Comment Crew Accused of Hacking Water Plant

A security researcher set up a series of dummy water control systems (honeypots) and then watched as they were attacked

Details were revealed by Trend Micro researcher Kyle Wilhoit in a paper presented at Black Hat last week, and now discussed in MIT Technology Review.

"The attack began in December 2012," writes Tom Simonite, "when a Word document hiding malicious software was used to gain full access to [Wilhoit's] U.S.-based decoy system, or 'honeypot.' The malware used, and other characteristics, were unique to APT1, which security company Mandiant has claimed operates as part of China's army."

The Chinese government has always denied any involvement in hacking, and claims that Mandiant's 'proof' is circumstantial. Indeed, in a paper published by Dell SecureWorks last week, the researchers noted that the hackers' use of 'rendezvous servers' made it impossible to locate them.

Nevertheless, Trend Micro's VP of security research Rik Ferguson told Infosecurity, "Geographic attribution is always difficult in these cases – especially if it is based purely on IP address – but in most cases there are other factors to consider (methods, timing, regularity, code examples, reverse lookups of IPs and so on) that all offer complementary information

The real implications of Kyle Wilhoit's research are not that China is supposedly involved (this cannot ultimately be proven), but the extent to which hackers are targeting industrial control systems. He established 12 honeypots in eight different countries, and between March and June this year he noted 74 intentional attacks, "10 of which were sophisticated enough to wrest complete control of the dummy control system."

Wilhoit used cloud software to create what would look like an ICS. "If a person got beyond the initial access screens, they found control panels and systems for controlling the hardware of water plant systems." 

Most of the attacks were unsophisticated, but four displayed a high level of knowledge about ICS. Wilhoit used the Browser Exploitation Framework, or BeEF, to access the attackers' systems and learn more about them. He found that 67% originated from Russia, but that about half of the critical attacks originated in China.

The danger is that, just as his honeypots were successfully compromised, real-world ICS installations may already have been compromised too.
