More Problems with the Capitol Cyber Attack

A brief press release from the office of the Capitol Buildings Services Manager reported early this morning that while the servers and system control computers had been decrypted overnight, attempts at restarting the various systems had failed because the system components that operated the various building systems had been wiped of all programing during the attack. Lights, power, ventilation and security control systems were all affected. Yesterday, at about 9:30 am EDT the building control system computers for the Capitol Building and six Congressional Office Buildings were shut down by a ransomware attack. A previously unidentified group, DL76, signed the ransom screen demanding a 10-bitcoin ($370,000) ransom to unlock the system. A joint statement by the leaders of both parties of both the House and Senate yesterday afternoon, firmly reported that no ransom would be paid. Late last night the National Critical Infrastructure Security Operations Center (CI-SOC) announced that an incident response team from that organization was working with the CBSM to restore the servers and control system computers from the most recent backups. Unofficial word came out at 2:00 am this morning that the restoration process was completed and that a system restart was imminent. This morning’s press release stated that the Senate session and all Congressional hearings scheduled for today were canceled until further notice. All attempts to contact congressional leadership were met with a uniform ‘no comment at this time’ response. A joint press conference is scheduled for 9:00 am at the White House. A technical expert working with Dragonfire Cyber on the restoration process told me this morning that they had discovered that the attackers used the same version of the “SMASHINGCOCONUT” wiper program that was used in the recent attack on NACL Industries. “While an ecoterrorist group was responsible for that attack,” the expert told me under condition of anonymity as they were not authorized to talk to the press, “There is no indication that the current attack on the Capitol was conducted by that group. The wiper program is available for rent on the dark web.” When I asked this expert why backups were not being used to restore the components that were affected by the wiper program, she told me that while backups were available for the operational programming for most of the devices, the operating software was not locally backed up. Various vendors were being contacted for copies of the appropriate software and firmware. Restoration of all of the affected devices could take a couple of days. CAUTIONARY NOTE: This is a future news story –Future ICS Security NewsRead More