Tuesday, December 28, 2021

Airport Ransomware Slows Christmas Returns

Fred P. Ayres, Operations Manager for the Porter Alexander Airport, confirmed today that the flight delays yesterday at the Delano, GA airport were caused by a ransomware attack on the carry-on baggage screening equipment being used at the passenger screening checkpoints. He was not able to tell reporters this morning whether a ransom had been paid.

Bessie Coleman, spokesperson for the Airline Transportation Security Agency (ATSA), confirmed that there had been screening delays at Alexander. “We had to go to 100% manual baggage screening of carry-on baggage at that airport,” Coleman told reporters; “For security reasons, I cannot discuss what prompted that requirement.”

“We had flight delays of up to two hours to allow for passengers to complete the screening protocols,” Ayres told reporters.

Frank Whittle, whose son was scheduled to fly back to Ft. Carson, CO, after Christmas leave, reported that his son missed his connecting flight in Atlanta. “He ended up spending twelve hours in the Atlanta airport and ended up getting back to his unit three hours late,” Whittle explained; “I hope he does not get in trouble with the Army over the delay.”

The National Critical Infrastructure Security Operations Center (CI-SOC) has been working with the airport and the ATSA on the investigation of the cyberattack. Turgidson told reporters this morning that it is unusual to see a ransomware attack on federal government operations. “Everyone knows that the official policy of the government is to not pay ransoms,” Turgidson explained; “So there is little incentive for a ransomware attack.”

There are rumors circulating that this was not a typical ransomware attack, that files were not encrypted. A security employee of the airport, not associated with ATSA, told me that the screening devices were picking up false weapon returns. Three passengers were apparently pulled aside for additional screening before the ransomware message showed up on the system.

CAUTIONARY NOTE: This is a future news story –

Friday, December 3, 2021

Polymer Hack Via Drive-by Malware

The Federal Bureau of Inquiry confirmed today that the attack earlier this week on the Blew Bayou polymer facility used a new version of the SolarFlare malware that was originally delivered as part of the 2019 Sunburst campaign. “There have been substantial modifications to the malware,” Johnathan Quest, FBI spokesperson, told reporters this morning; “Enough changes in language and syntax that we are not sure if this was produced by the original team or a completely different attacker.”

Kate Libby, a researcher at Dragonfire Cyber who has been working with the FBI on the Blew Bayou investigation, told reporters that the malware was introduced into the polymer control system via a sophisticated phishing attack. “A personal email to the process control engineer directed her to go to the Robotron web site to see a new product introduction,” Libby explained; “The engineer did not click the link in the email but used an existing link from her system to get to the Robotron web site. While on the site she clicked on one of those ubiquitous check boxes accepting site cookies. That action downloaded the malware.”

Erich Mielke, spokesperson for Robotron, confirmed that the company’s web site had been hacked to set up the drive-by download. “We use a web privacy compliance company, Datenshutz, to handle all of our website regulatory compliance activities,” Mielke explained; “They were responsible for the cookies notification application on our site. We have been assured that they have corrected the problem.”

Helga Brache, spokesperson for Datenshutz, confirmed that the company was responsible for the application on the Robotron site. “We are currently investigating how the malware download was inserted into our application. We do not believe that any other sites have been affected at this time.”

Libby urged anyone who had visited the Robotron site over the last six months to have their systems checked for the presence of the SolarFlare malware. “The indicators of compromise that were published by CI-SOC for the original malware still apply to the new version,” Kate explained to reporters.

Quest told reporters that the FBI investigation was still progressing. “We are continuing to follow leads and hope to identify the perpetrators of this attack in the coming days,” he explained; “If you have any indications that your systems have been compromised via the Robotron web site, please contact your local FBI office.”

CAUTIONARY NOTE: This is a future news story –

Thursday, December 2, 2021

Water Treatment Chemical Manufacturer Declares Force Majeure

The Blew Bayou Chemical Company in Louisiana announced yesterday evening that their production capacity for polyacrylamide emulsion polymers had been cut in half by a suspected cyberattack on their facility. The Blew Bayou facility is one of only two domestic facilities currently producing these polymers for the municipal water treatment market. The loss of production at the facility could begin impacting drinking water and wastewater treatment facilities across the United States in the next two weeks.

The chemical reaction vessel was damaged when the mixing system was interrupted in the early stages of a polymerization process. The lack of agitation prevented adequate cooling and the exothermic reaction ran out of control. Safety systems stopped a catastrophic overpressure situation from occurring, but the vessel and many of its attached lines were damaged in the incident. Engineers are currently assessing how much damage actually occurred and what repairs will be necessary to return the facility to operation.

An older sister plant in Mississippi was taken out of operation early in the pandemic because of efficiency issues and limited monomer availability. Blew Bayou is reportedly considering reopening that plant.

Blew Bayou CEO Issac B Kaghun told reporters this morning that the agitator stoppage was apparently caused by a cyberattack. “Our engineers have log data showing that the agitator motor was turned off remotely, even while the control room computers were showing continued agitation,” Kaghun said.

The Federal Bureau of Inquiry has confirmed that they are investigating a potential cyber attack at the facility. “We have a cyber investigation team at the site,” Johnathan Quest, FBI spokesperson, said at a news conference this morning.

CAUTIONARY NOTE: This is a future news story –

Monday, November 15, 2021

Server Crash Due to Building Control Hack

Yesterday’s Baton Rouge refinery shutdown was ultimately due to an attack on a building control system, according to reports this morning by Dragonfire Cyber. The Ravard Refinery was shut down Sunday by three crashing servers supporting the facility control systems. Kate Libby from Dragonfire reports that those servers failed due to overheating when attackers took over control of the server room cooling system.

“Attackers changed the PLC programming for the HVAC system,” Libby told reporters this morning; “They changed room temperature set points and bypassed the temperature reporting process so that only expected temperatures were reported to the facility control room.”

Reportedly, no vulnerabilities in the PLC were involved in the attack. Access to the Robotron GS Building Control System (BCS) provided the necessary authorization to access the PLC and change its programming. “This should require physical access to the GS BCS controls in the server room,” Libby explained; “But someone had set up port forwarding on the system firewall enabling remote access to Port 3671 on the BCS. No authentication is required when accessing the system through that port.”

A technician working with Dragonfire who is not authorized to talk to reporters told me that it looked like an integrator had set up the port forwarding to provide remote access for maintenance support for the building control system. Maintenance of the HVAC system and its associated controls is handled by a local vendor, not the refinery staff.

The Federal Bureau of Inquiry is investigating the attack on the refinery. “There is no indication that this was a terrorist attack,” FBI spokesman Johnathan Quest told reporters; “We are currently looking at the possibility that this was an economic attack.”

The refinery recently switched over their production mix to produce #2 fuel oil. This household heating fuel is shipped to the northeastern United States via pipeline. Heating oil stocks in New England are at historic lows for this time of year and the Ravard Refinery is a prime supplier into that market. It will take at least two weeks for the refinery to restart because of minor equipment damage sustained in the emergency shutdown. This will lead to shortages in heating oil supply as people are trying to fill their tanks for the coming winter season.

CAUTIONARY NOTE: This is a future news story –

Sunday, November 14, 2021

Multiple Server Failures Shut Down Refinery

The Rafael Ravard Refinery outside of Baton Rouge, LA went into an emergency shutdown early this morning. According to Cesar Chavez, spokesperson for the refinery, the shutdown was caused by multiple servers in the process control system crashing at nearly the same time. “Automatic backups did not come online,” Chavez reported; “But local safety systems throughout the plant did allow for a safe shutdown.”

There were local reports of people observing widespread flaring throughout the refinery during the shutdown. “Flaring is a normal occurrence in safety shutdowns,” Chavez explained.

Dragonfire Cyber has a team on site. Kate Libby, a spokesperson for Dragonfire said: “We are working with the Ravard Refinery to determine the cause of the shutdown. We have no news at this time beyond being able to report that three Robotron servers at the facility all shut down. This was the proximate cause of the facility shutting down.”

A technician working with Dragonfire who is not authorized to talk to reporters told me that the server room had apparently overheated. “This was probably the reason that the three initial servers crashed,” she said; “Two other servers crashed shortly after our team arrived on site.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, November 9, 2021

Semiconductor Designs Compromised

Robotron announced today that it has received reports of attacks on customers using the Robotron RoboHD semiconductor design software. The Robotron press release notes that one customer has reported a chip design compromise as a result of an attack by the AngryHD malware. Robotron is cooperating with national computer security agencies around the world on an ongoing investigation into the attacks.

Gen Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning that the CI-SOC was working with Robotron on the investigation. “We know of one instance in the US where a chip design was compromised,” Turgidson reported; “The design flaw was found before the chip went into production, so no hardware has been compromised that we know of.”

Kate Libby of Dragonfire Cyber explained on background this morning that the Robotron Kern real-time operating system (RTOS) (acquired in the recent buyout of Beratergrafik) has been found to contain a number of vulnerabilities that could be remotely exploited to compromise products like RoboHD. “We have seen similar vulnerabilities in a large number of RTOS in recent years,” she explained; “So the problems in Kern are not unusual, unfortunately.”

A technician working with CI-SOC who is not authorized to talk to reporters told me that the agency has a copy of the AngryHD malware. “This is definitely advanced stuff,” she said; “We are probably looking at a state-sponsored attack here, not cyber criminals.”

Dragonfire Cyber has released indicators of compromise that will allow users of RoboHD to determine if their systems have been compromised by the AngryHD malware. Dade Murphy, chief technical officer of Dragonfire told reporters that they were working with Robotron to develop methods of blocking such attacks while Robotron was continuing to work on an update for the Kern RTOS and RoboHD products.

CAUTIONARY NOTE: This is a future news story –

Monday, November 1, 2021

Holey Condom Attack

This morning Robotron announced that new versions of sixteen different programs released in the last 60 days all have backdoor access due to a recent exploit of a vulnerability in their proprietary compiler. Customers who have received those new program versions via the automatic update process have been contacted. Robotron has provided firewall rules to block that access pending development of new code. Robotron reports that they have not received reports of any exploits of the backdoor vulnerability.

Kate Libby, a security analyst with Dragonfire Cyber, explains that: “This sounds like an exploit of the recently disclosed Trojan Source compiler vulnerability. The crafter of this attack needs access to source code used in program development, but this could be from code libraries used in the modern programming environment.”

Erich Mielke, spokesperson for Robotron, confirmed that the vulnerability arose from using a particular piece of code from a commonly used source. “We are working with the outside developer to determine how their library code had become compromised,” Mielke explained; “We expect that the developer will disclose the vulnerability within the coming week when the corrected code is released.”

Libby reported that Dragonfire has determined that the backdoor found in the new Robotron code uses Port 727. “That port is not used for other Robotron processes,” Libby explained; “We have told all of our clients to specifically ensure that that port is blocked in all of their firewalls protecting Robotron devices.”

Gen Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed that the CI-SOC is aware of the Port 727 backdoor in the Robotron devices. “We have contacted all of our supported organizations about the vulnerability,” Turgidson explained; “We are actively monitoring communications via that Port. We will be able to detect ‘phone home’ communications via that backdoor and will quickly isolate any command-and-control system utilizing this vulnerability.”
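The blocking and monitoring described in the two paragraphs above, as an added illustration that is not part of the original story or of any CI-SOC or Robotron tooling: a small Python triage script that reads constructed firewall connection-log lines, flags every connection to the Port 727 backdoor, sorts them into outbound “phone home” traffic from the Robotron device subnet, inbound access to that subnet, and lateral traffic within it, counts candidate command-and-control destinations, and lists the connections a firewall rule should have blocked but allowed. The subnet, the log format and the addresses are assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

BACKDOOR_PORT = 727  # port the story attributes to the Robotron backdoor
# Assumption (constructed): the Robotron devices sit in this OT subnet.
ROBOTRON_NETS = [ip_network("10.20.0.0/24")]

# Constructed firewall log lines in an assumed key=value format; not real data.
SAMPLE_LOG = """\
2021-11-01T08:01:12Z ALLOW src=10.20.0.14 dst=10.20.0.2 proto=tcp sport=50123 dport=502
2021-11-01T08:02:45Z ALLOW src=10.20.0.14 dst=198.51.100.7 proto=tcp sport=50124 dport=727
2021-11-01T08:03:10Z DENY src=10.20.0.21 dst=198.51.100.7 proto=tcp sport=44012 dport=727
2021-11-01T08:04:33Z ALLOW src=203.0.113.5 dst=10.20.0.21 proto=tcp sport=41000 dport=727
2021-11-01T08:05:02Z ALLOW src=10.20.0.33 dst=10.20.0.2 proto=tcp sport=50200 dport=727
2021-11-01T08:06:19Z ALLOW src=10.20.0.14 dst=198.51.100.7 proto=tcp sport=50125 dport=727
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def is_robotron(ip):
    """True when the address belongs to the assumed Robotron device subnet."""
    addr = ip_address(ip)
    return any(addr in net for net in ROBOTRON_NETS)


def classify(event):
    """Return a finding category for backdoor-port traffic, else None."""
    if event["dport"] != BACKDOOR_PORT:
        return None
    src_rob, dst_rob = is_robotron(event["src"]), is_robotron(event["dst"])
    if src_rob and not dst_rob:
        return "outbound_phone_home"      # device calling out to a C2 candidate
    if dst_rob and not src_rob:
        return "inbound_backdoor_access"  # someone outside reaching the backdoor
    if src_rob and dst_rob:
        return "lateral_backdoor"         # device-to-device use of the backdoor
    return "other_727"                    # port 727 seen outside the OT subnet


def analyze(log_text):
    """Summarise backdoor-port activity: counts, C2 candidates and rule gaps."""
    findings, by_kind, c2_candidates, policy_gaps = [], Counter(), Counter(), []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        kind = classify(event)
        if kind is None:
            continue
        event["kind"] = kind
        findings.append(event)
        by_kind[kind] += 1
        if kind == "outbound_phone_home":
            # Count DENY as well: a blocked attempt still reveals the destination.
            c2_candidates[event["dst"]] += 1
        if event["action"] == "ALLOW":
            # Every allowed port-727 connection means the blocking rule is missing.
            policy_gaps.append(event)
    return {
        "findings": findings,
        "by_kind": dict(by_kind),
        "c2_candidates": c2_candidates.most_common(),
        "policy_gaps": policy_gaps,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("findings by kind:", report["by_kind"])
    print("C2 candidates:", report["c2_candidates"])
    for gap in report["policy_gaps"]:
        print("rule gap:", gap["ts"], gap["src"], "->", gap["dst"], gap["kind"])
```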

A source at CI-SOC who is not authorized to speak to the press confirmed to me that there is a very strong possibility that other software from other vendors could be affected by this particular vulnerability, which CI-SOC is internally tracking as ‘Holey Condom’. “Most compilers using the same source code would establish the same backdoor,” she explained.

CAUTIONARY NOTE: This is a future news story –

Sunday, October 31, 2021

NASTE Publishes SP 123456789

Today the National Academy of Security and Technology Equipment (NASTE) published a draft of their newest cybersecurity publication, SP 123456789, Password Selection for Little Used Applications with No Access to Sensitive Information. This publication was designed to provide guidance on how to select a password for access to free publications and stand-alone applications that provide no access to personally identifiable information.

Kate Libby, a researcher with Dragonfire Cyber, and one of the co-authors of the draft, explained: “The proliferation of devices and applications requiring a unique password for adequate cybersecurity protections has made it increasingly difficult for the average person to keep track of the multiple passwords. We need to make it simpler for people to remember their passwords by using realistic passwords for devices and applications where system compromise will have minimal impact on individual security.”

In addition to selection of easily remembered passwords, a chapter of the proposed standard discusses the use of fake names and fictional biographic data when signing up for access to devices and accounts where there are few or limited security concerns.

CAUTIONARY NOTE: This is a future news story –

Sunday, October 17, 2021

Local Blackouts Caused by Electric Grid Hack

Atkinson Electric Cooperative announced today that the recent series of electrical blackouts in the area around Delano, GA have been caused by attacks on the local electric distribution system. “We have seen a pattern of electric system shutdowns that appear to be caused by cyber-attacks on many of our automated circuit reclosers,” Preston S. Arkwright, AEC spokesperson, told reporters this morning at the daily CI-SOC news conference; “These devices are designed to maintain power distribution in the face of minor interruptions and these hackers are using them as a weapon against our distribution system.”

General Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters that teams from the Center had helped to investigate the power system interruptions. “Our teams discovered that the Robotron AWS systems had been individually hacked and reprogrammed so that the reclosers did not actually reset the power connection when a potentially minor interruption occurred,” Turgidson told reporters.

Dade Murphy, CTO of Dragonfire Cyber, told reporters at the news conference that a team of analysts had isolated a copy of a new Bluetooth malware, which they were calling SoreTooth, that allowed attackers to use the AWS Bluetooth connection to reprogram the switch controller. “The crafters of this malware were using a new 0-day vulnerability and two known Bluetooth vulnerabilities to gain administrator level access to the switch software.”

The Federal Bureau of Inquiry is working with the CI-SOC and Dragonfire investigators to try to determine who is behind the attack. Johnathan Quest, FBI spokesperson, refused to comment on apparent claims that a terrorist group was behind the attack; “This is an ongoing investigation and we are not prepared to comment on the identity of potential suspects at this time.”

An Instagram account, since taken down, had been claiming that a group called Carbon Restoration was behind the attack. The group reportedly was acting to stop local utilities from buying solar and hydro generated electricity to replace power previously produced at coal fired power plants. The AEC web site notes that it was targeting a 50% share of daytime power supply from the growing number of solar power farms in Georgia.

CAUTIONARY NOTE: This is a future news story –

Tuesday, September 14, 2021

VaxSurge Ransomware Hits Freezers

The VaxSurge ransomware reported Sunday included a previously undetected worm that attacked health department freezers holding COVID-19 vaccines. “We underestimated the sophistication of the VaxSurge ransomware,” General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning: “When we saw how easy it was to stop the spread of the data encryption process, we assumed that the attacker was not using a sophisticated ransomware program. We were wrong.”

The CI-SOC researchers discovered the worm (unofficially being called the FreezerWorm according to technicians I have talked to) after the Delano, GA Health Department reported discrepancies in their temperature monitoring processes.

A researcher from Dragonfire Cyber, speaking on background, told reporters that the Delano facility was using old-style circular chart recorders in addition to the digital temperature reporting system provided by the freezer manufacturer. They did this in response to last November’s attack on Mengele Pharma. The chart recorder showed a significant temperature rise not reflected by the digital system. The company immediately informed the Dragonfire team that was on-site for the VaxSurge investigation.

Lilian Wald, the Director for the Delano Public Health Department, told reporters at the CI-SOC news conference that temperatures never got above the safe storage temperature limit for the vaccines. “Thanks to the prompt action of the Dragonfire team, the vaccines are still safe to use,” Wald told reporters.

The Chief Technical Officer for Dragonfire Cyber, Dade Murphy, explained to reporters at the press conference that the worm associated with the VaxSurge attack exploited a new vulnerability in the Robotron data historian that effectively bypasses the digital data diode used in that system. “We have communicated the vulnerability to Robotron and they are working on mitigation measures,” Murphy explained.

CI-SOC has a software tool that reverses the attack on the Robotron freezer control system. “Any organization that has received the VaxSurge email should immediately contact CI-SOC for assistance,” Turgidson explained at the end of the VaxSurge presentation.

Mary Cavart, spokesperson for the Department of Health and Medical Services, confirmed today by video feed that the Department had shut down the email account that had been used to spread the VaxSurge ransomware.

The Federal Bureau of Inquiry is investigating the attack on that email server. “As far as we can tell that account was established at least eight months ago,” Johnathan Quest, FBI spokesperson, said; “It does appear that it may have been associated with the SolarWinds based attack last year.”

The FBI reports that they have now received notifications from over 150 health departments about receiving the VaxSurge email. Because of the news reporting Sunday, most of those reporting did not open the email on Monday when it was first seen in their inboxes. “Most of the reporting health departments are located in the Southeastern United States,” Quest reported.

CAUTIONARY NOTE: This is a future news story –

Sunday, September 12, 2021

VaxSurge Ransomware

The Federal Bureau of Inquiry announced this morning that it was investigating a new ransomware campaign targeted at local public health agencies. While the attack was encrypting files at the affected agencies, the attacker has not been demanding a monetary ransom. Instead, they are unlocking files once the agency has published a notice in the local newspaper that it was not supporting the President’s new mandatory COVID-19 vaccination program.

“We have been notified by twenty local public health agencies about successful attacks since yesterday morning,” Johnathan Quest, spokesperson for the FBI, told reporters this morning; “Since the attacks appear to have started on Saturday, we expect to receive more notifications on Monday when many of these organizations return to normal work hours.”

The National Critical Infrastructure Security Operations Center (CI-SOC), working with the Delano, Georgia Health Department, has determined that the attackers have delivered the ransomware via a letter emailed to the Department. “The email was apparently sent by a compromised email server in the Department of Health and Medical Services. It purportedly came from the Office for COVID Vaccinations,” General Turgidson explained at an unusual Sunday press conference at CI-SOC.

A spokesperson for the Department confirmed that there was no such office in DHMS.

A technician from the CI-SOC, speaking on background, told reporters that this was not a very sophisticated ransomware program. Instead of trying to penetrate the organization network before announcing its presence, the ransomware encrypted the machine at the point of infection before it started penetrating the network. Promptly unplugging the connections to the network effectively stopped the spread of the ransomware.

Turgidson reported that the infected email included a Microsoft Word document entitled “Mandatory COVID-19 Vaccination Surge”. It contained an ActiveX control that exploited the newly reported 0-day Microsoft® MSHTML Remote Code Execution Vulnerability. “The rapid exploitation of the Microsoft vulnerability and the use of the old-school ransomware program do not paint a consistent picture of this attacker,” Turgidson explained; “That combined with an exploitation of a SolarWinds compromised mail system is causing us all sorts of investigative headaches.”

CI-SOC is calling this the VaxSurge malware campaign because that term is used in a comment line in the malware code sample that they are working on.

CAUTIONARY NOTE: This is a future news story –

Thursday, September 9, 2021

CI-SOC Expands Robotron Advisory

Today, at an unusual afternoon press conference, Gen Turgidson, the Director of the National Critical Infrastructure Security Operations Center (CI-SOC), announced that on-going investigations related to yesterday’s announcement by Robotron had determined that a number of other vendor products were affected by the underlying JavaScript vulnerability. “We have already identified seven products from three other vendors that have SMS reporting tools that allow the exfiltration of system configuration files,” Turgidson told reporters.

A new alert published today by CI-SOC did not name the vendors or products that have been identified. A CI-SOC spokesperson speaking on background said that the government was working with the vendors to develop mitigation measures and did not want their names released until such fixes were available. “We expect to announce those mitigation measures within the next couple of days,” she told reporters.

The alert does note that any organization that has an industrial control system, building control system or security system that provides SMS alerts containing .PNG images of HMI screens associated with those alerts should contact CI-SOC. According to the alert, CI-SOC has a relatively simple test available that identifies active exploits of the JavaScript vulnerability.

Turgidson explained to reporters that the exploit of this vulnerability was a precursor to some sort of potential future attack. “The configuration data would provide attackers insights into the cybersecurity weaknesses at the affected facilities that could potentially be exploited by a wide variety of potential actors,” the General said.

In a series of messages, cYberg0d, the researcher who originally reported the vulnerability being exploited, explained to me that the JavaScript module that they identified was designed to search for a number of specific control system related devices and copy their configuration files. The information would then be encoded in a .PNG file and sent to one of a series of cell phone numbers hardcoded in the module.

When asked if this did not make the attacker vulnerable, cYberg0d said that both the phone list and target systems had been changed in the module at least twice since he originally identified the problem. “The phones for the old numbers have probably been destroyed.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the FBI was working with CI-SOC to try to identify the attackers. “We are also working with a number of cybersecurity firms to keep an eye on the facilities that we have identified as being impacted by this problem,” Quest explained; “We are hoping to prevent any subsequent attacks on these facilities.”

CAUTIONARY NOTE: This is a future news story –

Wednesday, September 8, 2021

Robotron Announces Data Exfiltration Vulnerability

Today, Robotron announced the presence of a bug in their RoboAlarm® product that has been exploited in the wild to exfiltrate control system configuration files from secure control systems. Robotron spokesperson Erich Mielke explained that this bug was actually an exploit of the JavaScript CVE-2021-23406 vulnerability. Robotron has an update available to fix the vulnerability. RoboAlarm is packaged as a component of many Robotron products, including all of their HMI stations.

According to Robotron’s RoboAlarm advisory, the vulnerability was reported by cYberg0d. In a tweet published right after Robotron’s announcement, cYberg0d explained that the current vulnerability could be expanded to include process information exfiltration by modifying a specific JavaScript module.

General Turgidson, the Director for the National Critical Infrastructure Security Operations Center (CI-SOC), urged all companies that owned Robotron equipment to update their RoboAlarm systems immediately. “We have documented cases where this bug has been used to exfiltrate control system configuration data,” Turgidson explained at the CI-SOC morning press conference: “This information would provide an attacker with critical intelligence needed to execute an effective attack on an industrial control system.”

Kate Libby, a spokesperson for Dragonfire Cyber, explained that RoboAlarm is a messaging application used by Robotron human-machine interfaces to send remote notifications about process upset conditions to managers and engineers in an organization. The messages typically include a screen shot of the HMI to provide more details for the recipient to make more informed judgements about an alarm condition.

“The system uses a .PNG file for the screen shot,” Libby explained: “So this JavaScript within the RoboAlarm product converts configuration files into .PNG files for exfiltration.”

In response to a question about the underlying vulnerability, Mielke reported that Robotron had not been aware of the JavaScript vulnerability until being informed about how it impacted their RoboAlarm product by cYberg0d. “We are going back and reviewing all of the JavaScript code used in our products,” Mielke said.

CAUTIONARY NOTE: This is a future news story –

Sunday, August 22, 2021

FMPC Sues PSSOO Over Pipeline Security Directive

On Friday the Friendly Morning Pipeline Company (FMPC) filed a suit in the 14th US District Court against the Pipeline Safety, Security and Operations Office (PSSOO) over their labeling of the most recent PSSOO pipeline security directive as Sensitive Security Information. SSI is part of the sensitive but unclassified (SBU) information protection system maintained by various agencies of the US government.

The suit claims that the PSSOO’s declaring the security directive as SSI imposed an unreasonable financial burden on the pipeline company because the SSI regulations required that the company install special computer equipment at each of its offices to store the directive and all associated files in accordance with the requirements of SP 800-171. The lawsuit also alleges that the SSI requirements are an unlawful restraint of the company’s free speech rights to discuss regulatory actions of a government agency.

Michael E. Thane, spokesperson for PSSOO, told reporters this morning that the agency had no comment on the lawsuit, explaining: “It is the policy of the Federal Government to not speak to the press about on-going litigation.”

Thane did, however, confirm that SDO2, the most recent PSSOO cybersecurity directive for pipelines, was labeled as SSI. “SDO2 contains detailed cybersecurity requirements for covered pipeline owner/operators,” Thane explained; “If adversaries of the United States had access to that information, it would allow them to bypass those security controls. That could imperil the safety and security of the United States.”

Werner Bergeron, a lawyer for StormFury, an environmental activist organization, has filed a friend of the court brief on the lawsuit. In a press release issued today, Bergeron said: “It is not often that I agree with pipeline operators, but the PSSOO clearly overstepped its authority in the classification of SDO2. We are concerned that the application of the SSI label to a purely regulatory document inhibits public discussion about the appropriateness and legality of the regulatory requirements. It prevents organizations such as ours from reviewing the directive and commenting on its efficacy in protecting the environment.”

I talked with Kate Libby, spokesperson for Dragonfire Cyber. She confirmed that the company was working with a number of pipeline operators in implementing the controls outlined in SDO2. “I cannot comment on the specific requirements of SDO2 since that document is classified as SSI,” Kate told me; “But if a regulation required all covered facilities to implement two-factor authentication to access control system computers, that would be insufficient information for even a nation-state actor to bypass those controls. It would require specific information on what type of 2FA was being used and which specific software tool the facility was using to implement that requirement for an exploit to be crafted. I can tell you that SDO2 does not specify specific pieces of hardware, software or firmware.”

CAUTIONARY NOTE: This is a future news story –

Thursday, August 19, 2021

Meat Plant Wastewater Treatment Facility Shut Down

This morning Horst Sinderman, facility manager for the Intershop Meat Plant in Delano GA, announced that the facility would be shut down for at least a week. “Starting with the 11 to 9 shift today we are in an unplanned maintenance shutdown through next Thursday,” Sinderman told reporters; “In accordance with our employee contracts, we will be paying all hourly employees at the standdown rate.”

When asked about the reason for the shutdown, Horst explained that the facility’s wastewater treatment plant had experienced control system issues last night and the processing systems had to be shut down. “Since we cannot process our wastewater, we cannot continue the operation of the facility,” Sinderman said. Sinderman insisted that the computer problems were not the result of a cyberattack on the facility or ransomware but would not go into details about the problem.

A team from Dragonfire Cyber was seen entering the plant early yesterday evening, but there is no comment from company spokespersons about what the team was doing. “We do have a team on site helping Intershop with their control system issues,” Kate Libby, a Dragonfire spokesperson, told reporters; “I can confirm that the problems they are experiencing are not the result of outsider actions.”

An Intershop employee who was not authorized to speak with the press told me that the problem was due to actions taken by the facility IT team in response to a WaterISAC alert. “It was something called BadAlloc,” the employee told me; “The IT people installed an update and the whole system crashed.”

I asked Gen Turgidson about this BadAlloc problem at this morning’s press briefing at the National Critical Infrastructure Security Operations Center (CI-SOC). “I do not know anything about the specific problems at Intershop, but I can tell you that we are very concerned about the BadAlloc vulnerabilities that many control systems face.” He went on to explain that these vulnerabilities affect a number of real time operating systems. “Exploits of these vulnerabilities could lead to unexpected behavior such as a crash or a remote code injection/execution.”

Turgidson went on to explain that many of the affected operating systems do have new versions that are unaffected by the BadAlloc vulnerabilities. When I asked if installing one of these new versions could result in a system crash, Turgidson said that that would depend on a number of things. “We always suggest that updates be tested on off-line systems before being installed on operational systems,” he explained; “Every control system is a unique entity, and no one can predict the interactions between all of the active components of the system.”

CAUTIONARY NOTE: This is a future news story –

Sunday, August 1, 2021

Robotron Reports Bug Bounty Program Hacked

Today Robotron reported that their bug bounty program, Robo Bug Report, had been hacked. “The unidentified hacker has had access to vulnerability reports from independent researchers for at least two months,” Erich Mielke, spokesperson for Robotron, told reporters this morning. The hack was discovered because a researcher reported a double payment for a reported vulnerability.

cYbrg0D announced on TWITTER® during the Robotron news conference that they were the researcher that reported the double payments. “Identical payments from different Robotron branded accounts from different banks – I got suspicious and reported the issue”, the TWEET read. Mielke confirmed that cYbrg0D was the researcher who initiated the investigation.

Gen Turgidson addressed the issue at the daily news conference for the National Critical Infrastructure Security Operations Center (CI-SOC) this morning. “Robotron has contacted us, and we are working with them to try to identify the extent of the problem,” Turgidson told reporters when asked about the Robotron announcement.

A CI-SOC staffer, speaking on background, told reporters that the concern here is that this was apparently a man-in-the-middle attack where whoever was responsible was seeing the reported vulnerabilities before Robotron. The problem is that the attacker has been notified of at least 20 zero-day vulnerabilities that Robotron knows of. “There is no way of knowing how many zero-day vulnerabilities the attacker received and did not allow Robotron to know about,” the staffer explained.

Mielke reported that all of the communications about vulnerabilities in the Robo Bug Report program were encrypted. cYbrg0D responded on TWITTER, “The hackers did not pay me for a report they could not read – They have the Key”. Mielke responded when informed of cYbrg0D’s TWEET: “Our communications are secure.”

At the later CI-SOC press conference Turgidson, when asked about cYbrg0D’s comment, responded: “I think she has a point.”

Turgidson is asking all researchers who have submitted vulnerability reports to Robo Bug Report in the last six months to contact the German BIS, who are conducting the criminal investigation of the attack. “Do not contact Robotron directly,” Turgidson said, “They have not yet identified the full scope of the intrusion and thus their communications system security is suspect, at best.”

CAUTIONARY NOTE: This is a future news story –

Sunday, July 25, 2021

Russians Take Down Water Follies Hackers

The Russian government today posted a video purported to be of special operations soldiers taking out a Syrian hacker group. In an accompanying statement the Russians said that the building holding the Burj Shemali Group was in Damascus, Syria. Reportedly, this was the group responsible for last weekend’s attack on the water park in Delano, GA that killed three people and sent hundreds to the hospital.

The Russian statement went on to say:

“While our law enforcement personnel will continue to work with their international partners on ransomware and other cyber-crimes, the attack last week on the American water park was an act of international terrorism that cannot be tolerated. We staged our attack on the terrorist compound yesterday with the cooperation of the Syrian government. Let this send a message to cyber-terrorists around the world that their actions will not be tolerated by the international community.”

John Jay, spokesperson for the Department of Foreign Affairs, confirmed that the Russians had informed the government that they had identified the persons responsible for the Water Follies attack and were providing information about the group to US investigators. “Our embassy in Berlin, Germany received a package last night containing hard drives that the Russians had taken from the computers in the Syrian raid,” Jay told reporters. Jay had no comment when asked about the amount of force that the Russians employed in their operation in Syria.

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the Legal Attaché in Berlin had received the hard drives from the Russians and had hand-delivered them to the FBI headquarters. “We will be doing a forensic analysis of the drives to determine if they had been used in the attack,” Quest reported.

Quest also reported that the server provided to the Bureau by the Russians last week did contain files indicating that it had served as the command-and-control server for the attack on the water park. “It appears that the Burj Shemali Group used this server for other operations as well,” Quest reported, “We are expanding our research on the actions of this group, and we have notified a number of friendly governments about potential ongoing operations against facilities in their countries.”

When asked why the server that was purportedly used by the Burj Shemali Group had been located in Moscow, Quest explained that it was not unusual for international criminals to use servers in third-party countries in an effort to throw off investigators. “This server was reportedly located in a commercial facility and was being leased by a dummy corporation controlled by the Syrian group,” Quest said, “The Russians told us that the facility owner had fully cooperated with the FKR, the Russian government’s cyber investigation force.”

Gen Turgidson, the Director of the National Critical Infrastructure Security Operations Center (CI-SOC), who was still using the Delano City Hall for the Center’s daily news conferences because of the attack on their server farm, told reporters that a research team from the CI-SOC would be assisting the FBI analysis. When asked why he thought that the Russians were being so helpful, the General told reporters that there had been an attempt by the water park attackers to make it look like the Russians were responsible for the attack. “While there is not much we can do about the Russians’ turning a blind eye towards Russian cyber-criminals attacking companies in this country,” Turgidson explained, “The killing of American citizens in an American city would not be something that the President could ignore.”

An aide to Turgidson who could not be named explained on background that some people in the intelligence community thought that the Syrian attack had been guided by an unofficial Iranian group that was advising elements of the Syrian government. There is some hope that information on the hard drives provided by the Russians will contain some proof of that activity. Such activity by the Iranians would interfere with the Russian control of the Syrian military.

CAUTIONARY NOTE: This is a future news story –

Saturday, July 24, 2021

CI-SOC Attacked

Gen Turgidson, the Director of the National Critical Infrastructure Security Operations Center (CI-SOC), announced this morning from the Delano City Hall that the CI-SOC was temporarily shut down because of a cyber-attack on the facility. “At this point it looks like the building energy management system was attacked by some unknown party,” he said, “at 3:00 this morning the power to the cooling system for our server room was shut down. Emergency power systems started, but there is still no power getting to the cooling system.”

As the server room started to approach critical temperatures, the CI-SOC personnel started their shutdown procedure, but there were a number of power surges that may have damaged the servers. “We will not know for sure if there was any data loss until we can restart the systems when the power problems are taken care of,” Turgidson explained, “We, of course, have complete backups stored in our backup facility.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the agency was conducting an investigation of the CI-SOC attack in conjunction with the CI-SOC investigators.

CAUTIONARY NOTE: This is a future news story –

Monday, July 19, 2021

Russians Seize Water Follies Attack Server

John Jay, the spokesman for the Department of Foreign Affairs, announced this morning that a foreign government had seized the server that was used in the cyberattack on the Water Follies facility in Delano, GA on Saturday, but he refused to identify the government involved. “The government concerned has made arrangements to turn over the server to the Federal Bureau of Inquiry this afternoon,” Jay explained at the press conference. Jay took no questions about the server issue.

Esther Williams, the manager for Water Follies, was at this morning’s press conference at the National Critical Infrastructure Security Operations Center (CI-SOC). She confirmed that her operations staff was working with CI-SOC to remove the malware from the control system so that the facility could be opened back up to the public. “The team from Dragonfire Cyber is helping to remediate the zero-day vulnerability that the attackers used in the cyber assault on the facility,” Williams told reporters. Williams studied computer science at Georgia Tech while she competed internationally in swimming.

Gen Turgidson, Director of CI-SOC, told reporters that a team from his organization would be on hand in Berlin when the server was turned over later today. “Our investigators identified the location of the server in Moscow, and we provided the location to the FBI. They contacted their law enforcement counterparts in Russia,” Turgidson explained.

A technician at Dragonfire who was not authorized to talk to the press told me that while the incident response team (IRT) identified the location of the command-and-control server in Moscow, they did not believe that the operation was controlled from that country. “One of our investigators is from Israel and she identified many of the programming comments found remotely on the server as being idiomatic Arabic,” the technician said.

The IRT is reportedly concerned that it was almost too easy to identify the location of the command-and-control server. Gen Turgidson confirmed that, so far, the technical investigation is not pointing at the Russians as a source of the attack. “This was not a really sophisticated attack once one gets past the 0-day vulnerability,” Turgidson explained, “The attackers had some detailed knowledge about the operations at the water park, but there were no great hacking skills in evidence.”

CAUTIONARY NOTE: This is a future news story –

Sunday, July 18, 2021

Water Park Incident Caused by Hackers

Yesterday’s incident at the Delano Water Follies waterpark, which injured 100 and killed two, was caused when large amounts of muriatic acid and bleach were added to the large wading pool at the same time. The chemical reaction between the two water treating chemicals produced a cloud of chlorine gas and heated the water in the pool to dangerous temperatures. Now there are unconfirmed reports that someone gained control of the water treatment system to deliberately cause the incident.

Esther Williams, the Water Follies manager, confirmed that the injuries at the park yesterday were caused by the mixing of the two chemicals. “We do not use that particular charging system during the times the park is open to avoid this type of problem, but we never expected anyone to add the amount of these two chemicals that were added yesterday,” Esther explained to reporters.

A maintenance worker who was not allowed to talk to the press told me that there were over 2,000 lbs of muriatic acid added from a totebin and almost twice that much bleach from the large on-site storage tank. “That is two days of chemical use for the park added to the one pool in less than 30 minutes,” he explained.

Williams refused to comment on the possibility of hackers being involved, but a team from Dragonfire Cyber, a team known to work with the National Critical Infrastructure Security Operations Center (CI-SOC), was seen moving around the park today.

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the agency was working with CI-SOC on the investigation of the incident. “We have not yet confirmed that it was a cyberattack,” Quest said, “But our investigators looking at the security videos from the site did not see anyone in the vicinity of the manual valves that would have to have been manipulated for a physical attack at the time of the incident.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, July 13, 2021

Delano Airport Hack Was Proof-of-Concept Demonstration

Yesterday, three instrument landings at the Porter Alexander Airport in Delano, GA were canceled as the Airport experienced problems with its instrument landing systems (ILS) equipment. This morning, Fred P. Ayres, the airport manager, confirmed reports that the problems were the result of a cyber-attack on the facility’s Ground Based Augmentation System, the system that refines GPS data for the instrument landing system used at the airport.

“We received a copy of an email message that was sent to the FAA claiming responsibility for the attack,” Ayres told reporters this morning. That email was from DBCoop2 and claimed that the attack yesterday was a proof-of-concept exploit of vulnerabilities that the researcher had discovered in the current generation of GBAS used by many airports across the country. The email offered to sell the Federal Airline Administration (FAA) the details about the vulnerability for 1 Bitcoin.

The airport had three landings diverted to other airfields yesterday. They occurred when planes were attempting to land during heavy rains and were forced to use the ILS system. One of the pilots, who did not want his name used because of his corporate affiliation, told me that when the corporate jet dropped below the cloud layer, they were lined up almost 200 meters to the right of the runway, right along the facility fence line. The pilot was able to safely pull out of his approach and requested diversion to an alternate field.

The FAA would not comment on the email and a written statement said that yesterday’s ILS anomalies were under investigation.

When asked about the incident at the National Critical Infrastructure Security Operations Center’s (CI-SOC) morning press briefing, Gen Turgidson told reporters that the CI-SOC had not been contacted about the incident, but that he would personally talk to the airport manager as soon as the brief was over. “I fly in and out of that field frequently,” Turgidson explained. Turgidson spent 10 years as an Air Force transport pilot before moving into cyber operations.

Robotron Aero, the company that manufactures the GBAS system used at the Porter Alexander Airport, said in a written statement that they had just been notified about the potential problem and were cooperating with the FAA and the Federal Bureau of Inquiry on the investigation.

CAUTIONARY NOTE: This is a future news story –

Wednesday, July 7, 2021

Hundreds of Drugs Recalled Due to Cyber Attack

The Federal Drug Agency today announced that it was ordering the recall of three hundred forty-five drugs, including over-the-counter products, prescription drugs and two COVID-19 vaccines, because of contamination issues with a precursor chemical manufactured by Mengele Pharma. The precursor, TMD (4-tetramethyl-2-death), is contaminated with unacceptable levels of benzene, a known carcinogen. Initial indications are that the contamination is the result of a cyberattack on the Mengele facility in Delano, GA.

Clark Stanley, FDA spokesperson, told reporters this morning that most of the drugs being recalled would not have high benzene levels because benzene is used in the manufacturing process after TMD is introduced so the manufacturers independently test for benzene residuals. “We do not have reason to suspect that the drugs being recalled are of any specific danger to the public,” Stanley explained, “But since the TMD is adulterated the drugs do not meet FDA standards for use by the public.”

An unnamed student in an analytical chemistry class at the South-Central Georgia Technical College in Delano was the initial discoverer of the high benzene levels. According to Professor Izaak M. Kolthoff, the student was developing a liquid chromatography assay for the chemical as part of a class project. “The benzene levels were 100 times higher than reported on the Mengele certificate of analysis,” Kolthoff explained in a phone interview, “I checked her results and calibration and then re-ran the test myself before I reported the findings to the Mengele QA lab.”

Wolfgang Gerhard, spokesperson for Mengele Pharma, confirmed that the problem was first identified by a student at SCGTC. “We have a good relationship with the school since they train most of our technicians,” Gerhard explained, “And we have the utmost respect for Dr. Kolthoff since he worked for this company for 20 years before retiring. He established most of the test methods that we use today for production quality control.”

Stanley told reporters that Mengele Pharma reported the problem to the FDA as soon as they confirmed the student’s report.

Gerhard told reporters that the company called in experts from Dragonfire Cyber to investigate after an internal investigation turned up oddities in the lab information management system that reported the erroneous results. While that investigation is ongoing, Gerhard told reporters that Dragonfire has confirmed that they have found malware on the LIMS and that the testing reporting process had been compromised.

The FDA and the Federal Bureau of Inquiry are conducting a joint investigation of the incident.

CAUTIONARY NOTE: This is a future news story –

Sunday, July 4, 2021

Hacker Retaliates Against Government Building

According to the anonymous hacker, cYbrg0D, last night’s lightshow at the Department of Foreign Affairs building in Washington, DC, was a hack of the building control system using a vulnerability he had reported to the Department’s vulnerability disclosure program. DFA refused to pay him for the reported vulnerability under the Department’s Bug Bounty program because the vulnerability did not affect an information system.

The lightshow last night at the building involved turning all of the lights on each of the fourteen floors on and off in a pattern that changed all night long. Government officials were only able to stop the light show early this morning by turning off the power to the building. Emergency systems are providing power to critical offices while system engineers are working to remove the malware that controls the lightshow.

John Jay, a spokesperson for the DFA, confirmed to reporters this morning that the Bug Bounty program did refuse to pay cYbrg0D for the reported vulnerability. “We are constrained by the congressional authorization for the program,” Jay explained, “The definition of information system used in the legislation authorizing the program clearly excluded operational control systems, such as the building management system that was apparently hacked last night.”

The hacker explained his point of view about the conflict with the Department of Foreign Affairs in a web page that was posted to the DFA web site. That page was taken down early this morning, just hours after it appeared on the site.

Junior Butts, a lawyer representing cYbrg0D, is in conversation with the Federal Bureau of Inquiry (FBI) about their interest in questioning the hacker. “My client is willing to cooperate with the Department in clearing the malware that is controlling the lighting system in exchange for acknowledgement that his vulnerability report should have been eligible for the bug bounty program,” Butts explained.

The Cybersecurity Agency is working with the DFA to resolve the control system security issue. “Technicians quickly found and removed the malware last night, but it reappears each time the system is restarted,” Ida Long, CSA spokesperson, explained, “It is apparent that cYbrg0D found more vulnerabilities than the one that he reported to the VDP.”

Johnathan Quest, spokesperson for the FBI, confirmed that the agency is looking to talk to cYbrg0D about the incident. “We have not yet sought an arrest warrant for the individual,” Quest explained, “At this point, we just want to talk to the hacker.”

CAUTIONARY NOTE: This is a future news story –

Sunday, June 27, 2021

Summer School Closed by Cyber Attack

Roosevelt High School in Delano, GA has announced that summer school classes will not be held this coming week because of problems with the building control systems. Linda Schrenko, Principal at the school, confirmed that the school has not been able to fix the problems that caused students to be sent home early on Friday. Students were sent home when the air conditioning systems stopped working Friday morning and the classroom temperatures quickly became unbearable.

“We used to hold classes without air conditioning all the time,” a teacher who did not want to be identified told this reporter, “But when the AC was installed and then people started getting worried about school shootings, the windows were redesigned so that they could not open. Without the AC there is just no circulation in those classrooms.”

Schrenko said the school was not hit by a ransomware attack. “We are having problems with the air conditioning,” she explained today in a phone interview, “These things happen with those systems, we will get them fixed and the students will be able to come back into the classrooms.”

A team from Dragonfire Cyber was seen at the school yesterday and an agent from the Federal Bureau of Inquiry was on site for about an hour last night. Johnathan Quest, a spokesperson for the FBI, confirmed that the agency was investigating a cyberattack at the school. “This is part of an ongoing investigation that is looking at a series of attacks on building control systems at an increasing number of schools across the country,” Quest said.

A technician from Dragonfire, who was not authorized to talk to the press, told me that the problem is broader than just the air conditioning system. “The complete building control system software has been wiped out,” she said.

The school uses the BauSystem building control system from Robotron. It controls the HVAC system, the access control system, and the fire alarm system within the buildings at the High School. A quick search of the name on Google® shows that there is a hard-coded account in the system that provides remote access to the system and the password for that account has been circulating on social media for a couple of weeks now.

“Looking at the social media surrounding the systems,” the technician told me, “It is apparent that students are probably responsible for most of the attacks on school systems over the last couple of weeks. There have always been kids that did not want to go to summer school but were required to do so for various reasons. Shutting schools down has to be attractive to those students.”

Erich Mielke, spokesperson for Robotron, confirmed that the company was working with the FBI and local authorities on fixing the school control system problems. “We expect to have an update available to correct this vulnerability in a couple of weeks,” Mielke said.

General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed that his organization was working with social media organizations to try to take down the instructions for wiping out the building control systems. “We are seeing the information being shared as posts on blogs and personal pages, pictures on photo sharing sites and, of course, how-to videos, and that is not even looking at the Dark Web,” Turgidson explained, “If Robotron does not get a fix in place before the schools reopen in the fall, this is going to create chaos across the country.”

CAUTIONARY NOTE: This is a future news story –

Monday, June 21, 2021

Robotron Ransomware Hits ICS Phones

Robotron announced today that the latest ransomware attack on their corporate networks has apparently spread to its Betriebstelefon product. Erich Mielke, CTO of Robotron, told reporters this morning that they have received numerous reports from customers that their phones began showing ransomware messages at midnight GMT. “We are negotiating with the attackers to get our systems, and our customers’ phones, released,” Mielke announced, “It appears to be the same organization that was behind the BlockKopieren attack on Robotron earlier this year.”

Kate Libby, Senior Researcher with Dragonfire Cyber, explained that the Robotron Betriebstelefon was introduced two years ago to provide cellphone service in chemical facilities and other production areas where there was need for intrinsically safe devices. “The Robotron phone is rated for service in Class 1, Div 1 areas where a spark could ignite flammable atmospheres. They added industrial services to the phone that allowed secure communications with Rockwell control systems.”

Robotron’s web site explains that owners of their industrial phones can receive control system alarms and access data from the company’s data historian. The phones are keyed to specific installations to allow for encrypted communications.

That earlier attack cost Robotron €6 million in ransom and caused a 30% drop in share price. The company’s stock price had just about returned to the pre-attack price last Friday before trading was stopped at 4:00 GMT when Robotron announced the most recent attack.

General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning that they have received notifications from a number of their covered facilities about the problems with the Robotron phones. “The data diodes used in the phone system ensure that problems in the phones cannot be transmitted into the supported control systems,” Turgidson explained, “But facilities with the phones have expressed their concerns about the problems with the phones to both the CI-SOC and Robotron.”

Dade Murphy, CTO of Dragonfire Cyber, confirmed that his organization had teams at each of the facilities affected by the phone attacks. “While we have no indications that the attacks have spread to the facility control systems, we are taking extra precautions,” Murphy explained. Dragonfire has previously vetted the phone system for use in secure facilities.

An unnamed security researcher at Robotron has been quoted as saying that the recent ransomware attack was apparently set up in the earlier attack. The company has found indications the previous attack placed a backdoor into the corporate system. The attacker was present in the systems for a much shorter time period during this attack, indicating that the previous reconnaissance data was used in the latest ransomware attack.

CAUTIONARY NOTE: This is a future news story –

Saturday, June 19, 2021

Autobody Shop Owner Charged with 147 Counts of Reckless Endangerment

Yesterday Tommy Smitherman, owner of Smitherman’s Autobody, was arraigned on 147 counts of reckless endangerment for hacking customer automobiles and reducing the effectiveness of their non-skid braking systems. The District Attorney’s Office claims that Smitherman hit upon a scheme to increase repeat business at his repair shop by increasing the time between reapplication of braking pressure on the non-skid braking systems of his customers’ automobiles.

Delano Police Chief S. James Butts told reporters that the investigation leading to Smitherman’s arrest was initiated last year when there was a sudden surge in police vehicles involved in rear-end accidents. “Our payments for fixing front-ends on our police cruisers tripled in a six-month period and our insurance costs skyrocketed,” Butts explained.

After the Department’s accident investigation team determined that most of the vehicles involved in rear-end collisions were taking longer than normal to stop, an outside investigation team from the Automotive Safety and Security Council (ASSC) was brought in to look at the vehicles. “Our cyber-forensics team determined that the braking system programming on all of the vehicles had been tampered with,” Ed Cole, ASSC spokesman, told reporters, “This is not the first time that we have seen this particular hack.”

Once the Delano Police Department knew what to look for, they checked each of the cars in the Department’s and the City’s fleet. “We found twenty cars with the modified braking system and all of them had been to Smitherman’s Body Shop in the last two years,” Chief Butts explained. The Department got a warrant to search Smitherman’s shop and home and investigators found the OBD2 Dongle that was used to reprogram the vehicles.

Cole told reporters that the ASSC was working with the Federal Bureau of Inquiry to try to track down the people that are selling the ‘Braking Bad Dongle’ that Smitherman used. “Smitherman does not have the technical knowledge necessary to write the programming necessary to modify the braking systems,” Cole explained, “He bought it from somebody, probably on the Dark Web. We want to find the distributor and shut them down.”

Johnathan Quest, spokesperson for the FBI, confirmed that the agency was working on the investigation. “We have talked to Smitherman, and he is not willing to discuss where he got the Dongle from or even acknowledge what the Dongle was used for,” Quest told reporters during a video link, “Right now we do not have a federal crime that we could charge Smitherman with to provide additional pressure to make him cooperate in our ongoing investigation.”

When asked why all of the charges against Smitherman were ‘reckless endangerment’, Butts explained that all of the accidents caused by this cyberattack were minor, with no serious personal injuries. “Currently, there were no other charges that could be brought against Tommy,” Butts said, “There are, however, a number of civil suits against Smitherman that will be filed next week; including one from our Department.”

Cole told reporters that there is discussion in the industry with car companies trying to get Smitherman and similar body shop owners using the Braking Bad Dongle charged with copyright infringement.

CAUTIONARY NOTE: This is a future news story –

Tuesday, June 8, 2021

Capitol Attack Spread from Control Systems to IT Network

Last night the number of investigators working on the Capitol Hill cyberattack jumped drastically as computer systems in congressional offices began displaying ransomware notices. Investigators from the Federal Bureau of Inquiry and the National Critical Infrastructure Security Operations Center (CI-SOC) were joined by private security personnel hired by House and Senate chiefs of staff trying to get their systems back online.

Gen Buck Turgidson, Director of the CI-SOC told reporters this morning that investigators from Dragonfire Cyber working for his agency had confirmed that the ransomware infection had moved from the building services computer systems, through administrative networks in the Capitol, to individual computers in congressional offices. “This is the first time that we have seen a major cyber attack move from OT networks to IT networks.” Turgidson told reporters.

Unconfirmed reports from personnel close to the investigation seem to indicate that the initial attack on the building control systems was initiated through a Bluetooth connection in the building access control system. A technician from Dragonfire Cyber, who is not authorized to talk to the press, told me that a Bluetooth connection between metal scanning wands used by Capitol Police and the security control station at the Cannon House Office Building has been identified as the route of entry into the building services network.

Early yesterday afternoon, William Thornton, Capitol Building Services Manager, had announced that power had been restored to the Capitol Building and each of the six congressional office buildings. While HVAC systems and building security systems were still off-line, the decision was made at 6:00 pm to allow staffers back into their offices so that they could prepare for the emergency joint session of Congress scheduled for this afternoon. At about 8:00 pm, reports started coming in about ransomware demands on office computer systems.

While each of the congressional office computer systems is linked to the Capitol IT network, investigators quickly determined that the as yet unidentified attackers are treating each congressional office as a separate target, demanding 1 Bitcoin (about $36,000) for the decryption code for each office.

Turgidson reported to the Congressional Leadership last night that the CI-SOC did not have enough people available to respond to each office in a timely manner. The decision was made to have Dragonfire Cyber teams look at the offices of the top two leaders of the House and Senate, and allow each of the remaining offices to address the issues with private contractors if they so desired. “We will review each congressional office’s computers before we close out the investigation.” Turgidson promised Congressional leaders.

The House and Senate are scheduled to meet in a rare joint legislative session at 4:00 pm EDT today. They are scheduled for a limited debate and subsequent vote on HR 10, the Respond, Evaluate, and Counter Terrorism (REACT) Act. Details of the bill are still being ironed out, but sources say the bill will authorize and require the CIA, NSA and Cyber Command to provide intelligence assistance and material support to the investigation by CI-SOC and the FBI into the cyber attack on the US Capitol. Apparently still being debated by the Congressional leadership is the extent of the military response that will be authorized against the perpetrators of the attack. Rumors have it that there are loud calls for expanded response authority after the attack spread to congressional office systems.

The White House has announced that the President will sign HR 10 when it reaches his desk.

CAUTIONARY NOTE: This is a future news story –

Monday, June 7, 2021

More Problems with the Capitol Cyber Attack

A brief press release from the office of the Capitol Building Services Manager reported early this morning that while the servers and system control computers had been decrypted overnight, attempts at restarting the various systems had failed because the system components that operated the various building systems had been wiped of all programming during the attack. Lights, power, ventilation and security control systems were all affected.

Yesterday, at about 9:30 am EDT the building control system computers for the Capitol Building and six Congressional Office Buildings were shut down by a ransomware attack. A previously unidentified group, DL76, signed the ransom screen demanding a 10-bitcoin ($370,000) ransom to unlock the system. A joint statement by the leaders of both parties of both the House and Senate yesterday afternoon, firmly reported that no ransom would be paid.

Late last night the National Critical Infrastructure Security Operations Center (CI-SOC) announced that an incident response team from that organization was working with the CBSM to restore the servers and control system computers from the most recent backups. Unofficial word came out at 2:00 am this morning that the restoration process was completed and that a system restart was imminent.

This morning’s press release stated that the Senate session and all Congressional hearings scheduled for today were canceled until further notice. All attempts to contact congressional leadership were met with a uniform ‘no comment at this time’ response. A joint press conference is scheduled for 9:00 am at the White House.

A technical expert working with Dragonfire Cyber on the restoration process told me this morning that they had discovered that the attackers used the same version of the “SMASHINGCOCONUT” wiper program that was used in the recent attack on NACL Industries. “While an ecoterrorist group was responsible for that attack,” the expert told me under condition of anonymity as they were not authorized to talk to the press, “There is no indication that the current attack on the Capitol was conducted by that group. The wiper program is available for rent on the dark web.”

When I asked this expert why backups were not being used to restore the components that were affected by the wiper program, she told me that while backups were available for the operational programming for most of the devices, the operating software was not locally backed up. Various vendors were being contacted for copies of the appropriate software and firmware. Restoration of all of the affected devices could take a couple of days.

CAUTIONARY NOTE: This is a future news story –

Sunday, June 6, 2021

Capitol Ransomware Attack Shuts Down Congress

The Capitol Building was evacuated today when a ransomware attack shut down all building services, including air conditioning and power. According to William Thornton, the Capitol Building Services Manager, the attack on the computer systems used to control all of the building services started at 9:30 am this morning. “Since Congress was not in session today,” Thornton told reporters, “There were very few people in the Capitol Building or the six congressional office buildings affected by the attack. We have not yet been able to confirm that all personnel have left all seven buildings because our access control logs were also affected by the attack.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the FBI was investigating the incident. “It is way too early in the incident to be able to provide any details about our investigation,” Quest told reporters, “We do have agents on the scene and a cyber forensics team is en route.”

When asked about the apparent ransom demand, Quest told reporters that the United States does not pay ransoms to criminals or terrorists. That statement prompted immediate questions about whether this was a terrorist attack. Quest immediately responded: “We have no information about who the attackers are at this point in our investigation, but there are no indications that this is a terrorist attack.”

A technical expert with Dragonfire Cyber, a company that works closely with the National Critical Infrastructure Security Operations Center (CI-SOC), told me that the attack on the capitol control systems did not start today. “To accomplish a shutdown of this magnitude, an attacker would have to have been in the computer system for at least a couple of weeks,” she said.

Capitol Police are out in force at all seven buildings and the Washington, D.C. police department has a tactical command trailer parked near the Capitol.

The President and Vice President have both been informed about the incident. The Vice-President’s office had no comment when asked if the Senate will meet tomorrow as scheduled. The House is not scheduled to meet in Washington this week.

CAUTIONARY NOTE: This is a future news story –

Monday, May 31, 2021

Environmental Agency to Ration Chlorine Shipments

This morning the Federal Environmental Process Protection Agency (FEPPA) announced that it was implementing Defense Production Act supervisory authority for all bulk chlorine shipments in the United States. The Agency was taking this action because of the loss of production at the NACL Industries facility in Louisiana.

“The nation is experiencing a critical shortage of chlorine gas for water treatment and wastewater treatment facilities because of the terrorist attack on the chlorine production facility in Louisiana,” Jay Muir, FEPPA spokesperson told reporters this morning, “The NACL Industries facility was almost 20% of our national production capability and that places a severe strain on facilities that need that material for public sanitation needs.”

A press release from the Chlorine Gas Institute explained that there is still sufficient chlorine product to meet sanitation needs even with the closure of the NACL Industries facility. “Our manufacturers have legal obligations to other customers that must be taken into account,” spokesman Hamilton Castner explained, “We welcome the efforts of FEPPA to help prioritize the allocation of our temporarily restricted resources, but the government must realize that chlorine gas is used in a large number of critical manufacturing processes including many pharmaceuticals. We cannot just cut off supply to those industries.”

“FEPPA is working hard to coordinate with all critical users of chlorine gas,” Muir said, responding to questions about chlorine allocations, “But we have been notified by four drinking water utilities in the southeast that they are going to have to initiate boil water warnings for their systems later this week because of the loss of shipments of chlorine gas.” FEPPA is reporting that those four water systems supply drinking water to 2.5 million households.

In an update on the ongoing terrorist threat to chlorine manufacturing, the National Critical Infrastructure Security Operations Center reported today that they had found initial stages of compromise at two additional chlorine manufacturing facilities. This required a temporary shutdown of the manufacturing control systems at those facilities to deal with the early stages of the attack. “Production at those facilities should resume later this week,” General Turgidson, Director of CI-SOC, told reporters this morning.

Dade Murphy, CTO of Dragonfire Cyber, the company working directly on the response at NACL Industries, told reporters at the morning CI-SOC press conference that his company had ten responders at the facility working with representatives from Robotron, the supplier of the control system used at the facility, and elements of the Louisiana National Guard, all working on restoring the control system at the facility.

“We are having to carefully check each programmable piece of equipment on the site,” Dade explained, “We need to ensure that there are no elements of the wiper program left on the devices before we can reload the software or firmware to the device. Once that is done, we will be able to use the system backups to restore the actual operating controls and programming for the facility.”

A control system technician that was not authorized to speak to the press told me that remnants of the “SMASHINGCOCONUT” wiper program had been found in a number of pieces of equipment throughout the facility. “Someone wanted to be able to come back and wipe this system out again, if we got it restored,” she told me.

CAUTIONARY NOTE: This is a future news story –

Sunday, May 30, 2021

CI-SOC/FBI Chlorine Bulletin

Early this morning the National Critical Infrastructure Security Operations Center (CI-SOC) and the Federal Bureau of Inquiry published an alert concerning ongoing terrorist attacks on the industrial control systems at chemical manufacturing plants involved in the manufacture of chlorine products. This is related to the recent attack on the NACL Industries plant in Blew Bayou, LA.

Gen Buck Turgidson told reporters this morning that, while the NACL Industries facility was the only one to date that had had its control system equipment erased, there have been indications that similar attacks were underway at two other chloralkali facilities. “While we were not able to stop the destruction of the production processes at NACL Industries,” Turgidson said, “We have been able to prevent the terrorists from taking down two other facilities this week. Today’s alert goes out to all facilities that produce or handle chlorine in bulk. It provides indicators of compromise that will allow facilities to determine if their systems are currently under attack.”

Johnathan Quest, spokesperson for the FBI, told reporters that they had assessed that the known eco-terrorist group, Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), was behind the attack. “They have not publicly claimed responsibility for these attacks,” he said, “But there are numerous similarities between these attacks and earlier ones carried out by SFINCTER. The wiper program that they are using was written by the North Koreans, and we have been tracking recent contacts between SFINCTER and the DPRK.”

Ernest A. LeSueur, President of NACL Industries, had recently confirmed that the attack on their facility looked initially like a ransomware attack. “We did pay a $1 million ransom,” LeSueur said, “But when we applied the decryption key provided by the attackers, we were only able to regain access to our corporate IT network.”

Quest confirmed that the FBI was attempting to track the bitcoin wallets used in processing the ransomware payment. “We have confirmed that about 10% of the payment has been transferred to a bank account that had been used by the DPRK in Singapore, but that account was closed shortly after the money was deposited. We suspect that that was payment for the use of the malware used by SFINCTER.”

Dade Murphy, CTO of Dragonfire Cyber, told reporters at this morning’s news conference that researchers from his organization were quickly able to establish that the North Korean SMASHINGCOCONUT wiper program had been adapted to erase all software on the industrial control system’s equipment at the plant. “The control system was comprehensively erased,” Murphy explained, “Servers, HMIs, PLCs, even the firmware for motor controllers and sensors was erased.”

LeSueur explained that the production and maintenance staff were hard at work replacing devices where they were available and beginning the reprogramming process where necessary. “We are receiving a great deal of assistance from Robotron, both on site and remotely.”

Turgidson urged all chlorine related chemical process facilities to take a hard look at today’s alert. He said there is strong reason to suspect that SFINCTER is planning a comprehensive attack on the chloralkali industry as part of their anti-chlorine manifesto. “We know that they have successfully attacked one facility and were in the process of attacking two other facilities in Texas and Alabama,” the General said, “Other facilities are certainly in their sights.”

CAUTIONARY NOTE: This is a future news story –

Wednesday, May 26, 2021

Control System Destroyed at Chlorine Plant

Gen Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed this morning that the CI-SOC was working with NACL Industries to determine how the programming for the plant’s chlorine production facility was completely wiped out this week. There are reports that North Korean malware was involved.

On Monday, there were reports from sources at the company’s Blew Bayou, LA, chlorine production facility that a production stoppage over the weekend was due to a ransomware attack on the industrial control system at the plant. A spokesman for the company refused to answer questions about a ransomware attack, stating that: “We can neither confirm nor deny that a ransomware attack has been made against any company assets.”

A representative from Dragonfire Cyber who was seen yesterday in Blew Bayou, and who was not authorized to talk to the press, told me that the cyber investigation firm had found indications that an updated version of the “SMASHINGCOCONUT” wiper program had been employed at the plant. That program was reportedly developed by a North Korean APT group in 2017. “The new version was specifically modified to wipe files on a Robotron control system down to the instrument level,” the source said.

Ernest A. LeSueur, President of NACL Industries, told reporters that the chlorine production facilities had been shut down since a cyber attack on the control systems occurred on Saturday. “We are cooperating with CI-SOC and criminal investigators to determine who is responsible for the attack,” he said; “But our real focus is the safe restart of our production facilities.”

LeSueur confirmed that the Company had declared force majeure on their chlorine delivery contracts for the foreseeable future.

NACL Industries was the target of a cyber attack almost two years ago. In that instance a terrorist group, Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), claimed responsibility for the attack. No arrests have been made in connection with the earlier attack.

CAUTIONARY NOTE: This is a future news story –

Monday, May 24, 2021

Drive-by Cyber Attack Behind Sewer Explosion

Last week’s cyberattack on the sewer system in Delano, GA was set up by an attack on a web site run by WWTP Support, LLC in California. That company supplies technical assistance and engineering support to wastewater treatment plants across the country. According to the National Critical Infrastructure Security Operations Center (CI-SOC), a tool available on that site provided attackers with a foothold on the computer of anyone that used the tool in the last three months.

“We are working with the Federal Bureau of Inquiry and the owners of WWTP Support to try to identify who is responsible for the attack on that web site,” General Buck Turgidson, Director of CI-SOC, told reporters this morning.

Kate Libby, a spokesperson for Dragonfire Cyber, told reporters that it looks like the web site attackers may be selling access to the affected treatment plants, treatment plants like the one in Delano. “We have seen ads on the DarkWeb by an individual known as FlusherSale selling access to small to medium size wastewater treatment plants,” she told reporters at the CI-SOC press conference; “While most of these sales are for ransomware attackers, we did find conversations between FlusherSale and Anti-Arr.”

Libby went on to explain that Anti-Arr was seeking a discount on the use of access to the Delano WWTP system because they were not going to use the access for ransomware. They argued that FlusherSale could still sell the Delano information to someone else in a couple of days. CI-SOC confirms that they did stop a ransomware attack on the Delano WWTP systems during their investigation of last week’s attack.

A person connected with the Delano Police Department who was not authorized to talk with the press told me that they are investigating rumors that a political opponent of Mayor Carter was behind the attack last week. I was told that it was not either of the two other candidates running for Mayor, but someone with a long-time grudge against Carter.

CI-SOC and the FBI have issued a joint cyber alert on the drive-by attack on the WWTP Support web site and are urging all waste water treatment operators that may have had personnel visiting that site to have cybersecurity experts check their control systems for the indicators of compromise that the researchers at Dragonfire Cyber have identified.

“We have confirmed that at least two recent ransomware attacks on treatment facilities are associated with the WWTP Support website compromise,” Johnathan Quest, FBI spokesperson told reporters via video link this morning.

Kate Libby noted at this morning’s CI-SOC news conference that they had been able to stop the ransomware attack on the Delano system. “Preventing a ransomware attack is much cheaper than responding to one,” Libby reminded the audience.

CAUTIONARY NOTE: This is a future news story –

Friday, May 21, 2021

Yesterday’s Sewer ‘Explosion’ a Cyber Attack

The eruption of sewage at yesterday’s campaign rally for Mayor Arrington was caused by an attack on components of the city’s sewer control system, according to Eric Schlamm, the director of the Delano WWTP. “We have determined that someone commanded the pumps at two separate throttle pipes to turn on and remain on, creating an overpressure situation in the interceptor tube that ran beneath the park where the rally was being held,” Schlamm told reporters this morning.

Investigators from the National Critical Infrastructure Security Operations Center (CI-SOC) have confirmed that they have been assisting the City in its investigation of the incident. “We have been able to document the changes in the programming for the pumps,” Gen. Turgidson, CI-SOC Director, told reporters over a morning conference call; “But this was more sophisticated than just that; the pressure sensors in the system were also attacked, and this effectively bypassed the safety interlocks on the pumps and allowed the system to be over pressured.”

A spokesman for Mayor Arrington’s office confirmed that the Mayor had been released from the hospital overnight after being treated for scrapes and abrasions she received as she tried to help some of her supporters that had been felled by the flow of sewage. “The doctors have her on a prophylactic regime of antibiotics because of her exposure to the sewage and her open wounds.”

Delano Police Chief, S. James Butts, told reporters that almost one hundred people at the rally were decontaminated and treated on site for minor injuries related to the incident. Those with open wounds were sent to local emergency rooms as a precautionary measure. “This was a discharge from a combined sewer system, so we were concerned about both biological and chemical exposure issues,” he explained.

The Federal Bureau of Inquiry is involved in the investigation of the incident. “We are involved for two reasons,” Johnathan Quest, an FBI spokesman, told reporters, “First the sewer system is part of a federally regulated waste-water treatment system and attacks on that are a federal crime. Second, since this was an apparent attack on a political gathering, we are concerned that there might be a terror nexus involved.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, May 11, 2021

Developer Arrested for Traffic System Hack

Harry R. Haldeman, the District Attorney for Los Angeles, announced the arrest of Doug Wilson for cyber attacks on the traffic control system for the County. Wilson was indicted yesterday after his accomplice outlined the two-year system intrusion for a grand jury. Wilson was released on $250,000 bail pending trial later this year.

Haldeman told reporters this morning that Wilson had hatched the scheme to modify data in the traffic control system to make it easier for people living in his new development in the San Fernando Valley, Agrestic, to reach the business district in downtown Los Angeles. “A hacker in his employ modified the timing controls on traffic lights on the main route between Agrestic and downtown to reduce the average transit time,” he said, “This resulted in more delays and traffic congestion along routes that intersected the Agrestic traffic.”

Haldeman did not name the hacker, but people familiar with the grand jury testimony report that it was Silas Botwin that was responsible for the modifications to the Robotron Verkehrskontrolle system that the County installed three years ago. Sources close to the investigation say that Botwin modified data from sensors on and around the route which caused the system to run green lights longer along the Agrestic route, cutting transit times.

Francis C. Whelan, the attorney representing Wilson told reporters at a separate news conference, that Botwin was solely responsible for the attacks. “He had worked for Hodes Automation, the company that installed the Robotron system for the County,” Whelan said, “He was fired shortly after the installation was completed for drug related problems. These attacks were in part retribution for the firing and part helping his sister-in-law who lives in Agrestic and works downtown.”

Up until yesterday, the sales web site for the Agrestic development touted the short transit times to downtown Los Angeles.

CAUTIONARY NOTE: This is a future news story –

Monday, March 29, 2021

2nd Suez Blockage Caused by Cyber Attack

As the Suez Canal reopened from the blockage of the Ever Given, another giant cargo vessel, the PF Carmen, ran aground near the site of the Ever Given misadventure. This time, as captured by a video crew from Le Monde, it appears that the grounding was caused by a cyber attack on the ship’s control system. Videos clearly show the confusion amongst the bridge crew on the Carmen as the ship makes a turn to the right and the engines accelerate.

Capt. Passepartout of the Carmen confirmed that the video accurately captured the scene on the bridge this afternoon. “We were taking every precaution; the pilot was keeping the ship steady down the center of the canal when the ship started veering to the right. The helmsman attempted to correct to the left, but the ship did not respond.”

Monique La Roche, the Le Monde reporter working with the video team, said that just before she and her crew were told to leave the bridge, there was discussion amongst the crew of a potential cyber attack as the cause of the change in course of the ship. Passepartout would not confirm that, nor would the corporate headquarters in London.

An engineer working with the Egyptian team that freed the Ever Given told reporters that the PF Carmen was slightly smaller than the Ever Given, so it might be easier to unblock the canal this time, especially with the experience that the team on site had with the earlier blockage. “The bow does appear to be further aground this time, as the ship’s engines continued pushing the ship further into the sand before they could be manually shut down,” the engineer said.

Gary Record of the International Shipping Chamber told reporters that this second blockage, no matter how short, is throwing the international shipping situation even further into chaos. “Ships that had turned back from exiting the Mediterranean on the announcement of the clearance of the Ever Given do not know what to do. Taking the longer track around Africa is becoming more hazardous as there are increasing reports of pirate attacks off the Nigerian coast, but the Suez route has become less secure with this apparent cyberattack,” Record told reporters.

CAUTIONARY NOTE: This is a future news story –