federal Bureau of Inquiry is still investigating the two attacks. Johnathan Quest, spokesperson for the FBI, answered my questions this morning in a telephone interview about the investigation. The FBI continues to investigate both incidents as part of a larger plot by TrabajoSeUnen to affect operations at meat packing plants around the country. “While they are employing typical labor jargon in their messaging,” Quest said; “We can find no evidence of collusion between the group and local labor organizations. We believe that this is a straightforward ransomware campaign executed with the intent to make money.”

Congressman Watts told this reporter that he intended to introduce legislation that would require municipal water treatment facilities and wastewater treatment facilities to either join IC-SOC or some other cybersecurity monitoring service. “We just cannot afford to have these facilities shut down by either criminals or terrorists,” he said.

CAUTIONARY NOTE: This is a future news story –


Thursday, September 24, 2020

Water Treatment Plant Hit by Ransomware Attack

The Delano Waste Water Treatment Plant (WWTP) announced this morning that its computer systems that control the physical operation of the facility have been shut down by a ransomware attack. The attackers, reportedly the same group that shut down the operation of the Intershop Meat Plant last week, are demanding 1,000 bitcoin from the City of Delano to unlock the facility control systems.

George Funderburke, the director of the Delano Water Maintenance Department (DWMD), told reporters at a brief news conference that both the Federal Bureau of Inquiry and the Environmental Process Protection Agency (EPPA) had been notified about the attack. “EPPA and ECS-CERT will be sending teams to help us get our plant back in operation,” Funderburke said; “We have about six hours of storage capacity available for incoming sewage; after that, we will have to start discharging untreated sewage into the Flint River.”

Jay Muir, spokesperson for the EPPA, told this reporter that the EPPA was sending an action team to Delano, but that it would probably be the ECS-CERT that would be the lead agency on the investigation. “The team we are sending are process engineering types,” Muir said; “They will be responsible for helping the WWTP operate as effectively as possible in a manual operating mode. They should arrive on site before it is necessary to start discharging untreated sewage.”

The WWTP has only limited capacity to continue operation under manual conditions. The facility will continue discharging treated water under manual operation. A warning will be issued before any untreated sewage is discharged. Cities downstream of Delano have been warned that a sewage discharge may be required.

The DWMD does not have funds available in their budget to pay the ransom. Mayor Arrington Carter has scheduled an emergency meeting of the Delano City Council for later this morning to see what actions the City will be taking. “The DWMD has had problems with cash flow since the COVID-19 epidemic hit last spring. They have had a much larger than normal non-payment rate on water bills for both household and commercial accounts. We have been using the City’s rainy day fund to supplement their accounts for the last two months, so we may have problems coming up with the money for the ransom.”

Kate Libby, a spokesperson for Dragonfire Cyber, said that the company has not yet been notified about this ransomware attack, but was working with the ECS-CERT on the investigation at the Intershop Meat Plant. “We have discovered that the source of that attack was a USB drive inserted into one of the PLCs at the facility; it was apparently an insider attack.”

Funderburke has asked residents and businesses in Delano to reduce their water use and waste generation while the City works to correct this problem. Commercial and industrial facilities with large volume discharges have been notified to stop those discharges as soon as possible. This does include the Intershop Meat Plant that just reopened yesterday.

The Critical Infrastructure Security Operations Center (CI-SOC) would not comment on this attack.

CAUTIONARY NOTE: This is a future news story –

Sunday, September 13, 2020

Meat Packing Plant Closed by Ransomware Attack


The Intershop Meat Plant in Delano, GA was shut down over the weekend when the control system at the plant was hit by a ransomware attack. The facility was hit with the WannaControl ransomware that specifically targets industrial control systems made by the Robotron Company.

Immanuel C. Securitage, spokesperson for ECS-CERT, told reporters this morning that the company’s control systems at the Delano facility were locked out on Saturday morning as the first shift started work. After briefly trying to operate the facility’s chicken deboning production line manually, management sent the shift home early and announced that it would let workers know when they should return to the plant.

Horst Sinderman, the facility manager, told reporters that the company would not be meeting the ransom demand. “We have been having a hard-enough time keeping the facility open during the COVID-19 pandemic,” he said; “The increased cleaning costs and other COVID prevention measures have already cut deeply into our profit margin. There is no money available to pay the 1,000-bitcoin ransom demanded by Trabajo Se Unen, a previously unidentified malware group.”

A tweet by TrabajoSeUnen that was quickly taken down on TWITTER® said: “We have struck down Intershop to take care of our sick brothers and sisters and their families.”

When Sinderman was asked about the tweet he acknowledged that over three hundred employees have contracted COVID-19. “Our company has covered the medical bills for all of the sick employees,” he said; “And we continued the employees' paychecks during their recovery at half-pay even though we believe that most of the infections came from exposures outside of the facility.”

Dade Murphy, CTO of Dragonfire Cyber, said that his company has long thought that the WannaControl malware was the work of Stasi Ehemalige, the German hacking collective. “They have a long history of penetration of Robotron,” he told this reporter; “There are many coding similarities between WannaControl and other malware that affects Robotron products. We also suspect that they have organizational roots that trace back to European radical groups that were financed by the East Germans during the Cold War.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, told reporters that information gleaned from the dark web indicated that the authors of WannaControl have recently started to advertise cut-rate sales of their ransomware to radical labor activists in Europe and the United States. “According to some dialogs that we have intercepted, the WannaControl ‘sales team’ is recommending that ransomware attacks be used to punish companies that fail to properly take care of their employees during the COVID-19 pandemic,” Quest explained; “They are apparently selling the use of the malware for such attacks at a reduced rate. In at least one case the use was sold for 10% of the normal price.”

Vicente Lombardo Toledano, the President of Amalgamated Meat Cutters Local 1936 (AMC 1936), said that closing the plant was not in the best interest of the employees. “Our people are not going to get paid for sitting home waiting for the company to resolve this problem,” he told reporters at the local union hall; “Any claim that our union or our members had anything to do with this ransomware attack is completely unfounded and untrue.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, September 1, 2020

IC-SOC Stops Sex App Attack on Chem Facility

This morning the CSA’s Critical Infrastructure Security Operations Center (IC-SOC) announced that it had intercepted a cyberattack on a chemical facility control system this weekend in Southern California. According to General Buck Turgidson, the IC-SOC director, a worm had been uploaded to the facility network from a contractor’s telephone. The phone was apparently infected when the owner signed on to the WFN sex-sharing application.

“Our system identified the sex app when the phone logged into the facility wi-fi system,” Turgidson told reporters at this morning’s news conference; “We know that the app has been used by the Chinese Meiyou Tuihuo APT group as a means of infecting targeted industrial systems. With this knowledge we were prepared to intercept the worm and send it to a sandboxed location on the system for observation.”

Dragonfire Cyber operates that particular sandbox for IC-SOC. Dade Murphy, CTO for Dragonfire, told reporters that the worm exploited several known vulnerabilities to make its way into the control system server. “Once on the server, it reported back to a command-and-control server and started to upload copies of our decoy control system files,” Murphy told reporters; “And we were able to insert our own report-back worms into the upload. We have spent the last twelve hours remotely inspecting the C&C server and have garnered a great deal of information.”

Murphy confirmed that the sandboxed control system was subsequently hit by a ransomware attack. “This was the same ransomware that we had seen in earlier attacks. We did not pay the ransom. We had appropriate backups in place and our sandbox was operational again within a couple of hours,” Murphy reported with a grin.

When asked if this would not be considered hacking by the Chinese government, similar to what he was arrested for last June, Murphy replied: “Our company was working under contract with and under the control of the IC-SOC. This was an authorized law enforcement operation and the Chinese government has been provided with the appropriate evidence of criminal activity.”

Turgidson added that it had become obvious that Murphy’s arrest in Singapore was a purely political move on the part of the Chinese government. “Mechanisms have been put into place to deal with such tit-for-tat semi-legal actions in the future,” the General said.

When asked if there were going to be any consequences for the owner of the phone involved in the attack, Turgidson said: “That will be up to his employer as it was a company owned phone. We do not have any evidence to indicate that the individual was knowingly involved in the attack.”

Turgidson was also asked about the legality of the ‘search’ of the individual’s phone that initiated the IC-SOC activity. “Signs were posted at all entrances to the facility that all electronic devices were subject to search while on the property,” he replied; “Bringing the phone onto the facility grounds constituted providing permission to search the phone by any means at our disposal.”