‘We’re Back’ Ransomware Targets Chemical Facilities
The National Critical Infrastructure Security Operations
Center (CI-SOC) reported today that it was seeing an increasing number of
chemical facilities being affected by ‘We’re Back’ ransomware attacks. “This
ransomware is specifically designed to disrupt chemical manufacturing
operations,” Gen Buck Turgidson told reporters; “Instead of shutting down
equipment, it typically closes valves at non-critical points in the process and
sends a ‘We’re Back’ message to the HMI controlling that valve.”
The Federal Bureau
of Inquiry is investigating these attacks. “We have only been notified of three
attacks, so far,” Johnathan Quest, FBI spokesperson, said, “We know from anecdotal
reports that many more facilities have been affected.” The FBI is requesting
that any facilities that have been affected by this ransomware contact their
local FBI office.
Turgidson confirmed
that they have been notified of more than three attacks. “We have had some
facilities share information with us on the condition that we specifically do not
report the information to law enforcement,” Turgidson explained. CI-SOC does
not report the incident to the FBI in those cases, but they do share technical
information about the attack.
Kate Libby, a
Technical Director for Dragonfire Cyber which is working with the CI-SOC on
this investigation, told reporters that they have not yet been able to track
down how the ransomware has made its way into the systems. “The previously unidentified
attackers have apparently been in these systems for some time and have erased
their tracks well,” Libby explained. Dragonfire has been able to locate the ransomware
in the systems, it resides in programmable logic controllers (PLC’s). “We have
found multiple copies of the malware in each facility,” she reported; “We are
concerned that this may mean that the attackers may be prepared to re-demand ransom
in the future.”
“We have not yet
been able to identify the group behind the attacks, they are very sophisticated
in their security measures,” Turgidson told reporters, “We do believe that they
are operating out of Venezuela.”
According to the
FBI, efforts to track the bit coins have been unsuccessful, “The WB Group, as
we are currently calling them, transfers funds out of their initial wallets
almost immediately and closes wallets or abandons wallets once used,” Quest
said; “We need to be able to track transactions in real time if we are to have
any hope of shutting these folks down. This is why we need to be informed
immediately about any attack.”
CAUTIONARY NOTE:
This is a future news story –Future ICS Security NewsRead More