Sunday, July 25, 2021

Russians Take Down Water Follies Hackers

The Russian government today posted a video purported to be of special operations soldiers taking out a Syrian hacker group. In an accompanying statement the Russians said that the building holding the Burj Shemali Group was in Damascus, Syria. Reportedly, this was the group responsible for last weekend’s attack on the water park in Delano, GA that killed three people and sent hundreds to the hospital.

The Russian statement went on to say:

“While our law enforcement personnel will continue to work with their international partners on ransomware and other cyber-crimes, the attack last week on the American water park was an act of international terrorism that cannot be tolerated. We staged our attack on the terrorist compound yesterday with the cooperation of the Syrian government. Let this send a message to cyber-terrorists around the world that their actions will not be tolerated by the international community.”

John Jay, spokesperson for the Department of Foreign Affairs, confirmed that the Russians had informed the government that they had identified the persons responsible for the Water Follies attack and were providing information about the group to US investigators. “Our embassy in Berlin, Germany received a package last night containing hard drives that the Russians had taken from the computers in the Syrian raid,” Jay told reporters. Jay had no comment when asked about the amount of force that the Russians employed in their operation in Syria.

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the Legal Attaché in Berlin had received the hard drives from the Russians and had hand-delivered them to FBI headquarters. “We will be doing a forensic analysis of the drives to determine if they had been used in the attack,” Quest reported.

Quest also reported that the server provided to the Bureau by the Russians last week did contain files indicating that it had served as the command-and-control server for the attack on the water park. “It appears that the Burj Shemali Group used this server for other operations as well,” Quest reported. “We are expanding our research on the actions of this group, and we have notified a number of friendly governments about potential ongoing operations against facilities in their countries.”

When asked why the server that was purportedly used by the Burj Shemali Group had been located in Moscow, Quest explained that it was not unusual for international criminals to use servers in third-party countries in an effort to throw off investigators. “This server was reportedly located in a commercial facility and was being leased by a dummy corporation controlled by the Syrian group,” Quest said. “The Russians told us that the facility owner had fully cooperated with the FKR, the Russian government’s cyber investigation force.”

Gen Turgidson, the Director of the National Critical Infrastructure Security Operations Center (CI-SOC), who was still using the Delano City Hall for the Center’s daily news conferences because of the attack on their server farm, told reporters that a research team from the CI-SOC would be assisting the FBI analysis. When asked why he thought that the Russians were being so helpful, the General told reporters that there had been an attempt by the water park attackers to make it look like the Russians were responsible for the attack. “While there is not much we can do about the Russians’ turning a blind eye towards Russian cyber-criminals attacking companies in this country,” Turgidson explained, “the killing of American citizens in an American city would not be something that the President could ignore.”

An aide to Turgidson who could not be named explained on background that some people in the intelligence community thought that the Syrian attack had been guided by an unofficial Iranian group that was advising elements of the Syrian government. There is some hope that information on the hard drives provided by the Russians will contain some proof of that activity. Such activity by the Iranians would interfere with the Russian control of the Syrian military.

CAUTIONARY NOTE: This is a future news story –

Saturday, July 24, 2021

CI-SOC Attacked

Gen Turgidson, the Director of the National Critical Infrastructure Security Operations Center (CI-SOC), announced this morning from the Delano City Hall that the CI-SOC was temporarily shut down because of a cyber-attack on the facility. “At this point it looks like the building energy management system was attacked by some unknown party,” he said. “At 3:00 this morning the power to the cooling system for our server room was shut down. Emergency power systems started, but there is still no power getting to the cooling system.”

As the server room started to approach critical temperatures, the CI-SOC personnel started their shutdown procedure, but there were a number of power surges that may have damaged the servers. “We will not know for sure if there was any data loss until we can restart the systems when the power problems are taken care of,” Turgidson explained. “We, of course, have complete backups stored in our backup facility.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the agency was conducting an investigation of the CI-SOC attack in conjunction with the CI-SOC investigators.

CAUTIONARY NOTE: This is a future news story –
Monday, July 19, 2021

Russians Seize Water Follies Attack Server

John Jay, the spokesman for the Department of Foreign Affairs, announced this morning that a foreign government had seized the server that was used in the cyberattack on the Water Follies facility in Delano, GA on Saturday, but he refused to identify the government involved. “The government concerned has made arrangements to turn over the server to the Federal Bureau of Inquiry this afternoon,” Jay explained at the press conference. Jay took no questions about the server issue.

Esther Williams, the manager for Water Follies, was at this morning’s press conference at the National Critical Infrastructure Security Operations Center (CI-SOC). She confirmed that her operations staff was working with CI-SOC to remove the malware from the control system so that the facility could be opened back up to the public. “The team from Dragonfire Cyber is helping to remediate the zero-day vulnerability that the attackers used in the cyber assault on the facility,” Williams told reporters. Williams studied computer science at Georgia Tech while she competed internationally in swimming.

Gen Turgidson, Director of CI-SOC, told reporters that a team from his organization would be on hand in Berlin when the server was turned over later today. “Our investigators identified the location of the server in Moscow, and we provided the location to the FBI. They contacted their law enforcement counterparts in Russia,” Turgidson explained.

A technician at Dragonfire who was not authorized to talk to the press told me that while the incident response team (IRT) identified the location of the command-and-control server in Moscow, they did not believe that the operation was controlled from that country. “One of our investigators is from Israel and she identified many of the programming comments found remotely on the server as being idiomatic Arabic,” the technician said.

The IRT is reportedly concerned that it was almost too easy to identify the location of the command-and-control server. Gen Turgidson confirmed that, so far, the technical investigation is not pointing at the Russians as a source of the attack. “This was not a really sophisticated attack once one gets past the 0-day vulnerability,” Turgidson explained. “The attackers had some detailed knowledge about the operations at the water park, but there were no great hacking skills in evidence.”

CAUTIONARY NOTE: This is a future news story –

Sunday, July 18, 2021

Water Park Incident Caused by Hackers

Yesterday’s incident at the Delano Water Follies waterpark, which injured 100 and killed two, was caused when large amounts of muriatic acid and bleach were added to the large wading pool at the same time. The chemical reaction between the two water-treatment chemicals produced a cloud of chlorine gas and heated the water in the pool to dangerous temperatures. Now there are unconfirmed reports that someone gained control of the water treatment system to deliberately cause the incident.

Esther Williams, the Water Follies manager, confirmed that the injuries at the park yesterday were caused by the mixing of the two chemicals. “We do not use that particular charging system during the times the park is open to avoid this type of problem, but we never expected anyone to add the amount of these two chemicals that were added yesterday,” Williams explained to reporters.

A maintenance worker who was not allowed to talk to the press told me that there were over 2,000 lbs of muriatic acid added from a totebin and almost twice that much bleach from the large on-site storage tank. “That is two days of chemical use for the park added to the one pool in less than 30 minutes,” he explained.

Williams refused to comment on the possibility of hackers being involved, but a team from Dragonfire Cyber, a team known to work with the National Critical Infrastructure Security Operations Center (CI-SOC), was seen moving around the park today.

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, confirmed that the agency was working with CI-SOC on the investigation of the incident. “We have not yet confirmed that it was a cyberattack,” Quest said, “but our investigators looking at the security videos from the site did not see anyone in the vicinity of the manual valves that would have to have been manipulated for a physical attack at the time of the incident.”

CAUTIONARY NOTE: This is a future news story –

Tuesday, July 13, 2021

Delano Airport Hack Was Proof-of-Concept Demonstration

Yesterday, three instrument landings at the Porter Alexander Airport in Delano, GA were canceled as the airport experienced problems with its instrument landing system (ILS) equipment. This morning, Fred P. Ayres, the airport manager, confirmed reports that the problems were the result of a cyber-attack on the facility’s Ground Based Augmentation System (GBAS), the system that refines GPS data for the instrument landing system used at the airport.

“We received a copy of an email message that was sent to the FAA claiming responsibility for the attack,” Ayres told reporters this morning. That email was from DBCoop2 and claimed that the attack yesterday was a proof-of-concept exploit of vulnerabilities that the researcher had discovered in the current generation of GBAS used by many airports across the country. The email offered to sell the Federal Airline Administration (FAA) the details about the vulnerability for 1 Bitcoin.

The airport had three landings diverted to other airfields yesterday. They occurred when planes were attempting to land during heavy rains and were forced to use the ILS system. One of the pilots, who did not want his name used because of his corporate affiliation, told me that when the corporate jet dropped below the cloud layer, they were lined up almost 200 meters to the right of the runway, right along the facility fence line. The pilot was able to safely pull out of his approach and requested diversion to an alternate field.

The FAA would not comment on the email, and a written statement said that yesterday’s ILS anomalies were under investigation.

When asked about the incident at the National Critical Infrastructure Security Operations Center’s (CI-SOC) morning press briefing, Gen Turgidson told reporters that the CI-SOC had not been contacted about the incident, but that he would personally talk to the airport manager as soon as the brief was over. “I fly in and out of that field frequently,” Turgidson explained. Turgidson spent 10 years as an Air Force transport pilot before moving into cyber operations.

Robotron Aero, the company that manufactures the GBAS system used at PAA, said in a written statement that they had just been notified about the potential problem and were cooperating with the FAA and the Federal Bureau of Inquiry on the investigation.

CAUTIONARY NOTE: This is a future news story –

Wednesday, July 7, 2021

Hundreds of Drugs Recalled Due to Cyber Attack

The Federal Drug Agency today announced that it was ordering the recall of three hundred forty-five drugs, including over-the-counter products, prescription drugs and two COVID-19 vaccines, because of contamination issues with a precursor chemical manufactured by Mengele Pharma. The precursor, TMD (4-tetramethyl-2-death), is contaminated with unacceptable levels of benzene, a known carcinogen. Initial indications are that the contamination is the result of a cyberattack on the Mengele facility in Delano, GA.

Clark Stanley, FDA spokesperson, told reporters this morning that most of the drugs being recalled would not have high benzene levels, because benzene is used in the manufacturing process after TMD is introduced, so the manufacturers independently test for benzene residuals. “We do not have reason to suspect that the drugs being recalled are of any specific danger to the public,” Stanley explained, “but since the TMD is adulterated the drugs do not meet FDA standards for use by the public.”

An unnamed student in an analytical chemistry class at the South-Central Georgia Technical College in Delano was the initial discoverer of the high benzene levels. According to Professor Izaak M. Kolthoff, the student was developing a liquid chromatography assay for the chemical as part of a class project. “The benzene levels were 100 times higher than reported on the Mengele certificate of analysis,” Kolthoff explained in a phone interview. “I checked her results and calibration and then re-ran the test myself before I reported the findings to the Mengele QA lab.”

Wolfgang Gerhard, spokesperson for Mengele Pharma, confirmed that the problem was first identified by a student at SCGTI. “We have a good relationship with the school since they train most of our technicians,” Gerhard explained, “and we have the utmost respect for Dr. Kolthoff since he worked for this company for 20 years before retiring. He established most of the test methods that we use today for production quality control.”

Stanley told reporters that Mengele Pharma reported the problem to the FDA as soon as they confirmed the student’s report.

Gerhard told reporters that the company called in experts from Dragonfire Cyber to investigate after an internal investigation turned up oddities in the lab information management system (LIMS) that reported the erroneous results. While that investigation is ongoing, Gerhard told reporters that Dragonfire has confirmed that they have found malware on the LIMS and that the test reporting process had been compromised.

The FDA and the Federal Bureau of Inquiry are conducting a joint investigation of the incident.

CAUTIONARY NOTE: This is a future news story –

Sunday, July 4, 2021

Hacker Retaliates Against Government Building

According to the anonymous hacker, cYbrg0D, last night’s lightshow at the Department of Foreign Affairs building in Washington, DC, was a hack of the building control system using a vulnerability he had reported to the Department’s vulnerability disclosure program. DFA refused to pay him for the reported vulnerability under the Department’s Bug Bounty program because the vulnerability did not affect an information system.

The lightshow last night at the building involved turning all of the lights on each of the fourteen floors on and off in a pattern that changed all night long. Government officials were only able to stop the light show early this morning by turning off the power to the building. Emergency systems are providing power to critical offices while system engineers are working to remove the malware that controls the lightshow.

John Jay, a spokesperson for the DFA, confirmed to reporters this morning that the Bug Bounty program did refuse to pay cYbrg0D for the reported vulnerability. “We are constrained by the congressional authorization for the program,” Jay explained. “The definition of information system used in the legislation authorizing the program clearly excluded operational control systems, such as the building management system that was apparently hacked last night.”

The hacker explained his point of view about the conflict with the Department of Foreign Affairs in a web page that was posted to the DFA web site. That page was taken down early this morning, just hours after it appeared on the site.

Junior Butts, a lawyer representing cYbrg0D, is in conversation with the Federal Bureau of Inquiry (FBI) about their interest in questioning the hacker. “My client is willing to cooperate with the Department in clearing the malware that is controlling the lighting system in exchange for acknowledgement that his vulnerability report should have been eligible for the bug bounty program,” Butts explained.

The Cybersecurity Agency is working with the DFA to resolve the control system security issue. “Technicians quickly found and removed the malware last night, but it reappears each time the system is restarted,” Ida Long, CSA spokesperson, explained. “It is apparent that cYbrg0D found more vulnerabilities than the one that he reported to the VDP.”

Johnathan Quest, spokesperson for the FBI, confirmed that the agency is looking to talk to cYbrg0D about the incident. “We have not yet sought an arrest warrant for the individual,” Quest explained. “At this point, we just want to talk to the hacker.”

CAUTIONARY NOTE: This is a future news story –