Sunday, February 25, 2024

Ransomware Class Action Suit

The City of Los Angeles filed a class action lawsuit against Hodes Automation for damages related to the recent ransomware attack against the City’s traffic light control system. Harry R. Haldeman announced the lawsuit this morning along with district attorneys from 25 other Southern California cities. “Not only was Hodes negligent in the design of their system, but they published a list of their customers on their web site,” Haldeman told reporters; “That list provided the hackers easy targets for publicly available exploits.”

Dean Hodes, owner of Hodes Automation, had no comment, referring reporters to his lawyer, Eunice Rivers. Rivers’ office issued a statement this morning; “We are looking at the details of the filing by the District Attorney and cannot comment on the facts of the case at this time, but Mr. Haldeman is clearly overreaching in trying to collect expenses the city incurred in their recovery from an incident from my client.” Rivers noted that Hodes had published an updated version of their software two weeks before the vulnerability was announced by Robert Lightman, the researcher who discovered the vulnerability.

Lightman published his report two months ago on the security bypass vulnerability in the TL Control program used by Los Angeles and thirty other municipalities in Southern California. “I discovered the vulnerability while doing some work for the city of Montecito,” Lightman told reporters; “And I worked closely with Hodes to help them correct the problem.” Lightman explained that he had a disclosure agreement with Hodes that allowed him to publish his research two weeks after Hodes made their update available on their web site.

The City of Los Angeles installed the TL Control system two years ago after the hack of the Robotron system that the City had been using was discovered. Doug Wilson, the Los Angeles City Manager, told reporters this morning that the city had decided to work with a local vendor after having problems working with Robotron. “We felt that a local vendor would be more responsive to our needs,” Wilson said.

When asked when the city became aware of the vulnerability in the TL Control product, Wilson told reporters that he was not able to comment on ongoing litigation. “All questions about the lawsuit should be referred to Haldeman’s office,” Wilson said.

A technician working with the Traffic Department who was not authorized to talk to the press told me that the city never received notification about the vulnerability from Hodes. “We read about the vulnerability in a newspaper article about the ransomware attack,” she said.

The Hodes web site announced the availability of a new version of the TL Control product on December 2nd. There was no mention of a security vulnerability on the web site. The TL Control web page was taken down early this afternoon, after the lawsuit was announced.

The lawsuit is seeking $15 million in damages.

The City Traffic Department announced a request for bids on a new traffic light control system. The bid request includes new cybersecurity notification requirements, including notifying the Department when vulnerabilities are reported to the vendor and reporting when the vendor has mitigation measures available for reported vulnerabilities.

CAUTIONARY NOTE: This is a future news story - 

Sunday, February 18, 2024

Robotron Drones Phone Home to China

This morning the Security and Applied Science (SAS) Directorate and the Federal Bureau of Inquiry announced that they had shut down an automated espionage operation being conducted by the PRK’s UGG (Uilyo Gong-Gyeog) advanced persistent threat group. Their latest activity utilized hacked Robotron drones to collect photographic and electronic information about critical infrastructure. “The UGG effectively turned the fleet of Robotron BF 109 drones into a data collection bot,” Nelson E. R. Donally, SAS spokesperson, told reporters.

An analyst with the SAS who is not authorized to speak to the press noted that: “While we were focusing on removing Chinese-made drones from US airspace, the UGG was targeting the largest non-Chinese uncrewed aircraft manufacturer, Robotron Aero, to turn their aircraft into Chinese data collection tools.”

Johnathan Quest, FBI spokesperson, told reporters: “We have arrest warrants for three members of the UGG leadership, but we do not expect that Chinese authorities will cooperate in their apprehension and extradition. We do, however, have a programmer in custody who worked on the Robotron project for UGG. He was arrested on a federal warrant in Singapore and has been extradited.”

Donally told reporters that SAS became aware of the use of Robotron drones when Barkhorn Aviation of Dothan, AL approached the agency with communications logs from one of their BF 109s. They noted a large block of data being transmitted to an unknown phone number after operations near Fort Novosel. We were able to track those communications through a number of links to a small server farm two blocks away from the Chinese mission in Atlanta. “We were able to seize those servers and use that access to track information back to an additional 150 BF 109 drones in use across the United States,” Donally explained.

A technician with Dragonfire Cyber who was not authorized to speak with reporters told me that the UGG chip was a communications control chip. The Robotron Aero design allows the drone to communicate via FM radio, cell phone and Bluetooth and encrypts all communications. UGG added additional communications monitoring capabilities and a separate encryption method for selected data.

The SAS Technical Division was able to isolate a single chip found in the BF 109 control system that allowed UGG to establish a physical backdoor in that control system. That chip was made in Taiwan by a manufacturer that was controlled by UGG. Quest told reporters that law enforcement personnel in Taiwan were helping the FBI in their investigation. “They seized customer records from that company,” Quest said; “We are currently tracking down locations where similar chips are in use in this country.”

Robotron Aero issued a statement that reported: “We are working in partnership with SAS and the FBI to try to determine how the electronic systems on our aircraft were compromised. We will have a team available to customers to remove the offending chip once the FBI or other regional law enforcement agencies have completed their forensic examination of each aircraft. The BF 109 fleet is currently grounded pending completion of those efforts.”

CAUTIONARY NOTE: This is a future news story –

Sunday, February 11, 2024

Security Researcher Exonerated

Delano, GA lawyer Junior Butts announced this morning that the Department of Justice had dropped all charges against his client, David Lightman, for the ransomware attack on Bleichen Chemicals last December. Butts told reporters: “My client is a diligent white-hat hacker who found a vulnerability in the Robotron SK-1a safety system and reported that defect to the manufacturer. It was hardly his fault that Robotron was unable to control access to their site.”

Lightman has been in federal custody in Atlanta since January 2nd. He was released this morning. Lightman was arrested on December 31st and all of his research computers and equipment were seized on that day. Lightman referred all questions from the press today to his lawyer.

Della Street, spokesperson for the DOJ, confirmed that Barlow was no longer a suspect in the case. “Mr. Lightman’s story checked out in all particulars after we were able to convince his lawyer to provide us access to the unencrypted contents of his research computer,” Ms. Street said this morning; “We are now on the trail of the team that hacked the Robotron web site that allowed them to intercept David’s vulnerability disclosure.”

The Federal Bureau of Inquiry is reportedly on the trail of AssaB, a notorious environmental hacker, thought to be working with Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER). Johnathan Quest, FBI spokesperson, confirmed that AssaB was a person of interest in the case. “Anyone with information about the whereabouts of AssaB should contact the FBI or their local law enforcement personnel,” Quest told reporters.

A reliable source at the National Critical Infrastructure Security Operations Center (CI-SOC) who is not authorized to talk to the press confirmed that someone had hacked the Robotron web site and replaced the links to the company’s ‘Security.txt’ listing on the main page with links that pointed at a web site controlled by SFINCTER. That allowed the hacker collective to intercept Lightman’s vulnerability report, which included proof-of-concept code. That vulnerability, along with at least one other zero-day vulnerability, allowed SFINCTER to install ransomware on the Bleichen Chemical safety controller.

Carl Scheele, the Bleichen Delano Plant Manager, told reporters in December that the company was forced to shut down production at the plant for five days while they negotiated a final ransom payment to unblock the safety controller. “There was no way that we were going to run our chlorine production unit without that safety controller in place,” Scheele told reporters at the time; “We had to pay the ransom as we had no other way to restart that controller.” Bleichen has not disclosed how much ransom was paid to SFINCTER. Sources report that it was certainly less than the 100 bitcoin asked for in the initial ransom demand.

Kate Libby, security researcher at Dragonfire Cyber, provided background information on the ‘Security.txt’ exploit used by the attackers. She explained that industry has been settling on using a standardized link on their web pages to allow independent security researchers like Lightman to reach out to the appropriate folks at a company to report cyber vulnerabilities. The ‘Security.txt’ link takes the researcher to a brief message that provides contact information, including an encryption key, to allow them to securely send information about vulnerabilities to the teams at the company that are responsible for fixing such vulnerabilities.

“In this case,” Libby said; “Poor web site security allowed hackers to substitute their own contact information for those of the company’s security team.” That allowed SFINCTER to utilize the good work of Lightman for their own nefarious ends.
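The substitution Libby describes is easier to catch when a researcher (or the vendor’s own monitoring) audits the security.txt file itself rather than trusting a link on the home page. The following is an added example, not code from the original story, from Robotron or from Dragonfire Cyber: a small audit routine that parses a security.txt file using the field rules of RFC 9116 and flags contact or encryption-key URIs that point off the vendor’s own domain. The two sample files, the hostnames (robotron.example, sfincter-drop.example) and the audit date are constructed for the example.

```python
"""Added example: audit a security.txt file against RFC 9116 field rules.

Not part of the original post. Hostnames, sample files and the audit date
below are constructed; nothing here is taken from any real vendor's site.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# Fields defined by RFC 9116; Contact and Expires are mandatory.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
REQUIRED_FIELDS = ("Contact", "Expires")

# Constructed audit date (the story's publication date) so the check is deterministic.
AUDIT_DATE = datetime(2024, 2, 11, tzinfo=timezone.utc)

# Constructed: what a legitimate file on the vendor's own host might look like.
GOOD_TXT = """# security.txt, constructed sample
Contact: mailto:security@robotron.example
Contact: https://robotron.example/security/report
Encryption: https://robotron.example/.well-known/pgp-key.txt
Canonical: https://robotron.example/.well-known/security.txt
Expires: 2024-12-31T23:59:00Z
"""

# Constructed: the same file after an attacker swaps in their own contact and key.
TAMPERED_TXT = """# security.txt, constructed sample (tampered)
Contact: mailto:disclosures@sfincter-drop.example
Encryption: https://sfincter-drop.example/key.asc
Canonical: https://robotron.example/.well-known/security.txt
Expires: 2024-12-31T23:59:00Z
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map each field name to its list of values; comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _host_of(uri: str) -> str | None:
    """Host part of a mailto: or http(s): URI; None for schemes without a host (e.g. tel:)."""
    parts = urlparse(uri)
    if parts.scheme == "mailto":
        return parts.path.rsplit("@", 1)[-1].lower() if "@" in parts.path else None
    if parts.scheme in ("http", "https"):
        return parts.hostname.lower() if parts.hostname else None
    return None


def audit_security_txt(text: str, site_host: str, now: datetime = AUDIT_DATE) -> list[str]:
    """Return a list of findings; an empty list means the file passed every check."""
    findings: list[str] = []
    fields = parse_security_txt(text)
    site_host = site_host.lower()

    for name in REQUIRED_FIELDS:
        if name not in fields:
            findings.append(f"missing required field {name}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field {name}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        findings.append("Expires must appear exactly once")
    for value in expires:
        try:
            # fromisoformat() before Python 3.11 does not accept a trailing "Z".
            if datetime.fromisoformat(value.replace("Z", "+00:00")) <= now:
                findings.append(f"file expired at {value}")
        except ValueError:
            findings.append(f"Expires is not ISO 8601: {value}")

    # The checks that matter for the substitution described in the story:
    # every contact, key and canonical URI should live on the vendor's own domain.
    for name in ("Contact", "Encryption", "Canonical"):
        for value in fields.get(name, []):
            if "://" not in value and not value.startswith(("mailto:", "tel:")):
                findings.append(f"{name} value is not a URI: {value}")
                continue
            if value.startswith("http://"):
                findings.append(f"{name} uses plaintext http: {value}")
            host = _host_of(value)
            if host and host != site_host and not host.endswith("." + site_host):
                findings.append(f"{name} points off-site ({host}): {value}")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_TXT), ("tampered", TAMPERED_TXT)):
        print(label, audit_security_txt(sample, "robotron.example") or "OK")
```

RFC 9116 places the file at /.well-known/security.txt on the organisation’s own host, so fetching it by that path, rather than following a home-page link, sidesteps the link substitution the CI-SOC source describes; the off-site findings above then catch the case where the file contents themselves have been altered.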

Erich Mielke, spokesperson for Robotron, refused to take questions from reporters after issuing the following statement:

“Robotron thanks Mr. Lightman for his efforts to help us maintain our high standards of security. Researchers like Mr. Lightman are an important part of our security program. We are happy to see him vindicated and look forward to working with him in the future.”

CAUTIONARY NOTE: This is a future news story –

Sunday, February 4, 2024

FlottSoft Hack Paralyses Federal Government

This morning, shortly after news broke about hundreds of stalled vehicles blocking traffic in Washington and its suburbs, the Federal Fleet Management Service announced that the entire federal motor vehicle fleet had been paralyzed by ransomware. “This morning at six-thirty Washington time, each of our FlottSoft terminals across the country flashed a red screen and then announced that every non-electric vehicle in our fleet would not be able to start until a ransom of 10,000 Bitcoin was paid,” Terry Ragozine, spokesperson for the FFMS, told reporters. Vehicles in transit when the ransomware struck shut down the next time that the vehicle came to a stop.

Shortly after that announcement, a brief announcement was made by Regina Louis Ziegler, White House spokesperson, that the President was working with his national security advisors on a solution to this problem. “It remains the policy of the United States that we will not pay ransoms, nor will we deal with terrorists,” she announced. Ziegler refused to answer questions about how many of the President’s advisors were still stuck in stalled vehicles in Washington.

General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), announced that the CI-SOC was working on the problem. “Fortunately, we have four vehicles here at our headquarters in Delano, GA that are affected by the stoppage to work with,” Turgidson explained. “We have confirmed that the malware is acting at the vehicle level, somewhere within the vehicle CAN bus network; the FlottSoft terminals are working normally after the ransomware announcement is disabled.”

An FFMS background document on FlottSoft explains that the software was adopted by the federal government about ten years ago to manage the ever-expanding fleet of motor vehicles. The software allows FFMS managers to track vehicle use and maintenance. Just two years ago, the vendor added anti-theft protections that allowed stolen vehicles to be shut down by managers.

Late Breaking News: According to a variety of sources, at 8:30 EST all of the shut-down vehicles in the federal inventory began systematically flashing their lights on and off. Multiple sources noticed that the lights were flashing in Morse Code, repeating “Pay Me”. This affected electric vehicles that were previously excluded from the effects of the attack.

CAUTIONARY NOTE: This is a future news story –