Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Water-Utility Honeynet Illuminates Real-World SCADA Threats

After a researcher constructs a fake water-utility network and puts it online, attackers quickly target the systems

BLACK HAT USA -- LAS VEGAS -- For five months, online attackers have been trying to compromise a water utility's network, attempting to change the settings of pumps and stealing documents. The utility isn't real, however, but a fake put online by a security researcher attempting to gauge attackers' interest in breaching critical infrastructure.

The network, which consisted of 12 different servers in eight different countries, came under attack 74 times from Internet addresses in Russia, China, the U.S., and Palestine, Kyle Wilhoit, a threat researcher with security firm Trend Micro, said in a presentation here yesterday. While Wilhoit classified 85 percent of the attacks as noncritical, 11 of the attacks were serious, including a basic spearphishing attack that appeared to come from the Comment Crew, also known as APT-1, a Chinese espionage group.

Wilhoit, who presented his research at Black Hat Europe in March, said that he had detected more attacks during the five months he has had the systems running and had developed better profiles of the attackers.

"A lot of the attacks were opportunists, but they are out there looking for this stuff," Wilhoit said, adding that the utilities he has audited have had abysmal security that would likely not dissuade attackers. "The [utility] networks that I've been exposed to have been lacking firewalls and access control lists, and have been lacking intrusion detection systems."

As espionage groups -- many likely funded by national governments -- continue to attack global corporations and government agencies, security experts are increasingly worried that utilities and critical infrastructure will come under attack. While the government has added regulations for energy firms and financial networks to boost their ability to protect against cyberattacks, many industrial control networks are designed for reliability, not to defend against a quickly evolving attacker.

To gauge the threat, Wilhoit created the Auburn Water utility, a fake company that had very insecure systems online. He set the network up to have very little security: no firewall, no stateful packet inspection, and loads of vulnerabilities, including security issues with the SCADA software, the human-machine interface (HMI), and vulnerable implementations of the two major industrial-control system (ICS) protocols, Modbus and the distributed network protocol version 3 (DNP3).

[Lack of security in remote oil drilling stations and other similar environments vulnerable to rudimentary but potentially disastrous attacks. See SCADA Experts Simulate 'Catastrophic' Attack.]

Attackers found the systems mainly using search engines, such as Google and SHODAN, but also found some of the information that Wilhoit seeded in places such as Twitter and Pastebin.

The Trend Micro researcher did not count attacks of the automated probes of his network and systems, of which there were 32,000 from 1,200 IP addresses in the five months that he collected data.

The 63 noncritical attacks included those that could have compromised the future integrity of the network by gaining access to credentials. The 11 critical attacks included a number of compromises that could have affected a real water utility, Wilhoit said. In addition to the Chinese data exfiltration attempt, Wilhoit detected attackers' attempts to modify a CPU fan speed, modify the control traffic on the Modbus, gain HMI access, and change the operation of critical water components.

"I actually saw an attacker go in and modify the water temperature," he said. "I was also watching individuals go in and lower the pump pressure to where it would not be able to pump water to homes and businesses."

Wilhoit did not rely on Internet addresses to attribute the attack, but used a browser exploitation kit to gain information on the attackers in his network. Reasoning that any attacker who had access to his protected network was essentially agreeing to the necessary steps to defend that network, he gathered information on registry keys, their physical location, their system, and some internal information.

The counterintelligence actions identified 58 percent of the attackers were from Russia, and single-digit percentages from China, the U.S., Germany, and Palestine.

Exploiting attackers' systems is a source of controversy, and Wilhoit joked that he may have crossed a line.

"I'm probably losing my job after this presentation," he said. "If anyone is hiring, let me know."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8220
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .