The Critical Infrastructure Security Operations Sector issued an order this morning that all facilities operating under its protections stop using the Robotron Werkzeugkasten backup server. General Buck Turgidson, Director of CI-SOC, said that the latest automatic update of the server software installed BlockKopieren, a new ransomware program that starts with the encryption of all data on the corporate backup servers before proceeding with a normal ransomware attack.
“Robotron reported the first ransomware attack on a small company in the Netherlands to us last night,” Turgidson told reporters; “We have not yet seen an attack on any companies in the US, but we know that a large number of the facilities we oversee use the Werkzeugkasten backup servers to mitigate potential ransomware attacks.” Turgidson reported that they had established a close working relationship with Robotron and that this relationship was responsible for the early notification they had received.
Erich Mielke, spokesperson for Robotron, confirms that an automatic update for the backup servers that originated in their facility contained the malware. “Our corporate design system was compromised in the SolarWinds attack and this apparently allowed those attackers to add the malware to our latest routine update of the Werkzeugkasten software.”
Dade Murphy, CTO of Dragonfire Cyber, told me that if the SolarWinds attack were the source of the BlockKopieren ransomware, it would be the first time that those attackers had done anything beyond compromising information on the systems that they had hacked. “This is not the type of attack that one would expect from a nation-state actor,” Murphy said; “Okay, with the possible exception of the North Koreans, but they were not involved in the SolarWinds attack.”
An investigator at CI-SOC who was not authorized to talk with the press agreed with Murphy. “We do not think that the group responsible for the SolarWinds attack was behind this attack on Robotron’s systems,” the investigator told me. He did think that it was possible that a sophisticated attacker could have used the publicly available information on the SolarWinds attack to find an operational backdoor into the Robotron system and exploit that vulnerability.
There have been no public reports of anyone being affected by the BlockKopieren ransomware, but Murphy reported that there have been indications this morning that some manufacturers in Europe are having software issues. “We have been contacted by some companies with requests for assistance, but we do not have enough information yet to say that they are related. We do have investigation teams en route.”