Anonymous ID: ec7765 April 10, 2019, 7:58 p.m. No.6129867

Mysterious safety-tampering malware infects a second critical infrastructure site

 

Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents. There had been compromises of critical infrastructure sites before. What was unprecedented in this attack—and of considerable concern to some researchers and critical infrastructure operators—was the use of an advanced piece of malware that targeted the unidentified site’s safety processes. Such safety instrumented systems (SIS) are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, a SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents. By focusing on the site’s SIS, the malware carried the threat of physical destruction that, depending on the site and the type of accident, had the potential to be serious if not catastrophic. The malware was alternately named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric. Its development was ultimately linked to a Russian government-backed research institute.

 

Not an isolated incident

Now, researchers at FireEye—the same security firm that discovered Triton and its ties to Russia—say they have uncovered an additional intrusion that used the same malicious software framework against a different critical infrastructure site. As was the case in the first intrusion, the attackers focused most of their resources on the facility’s OT, or operational technology, which are systems for monitoring and managing physical processes and devices.

 

“After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT network,” FireEye researchers wrote in a report published Wednesday. “They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.” Once the attackers in the new attack gained access to the site’s SIS controllers, they appeared to focus solely on maintaining this control. This focus involved strategically limiting other activities to lessen the chances of being discovered.

 

The discovery has unearthed a new set of never-before-seen custom tools that shows the attackers have been operational since as early as 2014. The existence of these tools, and the attackers' demonstrated interest in operational security, lead FireEye researchers to believe there may be other sites beyond the two already known where the Triton attackers were or still are present.

 

Wednesday’s report omits key details about the additional intrusion. It makes no mention, for example, of when the attack occurred, how long it lasted, if it resulted in any unsafe conditions, and whether the malware targeted the same Triconex system as before. A FireEye spokeswoman declined to answer those questions. The report does include a wealth of technical details about the newly discovered tool set and ways the attackers used them to remain hidden inside the infected network. The report also contains indicators of compromise that help identify intrusions. FireEye is urging researchers and network defenders to see if the data matches previously seen attacks.

 

https://arstechnica.com/information-technology/2019/04/mysterious-safety-tampering-malware-infects-a-2nd-critical-infrastructure-site/

Anonymous ID: ec7765 April 10, 2019, 8:12 p.m. No.6130083

US and China agree to establish trade deal enforcement offices, says US Treasury Secretary Steven Mnuchin

 

Mnuchin said that a call with Chinese Vice-Premier Liu He on Tuesday night was productive and that discussions would resume on Thursday

 

US Treasury Secretary Steven Mnuchin said on Wednesday that US-China trade talks continue to make progress and that the two sides have basically settled on a mechanism to police any agreement, including new enforcement offices.

 

Mnuchin, speaking on CNBC television, said that a call with Chinese Vice Premier Liu He on Tuesday night was productive and that discussions would resume on Thursday. “We’ve pretty much agreed on an enforcement mechanism; we’ve agreed that both sides will establish enforcement offices that will deal with the ongoing matters,” Mnuchin said, adding that there were still important issues to be addressed. Mnuchin declined to comment on when or if US tariffs on US$250 billion worth of Chinese goods would be removed.

 

Although US President Donald Trump said recently that a deal could be ready around the end of April, Mnuchin declined to put a time frame on the negotiations, adding that Trump was focused on getting the “right deal”.

 

“As soon as we’re ready and we have this done, he’s ready and willing to meet with President Xi (Jinping) and it’s important for the two leaders to meet and we’re hopeful we can do this quickly, but we’re not going to set an arbitrary deadline,” Mnuchin said.

 

Washington is demanding that China implement significant reforms to curb the theft of US intellectual property and end forced transfers of technology from American companies to Chinese firms. Washington also wants Beijing to curb industrial subsidies, open its markets more widely to US firms and vastly increase purchases of American agricultural, energy and manufactured goods.

 

https://www.scmp.com/news/china/article/3005636/us-china-agree-establish-trade-deal-enforcement-offices-says-us-treasury

Anonymous ID: ec7765 April 10, 2019, 8:20 p.m. No.6130195   >>0224

2 people found dead at prominent Minnesota businessman's home

 

"We don’t see this very often,” the police chief in the lakeside city said. "In any of our communities, this doesn’t happen. So we’re taking this seriously."

 

Two people were found dead at the home of prominent Minnesota businessman Irwin L. Jacobs, according to authorities and public records. The bodies of a man and a woman were discovered at the home after a call came in at 8:30 a.m. local time, the Orono Police Department said Wednesday. Both bodies were found on a bed, according to NBC affiliate station KARE in Minneapolis. The Hennepin County Medical Examiner’s Office is working to determine the two people’s identities and their causes of death.

 

Property records list Jacobs and his wife, Alexandra Jacobs, as the owners of the house in Orono, a city on the shore of Lake Minnetonka, KARE reported. A handgun was found on the bed, Orono Police Chief Correy Farniok told reporters at a press conference. Farniok said he could only release limited information on the active investigation, but he emphasized there is no threat to the community. "We don’t see this very often,” he said. "In any of our communities, this doesn’t happen. So we’re taking this seriously. We’re looking at this from every aspect."

 

Jacobs, 77, was billed a "Minneapolis takeover artist" by Fortune magazine in 1985, according to KARE. He made a fortune as a corporate raider who bought and liquidated failing companies at a profit, according to the Minneapolis Star-Tribune. His Genmar Holdings became one of the country's biggest builders of boats but filed for bankruptcy in 2009, KARE reported. Jacobs still owns several businesses.

Anonymous ID: ec7765 April 10, 2019, 8:27 p.m. No.6130269

Muslim Migrants Bomb Minister Matteo Salvini’s Party Office

 

Migrants Investigated Over Bombing of Populist Salvini Party Office

A pair of Moroccan migrants in Italy are under investigation in connection with the bombing of an office of populist Interior Minister Matteo Salvini’s League party.

 

The attack occurred in January and saw the front door of the League office in San Valentino Torio damaged following an explosive blast that was downplayed by left-wing politicians as “Christmas fireworks,” Il Giornale reports. Prosecutors say that the two main suspects in the attack are 41-year-old Abderrahim S. and 37-year-old Moktar J. who are being investigated under suspicion of detonating explosives. The pair were identified with the help of CCTV footage.

 

Mariano Falcone, regional deputy coordinator for the League in Salerno, said that while the damage to the building was not extensive, “It is an attack against Matteo Salvini and against the League” and called the attack “disturbing.” “We must not let our guard down,” Falcone said and warned of new groups behaving like the far-left terrorists who committed acts of violence in Italy in the 1970s.

 

One such far-left terrorist, Cesare Battisti, recently admitted to murdering several people during that era after being deported from Brazil by populist president Jair Bolsonaro. The incident is not the first time Salvini’s party offices have been attacked with explosives. In August last year, an office in Treviso was attacked with far-left Antifa anarchists later taking responsibility for the bombing online. The attack consisted of two separate explosive devices, one meant to attract police and others to the area where a second one, filled with nails and metal fragments, would then go off. Police were able to disarm the second device before it exploded. While it is mostly far-left groups behind attacks or calls for attacks on Salvini, the Salerno case is different in that the suspects appear to be migrants. It also comes after another migrant, 47-year-old Senegalese national Ousseynou Sy, attempted to set a bus full of children on fire, citing revenge against Salvini and his anti-mass migration policies.

 

https://gellerreport.com/2019/04/migrants-bomb-italy-salvini.html/