Trend Micro: Hacker threats to water supplies are real

A security researcher has shown that hackers, including an infamous group from China, are trying to break into the control systems tied to water supplies in the U.S. and other countries.

Last December, a decoy water control system disguised as belonging to a U.S. municipality attracted the attention of a hacking group tied to the Chinese military, according to Trend Micro researcher Kyle Wilhoit. A dozen similar traps set up in eight countries lured a total of 74 attacks between March and June of this year.

Wilhoit's work, presented last week at the Black Hat conference in Las Vegas, is important because it helps build awareness that the threat of a cyberattack against critical infrastructure is real, security experts said Tuesday.

"What Kyle is saying is really neat and important," said Joe Weiss, a security expert and consultant in industrial control systems (ICS). "What he's saying is that when people see what they think is a real control system, they're going to try and go after it. That's a scary thought."

Indeed, people behind four of the attacks tinkered with the special communication protocol used to control industrial hardware. While their motivation is unknown, the attackers had taken a path that could be used to destroy pumps and filtration systems or whole facilities.

To sabotage specific systems, attackers would need design documents. Wilhoit's research showed that there are hackers willing to destroy without knowing the exact consequences, according to Andrew Ginter, vice president of industrial security at Waterfall Security. "If you just start throwing random numbers into (control systems), the world is going to change," said Ginter, who studied Wilhoit's research. "Things are going to happen. You don't know what. It's a random type of sabotage."

The Chinese hacking group, known as APT1, is the same team that security vendor Mandiant had tied to China's People's Liberation Army. The group, also called the Comment Crew, is focused on stealing design information, not sabotage, experts said.

Because sabotage would invite retaliation and possibly war, China is unlikely to mount that type of attack. Those kinds of restraints do not exist for terrorists, however.

While Wilhoit did not identify any terrorist groups, his research did show that the attackers are interested in small utilities. He created eight honeypots, each masked by Web-based login and configuration screens created to look as if they belonged to a local water plant. The decoys were set up in Australia, Brazil, China, Ireland, Japan, Russia, Singapore and the U.S.

Attackers will often start with smaller targets to test software tools and prepare for assaults on larger facilities, Weiss said. "The perception is that they'll have less monitoring, less experience and less of everything else (in security) than the big guys," he said.

While Wilhoit's honeypots showed that a threat exists, they did not reflect a real-world target. Control systems are typically not as easy to access through the Internet, particularly in larger utilities.

Buried within a company's infrastructure, a control system could not be reached without first penetrating the company's defensive perimeter and then finding the IP address of the host computer, said Eric Cosman, vice president of standards and practices for the International Society of Automation.

None of the attackers in Wilhoit's research showed a high level of sophistication, which wasn't surprising. That's because hackers typically use only the technology needed to succeed, nothing more.

"(Advanced attackers) are known to have many cards in their pockets, and they pull out the cheapest card first," Ginter said. "If they can win the game with a two of hearts, then that's the card they'll play."

Wilhoit's research is seen as one more step toward building public awareness of the threats to critical infrastructure. In addition, such reports are expected to have an impact on regulators.

"You're going to have public utilities commissions reading this report and asking the utilities questions," Ginter said. "In a sense, this is a good thing. The awareness level needs to go up."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.


Stories by Antone Gonsalves
