Robotron Ransomware Hits ICS Phones

Robotron announced today that the latest ransomware attack on their corporate networks has apparently spread to its Betriebstelefon product. Erich Mielke, CTO of Robotron, told reporters this morning that they have received numerous reports from customers that their phones began showing ransomware messages at midnight GMT.

“We are negotiating with the attackers to get our systems, and our customers’ phones released,” Mielke announced, “It appears to be the same organization that was behind the BlockKopieren attack on Robotron earlier this year.”

Kate Libby, Senior Researcher with Dragonfire Cyber, explained that the Robotron Betriebstelefon was introduced two years ago to provide cellphone service in chemical facilities and other production areas where there was need for intrinsically safe devices. “The Robotron phone is rated for service in Class 1, Div 1 areas where a spark could ignite flammable atmospheres. They added industrial services to the phone that allowed secure communications with Rockwell control systems.”

Robotron’s web site explains that owners of their industrial phones can receive control system alarms and access data from the company’s data historian. The phones are keyed to specific installations to allow for encrypted communications.

That earlier attack cost Robotron €6 million in ransom and caused a 30% drop in share price. The company’s stock price had just about returned to the pre-attack price last Friday before trading was stopped at 4:00 GMT when Robotron announced the most recent attack.

General Buck Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), told reporters this morning that they have received notifications from a number of their covered facilities about the problems with the Robotron phones.
“The data diodes used in the phone system ensure that problems in the phones cannot be transmitted into the supported control systems,” Turgidson explained, “But facilities with the phones have expressed their concerns about the problems with the phones to both the CI-SOC and Robotron.”

Dade Murphy, CTO of Dragonfire Cyber, confirmed that his organization had teams at each of the facilities affected by the phone attacks. “While we have no indications that the attacks have spread to the facility control systems, we are taking extra precautions,” Murphy explained. Dragonfire has previously vetted the phone system for use in secure facilities.

An unnamed security researcher at Robotron has been quoted as saying that the recent ransomware attack was apparently set up in the earlier attack. The company has found indications the previous attack placed a backdoor into the corporate system. The attacker was present in the systems for a much shorter time period during this attack, indicating that the previous reconnaissance data was used in the latest ransomware attack.

CAUTIONARY NOTE: This is a future news story –Future ICS Security News