Critical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center

September 22, 2021



(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.


Situational Awareness

The FBI announced Tuesday a person has been arrested in connection with two explosive devices found last week outside two northern Michigan cellphone stores. The explosive devices were found Thursday, Sept. 16 with threatening notes outside cellphone stores in Cheboygan and Sault Ste. Marie in Michigan’s Upper Peninsula. Law enforcement officers and bomb technicians from the Michigan State Police and the FBI responded to the locations and rendered the devices safe, the FBI said. Both devices were packaged inside USPS Priority Mail boxes, sealed with black duct tape, and placed outside the cellphone stores. There were threatening notes addressed to Verizon and AT&T on the top of each box. The notes were signed either “HJ” or “Handcuff Johnny.” The letters “CMT” were written on each box. Moreover, authorities believe these devices are related to a series of letters found in the Upper Peninsula last month. The letters, claiming to be from the “Coalition for Moral Telecommunications” (CMT) were found at multiple telecommunications tower sites across the UP. The letters made specific demands to the telecommunications companies, the FBI said. An arrest was made Monday night, the FBI announced Tuesday. Charges are pending.


The US Treasury Department announced on Tuesday that it was going after Russia-based cryptocurrency exchange Suex for facilitating ransomware payments, in one of the first public, concrete actions taken against ransomware groups. Last week, the Wall Street Journal reported that the Treasury Department was planning some sort of ransomware-related sanctions, but US officials explained its plans in detail on Tuesday. The Department of the Treasury's Office of Foreign Assets Control (OFAC) said Suex was being sanctioned for its role in facilitating "transactions involving illicit proceeds from at least eight ransomware variants." Data showed that more than 40% of Suex's transactions involved "illicit actors," according to the Treasury Department, which added that virtual currency exchanges like Suex are "critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity." US officials said it was the first sanctions designation against a virtual currency exchange and was done in coordination with the FBI. They noted that not all virtual currency exchanges are working with ransomware actors and explained that some are often exploited by malicious actors. But a number of exchanges work directly with ransomware gangs to increase profits. "As a result of today's designation, all property and interests in property of the designated target that are subject to US jurisdiction are blocked, and US persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked," the Treasury Department said of Suex. "In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. Today's action against Suex does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant."



Cybersecurity researchers on Tuesday disclosed details of an unpatched zero-day vulnerability in macOS Finder that could be abused by remote adversaries to trick users into running arbitrary commands on their machines. "A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user," SSD Secure Disclosure said in a write-up published today. Park Minchan, an independent security researcher, has been credited with reporting the vulnerability, which affects macOS Big Sur and prior versions. The weakness arises from the manner in which macOS processes INETLOC files — shortcuts to open internet locations such as RSS feeds, Telnet connections, or other online resources and local files — resulting in a scenario that allows commands embedded in those files to be executed without any warning.
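Because the write-up quoted above says the risky files arrive as email attachments, a defender's first check is simply to flag messages carrying an attachment with the inetloc extension (matched case-insensitively, since an upper- or mixed-case extension would still be handled by Finder). The following is an added example, not code from SSD Secure Disclosure or the brief; the sample message it parses is constructed inline, and the function and constant names are this example's own:

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extension named in the SSD write-up; extend the set if your mail policy blocks others.
RISKY_EXTENSIONS = {"inetloc"}


def build_sample_message() -> bytes:
    """Construct a sample .eml for this example (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("Please see the attached files.")
    # Attachment with a mixed-case inetloc extension; contents are a placeholder.
    msg.add_attachment(b"placeholder contents",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice.INETLOC")
    # A benign attachment that the check should leave alone.
    msg.add_attachment(b"%PDF-1.4 placeholder",
                       maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


def risky_attachment_names(raw_message: bytes, risky_exts=RISKY_EXTENSIONS) -> list:
    """Return the filenames of attachments whose extension is in risky_exts.

    Only the declared filename is inspected, so this is a policy/triage check,
    not content analysis.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        if ext in risky_exts:
            hits.append(name)
    return hits


if __name__ == "__main__":
    flagged = risky_attachment_names(build_sample_message())
    print("Flagged attachments:", flagged)
```

The check relies on the declared filename only; it is a triage rule for a mail gateway or mailbox sweep, and it does not examine the attachment contents or follow the shortcut the file points to.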


VMware warns customers to immediately patch a critical arbitrary file upload vulnerability in the Analytics service, impacting all appliances running default vCenter Server 6.7 and 7.0 deployments. vCenter Server is a server management solution that helps IT admins manage virtualized hosts and virtual machines in enterprise environments via a single console. "This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server," said Bob Plankers, Technical Marketing Architect at VMware. "In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible."



Illinois communities that have long depended on coal industry jobs won’t be left empty-handed under the state’s massive new clean energy law. A “just transition” for coal mine and power plant workers is a central component of the legislation signed last week by Gov. J.B. Pritzker. The law will close all fossil fuel plants by 2045, though most of the state’s coal plants were already slated to close within a decade. Municipal leaders and advocates had envisioned fossil fuel companies paying to replace lost tax dollars, retrain workers, and fund community-driven projects to transform the sites of fossil fuel plants — including by developing renewable generation or other clean projects on-site. What ended up in the new law are scaled-down versions funded by ratepayers, with the state Department of Commerce and Economic Opportunity — a long-time backer of the state’s coal industry — deciding how much funding is needed and for what projects. There are incentives for energy storage at the site of five specific coal plants, and for solar on the site of coal plants or mines. While the programs are not all that advocates had hoped for, many are still lauding the provisions as promising parts of a historic law. Now much depends on the implementation, from rule-making in a state administrative body to outreach and participation by local leaders. As this process unfolds, advocates say it is crucial to ensure communities have a real say in the commerce department’s decisions.



The Federal Trade Commission (FTC) issued a policy statement emphasizing that health apps and connected device companies must comply with the Health Breach Notification Rule. The rule requires vendors that collect sensitive health data to notify consumers when they experience a data breach. The FTC issued the Health Breach Notification Rule in 2009 in order to strengthen security protections for web-based businesses. While HIPAA covered entities are required to comply with data breach notification rules, vendors who collect protected health information (PHI) often get overlooked. “The Rule was issued more than a decade ago, but the explosion in health apps and connected devices makes its requirements with respect to them more important than ever,” the policy statement explained. “The FTC has advised mobile health apps to examine their obligations under the Rule, including through the use of an interactive tool. Yet the FTC has never enforced the Rule, and many appear to misunderstand its requirements.” The rule applies to vendors of personal health records that contain identifiable health information created or received by healthcare providers. The FTC explained that under this definition, health app developers are healthcare providers because they furnish healthcare services. As such, they are obligated to comply with the Health Breach Notification Rule. The FTC emphasized that its definition of “personal health record” is “an electronic record that can be drawn from multiple sources.” “The Commission considers apps covered by the Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (‘APIs’).”



Iowa-based farm services provider NEW Cooperative Inc said on Monday its systems were offline to contain a “cybersecurity” incident just as the U.S. farm belt gears up for harvest. The cooperative operates grain storage elevators in the top U.S. corn producing state, buys crops from farmers, sells fertilizer and other chemicals needed to grow crops, and owns technology platforms for farmers that provide agronomic advice on how to maximize their harvests. “We have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” NEW Cooperative Inc said in a statement. “We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation.” Several grain storage elevators operated by NEW Cooperative contacted by Reuters were open. The timing of the attack makes it crucial that NEW gets its systems back online as soon as possible, as many farmers will start their combines this week and begin delivering crops to NEW’s elevators across Iowa, said Don Roose, president of U.S. Commodities in West Des Moines, Iowa. “They have got you boxed into a corner,” Roose said. “Harvest is right now. This is the week that we are just starting to ramp up harvest, particularly for soybeans.” Cybersecurity has risen to the top of the agenda for the Biden administration after a series of high-profile attacks on network management company SolarWinds Corp, the Colonial Pipeline’s oil network, meat processing company JBS, and software firm Kaseya. The attacks hurt the United States far beyond just the companies hacked, affecting fuel and food supplies.



Getting Around Illinois is a web-based interactive mapping site that provides the ability to search and display several sources of transportation data. You can find information on winter road conditions, annual average daily traffic, road construction, trucking routes, and planned road projects.


A bus driver shortage forced a suburban school district to switch some of its schools to remote learning Tuesday, closing multiple schools to students. Community Unit School District 308 in Oswego wrote in an "urgent message" early Tuesday that "due to a large number of bus driver absences today, we cannot accommodate transportation for all students." The shortage forced the district's high school and junior high into remote learning, with officials saying the school buildings are not open for student attendance. Staff would still need to report to classrooms, however. Early learning classes were also canceled Tuesday, except for the district's Deaf and Hard of Hearing program. Elementary schools would remain open for in-person attendance and buses would still run, though "large delays" were expected. Bus driver shortages have been reported across Illinois and the country. More than 2,000 Chicago Public Schools students and their families faced a major disruption as the school year began last month when approximately 10% of bus drivers contracted to work for the district resigned the week of Aug. 23, a sharp increase driven by COVID-19 vaccination requirements. CPS is offering affected families stipends of $1,000 for the first two weeks and $500 the following months. The city is also exploring the possibility of creating partnerships with rideshare companies, such as Uber or Lyft, to offer transportation for students when buses aren't available. Amid a national school bus driver shortage, the Massachusetts National Guard is being activated to help get kids to schools at the start of the new year.



Illinois’ latest COVID-19 numbers suggest most of the state may have gotten through the worst of the Delta variant storm — for now — but downstate hospitals are still being stretched thin. The Illinois Department of Public Health on Tuesday reported 3,002 new cases of the disease were diagnosed among almost 74,000 tests, lowering the average statewide case positivity rate to 3.4%, its lowest point since late July. After two months of exponential increases, daily caseloads now have been on the decline since Labor Day weekend. New hospital admissions have trended downward, too, with the 2,039 COVID-19 patients hospitalized Monday night marking a 10% decrease since last week. In Chicago, the improvement has been even more pronounced. The city’s positivity rate is down to 3%, with average daily cases down 8% since last week and hospital admissions down 50%.
