Slashdot Mirror


Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant

holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

14 of 214 comments

  1. InSANE -- why...?!!! by Anonymous Coward · · Score: 5, Insightful

    Why are critical systems on the 'net?
    They functioned perfectly 30 years ago without the internet...

    CAPTCHA = 'yourself'

    1. Re:InSANE -- why...?!!! by AHuxley · · Score: 3, Insightful

      Re: "Why are critical systems on the 'net?"
      So one lower-cost, union-free engineer can be contracted to look over many subsystems from a great distance,
      vs. having local technical staff who need paying and pensions. Local staff over time may get to know their legal rights and fight for their wages - state and federal.
      You also had heavy commercial lobby efforts to update State control systems to 'save' cash long term.
      Products using industrial "solutions" created for secure site networks were spread over vast state or regional networks via the 'internet' or 'wireless'.
      i.e. States trying to get rid of on-site long-term union staff and great sales reps moving around cities and states with networks to sell.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:InSANE -- why...?!!! by plopez · · Score: 4, Insightful

      you forgot "Based in Bangalore" in regards to the low cost engineer

      --
      putting the 'B' in LGBTQ+
    3. Re:InSANE -- why...?!!! by postbigbang · · Score: 4, Insightful

      Yeah! Fun! Saves money!

      Here are the downsides: you're attacked at every IPv4 address about 100x a day by the bots, and much more densely if you look interesting. Without an air gap, you expose all your stuff to a bunch of hackers ranging from script-kiddies to those with power tools. None of them wants your PLC to run after they tweak a few knobs.

      Multiple authentication and encryption methods (see the https attacks 'announced' at Black Hat) are becoming child's play. All of the incredible engineering that these things have gone through hasn't had the funds needed/expended towards making them brutally difficult to crack. It's always an afterthought after the sales guy leaves.

      It's also my biggest problem with the IEEE-- lots of wonderful protocols. Security is an afterthought, rather than being built from the onset into each platform. Look at the ludicrousness of WEP and WPA1. Tell me these guys were thinking. Sure, glorious and fast, and with security as paper-thin as can be.

      --
      ---- Teach Peace. It's Cheaper Than War.
    4. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 0, Insightful

      but all this cybersecurity nonsense the government wants to impose is part of the cost of putting everything online. and if it's going to cost us our freedoms and if it's going to cost all this taxpayer money then it's not really saving us any money.

      "So one lower cost, union free, engineer can be contracted to look over many subsystems from a great distance.
      vs having local technical staff who need paying and pensions. "

      and do you really think having someone remotely monitor the system is going to reduce or eliminate the need for local staff? Is that how it ever works in reality? Or is that some fantasy land you made up? You still need local staff.

    5. Re:InSANE -- why...?!!! by RocketRabbit · · Score: 0, Insightful

      You're such a fuckin' commie with your labor union speak.

      This has nothing to do with unions, and everything to do with modernization of systems, and the Siemens company.

  2. Bull by WGFCrafty · · Score: 5, Insightful

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

    Uhhhhhh Stuxnet was an exploit of Siemens' industrial control systems which regulated the RPMs of centrifuges....

    1. Re:Bull by CriminalNerd · · Score: 4, Insightful

      His point was that industry systems in the US (and outside of Iran) are also prone to attack, and that it's not just some security paranoia that the site manager could just brush off so he can get to the admin controls via Remote Desktop.

  3. Why are critical systems on the 'net? by ridgecritter · · Score: 4, Insightful

    In part, perhaps because 30 years ago the advantages of/needs for large scale efficiency and coordination weren't so great as today? Isolated systems may have higher operations costs and may not efficiently integrate into big systems, but they tend to have few or no remote attack vulnerabilities. Bottom line: economics favor connected systems, and anything on the net can be pwned.

    1. Re:Why are critical systems on the 'net? by jon3k · · Score: 3, Insightful

      Which is why MPLS exists and we build private WANs. The REAL answer here is because Pointy-Haired-Boss wants to be able to login from home,

    2. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 3, Insightful

      MPLS exists to economically sell VLANs over shared networks. You put your security in the hands of a 3rd party. Just hope they built a good network.

      The PHB is often not a manager, but a clueless engineer who spends $10,000,000 to build a SCADA network air-gapped from the IT's LAN, then sets up a computer on the LAN and SCADA with remote login enabled, and AAA managed by local user accounts on an XP system. Then, when a problem happens, goes to the COO and complains that IT is not letting him do his job.

      Don't laugh, I've seen it multiple times. Every time with oil drillers, one of which owned the Deepwater Horizon, the others in Alaska.

    3. Re:Why are critical systems on the 'net? by rtb61 · · Score: 1, Insightful

      More sensibly under law, all remote control systems for essential infrastructure should be banned unless they can be guaranteed (as in you 'WILL' go to prison) secure. Can't secure it to that level, then don't do it, because you do not have the right to privatise the minimal gain profits whilst socialising the huge cost of failure (including lives lost).

      Quite simply this provides only two things. First, honey pots are really good at attracting and focusing attention and should be inserted on all high security systems, to draw attacks and allow investigatory follow up. Second, it is a really bad idea to put high-risk-of-life infrastructure under across-the-internet remote control; if you do, you should pay the full criminal penalty for when your security is broken.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:Why are critical systems on the 'net? by plover · · Score: 4, Insightful

      So you would have the city leasing expensive lines between plants? I've not met too many people who complained their taxes and water rates were too low, and that they wanted the same service with more security and were willing to pay extra for it. I do, however, see a constant parade of talking heads on TV who bitch incessantly about how high taxes are, how they'll cut taxes when they get in office, or that government budgets should be cut by 10%. Well, their budgets were cut and so the cities cut their corners, and saved whatever money they could, and now their water system is in the hands of hackers. They got exactly what the taxpayers told them they were willing to pay for. We have the exact systems we deserve.

      Could they and should they beef up their security? Of course. But does each water system owner even know if they have a problem? These guys are civil engineers in sleepy little towns, not security wonks. They probably didn't install the ICS themselves, they probably contracted all that out, and among the site survey forms they filled out was "choose your system password (minimum 6 characters)" and trusted the vendor to provide the rest of the security (back in 1993 when they installed it). They might not even know they can change it, or how to change it, or that they need to do something different. Even if they did, the first rule of ICS configuration is "DON'T TOUCH IT!" So don't expect them to get all excited about the chance to make a change.

      They would likely learn a lot more about these problems at their state's annual public works conference, if their city can afford to send them this year, and if their state can afford to hold one.

      --
      John
  4. Re:Actually... by icebike · · Score: 2, Insightful

    The honeypot plants may have been more real than real plants. Chances are real plants have nothing this sophisticated.

    (Some of these honeypots were designed to look like they were "located" in China, Russia, Australia, and Brazil. Did they think the attackers would be fooled by these things? Not all of those places would be running the same model of water plant.).

    Then it says:

    None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too easily compromised workings of industrial control systems. Four of the attacks displayed a high level of knowledge about industrial systems, using techniques to meddle with a specific communication protocol used to control industrial hardware.

    Well which is it? Not too sophisticated, but they busted into his lame decoys easily enough.

    He was able to access data from their Wi-Fi cards to triangulate their location.

    He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is, does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

    Somewhere there are some people chuckling at this guy.

    --
    Sig Battery depleted. Reverting to safe mode.
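
The article excerpt quoted in the comment above says four attacks used "techniques to meddle with a specific communication protocol used to control industrial hardware", and the summary says the decoy mimicked a municipal water plant's control system. The block below is an added illustration of how a decoy of that kind tells protocol "meddling" (write commands) apart from mere reconnaissance (read commands). It is not the researcher's honeypot code and the article does not name the protocol; the example assumes Modbus/TCP, the most common PLC control protocol, and the captured frames are constructed inline for the demonstration.

```python
import struct

# Assumption: the unnamed "specific communication protocol" is Modbus/TCP.
# A Modbus/TCP ADU is a 7-byte MBAP header (transaction id, protocol id,
# length, unit id) followed by a PDU whose first byte is the function code.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    43: "Read Device Identification",
}
READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16}  # these change PLC state: the "meddling" case


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request frame into a record a honeypot would log.

    Raises ValueError on malformed frames so scanners sending junk are
    logged as errors rather than silently dropped.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid} (Modbus uses 0)")
    # MBAP length counts the unit id byte plus the PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame) - 6}")
    pdu = frame[7:]
    fc = pdu[0]
    rec = {
        "tid": tid, "unit": unit, "function": fc,
        "name": FUNCTION_NAMES.get(fc, f"Unknown({fc})"),
        "is_write": fc in WRITE_CODES,
        "address": None, "quantity": None, "value": None,
    }
    if fc in READ_CODES and len(pdu) >= 5:
        rec["address"], rec["quantity"] = struct.unpack(">HH", pdu[1:5])
    elif fc in (5, 6) and len(pdu) >= 5:
        rec["address"], rec["value"] = struct.unpack(">HH", pdu[1:5])
    elif fc in (15, 16) and len(pdu) >= 6:
        addr, qty, bytecount = struct.unpack(">HHB", pdu[1:6])
        rec["address"], rec["quantity"] = addr, qty
        rec["value"] = pdu[6:6 + bytecount]
    return rec


def triage_session(frames) -> dict:
    """Classify a captured session: any write command means state tampering."""
    records, errors = [], []
    for frame in frames:
        try:
            records.append(parse_modbus_tcp(frame))
        except ValueError as exc:
            errors.append(str(exc))
    writes = [r for r in records if r["is_write"]]
    return {
        "records": records,
        "writes": writes,
        "errors": errors,
        "verdict": "tampering" if writes else "reconnaissance",
    }


# Constructed sample capture (not real traffic): a register read, a single
# register write, a multi-register write, and a truncated frame.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),           # read 10 holding regs at 0
    bytes.fromhex("0002 0000 0006 01 06 0010 ffff"),           # write 0xFFFF to reg 16
    bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 00000000"),  # write 2 regs at 0
    bytes.fromhex("0004 0000 0006 01"),                        # malformed: no function code
]

if __name__ == "__main__":
    result = triage_session(SAMPLE_FRAMES)
    for rec in result["records"]:
        flag = "WRITE" if rec["is_write"] else "read "
        print(f"{flag} unit={rec['unit']} {rec['name']} addr={rec['address']}")
    print("errors:", result["errors"])
    print("verdict:", result["verdict"])
```

The interesting signal for an operator is not that something connected, which happens at every routable address, but that a peer sent a function code from the write set; a decoy that only ever expects reads can alert on the first write it sees.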