Slashdot Mirror


Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant

holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

7 of 214 comments

  1. InSANE -- why...?!!! by Anonymous Coward · Score: 5, Insightful

    Why are critical systems on the 'net?
    They functioned perfectly 30 years ago without the internet...

    CAPTCHA = 'yourself'

    1. Re:InSANE -- why...?!!! by plopez · Score: 4, Insightful

      You forgot "Based in Bangalore" in regards to the low-cost engineer.

      --
      putting the 'B' in LGBTQ+
    2. Re:InSANE -- why...?!!! by postbigbang · Score: 4, Insightful

      Yeah! Fun! Saves money!

      Here are the downsides: you're attacked at every IPv4 address about 100x a day by the bots, and much more densely if you look interesting. Without an air gap, you expose all your stuff to a bunch of hackers ranging from script-kiddies to those with power tools. None of them wants your PLC to run after they tweak a few knobs.

      Multiple authentication and encryption methods (see the https attacks 'announced' at Black Hat) are becoming child's play. All of the incredible engineering that these things have gone through hasn't had the funds needed/expended towards making them brutally difficult to crack. It's always an afterthought after the sales guy leaves.

      It's also my biggest problem with the IEEE: lots of wonderful protocols. Security is an afterthought, rather than being built from the onset into each platform. Look at the ludicrousness of WEP and WPA1. Tell me these guys were thinking. Sure, glorious and fast, and with security as paper-thin as can be.

      --
      ---- Teach Peace. It's Cheaper Than War.
  2. Bull by WGFCrafty · Score: 5, Insightful

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

    Uhhhhhh, Stuxnet was an exploit of Siemens' industrial control systems which regulated the RPMs of centrifuges...

    1. Re:Bull by CriminalNerd · Score: 4, Insightful

      His point was that industry systems in the US (and outside of Iran) are also prone to attack, and that it's not just some security paranoia that the site manager could just brush off so he can get to the admin controls via Remote Desktop.

  3. Why are critical systems on the 'net? by ridgecritter · Score: 4, Insightful

    In part, perhaps because 30 years ago the advantages of/needs for large scale efficiency and coordination weren't so great as today? Isolated systems may have higher operations costs and may not efficiently integrate into big systems, but they tend to have few or no remote attack vulnerabilities. Bottom line: economics favor connected systems, and anything on the net can be pwned.

    1. Re:Why are critical systems on the 'net? by plover · Score: 4, Insightful

      So you would have the city leasing expensive lines between plants? I've not met too many people who complained their taxes and water rates were too low, and that they wanted the same service with more security and were willing to pay extra for it. I do, however, see a constant parade of talking heads on TV who bitch incessantly about how high taxes are, how they'll cut taxes when they get in office, or that government budgets should be cut by 10%. Well, their budgets were cut and so the cities cut their corners, and saved whatever money they could, and now their water system is in the hands of hackers. They got exactly what the taxpayers told them they were willing to pay for. We have the exact systems we deserve.

      Could they and should they beef up their security? Of course. But does each water system owner even know if they have a problem? These guys are civil engineers in sleepy little towns, not security wonks. They probably didn't install the ICS themselves, they probably contracted all that out, and among the site survey forms they filled out was "choose your system password (minimum 6 characters)" and trusted the vendor to provide the rest of the security (back in 1993, when they installed it). They might not even know they can change it, or how to change it, or that they need to do something different. Even if they did, the first rule of ICS configuration is "DON'T TOUCH IT!" So don't expect them to get all excited about the chance to make a change.

      They would likely learn a lot more about these problems at their state's annual public works conference, if their city can afford to send them this year, and if their state can afford to hold one.

      --
      John