Chinese Hacking Team Caught Taking Over Decoy Water Plant
A hacking group accused of being operated by the Chinese army now seems to be going after industrial control systems.
A Chinese hacking group accused this February of being tied to the Chinese army was caught last December infiltrating a decoy water control system for a U.S. municipality, a researcher revealed on Wednesday.
The group, known as APT1, was caught by a research project that provides the most significant proof yet that people are actively trying to exploit the vulnerabilities in industrial control systems. Many of these systems are connected to the Internet to allow remote access (see “Hacking Industrial Systems Turns Out to Be Easy”). APT1, also known as Comment Crew, was lured by a dummy control system set up by Kyle Wilhoit, a researcher with security company Trend Micro, who gave a talk on his findings at the Black Hat conference in Las Vegas.
The attack began in December 2012, says Wilhoit, when a Word document hiding malicious software was used to gain full access to his U.S.-based decoy system, or “honeypot.” The malware used, and other characteristics, were unique to APT1, which security company Mandiant has claimed operates as part of China’s army (see “Exposé of Chinese Data Thieves Reveals Sloppy Tactics”).
“You would think that Comment Crew wouldn’t come after a local water authority,” Wilhoit told MIT Technology Review, but the group clearly didn’t attack the honeypot by accident while seeking another target. “I actually watched the attacker interface with the machine,” says Wilhoit. “It was 100 percent clear they knew what they were doing.”
Wilhoit went on to show evidence that other hacking groups besides APT1 intentionally seek out and compromise water plant systems. Between March and June this year, 12 honeypots deployed across eight different countries attracted 74 intentional attacks, 10 of which were sophisticated enough to wrest complete control of the dummy control system.
Cloud software was used to create realistic Web-based login and configuration screens for local water plants seemingly based in Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S. If a person got beyond the initial access screens, they found control panels and systems for controlling the hardware of water plant systems.
None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too easily compromised workings of industrial control systems. Four of the attacks displayed a high level of knowledge about industrial systems, using techniques to meddle with a specific communication protocol used to control industrial hardware.
Wilhoit used a tool called the Browser Exploitation Framework, or BeEF, to gain access to his attackers’ systems and get precise data on their location. He was able to access data from their Wi-Fi cards to triangulate their location.
The 74 attacks on the honeypots came from 16 different countries. Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S. About half the critical attacks originated in China, and the rest came from Germany, U.K., France, Palestine, and Japan.
The results lead Wilhoit to conclude that water plants, and likely other facilities, around the world are being successfully compromised and taken control of by outside attackers, even if no major attack has been staged. “These attacks are happening and the engineers likely don’t know,” he told MIT Technology Review.
Wilhoit previously published the first research that proved some people were actively trawling the Internet with the intention of compromising industrial control systems (see “Honeypots Lure Industrial Hackers Into the Open”). He now plans to put honeypots inside real industrial facilities to attempt to capture details of targeted attacks.
Joe Weiss, managing partner at Applied Control Solutions and an expert in industrial control system security, told MIT Technology Review that he hoped Wilhoit’s findings can convince industrial control system owners and operators to take the threat of attacks more seriously. “The community needs to know there are people explicitly targeting these systems,” said Weiss. “I hope people can understand how valid and real it is, what he’s finding.”