Saturday, December 17, 2022

3 Chlorine Cylinders Stolen by BEC Fraud

Bleichen Chemical Company announced today that three 1-ton chlorine cylinders had been stolen from the company by fraud. “As a result of a business email compromise fraud, unknown parties set up a water treatment account with our company for chlorine supply at an abandoned water treatment plant on the East Side of Delano,” Carl Scheele, the Bleichen Delano Plant Manager, told reporters this morning. “We made two deliveries over a three-week period and had a third order loaded on a truck when the FBI notified us that we had been scammed.”

Johnathan Quest, spokesperson for the Federal Bureau of Inquiry, told the news conference that the FBI had been tracking a series of BEC frauds being perpetrated by the same individual. When they intercepted emails from Bleichen about past due bills for the chlorine gas deliveries, they became concerned and contacted the company.

Scheele explained that Bleichen had received a request to set up a new delivery account for an existing food processing customer. “They claimed to be restarting the old Dolly Madison plant here in Delano and needed to get the water treatment plant functioning,” he explained. “They had the corporate account number and the right names on letterhead stationery as well as a legitimate-looking email address for the account executive.”

Quest said that the FBI had lost track of the perpetrators and had not yet located their base of operations. “The Delano water facility where the deliveries were made has been cleaned up and re-abandoned,” he said. “We have multiple forensics teams going over the facility, but we have not yet found any useful evidence.”

When asked what the criminals had done with the chlorine gas, Quest replied: “We have found evidence that would seem to indicate that the material had been transferred to 5-lb pressure vessels, probably propane cylinders. We have not been able to identify a commercial purpose for small chlorine containers like this, so we do not know what financial incentives there were to perpetrate this fraud.”

Two 1-ton cylinders had been delivered for the initial order last month. A second order of one cylinder was delivered earlier this month and an empty cylinder was picked up. That means that as much as 2,000 lbs of chlorine gas may have been off-loaded into small cylinders. A technician from Bleichen who has been working with the FBI at the treatment facility told me: “Propane cylinders are not approved for the storage of liquid chlorine, and there was no evidence of the equipment needed to do a liquid-liquid transfer at the site, so there is no way of telling how much chlorine was transferred to each cylinder. There were lots of them.”

CAUTIONARY NOTE: This is a future news story –


Sunday, December 11, 2022

TSP Fleet Tankers Hacked During Navy Exercise

The US Naval Department confirmed this morning that, during a recent fleet exercise in the South Atlantic, civilian fuel tankers that are part of the new Tanker Security Program (TSP) fleet were hacked by elements of Fleet Cyber Command. “Naval cyber operators conducted active operations against the Ulsan Master and Torrey Canyon tankers that were providing fuel support during Operation Malvinas,” reported David D. Porter, Naval spokesperson. “Navy personnel were able to take remote control of engines and steerage on both vessels using known vulnerabilities in various systems onboard the vessels.”

Captain Frank F. Fletcher of the Torrey Canyon told reporters: “In 20 years of operations in ocean going tankers I have never seen a ship fail so completely to respond to commands from the Bridge. It was quite disconcerting.”

Captain Na Dae-yong of the Ulsan Master added: “I did not appreciate losing control of my vessel, but hopefully we will be able to ensure that such actions could not be undertaken by an enemy during a wartime operation.”

Owners of the two vessels had been informed prior to their participation in the exercise that cyberattacks would be employed against the two vessels during the exercise to determine their susceptibility to such attacks. “These types of attacks would be expected against fleet assets involved in wartime operations,” Porter explained. “And we expected that the civilian operators would not be as experienced as active fleet personnel in preparing for or responding to such attacks.”

The Navy plans on sharing the results of these attacks with the owners of the two vessels as well as the other owners of vessels in the TSP fleet. Owners will be able to use the information gleaned from these attacks to upgrade the cyber defenses for all of their vessels, a major incentive for owners of other fleet-capable tankers to sign up for participation in the Tanker Security Program.

Capt. Berny McCollough, spokesperson for Fleet Cyber Command, refused to comment on reports that CYBERCOM detected another party participating in the exercise. “I cannot confirm or deny public reports that a foreign nation state was receiving information from the two ships.” There have been two reports quoting unofficial comments from naval cyber personnel that communications between the ships and a Chinese server had been detected during the operation. One unnamed Navy Lieutenant has been quoted as saying: “We found communications logs showing that the vessel (referring to Torrey Canyon) had been hacked prior to the start of the exercise and had been reporting vessel position and status to a foreign operator.”

McCollough also refused to comment on reporting by the naval blog, Kings Island, that purported to show tracking information of the maneuvers of the two ships under control of the Navy’s hackers. “We will not discuss operational details about the exercise.” The Kings Island tracking data shows the two tankers conducting right and left 180-degree turns and heading back in the direction from which they came.

 

CAUTIONARY NOTE: This is a future news story – 

Tuesday, December 6, 2022

Pipeline SCADA System Hacked in Texas

The Pipeline Safety, Security and Operations Office (PSSOO) announced today that the recent crude oil leak near Tyler, Texas was due to a sophisticated cyberattack on the pipeline control system. “The attackers manipulated valves and pumps to create a local overpressure situation,” Michael E. Thane, spokesperson for the PSSOO, said. “This caused pressure relief systems to open and begin pouring crude oil out at the remote location near the Neches River.”

The pipeline, owned by the Friendly Morning Pipeline Company, apparently started leaking just after sundown and was not stopped until a fisherman reported seeing the crude pouring into the Neches River near his favorite fishing spot the next morning. The sour crude being pumped through the pipeline contained high levels of hydrogen sulfide, a toxic gas. A major fish kill has been reported along a 20-mile stretch of the river.

The National Critical Infrastructure Security Operations Center (CI-SOC) is working with PSSOO and the Federal Bureau of Inquiry and the Texas Environmental Commission to investigate this incident. Local law enforcement has been told that this may be an environmental terrorist attack, but none of the federal agencies involved in the investigation are willing to use the T word publicly.

George Friendly, President and Owner of the affected pipeline company, talked with reporters this morning. He noted that the company was using a pipeline SCADA system that was specifically designed for secure monitoring and control of pipeline operations. “We worked closely with Albert Foxborough, the founder of Flintstone Tech, in his development of their pipeline secure automation system,” Friendly explained.

A source with the CI-SOC, who must remain nameless because they are not allowed to talk to the press, explained that the Flintstone PSAS was a complete supervisory control and data acquisition system that was designed for secure communications between the various parts of the pipeline automation system. “This system was designed in early 2016, before people generally started talking about zero trust systems,” she explained, “and certainly before people started to talk about it in industrial control systems.”

Friendly agreed that the PSAS had a zero trust architecture, but explained: “Albert started employing what is now called zero trust architecture back in 2015 when he started the design of his new operating system.” Security was built into the operating system as one of the core principles of its design. This meant that there was no need for add-on security appliances or applications.

The CI-SOC technician said that Flintstone was recently disbanded when its parent company was sold. “The new owners apparently did not want to offend their customers who were manufacturers and vendors of more conventional control systems and security systems.” Flintstone shut down operations and customer support on very short notice. The last thing the company did was issue a mandatory software upgrade for their systems that effectively reduced the communications security controls of the system.

Friendly told reporters: “We had the most secure pipeline control system the world has seen to prevent just this sort of incident. We had to reduce the security to keep the control system functioning. Now this happens. Where are all of the federal cybersecurity folks now?”

CAUTIONARY NOTE: This is a future news story –


Sunday, October 16, 2022

Car Swatting

The California Highway Patrol is currently investigating three instances of car swatting in the Bay Area this weekend. According to Francis L. Poncherello, CHP spokesperson, the latest incident occurred when a car was stopped in San Francisco at about noon today after a CHP officer noticed an Amber Alert notice on the vehicle’s digital license plate. Patrol cars from three different jurisdictions participated in the stop of the vehicle. Malcom Reynolds and his wife Jayne were forced from their car at gunpoint and handcuffed before the officers realized that the Amber Alert on the tag was part of an ongoing cyberattack on the State’s new RiPlate digital license plates.

Derrail Book, CEO of Reaver Electronics, explained that the RiPlates produced by his company had included the Amber Alert notice as an option on their digital license plates as a way to help police agencies locate and identify vehicles being used by kidnappers. “We have strong software controls designed into the system that only allow police departments equipped with an RiTerminal to activate the Amber Alert notices on our RiPlates,” Derrail explained. “This weekend’s problem must be due to inadequate administrative controls in local police terminals that can remotely access our plates.”

The first car swatting incident occurred in San Francisco early Saturday morning. A car owned by Congressman Harvey Milk was surrounded by a police tactical squad in the parking garage of the Muir Marriott Hotel. The license plate on the vehicle matched a plate that was reported to be involved in the recent theft of explosives from a construction site in San Mateo on Friday. The Congressman was upstairs receiving an award from the San Francisco Retired Police Organization (SFRPO) for his support for families of police officers wounded in the line of duty. When Milk returned to his car 30 minutes later he found that the trunk and doors had been forced open and the car was undergoing a detailed search for explosives. A digital license plate reader at the Hotel had captured a picture of the license plate on the Congressman’s car; it matched the number of the car that was being looked for in the San Mateo case.

In theory, once the Department of Motor Vehicles has assigned a license plate number to an RiPlate, it can only be changed by order of the DMV. Reaver Electronics actually makes the change, but only when ordered by the DMV. Book told reporters this morning that there is no record of a change being made to the RiPlate on Milk’s car.

When asked if there could have been a cyber attack on his company’s computer systems, Book replied: “We have very strong cybersecurity controls in place on our corporate networks. We have promised the Governor and the DMV that our systems will not allow unauthorized access to the RiPlates or their supporting technology.”

The National Critical Infrastructure Security Operations Center (CI-SOC) is helping the Highway Patrol investigate these three car swatting incidents. General Buck Turgidson, CI-SOC Director, reminded reporters this afternoon that there is no such thing as an unhackable system. “We have not yet found a hackable vulnerability in the system, but we have just started looking.”

 

CAUTIONARY NOTE: This is a future news story –


Friday, September 30, 2022

Cloud Server Farm Taken Offline by Drone Attack

Eniac Cloud confirmed that yesterday’s interruption in their cloud service was due to a remotely piloted aircraft being flown into the substation supplying power to their Delano Datacenter. “All systems switched over to alternative routings within minutes and our customers were only momentarily discomforted,” Richard Brathwait, spokesperson for the company, told reporters. “We expect to resume full service in the Delano Center within a couple of weeks.” Two transformers at the company-leased substation will have to be replaced.

Johnathan Quest, Federal Bureau of Inquiry spokesperson, confirmed that the FBI was working with the Federal Airline Administration in investigating the incident. “We have identified the owner of the aircraft, Barkhorn Aviation, but they lost control of the aircraft when it was almost 75 miles away from the Delano facility,” Quest told reporters.

Oscar Holmes, spokesperson for the FAA, confirmed that the agency had seized the controller used by Barkhorn Aviation, an agricultural sprayer company, but that it was apparent that the controller did not have the range necessary to conduct the attack in Delano.

A spokesperson for Barkhorn told reporters that they lost control of their BF 109 drone at about 8:00 am yesterday. “The operator saw the aircraft take a left turn from its last spraying run on a cotton field outside of Dothan, AL,” Erich Hartmann told reporters. “It was last seen flying over the trees to the east of the field that we were spraying.”

A technician at Eniac who is not authorized to speak to the press told me that a small amount of data that had not yet been backed up was lost in the attack, but that the system worked as it was designed. “We have contingencies for power outages, and the plan worked well,” she said.

Brathwait said that the prolonged outage at the Delano Center would slow some of the data flow through their cloud network, but that customers would not be able to notice the difference. “Temporary loss of a single facility in our cloud network is not a problem,” he explained.

CAUTIONARY NOTE: This is a future news story –

Wednesday, September 14, 2022

Mini-Crime Wave Cover for Jewelry Stores Heist

A sophisticated gang of crooks cleaned out three jewelry stores in downtown Delano, GA yesterday morning while the police were responding to nonexistent emergencies around the city’s outskirts, Chief S. James Butts told reporters this morning. “Not only did the thieves disable the store silent alarm systems,” Butts said, “they also were responsible for three automated alarms, two bomb threats at schools and four auto accidents with reports of injuries that tied up all of our patrol units well away from the downtown area.”

Butts also reported that the Delano Police Department had requested assistance from the Federal Bureau of Inquiry in the conduct of the investigation. “Too many cyberattacks were involved in this series of events for our Department to investigate,” Butts explained. “We only have one cyber-investigator on the force and she is already working on two other cases.” According to the Georgia Bureau of Inquiry, the State cyber-investigators are still tied up on the continuing attacks on vehicle charging stations in the Atlanta area and are not available to help the Delano investigation.

Johnathan Quest, spokesperson for the FBI, confirmed this morning that the FBI was working with the Delano Police Department on the investigation. “We have some indications that the criminals used an internet connection to hack the building security system,” Quest explained. “This means that they could be charged with computer fraud, which is, of course, a federal crime.”

Employees at all three of the jewelry stores reported that they had just finished putting jewelry on display when the thieves entered through the front door of each store. The doors had not yet been opened for the day, but the crooks apparently remotely manipulated the electronic locks on the doors. One of the store managers that asked not to be identified because of insurance concerns said that opening those doors before they were unlocked through the store security system should have immediately triggered an alarm to the Delano Police Department.

The three store owners refused to discuss the value of merchandise stolen from their stores because of ongoing negotiations with insurance companies.

CAUTIONARY NOTE: This is a future news story –


Tuesday, September 6, 2022

Farbenhack Tool Being Sold on Dark Web

The ECS-CERT announced today that, in conjunction with investigators from the Federal Bureau of Inquiry, it had discovered a new hacking tool being sold on the Dark Web called Farbenhack. The tool provides a suite of applications that can be used to conduct ransomware attacks on manufacturing organizations. “We have seen various combinations of the applications being used in real world attacks on small companies in the United States,” Immanuel C Securitage, spokesperson for ECS-CERT, told reporters this morning.

Johnathan Quest, spokesperson for the FBI, told reporters that the earlier attacks were apparently proof-of-concept demonstrations for the new Farbenhack Tool. “The web site where the tool is being sold shows screen shots of the applications being used in those attacks,” Quest said. “The suite provides tools for conducting targeted phishing attacks on control system engineering professionals, with options for using drive-by attacks on an engineering web site, or the download of compromised files from look-alike web sites. The phishing tools are very sophisticated, targeted at folks who should be knowledgeable about web-surfing vulnerabilities.”

An engineer working with ECS-CERT who is not authorized to talk to the press told me that the post-compromise tools are even more refined. “While many, maybe most, control system devices are easily compromised when one has access to the control network,” she told me, “these tools allow simultaneous reprogramming of a large set of devices on a network to shut down processes once the ransom notice is published, both on the engineering workstation and any HMI on the network.”

Interestingly, Quest notes that the Farbenhack Tool comes complete with command-and-control networks on Russian servers. “This CC network, along with some programming conventions, raises suspicions that the tool was developed by Russian hackers. It is not clear if they are officially sanctioned by the Russian government, but disruption of manufacturing capabilities in the United States and Europe would certainly be in the interest of the Putin government.” People who buy the tool, do have the option to change to their own CC networks.

Securitage points out that a premium version of the tool provides for an enhanced option to encourage victims to pay the ransom. The tool provides applications that will brick devices, making them inoperable and requiring replacement. “The vulnerabilities that lead to bricking are well known, but require authenticated access to the devices from the engineering workstation,” Securitage said. “So many organizations find it an acceptable risk to not patch the devices.”

Neither ECS-CERT nor the FBI has any information on how many of these tools have been sold. ECS-CERT has published on their secure web portal a list of the compromised and look-alike web sites being used by the tool. “We do expect, however, that the crafters of the tool have the capability to update the tool with new web sites,” Quest explained. “We are being forced to play whack-a-mole with these sites.”

 

CAUTIONARY NOTE: This is a future news story –

Sunday, August 28, 2022

Aircraft Inflatable Lap Belts Hacked in TWA Incident

A Transportation World Airlines aircraft that was forced to return to Los Angeles International Airport yesterday, when all the passenger inflatable lap belts inflated simultaneously as the aircraft crossed over the coast, was the victim of a cyberattack. “We have been notified by GeschütztesDF, a notorious German hacker, that she was responsible for the activation of the lap belts,” John Frye, spokesperson for TWA, told reporters. “She has demanded that a ransom payment be paid to Stasi Ehemalige to avoid having future flights similarly attacked.”

Johnathan Quest, the spokesperson for the Federal Bureau of Inquiry, confirmed that Kate Libby, the hacker known as GeschütztesDF, was recently released from federal custody when a second federal trial on airline hacking charges based upon her part in the earlier WannaFly attacks resulted in a second hung jury. “She was released in New York just a little over a week ago and dropped out of sight within two hours of her release.”

Kate Libby (not related) from Dragonfire Cyber reported that they were working with the FBI and the ECS-CERT on the investigation of the attack. “This morning our technicians found a vulnerability in the wireless test function of the electronics module of the lap belt system that allowed a specially crafted wireless signal to command the lap belts to inflate,” Libby told reporters at a CI-SOC news conference this afternoon. “We have not confirmed that this vulnerability was exploited in the attack, but it is certainly an issue that needs to be addressed.”

Robotron Aero is working with Dragonfire to identify and fix the source of the attack. “Our technical staff is working on a fix for the vulnerability identified by Dragonfire,” said Fritz Schmenkel, manager of Robotron’s Aero division. “And we continue to look for other potential routes for yesterday’s attack.”

“Pending a solution to this problem, TWA is taking all seats that use the inflatable lap belts out of commercial service,” Frye told reporters this morning. “Fortunately, they are only currently being used in side-facing seats in First Class on most of our aircraft, so we are not having to cancel any flights.”

Oscar Holmes, spokesperson for the Federal Airline Administration, reported that the agency has issued a safety advisory on the potential problem with the Robotron Aero lap belts. “We have told all airlines using the Robotron inflatable lap belts to stop allowing passengers in seats equipped with those lap belts. Replacements from other vendors that have been type-certified for side-facing seats can be used for up to 30 days without aircraft-specific certification.” The FAA is continuing to monitor the investigation.

CAUTIONARY NOTE: This is a future news story –

Tuesday, August 16, 2022

Ransomware Attack Hits Satellite Comms

Vostok Satellite Company reports that communications services provided by their Vostok 1 satellite have been interrupted by a ransomware attack. “Our mobile satellite service has been interrupted by a new ransomware variant called SatWurm,” Valentina Tereshkova, spokesperson for Vostok Satellite, explained. “The satellite appears to be fully functional, but the transmission targeting controls are not allowing outgoing traffic to reach their intended recipient.”

The Brooklyn-based company recently began offering mobile satellite service via their new software-defined satellite service. The satellite is able to use lower-powered transmissions because the transmitter is more narrowly focused and targeted at the receiver’s location. Vostok 1 was launched on April 12th, 2021.

Vostok Satellite announced that they are currently negotiating with the SatWurm controllers to return control of the satellite system. The unnamed attacker is reportedly asking 10 Bitcoin ($239,315) for removing the malware.

General Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed that they were working with Vostok Satellite. “We do not recommend that victims pay ransoms, but I understand why someone might take that approach to return their systems to full control,” Turgidson explained.

A technician with CI-SOC who is not authorized to talk to the press told me that the investigation into how the attackers gained control of the system would not be able to make much headway until they were able to access the control logs on the satellite. “The Vostok targeting controls are based upon information sent to the satellite by the customer ground stations,” she explained. “We suspect that the attack was initiated through those channels.”

CAUTIONARY NOTE: This is a future news story –

Monday, August 8, 2022

Chlorine Evacuations Another False Alarm

Yesterday’s evacuation of Depatman Doubs outside of Le Sel, LA was the result of alarms in the neighborhood and along the fence line at the nearby ChlorAlk plant reporting a large chlorine gas release. As with the radiation alerts last week in Georgia, the alert and evacuation were based upon false information provided by the detectors, according to Sueur Hargreaves-Bird, spokesperson for ChlorAlk. “We know that we did not have even a small release of chlorine yesterday at the facility, so the alarms must have gone off in error,” Ms. Hargreaves-Bird told reporters.

Kurt E. Sabersky, a community organizer in Depatman Doubs, objected to the comparison with the nuclear facility incident. “There is nothing in Doubs worth stealing, so this was not a grand criminal conspiracy like that seen in Georgia,” Sabersky explained. “Doubs is a working-class neighborhood filled with 2nd and 3rd generation salt miners.” He said he has no idea why someone would have decided to attack this system.

Sabersky reminded reporters that the sensors and alarms responsible for yesterday’s evacuation were the result of a 2015 chlorine release at the ChlorAlk plant that injured hundreds of Doubs residents and killed 13. “The court ordered ChlorAlk to install the network of sensors and alarms, as well as fund the quarterly evacuation drills to improve the emergency response capability of the neighborhood,” Sabersky explained.

The evacuations yesterday proceeded smoothly, with residents wearing their escape respirators and block captains with full-face respirators supervising the operations. “The evacuation was conducted in a professional manner, as you would expect with the number of neighborhood drills that have been conducted,” Sheriff Justice told reporters. “My deputies had to do little more than provide traffic direction to keep outsiders off the evacuation route.”

The National Critical Infrastructure Security Operations Center (CI-SOC) and the Federal Bureau of Inquiry are cooperating on the investigation of the incident. “Since the sensor and alarm network was mandated by a Federal Judge and overseen by the Federal Emergency Grant Administration (FEGA), the apparent attack on the system falls under federal jurisdiction,” explained Johnathan Quest, FBI spokesperson.

General Buck Turgidson, CI-SOC Director, told reporters via a video link that it does not appear that this incident was related to last week’s hack in Georgia. “Two entirely different types of sensor and monitoring platforms were used by the two systems,” Turgidson said.

A technician working with Dragonfire Cyber, who is not authorized to speak to the press, told me that the sensors in yesterday’s incident did not appear to have been the source of access to the system. “All of the sensor logs show typical background chlorine readings for the facility and neighborhood,” she said. “Investigators are now looking at the monitoring station that controls the alarm network.”

CAUTIONARY NOTE: This is a future news story –

Wednesday, August 3, 2022

Nuclear False Alarm Was Cyberattack

The National Critical Infrastructure Security Operations Center (CI-SOC) confirmed this morning that yesterday’s nuclear evacuation alert was the result of a remote cyberattack on the nuclear radiation monitoring system near the Delano Nuclear Power Station. “While the attacker has taken efforts to hide their tracks,” General Buck Turgidson told reporters this morning, “we have detected clear evidence that the sensors were compromised and directed to produce the high gamma radiation warnings that were the direct cause of yesterday’s evacuation order for Delano, GA.”

Turgidson explained that the CI-SOC was working closely with the Nuclear Power Generation Council to determine exactly how the NRMs were hacked and how to fix the underlying vulnerability in those sensors. “The US Army has deployed radiological monitoring teams in the Delano area to provide temporary background radiation coverage while we are working to remove the vulnerabilities from the installed system.”

S. James Butts, Delano Police Chief, in a separate news conference this morning discussed the looting that took place in the downtown business district during yesterday’s evacuation. He described some unorganized looting at two small grocery stores and one gun shop. “No weapons were taken, but most of the ammunition on display in the store walked out the front door,” Butts explained.

Butts went on to explain that the Delano Police Department had requested assistance from the Federal Bureau of Inquiry in investigating what appeared to be organized assaults on four jewelry stores. Everything in the display cases was removed at each store and safes were opened in three of the four stores. Video security systems showed that each store was hit by masked, three-person teams. Butts told reporters that: “The initial estimate of losses from the three stores is over a half-million dollars.”

Johnathan Quest, spokesperson for the FBI, confirmed that the agency was investigating the break-ins in Delano, GA. “Jewelry store robberies are not typically high on the FBI’s crime list, but since it appears that these robberies are tied into the cyberattack on the radiation monitoring system, a federally regulated system, the FBI certainly feels that it has jurisdiction over the robberies.”

Mayor Arrington Carter told reporters this morning that she was disappointed with the way that the radiation warning system worked yesterday. Acknowledging that the system is an important safety measure that protects local citizens from potential accidental radiation releases from DNPS, she said: “Given their importance, the NRMs should not have been able to trigger an automatic radiation evacuation absent any indications of an actual release at DNPS. I will be working with the DNPS management team and the Energy Security Agency to see that this problem does not happen again.”
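The design point the Mayor is making here, and the forensic check the Dragonfire technician describes in the Le Sel chlorine story (alarms that fired while the raw sensor logs showed only background), can both be expressed as code. The following is an added example written for this page; it is not code from the original stories or from any of the (fictional) vendors or agencies they name. The record layouts, field names, units and thresholds are assumptions, and the sample readings and alarm records are constructed. It shows two things: an evacuation decision that requires corroboration from an independent source (in-plant monitors) and from more than one perimeter sensor, so that compromising the perimeter network alone cannot trigger an evacuation; and a retrospective audit that flags alarm records with no supporting reading in the sensor log, which is the signature of an attack on the monitoring station rather than on the sensors.

```python
"""Corroborated evacuation alarms and an audit of alarm records vs. sensor logs.

Added example, not from the original page. All formats, thresholds and data
below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Reading:
    sensor_id: str
    t: int          # assumed: seconds since epoch
    value: float    # assumed: gamma dose rate in uSv/h


@dataclass(frozen=True)
class AlarmRecord:
    t: int
    sensor_id: str
    reported_value: float   # value the monitoring station said the sensor reported


BACKGROUND_LIMIT = 0.30   # assumed upper bound of normal background
RELEASE_LIMIT = 5.0       # assumed per-sensor evacuation threshold


def corroborated_alarm(perimeter: List[Reading], plant: List[Reading],
                       min_sensors: int = 2) -> bool:
    """Evacuation requires two independent indications:
    (a) at least `min_sensors` distinct perimeter sensors above RELEASE_LIMIT
        (a single faulty or spoofed sensor is not enough), and
    (b) at least one in-plant monitor above BACKGROUND_LIMIT, i.e. some
        indication of an actual release at the plant.
    A compromised perimeter network alone therefore cannot trigger it."""
    hot_sensors = {r.sensor_id for r in perimeter if r.value >= RELEASE_LIMIT}
    plant_indication = any(r.value > BACKGROUND_LIMIT for r in plant)
    return len(hot_sensors) >= min_sensors and plant_indication


def audit_alarms(alarms: List[AlarmRecord], sensor_log: List[Reading],
                 window: int = 60) -> List[AlarmRecord]:
    """Return alarm records that no raw reading from the same sensor, within
    `window` seconds, supports. An alarm with a high reported value but only
    background readings in the log points at the station, not the sensors."""
    unsupported = []
    for a in alarms:
        supported = any(
            r.sensor_id == a.sensor_id
            and abs(r.t - a.t) <= window
            and r.value >= RELEASE_LIMIT
            for r in sensor_log
        )
        if not supported:
            unsupported.append(a)
    return unsupported


# Constructed sample data ---------------------------------------------------

# Case 1 (station compromised): the raw sensor log shows only background,
# yet the station recorded two high alarms at t=1060.
SENSOR_LOG = [
    Reading("NRM-03", 1000, 0.11), Reading("NRM-07", 1000, 0.09), Reading("NRM-12", 1000, 0.12),
    Reading("NRM-03", 1060, 0.10), Reading("NRM-07", 1060, 0.10), Reading("NRM-12", 1060, 0.11),
    Reading("NRM-03", 1120, 0.12), Reading("NRM-07", 1120, 0.09), Reading("NRM-12", 1120, 0.10),
]
ALARMS = [AlarmRecord(1060, "NRM-07", 12.0), AlarmRecord(1060, "NRM-12", 12.0)]

# Case 2 (sensors compromised): two perimeter sensors genuinely report
# high values, but the plant's own monitors show nothing.
SPOOFED_PERIMETER = [
    Reading("NRM-03", 1060, 0.10), Reading("NRM-07", 1060, 12.0), Reading("NRM-12", 1060, 12.0),
]
ONE_HOT_PERIMETER = [Reading("NRM-03", 1060, 0.10), Reading("NRM-07", 1060, 12.0)]
PLANT_BACKGROUND = [Reading("PLANT-A", 1060, 0.08), Reading("PLANT-B", 1060, 0.07)]
PLANT_RELEASE = [Reading("PLANT-A", 1060, 1.50), Reading("PLANT-B", 1060, 0.07)]


if __name__ == "__main__":
    for a in audit_alarms(ALARMS, SENSOR_LOG):
        print(f"unsupported alarm: {a.sensor_id} reported {a.reported_value} at t={a.t}")
    print("spoofed perimeter, no plant indication ->",
          corroborated_alarm(SPOOFED_PERIMETER, PLANT_BACKGROUND))
    print("spoofed perimeter, plant release       ->",
          corroborated_alarm(SPOOFED_PERIMETER, PLANT_RELEASE))
```

With the constructed data, both alarm records come back as unsupported (the Le Sel pattern), and the spoofed perimeter readings do not produce an evacuation unless a plant monitor also moves (the Delano pattern). Neither check replaces a sensor-level fix; they limit what an attacker gains from compromising any one layer.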

CAUTIONARY NOTE: This is a future news story –

Tuesday, August 2, 2022

Radiation Evacuations Ordered – False Alarm

The National Automated Alert System’s announcement of a radiation emergency around the Delano Nuclear Plant this morning has been confirmed to be a false alarm, according to Gammon Frappu, NAAS spokesperson. The NAAS alert caused confusion and alarm at about 10:30 this morning when the Nuclear Radiation Monitors (NRMs) between the Plant and Delano, GA indicated a large gamma radiation release.

The Delano Nuclear Plant confirms reports that there have been no process upsets at the plant and none of the local radiation monitors have reported any out-of-band releases at the facility. “Our facility continues to operate safely, within all legal and safety constraints,” GT Seaborg, facility spokesperson, told reporters this afternoon.

Delano Mayor Arrington Carter told the assembled reporters that her office has been in direct communication with DNP, NAAS and the Georgia Department of Homeland Security. “All agencies of the State and Federal government currently agree that this morning’s alert was a false alarm,” Arrington explained, “I have asked the Governor to ensure that a complete investigation is quickly done to determine the cause of today’s alert.”

A technician with DNP who is not authorized to talk to reporters told me that the NRMs used by NAAS are connected to the NAAS network by cell phone connections. cYbrg0D, an anonymous cybersecurity researcher, confirms that similar NRMs were recently hacked in Spain. She did not know if the ones actually in use in Georgia are the same model as those hacked in Spain.

S. James Butts, Delano Police Chief, confirmed that there was some looting this morning in the downtown business district. “All of our officers were working evacuation missions, so we had no one working in the area,” Butts explained, “I am very proud of how well our folks implemented the radiation response evacuation plan. We will investigate the looting and arrest the perpetrators.”

The mayor confirmed that the response from other city agencies was not as effective. “Once the dust settles, we will go back and take another look at the response plan and how it was implemented this morning,” she said, “My main concern right now is finding out how this false alarm happened in the first place and how to prevent it from reoccurring. We do not need to cry wolf over a potentially very real problem.”

CAUTIONARY NOTE: This is a future news story –

Thursday, July 28, 2022

Latimer Closes Atlanta EV Charging Centers

Today Latimer Electric announced that they were closing their thirty-one electric vehicle charging stations in the Atlanta area. “We have been consistently losing money in this operation,” explained Lewis Howard, “We believe that we have identified the cause of the problem and will reconsider our operations once a fix has been identified.”

Latimer began opening their high-speed charging stations in 2021. Their proprietary technology allows for rapid recharge of electric vehicle batteries in under ten minutes. The company’s distinctive green charging stations with covered parking have become popular destinations in the Atlanta area over the past six months. The Latimer fast charge system only charges vehicle batteries to 80%.

A technician who is not authorized to talk to the press says that the problem is that someone has figured out how to use the charging stations without paying for the service. “The company has had researchers identify a number of cybersecurity vulnerabilities in their system,” the technician said, “But no one has been able to identify how those vulnerabilities have been combined to steal power from the system.”

Rumors have been circulating in the Atlanta area that the Latimer Charging Centers have been the target of a local hacker known as RHood.

CAUTIONARY NOTE: This is a future news story –


Thursday, July 21, 2022

Communications Satellite Stops Broadcasting

The East Asian Communications Company (EACC) announced this morning that their EACC-2 satellite stopped broadcasting for unknown reasons. “We lost all communications with the satellite at 03:05 JST this morning,” explained Michitaro Totsuka, EACC spokesperson, “We suspect that there has been a loss of alignment. We continue to try to establish communications with EACC-2.”

EACC-2 provides television and internet services to East Asia, including the Korean peninsula. The satellite went into service in January 2021. The North Korean government has protested the signals from the satellite, especially since organizations in South Korea have been smuggling satellite receivers into the North.

When asked about rumors circulating in Seoul that the satellite had been hacked by the North Koreans, Totsuka replied, “We do not currently have any indications that the current service interruption has been caused by actions of the North Korean government.”

There is discussion on the ProgVymo discussion board about how much should be charged for ransomware that targets communications satellites. Kate Libby, CTO at Dragonfire Cyber, confirmed that the account initiating the discussion is known to be associated with the Choi Group, a North Korean ransomware group.

Totsuka maintained that the EACC has not received any ransomware messages related to EACC-2.

CAUTIONARY NOTE: This is a future news story –


Friday, July 8, 2022

Russian Backdoors Discovered in Robotron Marine Devices

Robotron announced today that an independent cyber researcher had reported that there was a hard-coded backdoor that allowed remote command execution in their SD-1768 marine controller. According to Erich Mielke, spokesperson for Robotron, users are urged to immediately update their devices to the latest version.

A post by the Free Ukraine Cyber Kollective claims that a member of their organization found the vulnerability in the SD-1768. It reports that an update pushed to the devices in January added the backdoor access. They note that the Schiffsdiesel Division of Robotron, based out of Kaliningrad, Russia, was responsible for that update.

Grigory Spiridov, a spokesperson for the Schiffsdiesel Division, denies that there was any problem with the SD-1768 software. “We have not been able to verify the slanderous claims of the Ukrainian cybercriminals,” Spiridov told reporters at the Division Headquarters. When asked about the report from Robotron headquarters about the vulnerability, Spiridov said: “This is part of the unacceptable attacks on Russian corporate interests engineered by the United States.”

Mielke told reporters that Robotron had ordered the Schiffsdiesel Division shut down as part of the EU’s sanctions against the Russian government. “The Division management, mostly Russian nationals left over from the acquisition of Chichagov Morskoy in 2015, have disregarded our shutdown orders and are currently cooperating with the Russian government.” There are unconfirmed reports that Erich Raeder, the Schiffsdiesel President and a German national, was arrested by the Russian government. Mielke refused to comment on the rumors.

Marina, a spokesperson for the Kollective, reported that they discovered the backdoor while a member was investigating an unusual failure of an SD-1768 in a Ukrainian Navy patrol boat operating in Odessa. “We were able to confirm that this was not a one-off problem when we used the backdoor to disable a Russian freighter hauling Ukrainian wheat to Syria,” Marina explained to me by telephone.

CAUTIONARY NOTE: This is a future news story –

Wednesday, June 29, 2022

Trucking Company Gas Pump Hackers

The Federal Bureau of Inquiry raided the headquarters of Red Ball Express Trucking this morning, arresting the CEO, Budd Boetticher, and the CIO, Taffy Smith. Police from Delano, GA assisted the operation by executing arrest warrants for sixteen truck drivers employed by the company. According to Johnathan Quest, FBI spokesperson, this combined operation was in response to a months-long investigation into the ongoing theft of diesel fuel from the Flying A Fuel Stops chain.

Andrew Mellon, spokesperson for the Flying A chain, said the company has been experiencing large shortages of fuel at each of its truck stops located along highways across the southern tier of the United States over the last year. “More fuel was being pumped each day than sales were being recorded,” Mellon told reporters; “An internal investigation led to the detention of a driver from Red Ball who had a device that allowed him to steal about 30 gallons of diesel during a routine fill-up at one of our pumps.”

That driver cooperated with the FBI, providing information that was the basis for the search warrant and arrest warrants executed this morning. “The driver told us that each Red Ball truck was provided with a Wi-Fi device that allowed them to take 30 gallons of fuel before the pump started registering the sale,” Quest told reporters.

ECS-CERT is cooperating with the FBI’s investigation. Immanuel C. Securitage told reporters that the devices communicated with the local station system via Wi-Fi. “No hacking was done by the drivers; the corporate fuel systems had previously been compromised,” Securitage explained, “We are still trying to determine how that system was initially attacked.”

Mellon told reporters that over the last year the company had about 100,000 gallons of diesel fuel stolen, 30 gallons at a time. “The rise in fuel prices over that time period has made this a very costly theft and we are not sure that this is covered by our cyber insurance policy,” Mellon said.

CAUTIONARY NOTE: This is a future news story –

Wednesday, May 11, 2022

Sewer Detector Attack Responsible for COVID Lockdown

The Chinese news agency Zhōngguó Xīnwén (ZX) announced today that the recent shutdown of port facilities in Shanghai was due to a cyber attack on computer systems being used to monitor COVID-19 infections. Last month, COVID detectors in the Shanghai sewer system reported positive detection of COVID in the neighborhood where most port workers were housed. As part of the Chinese zero-COVID policy, the neighborhood was put into 100% lockdown, and port operations had to be shut down.

Lin Piao, spokesperson for the Shanghai Medical Directorate, told ZX that the Chinese government had started installing electronic detectors for COVID in the wastewater systems in Shanghai as a method for more precisely targeting the lockdowns that the government was using to counter the COVID-19 pandemic. “When these detectors report the presence of COVID-19 antigens in the sewer outflow of a district,” Lin Piao was reported to have said: “We know for certain that there are individuals in that district who have been infected with the disease.”

The ZX news report does not name the source for the cyberattack, but it does note that a Chinese Army cybersecurity unit is investigating the attack. This would typically mean that the government felt that there was a possibility that the attack could have been initiated by a foreign power.

The COVID sewer detectors were developed by scientists at the Tsinghua University in Beijing. The Chinese government has been deploying these sensors in sewer systems in large cities throughout the country as a way to effectively fight the COVID pandemic while reducing the economic cost of pandemic lockdowns.

CAUTIONARY NOTE: This is a future news story –

Thursday, March 3, 2022

US Cyber Firm Providing Cyber Warfare Support to Ukraine

The Department of Justice announced today that they had completed their investigation of the Russian claims of hackers in the United States conducting cyberattacks on Russian railroads. “All of the names provided by the Russian Ministry of Justice (Minyust) are employees of Red Cyberteers, a company registered in Austin, TX,” DOJ spokesperson Della Street told reporters this morning; “We have found no evidence of criminal activity by the personnel identified by Minyust.”

According to a press release from Red Cyberteers, the company is providing cyber warfare support to the government of Ukraine through the Ukrainian Consulate in Dallas, TX. Personnel operating on this contract are working through servers located in the Consulate. Reed Fleming, CEO of Red Cyberteers, confirmed that the cyber warfare operations included interfering with the operation of certain railroads in Western Russia.

Neither the Consulate in Dallas, nor the Ukrainian Embassy in Washington were willing to discuss the operations being conducted by Red Cyberteers. The Embassy did release a statement that in response to the Russian invasion of the Ukraine, the Ukrainian government was taking all available legal measures to counter the illegal Russian military incursion into their country.

A lawyer from DOJ speaking on background said that while the federal government has long rejected the issuance of letters of marque and reprisal in naval matters, there have been no laws or conventions that would prevent it from providing authority to private sector individuals for conducting cyberattacks on enemies of this country in the event of war. The lawyer explained that the main concern about the use of naval privateers has long been the lack of control over the actions of these ships under the guise of letters of marque. Stricter control of cyber operations under such grants could allow the government to conclude that such ‘cyber privateer’ activities would be an acceptable method of executing cyberattacks on our enemies. The briefer reminded the audience that the United States was not currently at war with anyone and the Federal government has not been accused of issuing any letters of cyber marque.

Fleming confirmed that Ukrainian military officers oversaw all aspects of the cyber operations being conducted by Red Cyberteers employees. “Additionally, I insisted that our contract with Ukraine specifies that we will not accept any orders to, or conduct operations designed to, kill people,” Reed said; “We are civilian employees of the Ukrainian government, working on property that is internationally recognized as territory of Ukraine, against an adversary that is conducting offensive military operations on Ukrainian soil. In short, there is no reason to consider us to be cybercriminals, and the DOJ has clearly indicated that they agree with that assessment.”

The Russian Embassy in Washington refused to provide a comment on this story.

CAUTIONARY NOTE: This is a future news story –

Monday, February 28, 2022

Russian Ministry of Justice Requests DOJ Assistance

The Department of Justice announced today that it had received a request for assistance from the Russian Ministry of Justice (Minyust) to help them identify and apprehend the hackers who have recently been attacking railroad operations in western Russia and Belarus. According to news reports in Russia, there have been cyberattacks on the railroad system that have caused intermittent shutdowns of rail traffic throughout western Russia and Belarus since last Thursday.

Della Street, spokesperson for DOJ, told reporters this morning that the Attorney General was considering the request because of recent Minyust actions against Russian cybercriminals who have been conducting ransomware attacks against organizations in the United States and Europe. “We are talking with our allies in the region about this request.”

According to Nikolai Krylenko, Minyust spokesperson, the cyberattacks have disrupted key freight and passenger services throughout Western Russia. “Our government is concerned that this criminal activity is harming the free movement of our citizens and hampering distribution of key materials throughout the region,” Krylenko said in a statement released this morning in New York.

The Free Ukraine Cyber Kollective has claimed responsibility for cyberattacks against the Russian military. A report on their web site, which was taken offline this morning, noted that they had delayed movement of military supplies and personnel to the border region with the Ukraine.

Rep. Harvey Milk (D-CA) told reporters that, while he has concerns about the use of cyber attacks against critical infrastructure anywhere in the world, the actions of the Kollective do not appear to be as concerning since they have been made in response to the Russian attack against the Ukraine. He said that he will be introducing legislation today prohibiting DOJ from taking any action against civilians that undertake cyberattacks against foreign military invasions of free countries. “We have a long history, reaching back to World War I, of civilians joining military action against oppressors in Europe before the United States government joins the fray,” Milk told reporters.

CAUTIONARY NOTE: This is a future news story –


Thursday, February 24, 2022

Russians Selling Access to Critical Infrastructure on Dark Web

Dragonfire Cyber released a brief report today concerning recent offerings on the Dark Web for access to critical infrastructure computer systems. They report that the Zhukov Brigade, a Russian hacker collective sometimes loosely associated with the Russian military, had posted a long list of organizations in Europe and the United States to whose computer networks it claimed proven access. Exclusive access was being offered to those systems individually or in related groups.

Maskirovka, the frequent spokesperson for the Zhukov Brigade on these Dark Web sites, reports that the access being sold is sufficient to allow ransomware attacks on the systems without the need for additional exploit tools. Access is being offered for 1BTC (about $35,000) and 10% of ransomware proceeds.

Dade Murphy, CTO of Dragonfire Cyber, told reporters this morning that the list of organizations includes public sector and private sector systems in power generation and transmission, ports, railroads and airports throughout the United States and Europe. “We have notified each of the organizations listed, as well as cybersecurity organizations in the respective governments,” Murphy said.

When asked if this appeared to be related to last night's invasion of the Ukraine by Russia, Dade replied: “We do not know. The Zhukov Brigade is not an agency of the Russian government, but they have been employed by the Russian military for some specific hacking operations that we know of.”

When General Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), was asked about the report at this morning’s CI-SOC briefing, he told reporters that they had received advance notice of the information from Dragonfire Cyber. “We have a close working relationship with Dade and his outstanding crew,” the General explained; “And we continue to work with them to address any potential threats to organizations in this country.”

When asked about rumors of government agencies buying up the access rights on the Dark Web sites, Turgidson laughed and said: “We do not have budget authority for that type of operation. Besides, I do not think that the Zhukov Group would be interested in selling us that access.” When asked if any intelligence agency might have the necessary authority, the General replied: “No comment.”

CAUTIONARY NOTE: This is a future news story –

Wednesday, February 23, 2022

Insulin Pump Hack Discovers Dosing Errors

Medical device software expert FrediG announced today at BlackCap Europe that he had found a calculation error in the GerateSoft application that he uses with the Robotron IPumpe insulin pump to control his blood sugar levels. The pump routinely administered 0.5% more insulin than was necessary to keep his blood sugar levels at target levels. As a result, his blood sugar levels over the last six months have routinely been on the low end of the target range for the treatment of his Type 1 diabetes.

Robotron spokesperson Erich Mielke told reporters at a news conference at BlackCap Europe that FrediG had disclosed the problem to Robotron last week, and that Robotron was recommending that the users of its IPumpe stop using the GerateSoft application. “We are very concerned that the application is incorrectly dosing patients using our device,” Mielke said; “But we are even more concerned that it appears that this dosing error may be deliberate.”

That unusual comment by Mielke was based on a claim by FrediG that the application used two different calculation formulas, depending on which account was used. FrediG reported in his talk today that the equation used when the default account on the application was in use was the industry-standard calculation. The default account would be expected to be used by regulatory agencies and companies like Robotron when testing the application.

Users are specifically warned by GerateSoft not to use the default account to protect their privacy. But when users set up their own unique account on the App, a different equation is used to calculate the insulin dosage. That calculation produces a dose that is 0.5% higher than the industry standard equation.
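The account-dependent dosing described above is the kind of defect that a tester using only the default account never sees. The following is an added example, not GerateSoft's or Robotron's code: a differential test harness that runs the same dose calculation under the default account and under a user account and reports any divergence. The bolus formula (carbohydrate coverage plus a glucose correction), the `suspect_bolus` model of the defect, the account names and the sample readings are all constructed for illustration.

```python
"""Differential test for account-dependent dosing logic (constructed example)."""
from dataclasses import dataclass

# Account a regulator or vendor tester would typically use (assumed name).
DEFAULT_ACCOUNT = "default"


@dataclass(frozen=True)
class Reading:
    carbs_g: float            # carbohydrates about to be eaten, grams
    glucose_mg_dl: float      # current blood glucose
    target_mg_dl: float       # target blood glucose
    carb_ratio: float         # grams of carbohydrate covered by 1 unit of insulin
    correction_factor: float  # mg/dL lowered by 1 unit of insulin


def standard_bolus(r: Reading) -> float:
    """Simplified bolus used here as the 'industry standard' reference (assumption)."""
    carb_units = r.carbs_g / r.carb_ratio
    correction_units = (r.glucose_mg_dl - r.target_mg_dl) / r.correction_factor
    # Below-target glucose yields a negative correction; never dose negatively.
    return max(0.0, carb_units + correction_units)


def suspect_bolus(account: str, r: Reading) -> float:
    """Models the reported defect: every non-default account gets a 0.5% higher dose."""
    dose = standard_bolus(r)
    if account != DEFAULT_ACCOUNT:
        dose *= 1.005
    return dose


def differential_check(calc, readings, accounts, rel_tol=1e-9):
    """Run `calc` under each account and compare against the default-account result.

    Returns a list of (account, reading, baseline_dose, observed_dose) for every
    input whose dose differs from the default account's by more than rel_tol.
    A zero baseline is compared exactly, since a relative error is undefined there.
    """
    findings = []
    for r in readings:
        baseline = calc(DEFAULT_ACCOUNT, r)
        for acct in accounts:
            dose = calc(acct, r)
            if baseline == 0.0:
                diverged = dose != 0.0
            else:
                diverged = abs(dose - baseline) / baseline > rel_tol
            if diverged:
                findings.append((acct, r, baseline, dose))
    return findings


def relative_excess(finding) -> float:
    """Fractional over- or under-dose of one finding relative to the baseline."""
    _, _, baseline, dose = finding
    return (dose - baseline) / baseline


# Constructed sample readings covering a normal meal, a below-target reading
# (no dose either way) and a meal with no correction component.
SAMPLE_READINGS = [
    Reading(carbs_g=60, glucose_mg_dl=180, target_mg_dl=120, carb_ratio=10, correction_factor=50),
    Reading(carbs_g=0, glucose_mg_dl=110, target_mg_dl=120, carb_ratio=10, correction_factor=50),
    Reading(carbs_g=45, glucose_mg_dl=120, target_mg_dl=120, carb_ratio=15, correction_factor=40),
]
USER_ACCOUNTS = ["patient-7ab3"]  # constructed account name


if __name__ == "__main__":
    for acct, r, baseline, dose in differential_check(suspect_bolus, SAMPLE_READINGS, USER_ACCOUNTS):
        print(f"{acct}: {r.carbs_g} g carbs, {r.glucose_mg_dl} mg/dL -> "
              f"default {baseline:.3f} U, observed {dose:.3f} U "
              f"({relative_excess((acct, r, baseline, dose)):+.2%})")
```

The harness only needs the calculation entry point and a way to switch the account context; against a real application the `calc` argument would wrap the app's own API. Running both code paths over the same inputs is what exposes the divergence, which is why test plans for dosing software should include at least one non-default, user-created account alongside the vendor's default one.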

GerateSoft tried to get a German Court to stop FrediG’s presentation claiming that he had accessed GerateSoft’s system without permission, but lawyers for Robotron told the Court that FrediG had been a registered member of Robotron’s vulnerability discovery program and access to GerateSoft’s application was covered by that program.

Mielke noted that FrediG had reported vulnerabilities in a number of Robotron’s devices over the last two years, including a vulnerable version of OpenSSL used in the IPumpe that Robotron reported and corrected last summer.

CAUTIONARY NOTE: This is a future news story –

Monday, February 14, 2022

EF-1 Charging Stations Hacked Again

The San Francisco Transit Authority (SFTA) announced today that hackers were stealing electricity from the enroute charging stations for the City’s new electric bus fleet. The electric costs for the new charging stations were five times higher than expected during the first six months of operation according to a report released today by the SFTA. Johan Muir, a spokesperson for the SFTA, reported that the federal grant supporting the e-charging system would only last another three months at this rate.

Brewster Zenneck, the Director of the City’s SF eBus System, explained this morning that the innovative new electric transit bus system was able to use smaller, lighter batteries to power its new buses because the city had installed cordless power charging stations at about half of the bus stops used by the new vehicles. This means that the buses could partially recharge their batteries while unloading and loading passengers.

Zenneck explained that the system uses inductive charging plates built into the road at the bus stop. When a bus stopped to pick up passengers, a device on the bus would signal the charging system to turn on and then turn off when the bus pulled away. The high-powered charging system would be able to provide enough electricity to the vehicle’s batteries to allow it to reach the next powered bus stop.

According to an article in last week’s Democratic Press, an alternative news site, not long after the EF-1 charging system was installed a free application appeared on some alternate power web sites that would operate the charging stations. These apps would allow users to charge electric vehicles equipped with cordless charging systems while parked on or near the bus stops. Other apps soon appeared that would allow cordless charging of smaller devices, including cell phones, from the vehicle charging system.

Zenneck confirmed that the appearance of the apps had taken the SFTA by surprise. They were enabled by the hard-coded credentials used by the buses to control the charging stations. Once the SFTA had become aware of the problem they had worked with Robotron, the supplier of the EF-1 charging system, to update the system software to provide for unique passwords for each city vehicle that used the system.

Updates for the apps soon appeared on the scene that were able to steal passwords from the vehicles when they powered on the system. Zenneck said that the SFTA was working with Robotron to solve that problem.

CAUTIONARY NOTE: This is a future news story –

Wednesday, January 26, 2022

NVR Ransomware Provides Network Access

The National Critical Infrastructure Security Operations Center (CI-SOC) announced today that it had discovered that the recent ransomware attacks by the Blockflötenkollektiv (BFK) on Robotron network video recorders were accompanied by the installation of a rootkit utilizing the recently reported VerpfändenBausatz Linux vulnerability. “While the ransom payment for releasing the NVRs is relatively small (0.03 bitcoin, which currently equals about $1,100), the BFK is selling root access to the decrypted systems for 1 bitcoin,” Gen Buck Turgidson, CI-SOC Director, told reporters this morning.

BFK is a hacker collective loosely based out of Germany. Started in 1990 by technical specialists connected to the East German Stasi, the group has had close ties with Russian cyber gangs.

According to a background briefing provided by an analyst working with the CI-SOC, the organization had received reports from an unnamed US intelligence agency that one of the critical infrastructure organizations protected by CI-SOC had shown up on a dark web site known to be utilized by BFK. BFK was offering to sell root access to one of the corporate networks of the unidentified company. It was one of two hundred such access rights being offered.

Other sources tell me that the intelligence agency bought the rights from BFK and provided the information to CI-SOC. While CI-SOC worked out the details of the system compromise, the intelligence agency was able to use the bitcoin information from their transaction to track back the bitcoin wallet used by BFK. The wallet was seized by the German government and two members of the organization were arrested in Berlin.

CAUTIONARY NOTE: This is a future news story –