Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Water-Utility Honeynet Illuminates Real-World SCADA Threats

After a researcher constructs a fake water-utility network and puts it online, attackers quickly target the systems

BLACK HAT USA -- LAS VEGAS -- For five months, online attackers have been trying to compromise a water utility's network, attempting to change the settings of pumps and stealing documents. The utility isn't real, however, but a fake put online by a security researcher attempting to gauge attackers' interest in breaching critical infrastructure.

The network, which consisted of 12 different servers in eight different countries, came under attack 74 times from Internet addresses in Russia, China, the U.S., and Palestine, Kyle Wilhoit, a threat researcher with security firm Trend Micro, said in a presentation here yesterday. While Wilhoit classified 85 percent of the attacks as noncritical, 11 of the attacks were serious, including a basic spearphishing attack that appeared to come from the Comment Crew, also known as APT-1, a Chinese espionage group.

Wilhoit, who presented his research at Black Hat Europe in March, said that he had detected more attacks during the five months he has had the systems running and had developed better profiles of the attackers.

"A lot of the attacks were opportunists, but they are out there looking for this stuff," Wilhoit said, adding that the utilities he has audited have had abysmal security that would likely not dissuade attackers. "The [utility] networks that I've been exposed to have been lacking firewalls and access control lists, and have been lacking intrusion detection systems."

As espionage groups -- many likely funded by national governments -- continue to attack global corporations and government agencies, security experts are increasingly worried that utilities and critical infrastructure will come under attack. While the government has added regulations for energy firms and financial networks to boost their ability to protect against cyberattacks, many industrial control networks are designed for reliability, not to defend against a quickly evolving attacker.

To gauge the threat, Wilhoit created the Auburn Water utility, a fake company that had very insecure systems online. He set the network up to have very little security: no firewall, no stateful packet inspection, and loads of vulnerabilities, including security issues with the SCADA software, the human-machine interface (HMI), and vulnerable implementations of the two major industrial-control system (ICS) protocols, Modbus and the distributed network protocol version 3 (DNP3).

[Lack of security in remote oil drilling stations and other similar environments vulnerable to rudimentary but potentially disastrous attacks. See SCADA Experts Simulate 'Catastrophic' Attack.]

Attackers found the systems mainly using search engines, such as Google and SHODAN, but also found some of the information that Wilhoit seeded in places such as Twitter and Pastebin.

The Trend Micro researcher did not count attacks of the automated probes of his network and systems, of which there were 32,000 from 1,200 IP addresses in the five months that he collected data.

The 63 noncritical attacks included those that could have compromised the future integrity of the network by gaining access to credentials. The 11 critical attacks included a number of compromises that could have affected a real water utility, Wilhoit said. In addition to the Chinese data exfiltration attempt, Wilhoit detected attackers' attempts to modify a CPU fan speed, modify the control traffic on the Modbus, gain HMI access, and change the operation of critical water components.

"I actually saw an attacker go in and modify the water temperature," he said. "I was also watching individuals go in and lower the pump pressure to where it would not be able to pump water to homes and businesses."

Wilhoit did not rely on Internet addresses to attribute the attack, but used a browser exploitation kit to gain information on the attackers in his network. Reasoning that any attacker who had access to his protected network was essentially agreeing to the necessary steps to defend that network, he gathered information on registry keys, their physical location, their system, and some internal information.

The counterintelligence actions identified 58 percent of the attackers were from Russia, and single-digit percentages from China, the U.S., Germany, and Palestine.

Exploiting attackers' systems is a source of controversy, and Wilhoit joked that he may have crossed a line.

"I'm probably losing my job after this presentation," he said. "If anyone is hiring, let me know."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-22199
PUBLISHED: 2021-06-16
SQL Injection vulnerability in phpCMS 2007 SP6 build 0805 via the digg_mod parameter to digg_add.php.
CVE-2020-22200
PUBLISHED: 2021-06-16
Directory Traversal vulnerability in phpCMS 9.1.13 via the q parameter to public_get_suggest_keyword.
CVE-2020-22201
PUBLISHED: 2021-06-16
phpCMS 2008 sp4 allowas remote malicious users to execute arbitrary php commands via the pagesize parameter to yp/product.php.
CVE-2021-20483
PUBLISHED: 2021-06-16
IBM Security Identity Manager 6.0.2 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197591.
CVE-2021-20488
PUBLISHED: 2021-06-16
IBM Security Identity Manager 6.0.2 could allow an authenticated malicious user to change the passowrds of other users in the Windows AD enviornemnt when IBM Security Identity Manager Windows Password Synch Plug-in is deployed and configured. IBM X-Force ID: 197789.