Monday, May 31, 2021

Environmental Agency to Ration Chlorine Shipments

This morning the Federal Environmental Process Protection Agency (FEPPA) announced that it was implementing Defense Production Act supervisory authority for all bulk chlorine shipments in the United States. The Agency was taking this action because of the loss of production at the NACL Industries facility in Louisiana.

“The nation is experiencing a critical shortage of chlorine gas for water treatment and wastewater treatment facilities because of the terrorist attack on the chlorine production facility in Louisiana,” Jay Muir, FEPPA spokesperson, told reporters this morning, “The NACL Industries facility was almost 20% of our national production capability and that places a severe strain on facilities that need that material for public sanitation needs.”

A press release from the Chlorine Gas Institute explained that there is still sufficient chlorine product to meet sanitation needs even with the closure of the NACL Industries facility. “Our manufacturers have legal obligations to other customers that must be taken into account,” spokesman Hamilton Castner explained, “We welcome the efforts of FEPPA to help prioritize the allocation of our temporarily restricted resources, but the government must realize that chlorine gas is used in a large number of critical manufacturing processes including many pharmaceuticals. We cannot just cut off supply to those industries.”

“FEPPA is working hard to coordinate with all critical users of chlorine gas,” Muir said, responding to questions about chlorine allocations, “But we have been notified by four drinking water utilities in the southeast that they are going to have to initiate boil water warnings for their systems later this week because of the loss of shipments of chlorine gas.” FEPPA is reporting that those four water systems supply drinking water to 2.5 million households.

In an update on the ongoing terrorist threat to chlorine manufacturing, the National Critical Infrastructure Security Operations Center reported today that they had found initial stages of compromise at two additional chlorine manufacturing agencies. This required a temporary shutdown of the manufacturing control systems at those facilities to deal with the early stages of the attack. “Production at those facilities should resume later this week,” General Turgidson, Director of CI-SOC, told reporters this morning.

Dade Murphy, CTO of Dragonfire Cyber, the company working directly on the response at NACL Industries, told reporters at the morning CI-SOC press conference that his company had ten responders at the facility working with representatives from Robotron, the supplier of the control system used at the facility, and elements of the Louisiana National Guard, all working on restoring the control system at the facility.

“We are having to carefully check each programmable piece of equipment on the site,” Dade explained, “We need to ensure that there are no elements of the wiper program left on the devices before we can reload the software or firmware to the device. Once that is done, we will be able to use the system backups to restore the actual operating controls and programming for the facility.”

A control system technician that was not authorized to speak to the press told me that remnants of the “SMASHINGCOCONUT” wiper program had been found in a number of pieces of equipment throughout the facility. “Someone wanted to be able to come back and wipe this system out again, if we got it restored,” she told me.

CAUTIONARY NOTE: This is a future news story –

Sunday, May 30, 2021

CI-SOC/FBI Chlorine Bulletin

Early this morning the National Critical Infrastructure Security Operations Center (CI-SOC) and the Federal Bureau of Inquiry published an alert concerning ongoing terrorist attacks on the industrial control systems at chemical manufacturing plants involved in the manufacturing of chlorine products. This is related to the recent attack on the NACL Industries plant in Blew Bayou, LA.

Gen Buck Turgidson told reporters this morning that, while the NACL Industries facility was the only one to date that had had its control system equipment erased, there have been indications that similar attacks were underway at two other chloralkali facilities. “While we were not able to stop the destruction of the production processes at NACL Industries,” Turgidson said, “We have been able to prevent the terrorists from taking down two other facilities this week. Today’s alert goes out to all facilities that produce or handle chlorine in bulk. It provides indicators of compromise that will allow facilities to determine if their systems are currently under attack.”

Johnathan Quest, spokesperson for the FBI, told reporters that they had assessed that the known eco-terrorist group, Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), was behind the attack. “They have not publicly claimed responsibility for these attacks,” he said, “But there are numerous similarities between these attacks and earlier ones carried out by SFINCTER. The wiper program that they are using was written by the North Koreans, and we have been tracking recent contacts between SFINCTER and the DPRK.”

Ernest A. LeSueur, President of NACL Industries, had recently confirmed that the attack on their facility looked initially like a ransomware attack. “We did pay a $1 million ransom,” LeSueur said, “But when we applied the decryption key provided by the attackers, we were only able to regain access to our corporate IT network.”

Quest confirmed that the FBI was attempting to track the bitcoin wallets used in processing the ransomware payment. “We have confirmed that about 10% of the payment has been transferred to a bank account that had been used by the DPRK in Singapore, but that account was closed shortly after the money was deposited. We suspect that that was payment for the use of the malware used by SFINCTER.”

Dade Murphy, CTO of Dragonfire Cyber, told reporters at this morning’s news conference that researchers from his organization were quickly able to establish that the North Korean SMASHINGCOCONUT wiper program had been adapted to erase all software on the industrial control system’s equipment at the plant. “The control system was comprehensively erased,” Murphy explained, “Servers, HMIs, PLCs, even the firmware for motor controllers and sensors was erased.”

LeSueur explained that the production and maintenance staff were hard at work replacing devices where they were available and beginning the reprogramming process where necessary. “We are receiving a great deal of assistance from Robotron, both on site and remotely.”

Turgidson urged all chlorine-related chemical process facilities to take a hard look at today’s alert. We have strong reason to suspect that SFINCTER is planning a comprehensive attack on the chloralkali industry as part of their anti-chlorine manifesto. “We know that they have successfully attacked one facility and were in the process of attacking two other facilities in Texas and Alabama,” the General said, “Other facilities are certainly in their sights.”

CAUTIONARY NOTE: This is a future news story – 

Wednesday, May 26, 2021

Control System Destroyed at Chlorine Plant

Gen Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed this morning that the CI-SOC was working with NACL Industries to determine how the program for the plant’s chlorine production facility was completely wiped out this week. There are reports that North Korean malware was involved.

On Monday, there were reports from sources at the company’s Blew Bayou, LA chlorine production facility that a production stoppage over the weekend was due to a ransomware attack on the industrial control system at the plant. A spokesman for the company refused to answer questions about a ransomware attack, stating that: “We can neither confirm nor deny that a ransomware attack has been made against any company assets.”

A representative from Dragonfire Cyber who was seen yesterday in Blew Bayou and who was not authorized to talk to the press told me that the cyber investigation firm had found indications that an updated version of the “SMASHINGCOCONUT” wiper program had been employed at the plant. That program was reportedly developed by a North Korean APT group in 2017. “The new version was specifically modified to wipe files on a Robotron control system down to the instrument level,” the source said.

Ernest A. LeSueur, President of NACL Industries, told reporters that the chlorine production facilities had been shut down since a cyber attack on the control systems occurred on Saturday. “We are cooperating with CI-SOC and criminal investigators to determine who is responsible for the attack,” he said; “But our real focus is the safe restart of our production facilities.”

LeSueur confirmed that the Company had declared force majeure on their chlorine delivery contracts for the foreseeable future.

NACL Industries was the target of a cyber attack almost two years ago. In that instance a terrorist group, Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER), claimed responsibility for the attack. No arrests have been made in connection with the earlier attack.

CAUTIONARY NOTE: This is a future news story –

Monday, May 24, 2021

Drive-by Cyber Attack Behind Sewer Explosion

Last week’s cyberattack on the sewer system in Delano, GA was set up by an attack on a web site run by WWTP Support, LLC in California. That company supplies technical assistance and engineering support to wastewater treatment plants across the country. According to the National Critical Infrastructure Security Operations Center (CI-SOC), a tool available on that site provided attackers with a foothold on the computer of anyone that used the tool in the last three months.

“We are working with the Federal Bureau of Inquiry and the owners of WWTP Support to try to identify who is responsible for the attack on that web site,” General Buck Turgidson, Director of CI-SOC, told reporters this morning.

Kate Libby, a spokesperson for Dragonfire Cyber, told reporters that it looks like the web site attackers may be selling access to the affected treatment plants, treatment plants like the one in Delano. “We have seen ads on the DarkWeb by an individual known as FlusherSale selling access to small to medium size wastewater treatment plants,” she told reporters at the CI-SOC press conference; “While most of these sales are for ransomware attackers, we did find conversations between FlusherSale and Anti-Arr.”

Libby went on to explain that Anti-Arr was seeking a discount on the use of access to the Delano WWTP system because they were not going to use the access for ransomware. They argued that FlusherSale could still sell the Delano information to someone else in a couple of days. CI-SOC confirms that they did stop a ransomware attack on the Delano WWTP systems during their investigation of last week’s attack.

A person connected with the Delano Police Department who was not authorized to talk with the press told me that they are investigating rumors that a political opponent of Mayor Carter was behind the attack last week. I was told that it was not either of the two candidates also running for Mayor, but someone with a long-time grudge against Carter.

CI-SOC and the FBI have issued a joint cyber alert on the drive-by attack on the WWTP Support web site and are urging all waste water treatment operators that may have had personnel visiting that site to have cybersecurity experts check their control systems for the indicators of compromise that the researchers at Dragonfire Cyber have identified.

“We have confirmed that at least two recent ransomware attacks on treatment facilities are associated with the WWTP Support website compromise,” Johnathan Quest, FBI spokesperson, told reporters via video link this morning.

Kate Libby noted at this morning’s CI-SOC news conference that they had been able to stop the ransomware attack on the Delano system. “Preventing a ransomware attack is much cheaper than responding to one,” Libby reminded the audience.

CAUTIONARY NOTE: This is a future news story –

Friday, May 21, 2021

Yesterday’s Sewer ‘Explosion’ a Cyber Attack

The eruption of sewage at yesterday’s campaign rally for Mayor Arrington was caused by an attack on components of the city’s sewer control system according to Eric Schlamm, the director for the Delano WWTP. “We have determined that someone commanded the pumps at two separate throttle pipes to turn on and remain on, creating an overpressure situation in the interceptor tube that ran beneath the park where the rally was being held,” Schlamm told reporters this morning.

Investigators from the National Critical Infrastructure Security Operations Center (CI-SOC) have confirmed that they have been assisting the City in its investigation of the incident. “We have been able to document the changes in the programming for the pumps,” Gen. Turgidson, CI-SOC Director, told reporters over a morning conference call; “But this was more sophisticated than just that; the pressure sensors in the system were also attacked. This effectively bypassed the safety interlocks on the pumps that allowed the system to be over pressured.”

A spokesman for Mayor Arrington’s office confirmed that the Mayor had been released from the hospital overnight after being treated for scrapes and abrasions she received as she tried to help some of her supporters that had been felled by the flow of sewage. “The doctors have her on a prophylactic regime of antibiotics because of her exposure to the sewage and her open wounds.”

Delano Police Chief, S. James Butts, told reporters that almost one hundred people at the rally were decontaminated and treated on site for minor injuries related to the incident. Those with open wounds were sent to local emergency rooms as a precautionary measure. “This was a discharge from a combined sewer system, so we were concerned about both biological and chemical exposure issues,” he explained.

The Federal Bureau of Inquiry is involved in the investigation of the incident. “We are involved for two reasons,” Johnathan Quest, an FBI spokesman, told reporters, “First the sewer system is part of a federally regulated waste-water treatment system and attacks on that are a federal crime. Second, since this was an apparent attack on a political gathering, we are concerned that there might be a terror nexus involved.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, May 11, 2021

Developer Arrested for Traffic System Hack

Harry R. Haldeman, the District Attorney for Los Angeles, announced the arrest of Doug Wilson for cyber attacks on the traffic control system for the County. Wilson was indicted yesterday after his accomplice outlined the two-year system intrusion for a grand jury. Wilson was released on $250,000 bail pending trial later this year.

Haldeman told reporters this morning that Wilson had hatched the scheme to modify data in the traffic control system to make it easier for people living in his new development in San Fernando Valley, Agrestic, to reach the business district in downtown Los Angeles. “A hacker in his employ modified the timing controls on traffic lights on the main route between Agrestic and downtown to reduce the average transit time,” he said, “This resulted in more delays and traffic congestion along routes that intersected the Agrestic traffic.”

Haldeman did not name the hacker, but people familiar with the grand jury testimony report that it was Silas Botwin that was responsible for the modifications to the Robotron Verkehrskontrolle system that the County installed three years ago. Sources close to the investigation say that Botwin modified data from sensors on and around the route which caused the system to run green lights longer along the Agrestic route, cutting transit times.

Francis C. Whelan, the attorney representing Wilson, told reporters at a separate news conference that Botwin was solely responsible for the attacks. “He had worked for Hodes Automation, the company that installed the Robotron system for the County,” Whelan said, “He was fired shortly after the installation was completed for drug related problems. These attacks were in part retribution for the firing and part helping his sister-in-law who lives in Agrestic and works downtown.”

Up until yesterday, the sales web site for the Agrestic development touted the short transit times to downtown Los Angeles.

CAUTIONARY NOTE: This is a future news story –