Jesse William McGraw, who pleaded guilty to two counts of transmitting malicious code to systems at the hospital at which he worked (including a SCADA HVAC system’s HMI), was sentenced yesterday at the U.S. District Court for Northern Texas to 110 months of custody, followed by three years of supervised release. He has also been ordered to pay restitution in the amount of $31,881.75. This is according to the latest filing on his case on PACER:

He was facing a maximum of 10 years per count, which is higher than the usual 5 years per count due to the threat to public health and safety. At one point in the case last year, he had signed a plea agreement stating that he would plead guilty in exchange for a maximum sentence of 6 years. This fell through, however, when he reneged on the deal by pleading innocent on his next appearance in court. He was then re-indicted for 14 counts, which were dropped after he agreed to (and did) plead guilty to the original two counts, outside the scope of any agreement.

On a personal note, I feel that this is a fair sentence considering the circumstances. His actions jeopardized the safety of innocent people, and he attempted to destroy evidence and hinder the investigation after he was taken into custody. Even after he finally pleaded guilty, he continued to blame everyone but himself, as you can see in his “cross-site scripting tunneling” story he posted, or had someone post for him, from prison three months ago.  I originally felt very sorry for him, though it’s hard to have any sympathy for someone that has continually acted against his own best interests as long as he has.

The rest of the “Electronik Tribulation Army” have gone relatively quiet. Maybe this will be a wakeup call for them to get out of this game.

UPDATE: A good post on this from the folks at the Dallas Observer:

If you’re new to the site, these are the previous posts this is a followup to:

 

Today, the US Attorney’s Office announced that Jesse “GhostExodus” McGraw has entered a guilty plea on two charges of transmitting a malicious code.  Jesse had compromised more than 14 computers at the Carrell Clinic in Dallas, Texas, where he worked as a night-shift security guard.  This included the system running the HMI (Human Machine Interface) for the hospital’s HVAC system.  To the best of my knowledge this is the only arrest and conviction of a hacker involved in a control systems/SCADA incident in the United States.

This story began last year, when I became aware of the HVAC compromise, and gathered information about it to turn over to the FBI.  Throughout the process, I have been very impressed with the technical skill and responsiveness of the FBI agents.  I am also very happy with this outcome.  This may serve to educate organizations with control systems about the threats and vulnerabilities that are possible, and put other “script-kiddie” type hackers on notice that they can be tracked down and prosecuted for their actions.

The press release for the guilty plea is not yet available on the DOJ website, but the following articles are available:

I have a large collection of PDFs of court filings for this case, which I may post with commentary at some point soon, now that he has entered a guilty plea.  The PDFs make for interesting reading and a wild ride, and I don’t know of any other resources that have good documentation of a hacker case.  I’m looking forward to going through them again.

 

Last week, Michael Farnum, of the excellent An Information Security Place podcast asked me if I would like to be interviewed for the show.  Michael’s one of my favorite folks to follow on twitter (@m1a1vet) and a really nice guy, so I agreed and we recorded on Monday afternoon.  Prior to this, I hadn’t used Skype or my headset since last year when I was on Securabit talking about DNS vulnerabilities!

Episode 25 of the podcast is Michael’s interview with me.  We discuss the GhostExodus incident, and spend some time afterwards talking about SCADA and control-systems security.  It was very casual and candid, and I had a great time.  The episode is available here:

…although I recommend subscribing to the podcast to keep up with new episodes of it.

 
Tomorrow morning, I will be giving a lecture to the CS4243/6243 Information and Computer Security class at Mississippi State University.  It will cover the events that led up to, and followed from, the arrest of Jesse “GhostExodus” McGraw on charges of installing malicious code onto hospital computer systems, including a system that was the HMI (Human-Machine Interface) of the SCADA system controlling ventilation, air-conditioning, and various aspects of the surgery wing.

The purpose of the talk is to cover some of the more interesting points of evidence that were gathered, documents surrounding the arrest and indictment, and some of the aftermath.  To give the students some practical skills to take away, I’ll be discussing some of the methodology used that would be applicable when responding to other incidents.  It’s difficult to fit everything into a 50-minute lecture, but I believe I’m hitting the most interesting and entertaining points, and will be happy to go into more detail with smaller groups of interested students afterwards.

I am making the slides available here; however, you will notice that they mostly consist of images and screengrabs for me to use as talking points.  While they may or may not be interesting standing alone, I’ve uploaded them primarily to serve as a reference for the students that have attended the lecture.

If I’m happy with how the lecture goes, I may use it as a reference to record some narration on top of the above slides and make it available on this site.

If you are in the area and wish to drop in on this lecture, you are welcome to do so.  It will be at 9:00 AM, Monday August 31, in Butler 103.

If you are a student in the class, coming here for the slides, and are new to the site, these are the posts related to this lecture:

 

Nicholas Leali at the Cisco Security Community blog has posted an excellent summary of the security lessons that can be learned from the control systems incident at Carrell Clinic:

Nicholas was kind enough to contact me for comments in the process of writing this article, as well as link back to this site.  He has done an excellent job of summarizing the precautions an organization can take to minimize the risk of a similar compromise, including physical access control, more careful vetting of employees, and rotating guards.

It’s a good article, and I recommend anyone following the incident on this site to check it out.

 

Just found out via the Dallas Observer’s blog that Jesse “GhostExodus” McGraw has been indicted by a federal grand jury, and has been charged with two counts of “transmitting a malicious code”, in reference to the malicious code he allegedly installed on computer systems at a hospital in the Dallas area:

If convicted, he faces up to 10 years in prison, and $250,000 in fines and restitution.

Meanwhile, the remaining members of ETA are a lot more quiet than they used to be.  XXxxImmortalxxXX, now also known as “system666”, is still a member of ETA, according to his signature on this forum, despite being the one that inadvertently tipped me off to GhostExodus’ activities:

The Fixer, a member, or at least former member, is confused about the difference between the script kiddie hacker group ETA and the Basque separatist group ETA (“Euskadi Ta Askatasuna”):

If you’d like to catch up, here are the previous posts in this series:

 

Previous parts (Pre-requisite information.  There will be a pop quiz at the end.):

  • Part 1 – Definitely read the criminal complaint.
  • Part 2 – Watch some videos

In this post I will be displaying and discussing some screenshots that Jesse “GhostExodus” McGraw posted online.  These screenshots were taken on the PC controlling Carrell Clinic’s HVAC system, uploaded to a photobucket account owned by GhostExodus, and linked to in posts on anarchistcookbook.com and warezscene.org (still available there).  When XXxxImmortalxxXX initially bragged to me about hacking this HVAC system himself, he linked the same photobucket images directly, which led me to discover the forum posts that linked the same images.

What you’re looking at in these screenshots, if you’re not familiar with control systems, is Human-Machine Interface (HMI) software.  HMI software represents what would have once been a physical control panel with switches, dials, gauges, and other similar elements.  The software displays the status of various elements of the system, and allows the operator to make changes, either directly (by flipping a switch, for example), or by modifying a parameter that the system automatically tries to maintain or use as a boundary.

Since the HMI for a control system is very specific to that system, HMI software is typically distributed as a combination of IDE (for developing the custom interface) and a runtime (for running the developed system).  HMI systems also implement access control and auditing, features that often serve as a last line of defense for a control system.  While I cannot speak for BACtalk’s security (I have no experience with it yet), a combination of misconfiguration and vulnerabilities in HMI products’ security features can lead to this layer of defense being weak.  Until HMI software security improves, it’s very important to layer defenses around them, with strict control over who can access the systems physically or over a network.

Let’s take a look at the shots (click them to see them at full resolution):

[Screenshot 1: HMI main menu with the “BACtalk Alarm” dialog]

In this shot, you can see what appears to be a “main menu” for the control system, with buttons that take you to other screens that control different sections of the hospital.  The most interesting thing here is the dialog box, “BACtalk Alarm”.  The “Acknowledge” buttons allow an operator to record that he or she has seen the alarm, which should go in an audit log that can be reviewed if there are problems in the future.  An attacker with access to these systems and the associated logs could “acknowledge” alarms that were meant to be seen by operators, and potentially even modify the audit logs.  The criminal complaint against GhostExodus made reference to problems with alarms this specific HVAC system was having after being compromised.
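One way to layer a defense around the audit-log concern above, as an added example that is not code from the original post, from BACtalk or from the case: acknowledgements forwarded off the HMI to a separate collector can be chained with an HMAC whose key never lives on the HMI host, so that an edited or deleted “Acknowledge” record fails verification. The collector key, operator names and timestamps below are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical secret held only by the log collector, never by the HMI host.
COLLECTOR_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def entry_digest(prev_digest: str, entry: Dict) -> str:
    """HMAC-SHA256 over the previous digest and the canonical JSON of the entry."""
    payload = prev_digest.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, payload, hashlib.sha256).hexdigest()


def append_ack(chain: List[Dict], operator: str, alarm: str, ts: str) -> Dict:
    """Record an alarm acknowledgement, linked to the previous record."""
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"seq": len(chain), "ts": ts, "operator": operator,
             "alarm": alarm, "action": "ACK"}
    record = dict(entry, digest=entry_digest(prev, entry))
    chain.append(record)
    return record


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return the index of the first record that fails, or None if the log is intact.

    A rewritten field breaks that record's HMAC; a removed or reordered record
    breaks the sequence number and the link to its predecessor.
    """
    prev = GENESIS
    for i, record in enumerate(chain):
        entry = {k: v for k, v in record.items() if k != "digest"}
        expected = entry_digest(prev, entry)
        if entry.get("seq") != i or not hmac.compare_digest(record["digest"], expected):
            return i
        prev = record["digest"]
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed scenario: two acknowledgements, then an edit and a deletion."""
    chain: List[Dict] = []
    append_ack(chain, "night-ops", "AHU 7 OA Alarm", "2009-01-01T02:14:00Z")
    append_ack(chain, "night-ops", "AHU 4 OR Alarm", "2009-01-01T02:15:30Z")
    edited = [dict(r) for r in chain]
    edited[0]["operator"] = "day-ops"      # someone rewrites who acknowledged
    deleted = chain[1:]                    # the first record is dropped
    return {"intact": verify_chain(chain),
            "edited": verify_chain(edited),
            "deleted": verify_chain(deleted)}
```

The chain only proves integrity of what reached the collector, so the forwarding itself still has to be protected; it does not stop an attacker with HMI access from clicking “Acknowledge”, it makes that click and any later cover-up visible.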

[Screenshot 2: floorplan of the area containing OR 2 through OR 5]

Here, we see a floorplan for an area of the hospital containing some operating rooms (OR 2 through OR 5).  Among other things, you can see the open/closed status of the vents in various rooms.  The buttons to the right of these statuses could be controls to toggle them.  I’m not really sure what the weird gray graphic between/overlapping the status of “AHU 7 OA Alarm” and “AHU 4 OR Alarm” is.  If you have a guess, leave a comment. (Never mind, glitch in GIMP.)

Note that since HMI interfaces are custom-designed in an IDE for the purposes of each control system, the user interfaces are not always self-explanatory.  Operators have to be trained to understand the elements of each system.  This one’s not really that bad compared to a lot of them, though.

[Screenshot 3: “Surgery Center” parameter list]

This is the scary one.  It’s a list of parameters for systems in a “Surgery Center” or operating room.  Here, an operator (or attacker) can modify the temperatures and levels at which pumps kick in, or shut things on and off.  I’m not familiar with hospital control systems, and especially not with those involved in surgery, but I imagine that changes made to these systems could wreak some havoc.

These screenshots were posted by GhostExodus on the warezscene and anarchistcookbook forums with the following text:

Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor. Like this you see below. An HVAC server. An HVAC is: HVAC (pronounced either “H-V-A-C” or “H-vak”) is an initialism or acronym that stands for “heating, ventilating, and air conditioning”. HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments yay for wiki

In reality, GhostExodus compromised the system with physical access as a night security guard.  It is not known if this HMI was “legitimately” accessible remotely with RDP or similar protocols.  It was revealed in the criminal complaint that malicious software allowing for remote access was confirmed to be installed on the system.

GhostExodus followed up in the same thread on warezscene with this post:

nice. You almost can’t help it ya know. It must be done!

Hopefully this isn’t something many people feel compelled to do.

 

If you haven’t read Part 1 of this story, then you really ought to take a look at it first.  It serves as a good overview, and the criminal complaint filed by the FBI is a good read.

Yesterday afternoon was GhostExodus’ detention hearing.  I’m not very familiar with the process one goes through after being arrested for something like this, so I had to look up what this meant.  I found the following site which, I believe, explains detention hearings well:

(Looks like a cool site beyond this, even.  Kind of a legal equivalent to the blog I run here.)

I was informed yesterday afternoon that the Judge in this case found that there was probable cause to detain Jesse McGraw while the case is pending.

Here are some links to the coverage this is getting.  I’m linking articles that I think my readers would enjoy, especially those where the reporters were thorough enough to contact me personally to get the stories:

The members of the press I’ve talked to on the phone and over IM have been very nice.  There are many more stories than this; you can poke around on Google News if you like, but your best source of technical information for fellow security and control-systems folks is going to be right here, of course :)

Now, time to break out the popcorn.  Here are two of the most interesting videos that were posted to GhostExodus’ youtube accounts.  It’s my understanding that these videos were played in court yesterday.  After each video, I’ve summarized some points of interest:

  • “Post July 4th” is a strange choice of title here, as it’s before July 4th, and in preparation for the attacks scheduled for the 4th
  • He’s recording this by holding his laptop in front of him (reflections in elevator)
  • Claims to have infiltrated corporate offices, but it’s obviously a medical facility
  • Watch for medical charts and such on the walls when he sits down
  • Appears to be the collar of a security guard uniform peeking out of the top of the hoodie
  • The FBI identified this computer at the clinic by the toy flamingo on top of the monitor

  • This was recorded at a desk at the hospital where McGraw was a security guard.
  • I thought about buying one of those camera pens until I saw this.  Not inconspicuous.
  • Showing off your fake FBI credentials on youtube isn’t very smart.

I will continue this series with more posts, discussing the HVAC compromise, how I came to be aware of it, and the techniques I used to gather information on the suspect.  Still pooped from talking to so many people about this, but I’m enjoying spreading the gospel of control-systems security ;)

 

My phone has been blowing up most of the day about this. To sum it up: On the evening of the 18th, a script kiddie that was involved in a previous post on this site (“Perl Hacking is Dead”), XXxxImmortalxxXX, contacted me and began to brag about hacking a hospital’s HVAC system. Upon further googling, it became apparent that XXxxImmortalxxXX was lying to me, and that it was the leader of the group Immortal had joined that allegedly carried out the attack. This attacker went by the name of “GhostExodus”.

As most of my readers here know, my research area is control systems/SCADA, specifically human-machine interface (HMI) software. Being involved in a field that involves elements of our critical infrastructure, I know how serious an incident involving a hospital’s HVAC system can be. Screenshots taken by the attacker showed an HMI that gave the user control over many elements of the hospital, including pumps and chillers in the operating room. Messing around with a system like this can seriously impact the health and safety of the patients.

I spent a large amount of time that weekend gathering up information on GhostExodus, and his hacker group, the “Electronik Tribulation Army”. Monday, I met with my major professor at Mississippi State University’s Critical Infrastructure Protection Center, where I work as a Ph.D. research assistant. I presented the information I had found, and we contacted the Texas attorney general’s office and the Jackson, MS FBI office, where we already had contacts. For the rest of the week, I cooperated with the FBI by sharing the information that I had found. GhostExodus was picked up by the FBI on Friday night.

I plan on sharing more, because there’s a huge amount of interesting data, images, and video involved with this case. The alleged attacker uploaded many videos of his actions to Youtube and other sites, and when I put it all together into a coherent lecture, it should be pretty informative and entertaining. Until then, there’s plenty of media coverage of the arrest:

Google News shows over 170 related stories.

The best and most accurate thing to read, however, is the criminal complaint against “Jesse William McGraw”. I have been informed that this is part of public record, however I have taken the liberty of editing out SSNs, DLs, VINs and such on this copy:

(Edit: moved it offsite, because it was chewing a lot more bandwidth than you’d expect.  You can read it online or download it from the above link.)

If you’re reading the above, I’m “CW-1”.

I plan on keeping you updated on further developments and more information as this progresses. There will also likely be some very interesting multi-media talks and lectures I can give on this, so if you want me to take the show on the road, get in touch.

For now, though, I’ve had a long day, and I shall rest :)

 

Yesterday, I posted a link to the advisory in GE Fanuc’s knowledge base.  For today, here are some more links of interest regarding these vulnerabilities:

The latter two links actually credit us with discovering and reporting the vulnerability.

© 2012 McGrew Security