Cases
TRACK-B — DOE-417 Cyber Incident Report (5941450-1585693)
Track: B (cybersecurity / regulatory disclosure form)
Domain separation: This artifact contains Track B material only. No relationship to TRACK-A-DOE-NE-2026-05-02 — that is an unrelated multi-agency national-security referral that happens to touch DOE. This folder concerns Form DOE-417 electric-emergency-incident reporting.
Role: Filer / registrant of Form DOE-417. Not "original CVE discoverer" — this is a regulator-form filing, not a coordinated vulnerability disclosure. Any technical claim made on the form is preserved here as the filer's narrative, not as adjudicated fact.
Status: 🟢 Strong on the agency-receipt anchor — DOE Emergency Operations Center (NA-40) acknowledgement .eml now on file, double-DKIM-signed by doe.gov (selector q2-2024-pp) and hq.doe.gov (selector selector1), both 2048-bit. 🟡 Filer-claim only on the substantive technical narrative — the Schedule-1 K/L/M narrative remains explicitly un-adjudicated. See Tier framing below.
Case Summary (one paragraph, neutral)
On 2025-12-25 16:50:15 UTC the user submitted Form DOE-417 (Electric Emergency Incident and Disturbance Report) to the U.S. Department of Energy under the working name "Intergalactic Auditing Systems" (a working name / operating pseudonym used for filings; not a registered legal entity). The submission ID printed on the form is 5941450-1585693. The filing checks Schedule-1 criterion #2 ("Reportable Cyber Security Incident as defined in the NERC Glossary of Terms") and criterion #14 ("Cyber Security Incident that was an attempt to compromise a High or Medium Impact Bulk Electric System Cyber System or their associated Electronic Access Control or Monitoring Systems"), Alert Status = Emergency Alert. The Schedule-1 K/L/M lines describe the filer's belief in an active operational-technology cyber event with an asserted hardware-anchored cause, asserted control-center monitoring/communication impact, and asserted forensic-isolation action. Schedule-1 Line B asserts FOIA exemption for "Privileged or confidential information, e.g., trade secrets, commercial, or financial information."
Artifacts (this folder)
| # | File | SHA-256 (short) | Type | Notes |
|---|---|---|---|---|
| 1 | DOE-417-5941450-1585693-2025-12-25.pdf |
d203750ddb65… |
Submitted-to-DOE timestamp header 12/25/2025, 4:50:15 PM UTC. Submission ID 5941450-1585693. Page-footer confirms DOE-received state. |
|
| 2 | DOE-EOC-NA40-acknowledgement-2025-12-25.eml |
5a8ff29de877… |
Inbound .eml |
DOE Emergency Operations Center acknowledgement. Double-DKIM-pass: doe.gov selector q2-2024-pp (2048-bit) and hq.doe.gov selector selector1 (2048-bit). Body: "Watch Office acknowledges your message, thank you very much. Team 3, Emergency Operations Center (NA-44), Office of Emergency Management (NA-40)." |
Note: the DOE-417 PDF was duplicated under filename a49b1637-207a-4f99-a89d-708f6da078cd-12.pdf in an earlier drop — identical bytes (d203750ddb65…), de-duplicated.
Full SHA-256 recorded in master INTAKE-LEDGER.md.
Tier framing — what is anchored vs. what is filer-claim
Anchored (Tier-1 cryptographic strength):
- DOE Emergency Operations Center (NA-40 / Team 3) acknowledgement
.emlis double-DKIM-signed bydoe.govandhq.doe.gov. This is a Tier-1 anchor confirming DOE received and acknowledged the filing. - DNS verification targets:
q2-2024-pp._domainkey.doe.govandselector1._domainkey.hq.doe.gov. - The DOE-417 PDF itself carries DOE-side submission metadata: the "Submitted to DOE" timestamp header on every page (
12/25/2025, 4:50:15 PM UTC), the printed submission ID5941450-1585693, and the OMB form metadata. - Together: the form was filed, DOE received it, DOE's Emergency Operations Center acknowledged receipt on 2025-12-25 under a cryptographically signed agency reply.
Filer-claim only (NOT anchored, even with the DOE acknowledgement on file):
- All Schedule-1 K/L/M narrative content, including the asserted hardware-anchored cause, the asserted codename, the asserted exfiltration volume, and the asserted scope across third-party vendor hardware.
- The DOE EOC acknowledgement confirms receipt and routing, not endorsement of the technical narrative. "Watch Office acknowledges your message" is an intake acknowledgement, not a technical validation.
- This README does not endorse those narrative claims. It documents what was filed and that DOE acknowledged it.
- No CVE has been assigned, no vendor advisory has been issued, no third-party reproduction is on file. Until corroborated, narrative claims are explicitly labeled filer-claim-only.
What this artifact does NOT claim
- It does not claim that DOE has accepted, validated, or acted on the filing.
- It does not assert any CVE / CWE assignment, vendor confirmation, NIST-NVD entry, CISA-KEV listing, or independent reproduction.
- It does not assert that the Schedule-1 narrative is factually correct. It documents that the narrative was submitted to DOE on the date shown.
- It does not publish operational exploitation detail, key material, or any technical instruction that could enable abuse.
- It does not characterise any named vendor (Broadcom, Cisco, Google, Samsung) as compromised; named vendors appear because the filer's narrative names them on the form. Vendor advisories speak for themselves.
- It does not claim "Intergalactic Auditing Systems" is a registered legal entity. It is a working name used by the user for filings.
Why this is Track B (not Track A)
DOE-417 is a mandatory cyber-incident reporting form under Public Law 93-275. Its forum of resolution is DOE's emergency-response posture and (for NERC-registered entities) NERC's incident-reporting regime — both are operational/technical regulators, not whistleblower-jurisdictional offices. The matter therefore lives in Track B.
If/when this technical claim acquires independent corroboration (CVE assignment, vendor advisory, third-party PoC) the case can be split: a sanitized Track B coordinated-disclosure write-up under the strict no-payload rule, and this regulator-form record kept here as the original filing-of-record.
Cross-references
- Not related to
TRACK-A-DOE-NE-2026-05-02(different DOE office, different subject matter, different statutory basis). Track A / Track B separation strictly enforced. - If a CVE later issues for any element of the Schedule-1 narrative, that CVE gets its own Track B case folder; this DOE-417 folder is preserved as the original regulator filing.
Validation steps (run locally)
sha256sum evidence/DOE-417-5941450-1585693-2025-12-25.pdf
sha256sum evidence/DOE-EOC-NA40-acknowledgement-2025-12-25.eml
# DKIM verification of the DOE EOC acknowledgement (anyone can run)
grep -iE "^(From|To|Date|Subject|Message-Id|DKIM-Signature|Authentication-Results):" \
evidence/DOE-EOC-NA40-acknowledgement-2025-12-25.eml | head -30
# Expected:
# Authentication-Results: ... dkim=pass (2048-bit) header.d=doe.gov header.s=q2-2024-pp
# Authentication-Results: ... dkim=pass (2048-bit) header.d=hq.doe.gov header.s=selector1
# OpenTimestamps (run locally with user's own ots client)
ots stamp evidence/DOE-417-5941450-1585693-2025-12-25.pdf
ots stamp evidence/DOE-EOC-NA40-acknowledgement-2025-12-25.eml
Open follow-ups
- Open question to resolve: is "Intergalactic Auditing Systems" used on all of the user's Track B filings, or only on this DOE-417? If used on multiple filings, document it once in
canonical/index.mdrather than per-case. - Address line "1472 N Pole Drive Atlanta, Georgia 30301" reads as a placeholder; the user should confirm whether the filing should be amended with a corrected address-of-record.
- Hold any republication of the Schedule-1 K/L/M narrative until corroboration exists. Do not quote the technical narrative in any public artifact, journalist briefing, or social post originating from this system.
This README is part of the JGoyd Verifiable Evidence System. Strict Track A / Track B domain separation enforced. Filer-claim ≠ adjudicated fact. No relationship to TRACK-A-DOE-NE-2026-05-02.