Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Water-Utility Honeynet Illuminates Real-World SCADA Threats

After a researcher constructs a fake water-utility network and puts it online, attackers quickly target the systems

BLACK HAT USA -- LAS VEGAS -- For five months, online attackers have been trying to compromise a water utility's network, attempting to change the settings of pumps and stealing documents. The utility isn't real, however, but a fake put online by a security researcher attempting to gauge attackers' interest in breaching critical infrastructure.

The network, which consisted of 12 different servers in eight different countries, came under attack 74 times from Internet addresses in Russia, China, the U.S., and Palestine, Kyle Wilhoit, a threat researcher with security firm Trend Micro, said in a presentation here yesterday. While Wilhoit classified 85 percent of the attacks as noncritical, 11 of the attacks were serious, including a basic spearphishing attack that appeared to come from the Comment Crew, also known as APT-1, a Chinese espionage group.

Wilhoit, who presented his research at Black Hat Europe in March, said that he had detected more attacks during the five months he has had the systems running and had developed better profiles of the attackers.

"A lot of the attacks were opportunists, but they are out there looking for this stuff," Wilhoit said, adding that the utilities he has audited have had abysmal security that would likely not dissuade attackers. "The [utility] networks that I've been exposed to have been lacking firewalls and access control lists, and have been lacking intrusion detection systems."

As espionage groups -- many likely funded by national governments -- continue to attack global corporations and government agencies, security experts are increasingly worried that utilities and critical infrastructure will come under attack. While the government has added regulations for energy firms and financial networks to boost their ability to protect against cyberattacks, many industrial control networks are designed for reliability, not to defend against a quickly evolving attacker.

To gauge the threat, Wilhoit created the Auburn Water utility, a fake company that had very insecure systems online. He set the network up to have very little security: no firewall, no stateful packet inspection, and loads of vulnerabilities, including security issues with the SCADA software, the human-machine interface (HMI), and vulnerable implementations of the two major industrial-control system (ICS) protocols, Modbus and the distributed network protocol version 3 (DNP3).

[Lack of security in remote oil drilling stations and other similar environments vulnerable to rudimentary but potentially disastrous attacks. See SCADA Experts Simulate 'Catastrophic' Attack.]

Attackers found the systems mainly using search engines, such as Google and SHODAN, but also found some of the information that Wilhoit seeded in places such as Twitter and Pastebin.

The Trend Micro researcher did not count attacks of the automated probes of his network and systems, of which there were 32,000 from 1,200 IP addresses in the five months that he collected data.

The 63 noncritical attacks included those that could have compromised the future integrity of the network by gaining access to credentials. The 11 critical attacks included a number of compromises that could have affected a real water utility, Wilhoit said. In addition to the Chinese data exfiltration attempt, Wilhoit detected attackers' attempts to modify a CPU fan speed, modify the control traffic on the Modbus, gain HMI access, and change the operation of critical water components.

"I actually saw an attacker go in and modify the water temperature," he said. "I was also watching individuals go in and lower the pump pressure to where it would not be able to pump water to homes and businesses."

Wilhoit did not rely on Internet addresses to attribute the attack, but used a browser exploitation kit to gain information on the attackers in his network. Reasoning that any attacker who had access to his protected network was essentially agreeing to the necessary steps to defend that network, he gathered information on registry keys, their physical location, their system, and some internal information.

The counterintelligence actions identified 58 percent of the attackers were from Russia, and single-digit percentages from China, the U.S., Germany, and Palestine.

Exploiting attackers' systems is a source of controversy, and Wilhoit joked that he may have crossed a line.

"I'm probably losing my job after this presentation," he said. "If anyone is hiring, let me know."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-11
Telegram Desktop through 2.1.13 allows a spoofed file type to bypass the Dangerous File Type Execution protection mechanism, as demonstrated by use of the chat window with a filename that lacks an extension.
PUBLISHED: 2020-08-11
Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302 Redirect responses.
PUBLISHED: 2020-08-11
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attac...
PUBLISHED: 2020-08-11
SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system.
PUBLISHED: 2020-08-11
SOPlanning 1.46.01 allows persistent XSS via the Project Name, Statutes Comment, Places Comment, or Resources Comment field.