Slashdot Mirror


Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant

holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

39 of 214 comments

  1. Actually... by djupedal · · Score: 5, Funny

    The plant is real and the headline is a cover up/reverse sneak - because panic. But hey, if it turns out to be a honeypot, don't expect it to work twice :)

    1. Re:Actually... by icebike · · Score: 2, Insightful

      The honeypot plants may have been more real than real plants. Chances are real plants have nothing this sophisticated.

      (Some of these honeypots were designed to look like they were "located" in China, Russia, Australia, and Brazil. Did they think the attackers would be fooled by these things? Not all of those places would be running the same model of water plant.)

      Then it says:

      None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too easily compromised workings of industrial control systems. Four of the attacks displayed a high level of knowledge about industrial systems, using techniques to meddle with a specific communication protocol used to control industrial hardware.

      Well, which is it? Not too sophisticated, but they busted into his lame decoys easily enough.

      He was able to access data from their Wi-Fi cards to triangulate their location.

      He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

      Somewhere there are some people chuckling at this guy.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Actually... by sumdumass · · Score: 5, Interesting

      Well, which is it? Not too sophisticated, but they busted into his lame decoys easily enough.

      Forcing a door open is not the same as sophisticated lock picking. But nonetheless, the point about sophistication seems to be what they did once they got access. Most did menial tasks while 4 meddled with a specific communication protocol.

      He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

      I'm not sure your reading comprehension is up to speed here. The web interface that was hacked embedded an exploit framework called BeEF so the researcher could gain access to the attacker's system through the browser. What he likely did was query the networks detected by the wifi cards, then cross them with data from sites like WiGLE or perhaps something even more specific.

      This is more than enough to get a geographical location of a person and narrow it down to not only country, but city and even neighborhoods within the city.

      Oh, and the triangulation isn't on where the wifi card itself accesses a router, but with the names of the specific networks the wifi cards can see. If you see several distinctly different named networks, the odds of them being in more than one location is low, so you know it has to be a location close enough to all of them to be seen at the same time. For instance, if I see the SSIDs duck_butter, shoreline, bbangsoon, and linksys, I can find that I am near the Chicago Water Commissioner's office at Pfc Milton Olive park, near the Chicago harbor. Go ahead and look it up.

      Somewhere there are some people chuckling at this guy.

      I think that happens to all of us every once in a while. I was laughing pretty good earlier at someone too.

  2. InSANE -- why...?!!! by Anonymous Coward · · Score: 5, Insightful

    Why are critical systems on the 'net?
    They functioned perfectly 30 years ago without the internet...

    CAPTCHA = 'yourself'

    1. Re:InSANE -- why...?!!! by Jeng · · Score: 2

      Remote access for people who don't want to be physically at the plant.

      IE: Management

      --
      Don't know something? Look it up. Still don't know? Then ask.
    2. Re:InSANE -- why...?!!! by AHuxley · · Score: 3, Insightful

      Re: "Why are critical systems on the 'net?"
      So one lower cost, union free, engineer can be contracted to look over many subsystems from a great distance.
      vs having local technical staff who need paying and pensions. Local staff over time may get to know their legal rights and fight for their wages - state and federal.
      You also had heavy commercial lobby efforts to update State control systems to 'save' cash long term.
      Products using industrial "solutions" created for secure site networks were spread over vast state or regional networks via the 'internet' or 'wireless'.
      ie States trying to get rid of on site long term union staff and great sales reps moving around cities and states with networks to sell.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:InSANE -- why...?!!! by Anonymous Coward · · Score: 4, Interesting

      Plants nowadays always have some kind of remote SCADA. The network between sites may be isolated, but somewhere along the line there is often an internet-connected computer that will also have a connection to the isolated network for client-side monitoring and control software.

      All it takes is to hack one of these. They pretty much always exist, even if they shouldn't. Someone will connect a cable so they can browse Facebook while monitoring sites.

    4. Re:InSANE -- why...?!!! by plopez · · Score: 2

      Nah. Just send in the drones. There have to be drones.

      --
      putting the 'B' in LGBTQ+
    5. Re:InSANE -- why...?!!! by plopez · · Score: 4, Insightful

      you forgot "Based in Bangalor" in regards to the low cost engineer

      --
      putting the 'B' in LGBTQ+
    6. Re:InSANE -- why...?!!! by plopez · · Score: 2

      You don't get it dude. It's the Internet, a whole new paradigm. It's different this time. Now your workers can work from home 24/7 BYOD through a cloud enabled clustered virtual remote systems management tool.

      --
      putting the 'B' in LGBTQ+
    7. Re:InSANE -- why...?!!! by interval1066 · · Score: 4, Informative

      There are a lot of upsides to putting controls systems on the net. Not applauding it, just sayin'. I wrote a blog article about it; here 'tis.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    8. Re:InSANE -- why...?!!! by chill · · Score: 4, Funny

      I swear that last sentence was copied verbatim out of a PowerPoint slide our CIO sent around...

      --
      Learning HOW to think is more important than learning WHAT to think.
    9. Re:InSANE -- why...?!!! by postbigbang · · Score: 4, Insightful

      Yeah! Fun! Saves money!

      Here are the downsides: you're attacked at every IPv4 address about 100x a day by the bots, and much more densely if you look interesting. Without an air gap, you expose all your stuff to a bunch of hackers ranging from script-kiddies to those with power tools. None of them wants your PLC to run after they tweak a few knobs.

      Multiple authentication and encryption methods (see the https attacks 'announced' at Black Hat) are becoming child's play. All of the incredible engineering that these things have gone through haven't had the funds needed/expended towards making them brutally difficult to crack. It's always an afterthought after the sales guy leaves.

      It's also my biggest problem with the IEEE-- lots of wonderful protocols. Security is an afterthought, rather than being built from the onset into each platform. Look at the ludicrousness of WEP and WPA1. Tell me these guys were thinking. Sure, glorious and fast, and with security as paper-thin as can be.

      --
      ---- Teach Peace. It's Cheaper Than War.
    10. Re:InSANE -- why...?!!! by lightknight · · Score: 2

      Random guess?

      TCP/IP is less expensive than developing your own network protocol. Using public data lines (the Internet) is less expensive than using your own private, leased lines. Using no encryption is less expensive than mediocre encryption, and a hell of a lot less expensive than serious encryption (you are either paying for developer time, or a library, or both).

      --
      I am John Hurt.
    11. Re:InSANE -- why...?!!! by Jeremy+Erwin · · Score: 2

      "Vent radioactive gas?" [types] Y E S.
      "Sound alertness horn?" Y E S. [it sounds in the distance]
      "Decalcify calcium ducts?" Well, give me a Y, give me a...Hey!

    12. Re:InSANE -- why...?!!! by evilviper · · Score: 2

      Why are critical systems on the 'net?
      They functioned perfectly 30 years ago without the internet...

      RIGHT! Having a dial-in modem on the PSTN was OH-SO-MUCH MORE SECURE!

      Has absolutely NOBODY here ever seen the movie "War Games"?

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    13. Re:InSANE -- why...?!!! by AK+Marc · · Score: 2

      I've worked with engineers. The only other group worse is doctors. Lawyers are bad, but not as bad. Engineers think "that's not that hard" and do things like bring in a home router to work as a wireless access point because they can't be bothered to follow the IT rules for safe wireless. Turns out, they plug the "LAN" port on the router in, handing out DHCP and with the LAN address on the router 192.168.1.1 (the same as the corporate default gateway, picked long before I started working there). We also used 192.100.1.1 and 192.200.1.1 for subnets. I pointed out the stupidity of that (they aren't private addresses), and was laid off in the next round of layoffs (the guy who picked the ranges was previously promoted to manager and had a say in the layoffs). Back to the engineers. I tracked down the MAC conflicting with the gateway, and was yelled at for keeping him from doing his job. My boss and his boss later had a talk with him, and he was more apologetic.

    14. Re:InSANE -- why...?!!! by AK+Marc · · Score: 2

      Well, this was in 2001, so 12 years ago (more than your 10). The switches all supported 802.1x (yes, it was wired security first, before wireless), but nobody would pay for it. It would have also fixed the problem. A MAC joins that doesn't authenticate? Into the sandbox for you. I proposed it, but it was declared (shortly before this) that the users could all be trusted, so I was told to unplug the ports in public areas (previously, the unsecured areas of the lobby had live ports on the network), but we'd trust our employees 100%. Shortly after this incident, there was a merger, and all resources were thrown into that. No idea if they ever did anything that would fix rogue DHCP, though that wasn't the problem. The problem was "arp spoofing" as an undesired MAC responded as 192.168.1.1, taking down a good bit of the users.
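
The failure AK+Marc describes above, a rogue device answering ARP for the gateway address 192.168.1.1 and taking a good part of the segment down, is something a passive monitor on a span port can catch even where nobody will pay for 802.1X. The following is an added example and is not from the comment or from any product: it parses constructed lines written in the style of "tcpdump -e -n arp" output (all MAC addresses and timestamps are invented; 02:00:00:00:00:99 is a locally administered address standing in for the home router) and raises an alert whenever an ARP reply binds an IP to a second MAC, or contradicts a MAC pinned for a known address such as the gateway.

```python
import re
from collections import defaultdict

# Constructed sample in the style of "tcpdump -e -n arp" output. The real
# gateway (00:11:22:aa:bb:01) answers for 192.168.1.1; a rogue device
# (02:00:00:00:00:99) then starts answering for the same address.
SAMPLE_LINES = """\
10:00:01.000000 00:11:22:aa:bb:01 > 00:11:22:aa:bb:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:02.000000 00:11:22:aa:bb:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:02.000500 00:11:22:aa:bb:01 > 00:11:22:aa:bb:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:05.000000 02:00:00:00:00:99 > 00:11:22:aa:bb:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 02:00:00:00:00:99, length 28
10:00:06.000000 00:11:22:aa:bb:30 > 00:11:22:aa:bb:20, ethertype ARP (0x0806), length 42: Reply 192.168.1.30 is-at 00:11:22:aa:bb:30, length 28
""".splitlines()

# Matches only ARP replies: "<timestamp> ... Reply <ip> is-at <mac>".
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s.*\bReply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply; requests are ignored."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(replies, pinned=None):
    """Return a list of (ts, ip, mac, reason) alerts.

    pinned: {ip: mac} for addresses whose owner is known in advance (the
    gateway). Any reply for a pinned IP from another MAC is an alert. For
    every other IP, the first MAC seen is remembered and a different MAC
    claiming the same IP later is an alert (the "two routers at .1" case).
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    bindings = defaultdict(set)  # ip -> set of MACs that have claimed it
    alerts = []
    for ts, ip, mac in replies:
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, ip, mac, f"pinned address; expected {pinned[ip]}"))
        elif bindings[ip] and mac not in bindings[ip]:
            alerts.append((ts, ip, mac, f"already bound to {sorted(bindings[ip])}"))
        bindings[ip].add(mac)
    return alerts


def analyze(lines, pinned=None):
    """Parse tcpdump-style lines and return the ARP conflict alerts."""
    return detect_arp_conflicts(parse_arp_replies(lines), pinned)


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:aa:bb:01"}
    for ts, ip, mac, why in analyze(SAMPLE_LINES, pinned=gateway):
        print(f"{ts} ARP conflict: {ip} claimed by {mac} ({why})")
```

Pinning the gateway MAC is what makes the alert fire on the first rogue reply rather than after the damage; without a pin the detector still catches the second MAC, but only because the legitimate one happened to answer first. This only detects the problem; as the comment says, 802.1X on the switch ports would have kept the unauthenticated device off the segment to begin with.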

    15. Re:InSANE -- why...?!!! by mwvdlee · · Score: 2

      Next time you think of posting a comment like that, could you please use a quill to write it on a piece of parchment and have it delivered by horse drawn mail carriage to the slashdot offices?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    16. Re:InSANE -- why...?!!! by umghhh · · Score: 2

      I always thought that the stories about managers being worthless shitbags etc. are overblown. Then I learned about managers in one of the customer systems my company was maintaining. The systems were isolated from the internet originally and there was no need for them to be directly connected besides corporate VPN systems deemed secure enough for O&M staff to access the sites remotely. Now the manager of one of the sites complained about some problem with storage capacity (in modern times???). The closer inspection of the site systems revealed that the storage capacity was properly dimensioned for the task but filled up with pr0n, and it was the site manager that was responsible. This is an anecdote of course, but as it is not the only one I know, I would imagine that this happens quite often. Which means any site with humans around urgently needs internet access and enough bandwidth to provide for a good pr0n watching experience. The design of internal IT systems must be able to cope with this of course; you cannot tell the customer that s/he should not watch pr0n at work. After all it is their time and money and they pay for maintenance, not for advice on pr0n consumption. I do not think water plants are much different. Boring places where pr0n is good for keeping spirits high, especially of people that have not much to do anyway, i.e. managers.

  3. Next Steps by FarField12 · · Score: 5, Funny

    Spoof the interface to make the attackers believe they are attacking a foreign industrial plant.
    In reality, they are attacking the utility plant located down the street based on WiFi location.
    The main purpose of the honeypot system is to obfuscate the true location of the target (the attackers own infrastructure).
    Then watch hilarity ensue.
    Defense systems would be great. You could get countries to nuke themselves using their own cyber ops team.

     

  4. Bull by WGFCrafty · · Score: 5, Insightful

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

    Uhhhhhh Stuxnet was an exploit of Siemens' industrial control systems which regulated the RPMs of centrifuges....

    1. Re:Bull by CriminalNerd · · Score: 4, Insightful

      His point was that industry systems in the US (and outside of Iran) are also prone to attack, and that it's not just some security paranoia that the site manager could just brush off so he can get to the admin controls via Remote Desktop.

  5. Why are critical systems on the 'net? by ridgecritter · · Score: 4, Insightful

    In part, perhaps because 30 years ago the advantages of/needs for large scale efficiency and coordination weren't so great as today? Isolated systems may have higher operations costs and may not efficiently integrate into big systems, but they tend to have few or no remote attack vulnerabilities. Bottom line: economics favor connected systems, and anything on the net can be pwned.

    1. Re:Why are critical systems on the 'net? by Ol+Olsoc · · Score: 4, Funny

      It's understandable that those systems need to be connected to each other, but in that case they should have their own, completely isolated network to do so, preferably one that is utterly incapable of connecting to the Internet at large.

      But DUDE!, If we did this, we'd like, have to connect all those power grids with, like - wires! Where we gonna get that?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Why are critical systems on the 'net? by jon3k · · Score: 3, Insightful

      Which is why MPLS exists and we build private WANs. The REAL answer here is because Pointy-Haired-Boss wants to be able to login from home.

    3. Re:Why are critical systems on the 'net? by AK+Marc · · Score: 3, Insightful

      MPLS exists to economically sell VLANs over shared networks. You put your security in the hands of a 3rd party. Just hope they built a good network.

      The PHB is often not a manager, but a clueless engineer who spends $10,000,000 to build a SCADA network air-gapped from the IT's LAN, then sets up a computer on the LAN and SCADA with remote login enabled, and AAA managed by local user accounts on an XP system. Then, when a problem happens, goes to the COO and complains that IT is not letting him do his job.

      Don't laugh, I've seen it multiple times. Every time with oil drillers, one of which owned the Deepwater Horizon, the others in Alaska.

    4. Re:Why are critical systems on the 'net? by plover · · Score: 4, Insightful

      So you would have the city leasing expensive lines between plants? I've not met too many people who complained their taxes and water rates were too low, and that they wanted the same service with more security and were willing to pay extra for it. I do, however, see a constant parade of talking heads on TV who bitch incessantly about how high taxes are, how they'll cut taxes when they get in office, or that government budgets should be cut by 10%. Well, their budgets were cut and so the cities cut their corners, and saved whatever money they could, and now their water system is in the hands of hackers. They got exactly what the taxpayers told them they were willing to pay for. We have the exact systems we deserve.

      Could they and should they beef up their security? Of course. But does each water system owner even know if they have a problem? These guys are civil engineers in sleepy little towns, not security wonks. They probably didn't install the ICS themselves, they probably contracted all that out, and among the site survey forms they filled out was "choose your system password (minimum 6 characters)" and trusted the vendor to provide the rest of the security (back in 1993 when they installed it.) They might not even know they can change it, or how to change it, or that they need to do something different. Even if they did, the first rule of ICS configuration is "DON'T TOUCH IT!" So don't expect them to get all excited about the chance to make a change.

      They would likely learn a lot more about these problems at their state's annual public works conference, if their city can afford to send them this year, and if their state can afford to hold one.

      --
      John
  6. Why are critical systems hooked into the net? by NobleSavage · · Score: 2

    This is just one more example of why critical systems should never be connected to the internet. There should always be an air gap.

    1. Re:Why are critical systems hooked into the net? by Skapare · · Score: 2

      These systems get their tech support and vendor updates via ... the internet (and most likely not encrypted). Oh, I agree. The air gap needs to be mandated.

      --
      now we need to go OSS in diesel cars
    2. Re:Why are critical systems hooked into the net? by evilviper · · Score: 4, Interesting

      Why are critical systems hooked into the net?

      Because exchanging information with other systems is necessary.

      Because people off-site want or need to monitor the status.

      Because routinely plugging a USB flash drive into a net-connected computer, and then into the air-gapped network (to update software or exchange other info/data), isn't actually much more secure.

      Because there are varying degrees of "critical".

      Because if it's really a "critical" system, you don't want to wait for tech support to arrive on-site to get problems fixed.

      Because "the internet" itself happens to be a "critical" system.

      Because the old days of connecting systems to the PSTN (eg. dial-in modems) wasn't actually any more secure than connecting them to the internet.

      Because having an air-gapped network provides a false sense of security, that can fall apart in a big way.

      This is just one more example of why critical systems should never be connected to the internet.

      Platitudes are oh-so-easy to spout off, no matter how ignorant you are of the issue, but don't offer any insight or solutions to the root cause of the problems.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  7. Laugh by koan · · Score: 2

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

    The first, eh? I guess he hasn't heard of the tools included in such common distros as BackTrack. Why do you suppose SCADA exploitation apps are in there?

    --
    "If any question why we died, Tell them because our fathers lied."
  8. Re:hacked by chinese by Endovior · · Score: 5, Informative

    RTFA. Yes, IP addresses are easily spoofed, and provide essentially no information on the target. That is, in fact, why more information than that was gathered, using the nature of the honeypot in question to gather additional data from the attacking machines. I suspect that it would be possible to configure your system and network in such a way as to spoof the nature of your own local network configuration so that a counterattack of this nature would reveal misleading information about your locality... but the nature of the attacks, and the response to them, make this exceedingly unlikely. tldr; yeah, it was people in China and Russia, and there's proof. Still doesn't mean that their governments were involved, of course.

  9. Re:Well color me shocked by Culture20 · · Score: 5, Funny

    Pooh sets up a honeypot; finds most attacks come from himself and bees. Oh bother.

  10. Now how to prevent it? by MavEtJu · · Score: 4, Interesting

    As somebody who left the network / sysadmin business before the attacks started from the inside (send enough malware to everybody inside a company and you will get lucky at a certain moment), how would you protect it best?

    Airgap it (or properly firewall it), and people will complain about the costs of duplicate infrastructure, remote support from vendors will be a pain etc.

    Monitor the network and spot anomalies; it's a hard task but could be the way to go. Except that you need skilled people there (not saying that there aren't, but my experiences in a TAC show that there aren't many).

    Letting the attackers waste time in a honey-pot while your own network is isolated? At least you learn from it and you give them a false sense of victory.

    What is wisdom, any thoughts?

    --
    bash$ :(){ :|:&};:
    1. Re:Now how to prevent it? by satuon · · Score: 2

      Non-text attachment automatically scrubbed.
      Non-intranet hyperlink automatically censored.
      Text looking like a non-intranet hyperlink automatically censored.
      ^^^
      Secure corporate intranet email client.

  11. Re:Lets see ... by slick7 · · Score: 2

    ... how many people file insurance claims for water damage to their homes when the fictitious pumps were commanded to full power.

    How many people have been damaged by the acts of out of control politicians who answer to anyone that has the price to pay? When do the voters get their chance to be heard?

    --
    The mind conceives, the body achieves, the spirit manifests.
  12. US Chamber of Commerce Supports Hackers by Required+Snark · · Score: 4, Informative
    Nice to know that the Republicans and the US Chamber of Commerce are supporting Chinese and Russian hackers testing cyber-warfare against our critical infrastructure. Because we all know that left to their own devices corporations always put public welfare ahead of short term profit.

    http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803

    U.S. Chamber of Commerce leads defeat of cyber-security bill

    Gen. Keith Alexander, head of the National Security Agency, and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, were among those who pressed for a White House-backed cyber-security bill to regulate privately owned crucial infrastructure, such as electric utilities, chemical plants and water systems.

    If the senators didn't act, they argued, it would make it harder to stop hackers, criminals and hostile nations from wreaking unimaginable havoc, such as knocking out sections of New York City's electrical grid for days during a summer heat wave. But the U.S. Chamber of Commerce and other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.

    Democrats overwhelmingly supported the legislation, but for Republicans, it meant a stark choice between competing constituencies: national security officials and business leaders. Even after the bill's backers made the standards voluntary, the Chamber of Commerce, which spends more on lobbying than any other trade group, opposed it.

    On Thursday, the Senate cyber-security bill failed to overcome a Republican-led filibuster. Analysts say the bill couldn't breach a wall of anti-regulatory sentiment that proved resistant to the dire warnings.

    The measure fell short of the 60-vote threshold needed to end debate, 52 to 46, with 40 Republicans joined by six Democrats voting in support of the filibuster.

    "Rarely have I been so disappointed in the Senate's failure to come to grips with a threat to our country," said Sen. Susan Collins, the ranking Republican on the Senate Homeland Security Committee and one of the bill's chief sponsors, who had tried in vain to sway her GOP colleagues. Just four sided with her.

    But the U.S. Chamber of Commerce and other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.

    --
    Why is Snark Required?
  13. Re:Not working well outside US by sumdumass · · Score: 2

    I'm not trying to defend WiGLE but it isn't really identifying by IP or any other stock measure. I understand about the geolocation data based on IP addresses but the WiGLE site is mostly user generated by war drivers along with GPS data built by programs like Kismet and netstumbler. It refines the locations by averaging the latitudes and longitudes of the SSIDs gathered using the signal strength (squared) as a weight.

    In other words, it relies on users who have visited the field and location, not outdated published materials. Try it yourself and see how accurate it is. Click on the map page, zoom out enough until you can click and drag it to your area, look at the networks available to your computer and then try to zoom in to where you are at and see if they are listed. Someone, or more likely several people, have been at or near your neighborhood and posted their finds. There are apps that run on phones and people can turn them on while driving home from work, riding the bus or subway, or while doing anything else too. Imagine the Google street view car mapping access points and making all the information searchable.

    Well, it looks like their site might have been slashdotted. It's not showing the SSIDs any more and has replaced it with a plot error message. It might take a while for them to get it back up properly. I found my area and it was accurate within football field range. The Chicago example I posted was a random look up trying to be as neutral as possible.
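
The lookup sumdumass describes in this comment and in comment 1.2 above (several SSIDs seen at once from the attacker's wifi card, each matched against war-driver sightings with GPS, and the positions averaged with signal strength squared as the weight) is small enough to show as a worked example. The code below is added here and is not from the comment, from WiGLE or from BeEF. The sightings, signal values and the dBm-to-weight mapping are constructed assumptions, and the ambiguity step (dropping a network whose sightings sit far from the rest, as a generic "linksys" recorded in two cities would) goes a little beyond what the comment spells out; it is the check a practitioner would want before trusting a fix to the neighborhood.

```python
import math

# Constructed WiGLE-style sightings: (ssid, lat, lon, signal_dbm) as a
# war-driver with GPS would record them. The names follow the comment's
# Chicago example, but every coordinate and signal value is invented, and
# "linksys" is deliberately recorded in two cities far apart.
SIGHTINGS = [
    ("duck_butter", 41.8916, -87.6128, -48),
    ("duck_butter", 41.8914, -87.6120, -62),
    ("duck_butter", 41.8920, -87.6135, -75),
    ("shoreline",   41.8910, -87.6118, -51),
    ("shoreline",   41.8918, -87.6124, -58),
    ("bbangsoon",   41.8919, -87.6122, -45),
    ("bbangsoon",   41.8921, -87.6131, -70),
    ("linksys",     41.8913, -87.6126, -66),
    ("linksys",     40.7130, -74.0060, -55),
]


def signal_weight(dbm):
    """Signal strength squared, as the comment describes WiGLE's weighting.
    dBm readings are negative (-30 strong, -100 weak), so they are first
    mapped onto a positive quality scale; that linear mapping is an
    assumption of this example, not WiGLE's published formula."""
    quality = max(1, 100 + dbm)
    return quality * quality


def weighted_centroid(points):
    """Weighted mean of (lat, lon, weight) triples; fine at neighborhood scale."""
    total = sum(w for _, _, w in points)
    return (sum(la * w for la, _, w in points) / total,
            sum(lo * w for _, lo, w in points) / total)


def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))


def network_centroids(ssids, sightings):
    """One weighted position per SSID, from all sightings of that SSID."""
    by_ssid = {}
    for ssid, lat, lon, dbm in sightings:
        if ssid in ssids:
            by_ssid.setdefault(ssid, []).append((lat, lon, signal_weight(dbm)))
    return {s: weighted_centroid(p) for s, p in by_ssid.items()}


def estimate_location(visible, sightings, max_spread_m=500.0):
    """visible: {ssid: dbm} as reported from the target's wifi card.

    Returns (lat, lon, used_ssids, dropped_ssids), or None if no visible
    network is in the database. Networks whose position disagrees with the
    others by more than max_spread_m are dropped one at a time, worst first,
    which is what catches an SSID that exists in more than one place.
    """
    centers = network_centroids(set(visible), sightings)
    if not centers:
        return None
    used = set(centers)

    def fix(names):
        # Each network's position is weighted by how strongly the target saw it.
        return weighted_centroid(
            [(centers[s][0], centers[s][1], signal_weight(visible[s])) for s in names])

    while len(used) > 1:
        lat, lon = fix(used)
        distances = {s: haversine_m((lat, lon), centers[s]) for s in used}
        worst = max(distances, key=distances.get)
        if distances[worst] <= max_spread_m:
            break
        used.remove(worst)
    lat, lon = fix(used)
    return lat, lon, sorted(used), sorted(set(centers) - used)


if __name__ == "__main__":
    seen_by_target = {"duck_butter": -50, "shoreline": -60,
                      "bbangsoon": -55, "linksys": -70}
    lat, lon, used, dropped = estimate_location(seen_by_target, SIGHTINGS)
    print(f"fix {lat:.5f}, {lon:.5f} from {used}; dropped {dropped}")
```

With these constructed sightings the three distinctive SSIDs agree to within tens of meters, while the "linksys" centroid lands between Chicago and New York and is discarded on the first pass. A real lookup would key on BSSIDs rather than names where the browser exposes them, which removes most of that ambiguity, but the averaging is the same.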