Sunday, December 27, 2020

SolarFlare Affects Robotron ICS Installations

This morning the Critical Infrastructure Security Operations Center announced that it had detected a new attack mode associated with the SUNBURST vulnerabilities. According to General Buck Turgidson, Director of CI-SOC, a new class of malware has been detected at SUNBURST-affected facilities that were using equipment from Robotron. The SolarFlare malware set up a separate backdoor in ICS servers that communicated with the attacker via a compromised server in the Robotron maintenance monitoring system.

The CI-SOC SolarFlare report notes that, in all known instances of the SolarWinds compromise, a search was made for Robotron control system equipment on all reachable networks. Where Robotron equipment was found, SolarFlare was installed on the associated server and large amounts of data were exfiltrated from the system through the compromised Robotron server.

Turgidson told reporters this morning that it does not appear at this time that any changes were made to any of the Robotron equipment at any of the affected installations. “At this point it looks as if the purpose of the attack was to acquire information about the status and operation of Robotron control system equipment,” Turgidson said.

Robotron President Erich Mielke confirms that the Robotron server had been compromised during the SUNBURST attack on the company. “When the SUNBURST vulnerabilities were reported earlier this month, we started our internal investigation of its potential impact on our organization since we use the affected Orion software,” Mielke said in a prepared statement; “We had just identified that this server had been impacted when the authorities from CI-SOC contacted us. We have taken the affected server off-line and are cooperating with authorities in both the EU and the United States in their investigations.”

Dade Murphy, the CTO of Dragonfire Cyber, said in a video feed from Germany where he is working with the investigation at Robotron: “We have identified the specific information exfiltrated from one of the companies that was affected by SolarFlare. It contained detailed programming information for various PLC’s at the affected facility as well as process safety files from the facility.”

When asked why there was only information on the one facility, Murphy explained: “Once the server sends the information on to its command-and-control device, all records about the information are erased from the infected Robotron server. The data we saw had not yet been forwarded to the attacker when Robotron took the server off-line.”

Turgidson closed today’s news conference by stating that:

“At this point we do not know the purpose of the SolarFlare attacks. It appears that this was just a data collection effort at this time. The scope of the information that appears to have been obtained, however, is more than a little disconcerting. The information could be used to develop sophisticated attacks on industrial control systems at a wide variety of critical infrastructure facilities. Effective attacks on facilities such as these require a great deal of information and understanding of the interactions between a variety of systems. That level of information now appears to be available to the attackers behind the SUNBURST attacks.”

CAUTIONARY NOTE: This is a future news story –

Saturday, December 12, 2020

COVID Cyber Protection Act Introduced

Yesterday Sen TJ Kong (R,GA) introduced SB 4569, the COVID Cyber Protection Act. The bill would require any company that accepts federal money for the production, distribution or dispensing of a vaccine for the SARS-COV-19 virus to allow the Critical Infrastructure Security Operations Center (CI-SOC) full access to any computer network involved in getting the vaccine to the citizens of the United States. A press release from Kong’s office notes that the bill was drafted in response to the recent ransomware attack on Mengele Pharma that resulted in millions of doses of their COVID-19 vaccine being destroyed.

According to Kong, while the original CI-SOC authorizing legislation provided for private sector companies to voluntarily place themselves under the cyber protection of the CI-SOC, this bill would mandate participation in the CI-SOC protective regimen by manufacturers of COVID-19 vaccines, transportation companies, storage facilities and clinics that administer the COVID-19 vaccine to the public.

General Buck Turgidson, Director of the CI-SOC, told reporters this morning that his staff had worked with the Senator’s staff in the crafting of the legislation. “We have staff and facilities available to start protecting the vaccine manufacturers in the United States,” Kong said; “Providing coverage to transportation and storage organizations will require a substantial expansion of staff and equipment. That is the reason that the bill includes a $1.5 million spending authorization. We do not currently know how many clinics would need cybersecurity coverage.”

An unnamed source at the CI-SOC tells me that there is plenty of room in the facility for the staff expansion expected to support the demands set forth in SB 4569. There would have to be some expansion of the communications capabilities, but the initial facility design included provisions for that addition as the CI-SOC operations expanded.

Clark Stanley, spokesperson for the Federal Drug Administration, responded to email questions about the bill. He reported that the agency had been in communication with the Senator’s office about the proposed legislation. “We have also been talking with CI-SOC about the requirements for expanding cybersecurity support for vaccine manufacturers. We are very concerned about the attack on Mengele Pharma and want to ensure that no further cyberattacks interfere with getting the vaccines produced and distributed.”

An unnamed staffer at Kong’s Washington Office told me that the Senator does not expect that the Senate will actually have time to take up the bill in the days left in the 116th Congress. “We are working to try to get it added to the omnibus spending bill that will be introduced later this week,” the staffer said; “If that does not happen, we expect to get the bill introduced in the opening days of the 117th Congress. Hopefully we would be able to see quick action on the bill in the opening weeks of the session.”

Wolfgang Gerhard, President of Mengele Pharma, has said that his company does not want any cybersecurity assistance from CI-SOC. “We have no need to provide unrestricted access to CI-SOC to our computer infrastructure,” Gerhard told reporters last week; “We do not want to provide anyone with access to our proprietary research and manufacturing software systems. A large portion of our profitability and innovation capability rests on these unique, in-house developed systems. We cannot afford to have them compromised by any outside agency not under our control.”

Gerhard reported that those systems had not been involved in last month’s ransomware attack. “We have those systems completely isolated from our IT systems and they are not accessible from the Internet,” he explained; “We did not provide CI-SOC investigators access to these systems during their investigation of the attack and we will not do so in the future.”

CAUTIONARY NOTE: This is a future news story –

Sunday, December 6, 2020

RoboDozer Hacked

At a news conference last night, General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center (CI-SOC), confirmed that an unidentified computer hacker was responsible for the recent attack on the office of Rep. Harvey Milk (D,CA). “We have confirmed that the attacker exploited a known vulnerability in the control system for a RoboKonstruk R9 autonomous bulldozer to take control of the vehicle and drive it into the Congressman’s office,” Turgidson told reporters via a Zoom conference.

Johnathan Quest, spokesman for the Federal Bureau of Inquiry, told reporters that the FBI has taken jurisdiction over the investigation since it included an attack on a member of Congress. “We intend to work closely with the CI-SOC in our efforts to track down and arrest the perpetrators of this attack,” Quest told reporters.

Dade Murphy, CTO of Dragonfire Cyber, reported that the known vulnerability Turgidson was referring to involved the radio controller used on the bulldozer. “The attacker exploited a credential replay vulnerability in the Robotron SDR-1000i radio system,” Murphy explained; “This vulnerability was publicly reported six months ago, and updates were available to mitigate the issue.”

Dragonfire Cyber is providing the on-site team for the CI-SOC investigation of the incident.

Dillyboys Construction, the owner of the bulldozer, reported that they were not aware of the cyber vulnerability in the system. “We were never told about the problem,” company spokesman James Portman told reporters; “We are a construction company; our expertise is in earth moving and site preparation, not cybersecurity.”

The cybersecurity researcher who discovered the radio system vulnerability a year ago goes by the handle cYbrg0D. He told me that this vulnerability is relatively easy to exploit. The attacker would have to listen on the radio frequency used by the devices and record the code initially sent by the operator to start the vehicle. Because that code is fixed rather than tied to a particular session, it could later be replayed by the attacker from a different radio controller to take control of the system.
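Added here as an illustration, not code from the story or from any real Robotron product: a toy Python model contrasting a fixed start code, which a recorded frame satisfies again later, with a challenge-response design in which the receiver binds each command to a fresh nonce so that a recorded response is rejected. The frame contents, key and command names are constructed for the example.

```python
import hashlib
import hmac
import secrets


class StaticCodeReceiver:
    """Receiver that accepts a fixed start code: the replayable design the story describes."""

    def __init__(self, code: bytes):
        self._code = code

    def accept(self, frame: bytes) -> bool:
        # Anything equal to the stored code is accepted, however old the recording is.
        return hmac.compare_digest(frame, self._code)


class ChallengeResponseReceiver:
    """Receiver that issues a one-shot nonce and expects HMAC(key, nonce || command)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh per attempt, never reused
        return self._pending

    def accept(self, command: bytes, tag: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: nothing to respond to
        expected = hmac.new(self._key, self._pending + command, hashlib.sha256).digest()
        self._pending = None  # consume the nonce whether or not the tag matched
        return hmac.compare_digest(expected, tag)


def controller_respond(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Legitimate controller side: answer the receiver's nonce for the given command."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def demo() -> tuple:
    # Static scheme: a frame recorded once is accepted again later.
    static = StaticCodeReceiver(b"START-4242")
    recorded_frame = b"START-4242"  # constructed: what a passive listener would capture
    static_replay_accepted = static.accept(recorded_frame)

    # Challenge-response: the legitimate exchange succeeds...
    key = secrets.token_bytes(32)  # constructed shared key
    rx = ChallengeResponseReceiver(key)
    tag = controller_respond(key, rx.challenge(), b"START")
    legit_accepted = rx.accept(b"START", tag)
    # ...but the same recorded tag fails against a later session's nonce.
    rx.challenge()
    replay_accepted = rx.accept(b"START", tag)
    return static_replay_accepted, legit_accepted, replay_accepted
```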

Erich Mielke, spokesman for Robotron, supplied a statement noting that the SDR-1000i is a very common radio control system. “It is used in hundreds of our products including all of the remotely operated equipment produced by our construction subsidiary, RoboKonstruk,” the statement explains. The system is also used by a number of other vendors of remotely operated equipment around the world. Robotron has sold over 10,000 remote controllers for the system over the last ten years, the Company reports. Used versions of the controller are available for sale on eBay®.

Quest told reporters that the FBI thinks that the person who operated the bulldozer was an experienced heavy equipment operator. “More than just cyber skills were obviously used in this attack,” Quest explained; “The tracks in the street from the construction site to the Congressman’s office demonstrated smooth operation and direct control as several obstacles were avoided during the movement.”

cYbrg0D confirmed to me that it would not have taken a skilled hacker to take control over this vehicle. “It easily could have been an equipment operator with a very modest set of hacking skills that executed this attack,” he said; “Driving the bulldozer is much more difficult than hacking that radio controller.”

Milk’s office reports that the Congressman is calling for a congressional investigation of the security of the controls over remotely operated equipment. That investigation is not expected to be started in this session of Congress, but Milk is slated to be the Chair of the new Cybersecurity Subcommittee of the House Transportation Committee in the 117th Congress.

Building inspectors for the City confirmed that the building will have to be demolished; no structural stability remains that would allow repairs to be made.

CAUTIONARY NOTE: This is a future news story –

Wednesday, December 2, 2020

Robo Bulldozer Attacks Congressman’s Office

Early this morning a bulldozer from a construction site near the Embarcadero Center in San Francisco, CA was sighted leaving the site without a visible operator present. It traversed 1.5 miles of city streets to the local office of Rep. Harvey Milk (D,CA) and crashed into the office. No one was hurt, but the first-floor office was destroyed and the remainder of the building was evacuated pending a building safety inspection.

James Portman, spokesman for Dillyboys Construction, confirmed that an autonomous earthmover was missing from their construction site. “The vehicle number provided to us by the police department is consistent with the vehicle missing from our site,” Portman told reporters, “But we have not had a chance to physically confirm that the machine is ours.”

The machine, still inside the congressional office, has been identified as a RoboKonstruk R9 autonomous bulldozer. RoboKonstruk is a division of the German Robotron Automation, an industrial control system giant. That division was formed three years ago to provide industrial automation systems for the construction industry.

W.E. Ulbricht, spokesman for RoboKonstruk, confirmed to this reporter that the company’s R9 bulldozer was capable of operating without an operator being on the vehicle, or even present on the work site. “Our machines are designed to be used in either a tele-operational mode where the operator directly controls the machine from a remote console,” Ulbricht said, “Or in a preprogrammed mode where a series of operations and movements are designated in advance.”

General Buck Turgidson, Director of the Critical Infrastructure Security Operations Center (CI-SOC), in a brief statement released by the CI-SOC, said that the Center has no information about the cybersecurity status of the RoboKonstruk equipment. “It is not something that has been called to our attention as a potential threat,” the statement reads; “Nor are we aware of any publicly released research on the subject. We are in touch with RoboKonstruk and will be working with them to look at the situation.”

A spokesperson for Rep. Milk told reporters that no one had been in the office when the incident occurred due to the early morning hour. “The Congressman has no relationship with Dillyboys and has no reason to suspect that they might have been responsible for the damage to our office. We will be working closely with investigators to find out who is responsible for this attack.”

CAUTIONARY NOTE: This is a future news story –