Saturday, September 26, 2020

Hearing at CI-SOC on Recent Ransomware Attacks in Delano

Rep. Tucker Watts (R-GA) was on site today at the Critical Infrastructure Security Operations Center (CI-SOC) to participate in a virtual hearing of the House Subcommittee on Cybersecurity Oversight looking at the recent ransomware attacks on two facilities in Delano, GA that appeared to be related. Watts is the Ranking Member of the Subcommittee and requested the hearing.

In his opening statement, Chairman Richard Gil (D-NY) explained that today's meeting was called to look at both the root cause of the two attacks and the role that CI-SOC could have played in preventing such attacks. “Let us be clear,” Gil explained; “Neither the Intershop Meat Plant nor the Delano Waste Water Treatment Plant had signed up to be covered by the CI-SOC, so the CI-SOC team was not set up to protect those facilities. And, even if they had, since the attacks were both initiated by an onsite insertion of a USB device, as currently configured, CI-SOC would not have been able to prevent the attacks.”

General Buck Turgidson, the Director of the National Critical Infrastructure Security Operations Center, present onsite with Congressman Watts, testified that away teams from CI-SOC responded to both incidents at the request of ECS-CERT. “Our teams only had to drive a couple of minutes across town,” Turgidson said; “The ECS-CERT team would have taken a day or more to get here.”

Immanuel C. Securitage, ECS-CERT spokesperson, testified by video link from Washington. “We asked for assistance for two reasons,” he explained in response to a question by Watts; “First, the CI-SOC away teams were already in Delano. Second, and maybe more importantly, our staffing was cut in half to provide investigative personnel to CI-SOC.”

Horst Sinderman, the facility manager at the Delano meat plant that was attacked, testified remotely from the corporate headquarters in Birmingham, AL. He explained that, when it became obvious that the investigation team was not going to be able to fix the problem, corporate management contacted the company’s cyber-insurance provider who provided the funds to pay the ransom.

Dragonfire Cyber assisted in the investigation of the attack on the meat plant and was on hand when the ransom was paid. “We were able to intercept the decryption key when it was sent to the facility,” Dade Murphy testified by video remote; “Having copies of both the encryption software from the USB devices and the decryption key, we were able to put together a decryption key for the attack on the Delano Waste Water Treatment Plant.”

That plant was able to restart about two hours after it had started discharging untreated wastewater into the Flint River. That discharge resulted in a large fish-kill and two cities downstream had to slow their processing of drinking water from the River to ensure that all contaminants and bacteria from the discharge were removed. Cities further downstream noticed little additional contamination in their intake testing.

Mayor Arrington Carter provided a written statement that was read into the record of the hearing. In part she said, “We are very grateful for the assistance that CI-SOC provided to the two facilities in the city during these attacks on our essential infrastructure. A major employer and our city services would have been affected much more severely if the government team had not stepped in with their expertise.”

The Federal Bureau of Inquiry is still investigating the two attacks. Johnathan Quest, spokesperson for the FBI, answered my questions this morning in a telephone interview about the investigation. The FBI continues to investigate both incidents as part of a larger plot by TrabajoSeUnen to affect operations at meat packing plants around the country. “While they are employing typical labor jargon in their messaging,” Quest said; “We can find no evidence of collusion between the group and local labor organizations. We believe that this is a straightforward ransomware campaign executed with the intent to make money.”

Congressman Watts told this reporter that he intended to introduce legislation that would require municipal water treatment and wastewater treatment facilities to join either CI-SOC or some other cybersecurity monitoring service. “We just cannot afford to have these facilities shut down by either criminals or terrorists,” he said.

CAUTIONARY NOTE: This is a future news story –


1 comment:

  1. Several of the most prolific ransomware operators work directly for North Korean and Iranian governments. As such they are covered by national and international sanctions. In my limited understanding of the law, paying a ransom to these organizations can be a breach of sanctions, even if the paying organization is not aware of the sanctions, or of who they are paying the money to. And again, in my limited understanding, such payment makes the paying organization liable for up to a $20M fine in the USA, and possibly other penalties. I'm told there is an entire sub-industry of consultants that has built up, to give advice to businesses considering paying ransoms, to help them understand what the possible consequences of such payments might be for them.
