Sunday, November 22, 2020

LA Sues CI-SOC for Access to Bitcoin Tracking Tool

On Friday, Harry R. Haldeman, the District Attorney for Los Angeles, filed suit in the 14th US District Court asking the Court to order General Buck Turgidson (USA, Ret), the director of the US Critical Infrastructure Security Operations Center, to make available to prosecutors in the United States the tool known as “Bitcoin Tracker”. Haldeman claims that the tool used in recent attacks reported by CI-SOC would allow the government to track, identify and prosecute the actors behind the recent spate of ransomware attacks.

Haldeman told reporters today that he had talked to Turgidson about obtaining access to the tool immediately after the ransom recovery had been announced by CI-SOC last week. “Buck told me that CI-SOC was not releasing the tool for National Security reasons,” Haldeman said. “I have done some additional checking and it does appear that he has gotten into some hot water with the national security establishment for even announcing that the tool existed. But at this point the cat is out of the bag and we need access to this invaluable tool to put a stop to the ransomware epidemic.”

Turgidson would not comment, citing federal rules about not commenting on ongoing litigation. An official working at CI-SOC who cannot be named confirmed that Turgidson had been reprimanded for discussing the tool. “The counterterror folks have been using this tool for over a year now to track money flow to various terrorist organizations,” the official said, “It has helped them to identify both sources of funding and the places where the moneys have been used to fund operations. The concern is now that the bad guys know that we have the tool, that they will start to use some different method of moving money around.”

According to another source in the government, Turgidson knew about these concerns when he released the information. He reportedly felt that the current ransomware threat was a more immediate and widespread threat to the safety of the country than was the current level of terrorism. The announcement of the possession of the tool, according to sources close to the Director, was made to let the ransomware community know that they were no longer protected by the expected anonymity of the Bitcoin service.

If that was the case, one source was asked, why has Turgidson refused to turn over the tool to prosecutors like Haldeman? “It is not as simple as turning over a disc for someone else to use. The process is complicated and uses resources that are not currently available outside of the intelligence community.”

CAUTIONARY NOTE: This is a future news story –

Friday, November 20, 2020

COVID-19 Vaccine Hack

General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center (CI-SOC), told a press conference this morning that the ransomware attack on Mengele Pharma earlier this week used a variant of the WannaControl ransomware. He also noted that investigators working for CI-SOC discovered that the as yet unidentified attackers gained access to the warehouse facility control system via storage batteries associated with the rooftop solar array.

Turgidson told reporters: “There were significant changes made to the ransomware code. We do not believe at this time that those changes were made by Stasi Ehemalige, the authors of the original ransomware.” A manager at CI-SOC told me that there are indications that Stasi Ehemalige has been selling copies of their ransomware on the Dark Web.

A briefing document provided to reporters says that changes to the ransomware include the inclusion of a data exfiltration module as well as a tool specifically designed to make modifications to the programming of the Robotron Kühlsicherheit refrigeration safety system that is used at the facility. The report also notes that the manufacturing control system at the Mengele Pharma vaccine plant adjacent to the warehouse was also infected, but that it had not yet been shut down by the ransomware.

Dade Murphy, CTO at Dragonfire Cyber, said that his team supporting the CI-SOC investigation had been able to deconstruct the ransomware package that shut down the warehouse operations. “The new code that facilitated this particular attack,” Murphy told reporters, “has significant structural and coding differences that indicate that a different team of developers worked on the new modules. There are many similarities between the coding styles used here and that used in the ĀnquánShújīn PLC ransomware used in an attack earlier this summer.” Murphy was unable to explain why those coders would have used Stasi Ehemalige malware for this attack.

Murphy told reporters that they had found that one of the affected freezers still had an old-style circular chart recorder for temperature working on it. “This system with its dedicated thermocouple was unaffected by the attack. While the one-week chart had not been changed in a month, we can clearly see that the temperature in the freezer rose to -30°C for extended periods,” Murphy said; “If this chart had been tracked, the problem would have been detected in time to prevent the problems with vaccine storage conditions.”

The attack on the warehouse control system was initiated via the energy storage system associated with the rooftop solar array. “The known vulnerability in the direct internet connection of the battery system was used to gain access to the facility maintenance network,” Murphy told reporters. “Once that network access was gained, it was relatively easy for the attackers to pivot into the building automation system and then into the warehouse refrigeration systems.”

Wolfgang Gerhard, President of Mengele Pharma, told reporters that the solar system had apparently been installed before the vulnerability was reported. “We have been in contact with the contractor we used for that installation,” Gerhard said. “They are currently working on updating the system and mitigating that particular vulnerability.”

Gerhard was also able to update reporters on the effect of the refrigeration attack on the inventory of COVID-19 vaccine stored on the premises. Each box is equipped with a chemical temperature warning decal that changes color when the temperature rises above a set point. “We have examined each of the boxes in all five of the freezers on site,” Gerhard said; “About 80% of the indicators show that the packages had been exposed to temperatures above the -50°C limit set by the Federal Drug Administration in their approval of the vaccine.” Mengele is turning over all of those cases to the FDA for study and disposal.

Clark Stanley, spokesperson for the FDA, told reporters that the agency would be storing each of the affected boxes in the appropriate conditions. “We will be conducting efficacy testing on samples from each of the boxes to determine what effect the unfortunate temperature excursions had on the vaccine,” Stanley said; “We may be able to provide box-by-box approval for the use of some of the vaccine. We do understand the importance of having a COVID-19 vaccine available as quickly as possible, but we want to ensure that it is an effective vaccine that the public can rely on.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, November 17, 2020

COVID-19 Vaccine Storage Hit by Ransomware

Mengele Pharma announced this morning that their Schenectady, NY warehouse had been hit by a ransomware attack. All facility control systems, including the ultra-refrigeration system for the storage of the initial manufacturing run of their new COVID-19 vaccine, were shut down. Wolfgang Gerhard, company President, acknowledged that there are concerns about the potential effects on the efficacy of the 20 million doses of vaccine stored in the facility.

General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center, confirmed that the CI-SOC was working with Mengele Pharma on rectifying the problem. “Our investigators are on the scene and working with the facility security team to determine the extent of the problem,” Turgidson told reporters; “Preliminary indicators would seem to tell us that the attackers had been active on the system for at least a week prior to the shutdown.”

The Mengele vaccine requires storage at -50°C. It can be held briefly, for up to a day, at temperatures as high as 0°C. Higher temperatures cause the vaccine to break down and quickly lose efficacy.

Clark Stanley, spokesperson for the Federal Drug Administration (FDA), told reporters that Mengele will have to be able to demonstrate that the storage conditions, including ultra-refrigeration, met the required standards set for this vaccine before any distributions will be able to be made from this warehouse. “Failure to be able to document storage temperatures will not be acceptable,” Stanley said.

Stanley did tell reporters that Mengele was in the final stages of receiving emergency approval of their vaccine. The FDA and the company were making plans to be able to start distribution sometime in early December.

Sources at Mengele who are not authorized to talk to the press report that the company has paid the 1-million bitcoin ransom but has not received the code necessary to regain control of their systems.

Sen. TJ Kong told reporters this morning that his Committee would be looking at requiring the CI-SOC to begin providing cyber-protection to all vaccine manufacturers whether or not they had requested protection. “Vaccine manufacturers that are planning on taking Federal money for vaccine distribution or manufacture should be required to cooperate with CI-SOC.”

Mengele has not received any federal research funding for the development of their vaccine.

CAUTIONARY NOTE: This is a future news story –

Thursday, November 12, 2020

CI-SOC Recovers Bitcoin Ransom

The Critical Infrastructure Security Operations Center (CI-SOC) announced today that it had successfully conducted operations against a North Korean ransomware gang that was operating out of Seoul, South Korea. The bitcoin ransom paid by three separate, unidentified companies in the United States was recovered, the small server farm used by the gang was seized and four North Korean agents were arrested.

General Buck Turgidson, Director of CI-SOC, told reporters that his group, working with the South Korean government and elements of US Special Operations Command, tracked the gang by following the bitcoin trail to a compound on the outskirts of Seoul. “A special team of Army Special Forces that included cyber-operators worked with a team from the South Korean Army to enter the compound and seize computer equipment before any information could be destroyed,” Turgidson told reporters.

Special Operations Command confirmed that special operations forces were involved but refused to comment on the identity of the team. They explained the participation of the military by noting that the underlying cyberattacks had been performed by agents of a foreign government. There have been rumors circulating in Washington that a Cyber A-team is being formed to work on this type of operation, but there has been no confirmation from Special Operations Command or the Pentagon.

The four North Koreans captured in the raid are being held in Seoul pending extradition to the United States. There are rumors that the Justice Department has concerns about trying them for their alleged cyber crimes because of search and seizure implications. A national security warrant had been issued for tracking the bitcoins, but the rules of evidence for supporting that type of warrant are different from those that would be used in a criminal court case in the United States. The tools used to track the bitcoin trail were developed by the National Security Agency, and that agency would not be prepared to share the technology upon which that trace was based with the defense team. It is suspected that any criminal defense attorney would move to have the identification of his clients by such undisclosed technology suppressed.

There are rumors circulating that the Justice Department is considering certifying the ransomware attacks as terrorist attacks and allowing the foreign nationals to be tried by a military tribunal.

CAUTIONARY NOTE: This is a future news story –