Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant
holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
Plants nowadays always have some kind of remote SCADA. The network between sites may be isolated, but somewhere along the line there is often an internet-connected computer that will also have a connection to the isolated network for client-side monitoring and control software.
All it takes is to hack one of these. They pretty much always exist, even if they shouldn't. Someone will connect a cable so they can browse Facebook while monitoring sites.
As somebody who left the network / sysadmin business before the attacks started from the inside (send enough malware to everybody inside a company and you will get lucky at a certain moment), how would you protect it best?
Airgap it (or properly firewall it), and people will complain about the costs of duplicate infrastructure, remote support from vendors will be a pain etc.
Monitor the network and spot anomalies; it's a hard task but could be the way to go. Except that you need skilled people there (not saying that there aren't, but my experience in a TAC shows that there aren't many).
Letting the attackers waste time in a honey-pot while your own network is isolated? At least you learn from it and you give them a false sense of victory.
What is wisdom, any thoughts?
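One concrete form of the "monitor the network and spot anomalies" option above is an allowlist detector: learn the small, stable set of hosts that talk on an ICS network, then alert on any new talker and on any Modbus write from a host that is not the HMI. This is an added example, not code from the article or the study; the log format, IP addresses and host roles are constructed for illustration.

```python
"""Allowlist-based anomaly detector for SCADA flow logs (constructed example).

Log line format (constructed): ts,src,dst,dst_port,modbus_function_code
The function-code field is empty for non-Modbus traffic.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst port func")

# Modbus function codes that change plant state (coil/register writes).
MODBUS_WRITES = {5, 6, 15, 16}
MODBUS_PORT = 502


def parse(line):
    ts, src, dst, port, func = line.strip().split(",")
    return Flow(ts, src, dst, int(port), int(func) if func else None)


def learn_baseline(lines):
    """Set of (src, dst, port) tuples observed during a known-good period."""
    return {(f.src, f.dst, f.port) for f in map(parse, lines)}


def detect(lines, baseline, write_authorized):
    """Return alerts for unknown talkers and unauthorized Modbus writes."""
    alerts = []
    for f in map(parse, lines):
        if (f.src, f.dst, f.port) not in baseline:
            alerts.append((f.ts, "unknown-talker", f.src, f.dst, f.port))
        if f.port == MODBUS_PORT and f.func in MODBUS_WRITES \
                and f.src not in write_authorized:
            alerts.append((f.ts, "unauthorized-write", f.src, f.dst, f.func))
    return alerts


# Constructed sample data: 10.0.1.10 is the HMI, 10.0.1.11 a read-only
# historian, 10.0.2.20 the PLC, 10.0.1.50 an internet-connected office PC.
BASELINE_LOG = [
    "2013-08-01T08:00:00,10.0.1.10,10.0.2.20,502,3",
    "2013-08-01T08:00:05,10.0.1.10,10.0.2.20,502,6",
    "2013-08-01T08:00:10,10.0.1.11,10.0.2.20,502,3",
]
LIVE_LOG = [
    "2013-08-02T09:00:00,10.0.1.10,10.0.2.20,502,3",
    "2013-08-02T09:00:05,10.0.1.11,10.0.2.20,502,3",
    "2013-08-02T09:01:00,10.0.1.50,10.0.2.20,502,16",  # new host writing registers
    "2013-08-02T09:02:00,10.0.1.11,10.0.2.20,502,5",   # historian writing a coil
    "2013-08-02T09:03:00,10.0.1.50,10.0.2.20,3389,",   # new host, RDP to PLC segment
]
WRITE_AUTHORIZED = {"10.0.1.10"}


def demo():
    return detect(LIVE_LOG, learn_baseline(BASELINE_LOG), WRITE_AUTHORIZED)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The baseline must be learned from a period you trust and re-learned after authorized changes, otherwise the detector either stays silent on an intruder present during learning or floods you with alerts after every maintenance window.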
Because exchanging information with other systems is necessary.
Because people off-site want or need to monitor the status.
Because routinely plugging a USB flash drive into a net-connected computer, and then into the air-gapped network (to update software or exchange other info/data), isn't actually much more secure.
Because there are varying degrees of "critical".
Because if it's really a "critical" system, you don't want to wait for tech support to arrive on-site to get problems fixed.
Because "the internet" itself happens to be a "critical" system.
Because the old days of connecting systems to the PSTN (e.g. dial-in modems) weren't actually any more secure than connecting them to the internet.
Because having an air-gapped network provides a false sense of security that can fall apart in a big way.
Platitudes are oh-so-easy to spout off, no matter how ignorant you are of the issue, but don't offer any insight or solutions to the root cause of the problems.
Forcing a door open is not the same as sophisticated lock picking. But nonetheless, the point about sophistication seems to be what they did once they got access. Most did menial tasks while 4 meddled with a specific communication protocol.
I'm not sure your reading comprehension is up to speed here. The web interface that was hacked embedded an exploit framework called BeEF so the researcher could gain access to the attacker's system through the browser. What he likely did was query the networks detected by the wifi cards, then cross them with data from sites like WiGLE or perhaps something even more specific.
This is more than enough to get a geographical location of a person and narrow it down to not only country, but city and even neighborhoods within the city.
Oh, and the triangulation isn't on where the wifi card itself accesses a router, but on the names of the specific networks the wifi cards can see. If you see several distinctly named networks, the odds of them being in more than one location are low, so you know it has to be a location close enough to all of them to be seen at the same time. For instance, if I see the SSIDs duck_butter, shoreline, bbangsoon, and linksys, I can find that I am near the Chicago Water Commissioner's office at Pfc Milton Olive park, near the Chicago harbor. Go ahead and look it up.
I think that happens to all of us every once in a while. I was laughing pretty good earlier at someone too.
Let's explore this concept a bit.
Let's say that each unionized employee that would be on site costs the utility $150,000 a year and you need 3 of them at each site to achieve disconnection from the internet. That's only $450K a year per site, and let's say it covers 20 sites per company or utility type (let's examine Columbus, Ohio, which charges a sewage fee based on water usage, so the 20 sites would cover both aspects). That's about $900 million a year. A big amount, or is it? This is taxes, benefits and all connected with the employment of the people.
Columbus, in their 2012 consumer confidence report (under the power and water reports section) claimed they provide 51 billion gallons of water to 1.1 million people per year. Of course this is all measured in cubic feet x 100 (100 cubic feet) when billing (noted by ccf). 1 ccf of water is equal to 748 gallons of water according to their site. So if we divide the 51 billion gallons by 748, we should get the ccf being billed. What we now have is 68,181,818 ccf or we could shorten that to about 68.1 million ccf. Now, to reach that $900 million/ year, it would take a rate increase of $13.50 per ccf which brings in $920,454,543 extra.
According to Columbus' website, the high side of the charges currently is $1.56 per ccf for water (this is without sewage fees added). The example they give for a non-industrial user shows about 16 ccf per month. This is an increase in a bill for this amount of usage of $216.00 per month or $2,592 per year over what they pay now.
Someone please check my math for errors as it's been a while. I went into this thinking it would only be a couple cents per unit increase and was surprised at how much extra it actually would be.