Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Water-Utility Honeynet Illuminates Real-World SCADA Threats

After a researcher constructs a fake water-utility network and puts it online, attackers quickly target the systems

BLACK HAT USA -- LAS VEGAS -- For five months, online attackers have been trying to compromise a water utility's network, attempting to change the settings of pumps and stealing documents. The utility isn't real, however, but a fake put online by a security researcher attempting to gauge attackers' interest in breaching critical infrastructure.

The network, which consisted of 12 different servers in eight different countries, came under attack 74 times from Internet addresses in Russia, China, the U.S., and Palestine, Kyle Wilhoit, a threat researcher with security firm Trend Micro, said in a presentation here yesterday. While Wilhoit classified 85 percent of the attacks as noncritical, 11 of the attacks were serious, including a basic spearphishing attack that appeared to come from the Comment Crew, also known as APT-1, a Chinese espionage group.

Wilhoit, who presented his research at Black Hat Europe in March, said that he had detected more attacks during the five months he has had the systems running and had developed better profiles of the attackers.

"A lot of the attacks were opportunists, but they are out there looking for this stuff," Wilhoit said, adding that the utilities he has audited have had abysmal security that would likely not dissuade attackers. "The [utility] networks that I've been exposed to have been lacking firewalls and access control lists, and have been lacking intrusion detection systems."

As espionage groups -- many likely funded by national governments -- continue to attack global corporations and government agencies, security experts are increasingly worried that utilities and critical infrastructure will come under attack. While the government has added regulations for energy firms and financial networks to boost their ability to protect against cyberattacks, many industrial control networks are designed for reliability, not to defend against a quickly evolving attacker.

To gauge the threat, Wilhoit created the Auburn Water utility, a fake company that had very insecure systems online. He set the network up to have very little security: no firewall, no stateful packet inspection, and loads of vulnerabilities, including security issues with the SCADA software, the human-machine interface (HMI), and vulnerable implementations of the two major industrial-control system (ICS) protocols, Modbus and the distributed network protocol version 3 (DNP3).

[Lack of security in remote oil drilling stations and other similar environments vulnerable to rudimentary but potentially disastrous attacks. See SCADA Experts Simulate 'Catastrophic' Attack.]

Attackers found the systems mainly using search engines, such as Google and SHODAN, but also found some of the information that Wilhoit seeded in places such as Twitter and Pastebin.

The Trend Micro researcher did not count attacks of the automated probes of his network and systems, of which there were 32,000 from 1,200 IP addresses in the five months that he collected data.

The 63 noncritical attacks included those that could have compromised the future integrity of the network by gaining access to credentials. The 11 critical attacks included a number of compromises that could have affected a real water utility, Wilhoit said. In addition to the Chinese data exfiltration attempt, Wilhoit detected attackers' attempts to modify a CPU fan speed, modify the control traffic on the Modbus, gain HMI access, and change the operation of critical water components.

"I actually saw an attacker go in and modify the water temperature," he said. "I was also watching individuals go in and lower the pump pressure to where it would not be able to pump water to homes and businesses."

Wilhoit did not rely on Internet addresses to attribute the attack, but used a browser exploitation kit to gain information on the attackers in his network. Reasoning that any attacker who had access to his protected network was essentially agreeing to the necessary steps to defend that network, he gathered information on registry keys, their physical location, their system, and some internal information.

The counterintelligence actions identified 58 percent of the attackers were from Russia, and single-digit percentages from China, the U.S., Germany, and Palestine.

Exploiting attackers' systems is a source of controversy, and Wilhoit joked that he may have crossed a line.

"I'm probably losing my job after this presentation," he said. "If anyone is hiring, let me know."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...