Capitol Attack Spread from Control Systems to IT Network

Last night the number of investigators working on the Capitol Hill cyberattack jumped drastically as computer systems in congressional offices began displaying ransomware notices. Investigators from the Federal Bureau of Inquiry and the National Critical Infrastructure Security Operations Center (CI-SOC) were joined by private security personnel hired by House and Senate chiefs of staff trying to get their systems back online.

Gen Buck Turgidson, Director of the CI-SOC, told reporters this morning that investigators from Dragonfire Cyber working for his agency had confirmed that the ransomware infection had moved from the building services computer systems, through administrative networks in the Capitol, to individual computers in congressional offices. “This is the first time that we have seen a major cyber attack move from OT networks to IT networks,” Turgidson told reporters.

Unconfirmed reports from personnel close to the investigation seem to indicate that the initial attack on the building control systems was initiated through a Bluetooth connection in the building access control system. A technician from Dragonfire Cyber, who is not authorized to talk to the press, told me that a Bluetooth connection between metal scanning wands used by Capitol Police and the security control station at the Cannon House Office Building has been identified as the route of entry into the building services network.

Early yesterday afternoon, William Thornton, Capitol Building Services Manager, had announced that power had been restored to the Capitol Building and each of the six congressional office buildings. While HVAC systems and building security systems were still off-line, the decision was made at 6:00 pm to allow staffers back into their offices so that they could prepare for the emergency joint session of Congress scheduled for this afternoon. At about 8:00 pm, reports started coming in about ransomware demands on office computer systems.

While each of the congressional office computer systems is linked to the Capitol IT network, investigators quickly determined that the as-yet-unidentified attackers are treating each congressional office as a separate target, demanding 1 Bitcoin (about $36,000) for the decryption code for each office.

Turgidson reported to the Congressional Leadership last night that the CI-SOC did not have enough people available to respond to each office in a timely manner. The decision was made to have Dragonfire Cyber teams look at the offices of the top two leaders of the House and Senate, and allow each of the remaining offices to address the issues with private contractors if they so desired. “We will review each congressional office’s computers before we close out the investigation,” Turgidson promised Congressional leaders.

The House and Senate are scheduled to meet in a rare joint legislative session at 4:00 pm EDT today. They are scheduled for a limited debate and subsequent vote on HR 10, the Respond, Evaluate, and Counter Terrorism (REACT) Act. Details of the bill are still being ironed out, but sources say the bill will authorize and require the CIA, NSA and Cyber Command to provide intelligence assistance and material support to the investigation by CI-SOC and the FBI into the cyber attack on the US Capitol.

Apparently still being debated by the Congressional leadership is the extent of the military response that will be authorized against the perpetrators of the attack. Rumors have it that there are loud calls for expanded response authority after the attack spread to congressional office systems.

The White House has announced that the President will sign HR 10 when it reaches his desk.

CAUTIONARY NOTE: This is a future news story – Future ICS Security News