Monday, March 29, 2021

2nd Suez Blockage Caused by Cyber Attack

As the Suez Canal reopened after the blockage by the Ever Given, another giant cargo vessel, the PF Carmen, ran aground near the site of the Ever Given misadventure. This time, as captured by a video crew from Le Monde, it appears that the grounding was caused by a cyber attack on the ship's control system. The videos clearly show the confusion amongst the bridge crew on the Carmen as the ship makes a turn to the right and the engines accelerate.

Capt. Passepartout of the Carmen confirmed that the video accurately captured the scene on the bridge this afternoon. “We were taking every precaution; the pilot was keeping the ship steady down the center of the canal when the ship started veering to the right. The helmsman attempted to correct to the left, but the ship did not respond.”

Monique La Roche, the Le Monde reporter working with the video team, said that just before she and her crew were told to leave the bridge, the crew were discussing a potential cyber attack as the cause of the ship's change in course. Passepartout would not confirm that, nor would the corporate headquarters in London.

An engineer working with the Egyptian team that freed the Ever Given told reporters that the PF Carmen is slightly smaller than the Ever Given, so it might be easier to unblock the canal this time, especially with the experience that the team on site gained from the earlier blockage. “The bow does appear to be further aground this time, as the ship's engines continued pushing the ship further into the sand before they could be manually shut down,” the engineer said.

Gary Record of the International Shipping Chamber told reporters that this second blockage, no matter how short, is throwing the international shipping situation even further into chaos. “Ships that had turned back from exiting the Mediterranean on the announcement of the clearance of the Ever Given do not know what to do. Taking the longer track around Africa is becoming more hazardous as there are increasing reports of pirate attacks off the Nigerian coast, but the Suez route has become less secure with this apparent cyberattack,” Record said.

CAUTIONARY NOTE: This is a future news story –

Monday, March 22, 2021

Water Facility AI Delivers Ransomware

The Critical Infrastructure Security Operations Center (CI-SOC) announced this morning that the ransomware attacks that took place yesterday at over 200 small- to medium-sized water treatment facilities across the United States were linked to a vulnerability in the Robotron VWS-AI software. That cybersecurity software was introduced into many water treatment facilities after last month’s attack on the water treatment facility in Delano, GA.

“We have not yet determined exactly what vulnerability was involved,” General Buck Turgidson, Director of the CI-SOC, told reporters this morning, “but all 200 facilities had recently installed the cybersecurity artificial intelligence tool; it is the only common factor in all of the attacks, which took place simultaneously at 4:20 pm EDT yesterday.”

A written statement from Robotron confirmed that the company was working with the CI-SOC on the problem.

Treatment system control screens at all of the facilities turned red and showed the following in large black text: “VWS-Blendung  Your control systems have been encrypted  It will cost you 1 Bitcoin to get your water flowing again”. The current market for Bitcoin shows an exchange rate of about $57,000 for one Bitcoin.

CI-SOC has confirmed that all of the affected facilities have been able to resume operations under manual control. Turgidson told reporters that manual operation is taking its toll on operators, who typically have to work double shifts to keep the facilities running. Governors across the country are mobilizing Army National Guard water treatment units to help keep the water treatment facilities operational.

Robotron is already scrambling to deal with the fallout from the BlockKopieren ransomware attacks on its backup server product. Today’s announcement by CI-SOC has already sparked calls for a formal investigation of Robotron’s status as a major supplier of industrial control systems in the United States. Sen. TJ Kong (R-GA) has asked ECS-CERT for a report on the vulnerability history of Robotron products and on how quickly the company has responded with fixes for those vulnerabilities. Rep. Harvey Milk (D-CA) has called for a series of congressional hearings on the issue of control system cybersecurity. Rep. Rebecca Pinter (D-MA) has asked the Speaker to establish a Select Committee on Cybersecurity.

Robotron’s VWS-AI was introduced to the market last summer, but sales were very slow. The product was targeted at smaller facilities, where there was little funding available and no major call for cybersecurity protection. Just before the Delano attack, Robotron set up a low-cost software leasing program to get better market penetration. The chlorination incident at the Delano, GA facility then established the need for low-cost automated security controls.

CAUTIONARY NOTE: This is a future news story –

Friday, March 19, 2021

Robotron Firewall Breach

The ECS-CERT issued an emergency order this morning to all manufacturers to stop downloading any updates or software from Robotron. Immanuel C. Securitage, spokesperson for ECS-CERT, said that the agency had been notified by Robotron that there had been a major security breach of their corporate system and that there were indicators that the attackers had altered product software. ECS-CERT is working with Robotron to determine exactly what products are affected.

“We are suggesting that any facility that has downloaded Robotron software or updates within the last couple of weeks consider shutting down operations pending a complete cybersecurity review of their industrial control system operations,” Securitage told reporters.

Erich Mielke, CEO of Robotron, told reporters that there had been a firewall breach at their corporate headquarters, allowing the attackers full access to their networks. “We only noticed the breach after an investigation into unusual cyber activity in our product development department;” Mielke said, “We have confirmed that unauthorized changes have been made to the latest software update for our MotorSteuerung product.”

A source at ECS-CERT who is not authorized to talk to the press told me that it looks like the attack on the Robotron corporate network could have been made with the HKFirewall tool that was reportedly developed by the Cyber Operations Agency. The COA has refused to comment on rumors about the tool.

The Critical Infrastructure Security Operations Center (CI-SOC) has confirmed that it is monitoring the situation. “We know that at least one of our monitored facilities has had issues related to an apparently compromised Robotron device,” General Buck Turgidson told reporters at a separate news conference this morning. “We are working closely with ECS-CERT on the issue.”

CAUTIONARY NOTE: This is a future news story –

Sunday, March 7, 2021

Robotron Backup Software Compromised

The Critical Infrastructure Security Operations Center (CI-SOC) issued an order this morning that all facilities operating under its protection stop using the Robotron Werkzeugkasten backup server. General Buck Turgidson, Director of CI-SOC, said that the latest automatic update of the server software installed BlockKopieren, a new ransomware program that starts by encrypting all data on the corporate backup servers before proceeding with a normal ransomware attack.

“Robotron reported the first ransomware attack on a small company in the Netherlands to us last night,” Turgidson told reporters. “We have not yet seen an attack on any companies in the US, but we know that a large number of the facilities we oversee use the Werkzeugkasten backup servers to mitigate potential ransomware attacks.” Turgidson said that CI-SOC had established a close working relationship with Robotron and that this relationship was responsible for the early notification they had received.

Erich Mielke, spokesperson for Robotron, confirmed that an automatic update for the backup servers that originated in their facility contained the malware. “Our corporate design system was compromised in the SolarWinds attack, and this apparently allowed those attackers to add the malware to our latest routine update of the Werkzeugkasten software.”

Dade Murphy, CTO of Dragonfire Cyber, told me that if the SolarWinds attack were the source of the BlockKopieren ransomware, it would be the first time that those attackers had done anything beyond compromising information on the systems that they had hacked. “This is not the type of attack that one would expect from a nation-state actor,” Murphy said. “Okay, with the possible exception of the North Koreans, but they were not involved in the SolarWinds attack.”

An investigator at CI-SOC who was not authorized to talk with the press agreed with Murphy. “We do not think that the group responsible for the SolarWinds attack was behind this attack on Robotron’s systems,” the investigator told me. He did think that it was possible that a sophisticated attacker could have used the publicly available information on the SolarWinds attack to find an operational backdoor into the Robotron system and exploit that vulnerability.

There have been no public reports of anyone being affected by the BlockKopieren ransomware, but Murphy reported that there were indications this morning that some manufacturers in Europe are having software issues. “We have been contacted by some companies with requests for assistance, but we do not have enough information yet to say that they are related. We do have investigation teams en route.”

CAUTIONARY NOTE: This is a future news story –

Thursday, March 4, 2021

CDE Reports that Cancer Death Cluster Linked to Cyberattack

This morning the Center for Disease Eradication in Atlanta, GA announced that it had determined that a cancer death cluster in Alabama was caused by a cyberattack on infusion pumps being used for chemotherapy at the Thomas Parran Health Clinic, Notasulga, AL. Twenty-five people in the area had died of various types of cancer in the three months before the investigation was initiated; all of them had been treated at the Parran Health Clinic. Ten more people died before the cause of the deaths was determined to be linked to the infusion therapy being provided at the clinic.

Taliaferro Clark, Director of the Parran Clinic, told reporters that he and the clinic staff were devastated that they had in any way contributed to the deaths of their patients. “We established this clinic in Notasulga to provide advanced cancer treatments to the underserved population of the area,” he said. “The very idea that our attempts to help these people accelerated their demise is heartbreaking.” Most of the patients at the clinic are Black and low-income. The clinic charges no fees for treatment.

Julius Rosenwald, CDE spokesperson, told reporters this morning that investigators quickly determined that the proximate cause of death was a high rate of chemotherapy drug administration leading to toxic events in the body. “We reviewed the clinic protocols for therapy and found them to be well within established norms,” Rosenwald said. “We then had the clinic demonstrate their protocol on a simulated patient and determined that 80% of the chemotherapy drugs were administered within the first five minutes of the two-hour infusion. Our attention then turned to the infusion pumps.”

Kate Libby, a Senior Investigator with Dragonfire Cyber, was brought in to look into the infusion pump programming. She explained that the model of infusion pump being used at the clinic was no longer supported by the manufacturer but had recently been refurbished before the pumps were donated to the clinic. “We looked at the programming on the devices and discovered that it had been significantly altered from the last version provided by the manufacturer, Vaernet Medical,” Libby explained. “When the infusion rate was set into the pump, the program set two infusion rates so that the bulk of the drugs were administered immediately and the remainder over the rest of the infusion period.”
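The failure mode described above is a pump that displays the rate the clinician entered but actually runs a front-loaded two-segment schedule. The model below, an added illustration that is not code from the story, from Vaernet Medical, or from any real pump, reproduces that schedule and shows the kind of independent volumetric check the CDE's simulated-patient test amounts to: measure what actually comes out during the first few minutes and compare it with what a constant-rate infusion should have delivered, rather than trusting the device's own display. The 80% / five-minute split, the 600 mL / 120-minute infusion and the 5% tolerance are assumed values chosen to match the story.

```python
"""Model of a front-loaded infusion schedule and a volumetric sanity check.

Constructed illustration of the scenario in the story; not vendor code and not
a model of any real pump's firmware. All numeric parameters are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    minutes: float      # duration of this segment of the program
    ml_per_min: float   # pump rate while this segment runs


def nominal_program(total_ml: float, duration_min: float) -> list[Segment]:
    """What the clinician entered: one constant rate over the whole infusion."""
    return [Segment(duration_min, total_ml / duration_min)]


def tampered_program(total_ml: float, duration_min: float,
                     bolus_fraction: float = 0.8,
                     bolus_min: float = 5.0) -> list[Segment]:
    """The altered behaviour as described: most of the dose in the first few
    minutes, the remainder spread over the rest of the period. The defaults
    (80% in 5 minutes) are assumed to match the story's figures."""
    bolus_ml = total_ml * bolus_fraction
    rest_ml = total_ml - bolus_ml
    rest_min = duration_min - bolus_min
    return [Segment(bolus_min, bolus_ml / bolus_min),
            Segment(rest_min, rest_ml / rest_min)]


def delivered_by(program: list[Segment], t_min: float) -> float:
    """Cumulative volume delivered by time t (piecewise-linear in time)."""
    elapsed = 0.0
    volume = 0.0
    for seg in program:
        if t_min <= elapsed:
            break
        dt = min(seg.minutes, t_min - elapsed)
        volume += dt * seg.ml_per_min
        elapsed += seg.minutes
    return volume


def early_fraction(program: list[Segment], window_min: float) -> float:
    """Fraction of the total dose delivered within the first `window_min` minutes."""
    total = sum(s.minutes * s.ml_per_min for s in program)
    return delivered_by(program, window_min) / total


def schedule_is_plausible(program: list[Segment], duration_min: float,
                          window_min: float = 5.0,
                          tolerance: float = 0.05) -> bool:
    """Independent check on the *measured* output, not the displayed rate.

    A constant-rate infusion delivers window/duration of the total in the
    first window minutes. Anything far above that is a front-loaded schedule
    and should stop the pump from being used on a patient.
    """
    expected = window_min / duration_min
    return early_fraction(program, window_min) <= expected + tolerance


if __name__ == "__main__":
    ok = nominal_program(600.0, 120.0)       # 600 mL over two hours (assumed)
    bad = tampered_program(600.0, 120.0)
    for name, prog in (("nominal", ok), ("tampered", bad)):
        print(f"{name:9s} first 5 min: {early_fraction(prog, 5.0):.0%} of dose,"
              f" plausible={schedule_is_plausible(prog, 120.0)}")
```

The check deliberately ignores anything the pump reports about itself. A compromised device can lie about its rate, but it cannot lie about the volume that lands in a graduated cylinder during a bench test, which is why the simulated-patient run in the story was the step that exposed the problem.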

Libby also reported that there were comments in the code that indicated that it had been prepared by a group called ‘Aryan Coders for Victory’. Once a cyber attack had been documented, the CDE brought the Federal Bureau of Inquiry into the investigation.

The FBI contacted Eunice Rivers, the lawyer who handled the donation of the infusion pumps to the clinic. The donation was anonymous, but Rivers was able to provide a name, address and description of the person who approached her to deal with the donation process. The FBI is still looking for that person and is currently withholding the name from the press. Ms. Rivers issued a statement that she is fully cooperating with the FBI but will not discuss the matter in public.

CAUTIONARY NOTE: This is a future news story –

Monday, March 1, 2021

Geoengineering Craft Hacked

The Gathmann Balloon Project announced this morning that its first geoengineering study over the Pacific Ocean was halted today when the sensors used to monitor the progress of the experiment failed due to a cyber attack on the craft. “The calcium carbonate dust was released as planned,” explained Dr. Irving Langmuir, senior scientist for the project. “When we relocated the balloon to start the data collection process, all of our sensors stopped operating.”

StormFury, an environmental action group that opposes geoengineering activities, claimed responsibility for the attack in a statement issued today through a lawyer who handles environmental justice cases. The statement said: “While today’s experiment would likely have minimal environmental effects, the concept of geoengineering the atmosphere to mitigate global climate change is fraught with grave potential to harm the environment even more than humans have already done. We will take whatever action necessary to prevent such studies from being conducted.”

Dade Murphy, CTO of Dragonfire Cyber, told reporters by video conference that the sensors being used by the Gathmann Balloon Project have known security vulnerabilities that allow a remote attacker to execute a denial-of-service attack. “This certainly sounds like what may have happened today,” he said. “We have been asked by the Project to investigate the incident and suggest security measures to prevent future occurrences.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, acknowledged that the FBI had been contacted to investigate the incident. “Since the study was being funded in part by a federal grant,” Quest said, “the FBI would certainly have jurisdiction over the event.”

Langmuir told reporters that after appropriate measures were put in place to prevent future attacks, the test flights would resume. “The work we are doing is designed to protect the environment from the further effects of escalating climate change.”

CAUTIONARY NOTE: This is a future news story –