Question

On May 15th, 2019, ransomware was deployed in large parts of the Baltimore Gas and Electric network creating a series of problems that threaten to disrupt a variety of central services provided by the firm.

Baltimore Gas and Electric

On the morning of May 15th, BGE employees in the payroll department reported their PCs and laptops were not responding. Instead, a screen demanded $52,000 in bitcoin. Initially thought to be a local issue in the payroll department, more computers in the firm have also been affected. Within 6 hours the following services have been impacted: customer service, payroll, human resources, engineering design, and at least one distribution control station’s connected human machine interface (HMI). While no power distribution has been impacted (e.g., the lights are still on), we have had to shut down all admin systems until we can reliably determine if the situation is resolved. All customer service and administration functions are being done by hand. We are unable to move to manual procedures for managing the substations as they are all electronically managed. We will likely deploy humans to field stations and manage them remotely. We are attempting to mitigate the spread through changes in firewall rules and other network administrative functions, but we are not sure if these measures will result in containing the problem. We require a functioning network to maintain power distribution in large parts of the State of Maryland. We think we have it under control, but cannot guarantee it will not get worse.

Federal Bureau of Investigation

The local FBI field team in Maryland, along with members of the US-CERT team, are offering to help BGE. Based on samples provided by the company we have identified the initial vector of attack: a system update from a popular accounting software system. BGE forensics analysis of those machines has identified multiple pieces of malware that were installed; however, we do not know how many devices in the network have been scanned. While the ransomware deployed in the system is the most visible part of the attack, there are other features that point to larger problems. One specific piece of malware, LateralBadger.dll, allows the attacker to move from one device to another. The malware takes advantage of a vulnerability in the operating system and administrator credentials to move around a network. We are continuing to evaluate the malware samples, but we don’t know what additional issues will come of it. We suspect there might be some interest in SCADA control systems, but have not been able to reliably reach that conclusion. However, it is possible that this attack might continue to evolve and lead to loss of power in some cases. The potential for this ransomware to move beyond BGE is high, as we have begun to hear of other firms that might have been affected.

We have identified 2 command and control servers this malware has communicated with. One is in Spain and the other is in Romania. Forensic analysis indicates there are similarities between this malware and another malware used by APT ANGRYBADGER. We do not have information about what threat actor is known to use that C2 infrastructure.

Department of Homeland Security

According to our contacts, over 87% of municipalities leverage the same operating system used by BGE. There currently exists no patch for the identified vulnerability. There is no information from the ISACs on this type of problem. We are reaching out to BIGBAD OS Manufacturer to see if they can release a patch quickly.

Similar problems have been noted with other firms, but thus far seem mostly contained although our analysis has been mainly scoped to members of the electrical sector. We have yet to understand impacts to other sectors.

Director of National Intelligence

The two command and control servers found in Spain and in Romania have been used in other attacks against firms in Germany, France, and the UK. In those cases, the attacks seemed to be focused against electric companies and appear targeted. Technical analysis of the C2 highlights the use of TOR nodes to connect to the servers. The TOR exit nodes used are located in Morocco.

Additional information of LOW confidence indicates that the motivation for the attack might be due to recent sanctions levied on the state of WALRTHUS.

CIA has older information, of Medium confidence, noting that the leader of WALRTHUS is interested in testing cyber attack strategies as a way of getting leverage.

NSA has Low Confidence that another country might have had access to cyber tools developed by WALRTHUS.

WALRTHUS is supported by several countries internationally, including Russia and China, with which it has a deep and lasting military alliance. Russia is an ally of WALRTHUS, and considers an attack on WALRTHUS an attack on itself.

Department of Defense

USCYBERCOMMAND has indicated that it can execute a series of DDOS attacks in response to the BGE attack, but would require Title 10 authorities to do so. It is not well positioned to engineer reciprocal/in-kind attacks given the amount of time and lack of authority to do so. However, given more time it could generate a similar impact. The time required is approximately 6 months.

Department of State

Several WALRTHUS consulates are open in the US. Currently the delegation numbers 500 persons across the United States. Many wealthy government officials from WALRTHUS, including the defense minister and the president’s national security advisor, maintain bank accounts within the United States. Several high-profile government figures and WALRTHUS celebrities visit the US regularly.

Department of Commerce

Annual trade with WALRTHUS tops 100 billion. They currently import corn, soybeans, and poultry from US farmers and are the second largest importer of agricultural products.

Questions:

1. Who was responsible and what were their motivations?

2. How confident are you in the assessment?

3. Does this materially affect your conclusion?

4. Do the events discussed in the memo constitute a public concern and justify government action?

5. If so, what is the policy and/or legal authority from which you are drawing that conclusion?

6. What are the strengths and weaknesses of that approach?

7. How is the government responding to this event?

8. Who is in charge?

9. What are the legal authorities or policies that underpin that response?

10. Should the government respond against the identified perpetrators?

11. If so, what recommendation(s) would you suggest?

12. What are the benefits and drawbacks to your approach?

13. How should the United States organize the defense of critical infrastructure sectors to reduce the probability of the worst type of events occurring?

14. What additional steps can we take with other nations to address this type of problem and ensure we reduce the probability this event happens again?
