Decoy water plant attracts hackers, Chinese APT1 crew
Posted on 06 August 2013.
A Trend Micro researcher who has lately concentrated on finding out just how often industrial control systems are attacked, and from where, has shared the latest findings of his research involving decoy systems as honeytraps, and says that one of them has been targeted by the infamous APT1 Chinese hacking crew.

At the Black Hat conference held last week in Las Vegas, researcher Kyle Wilhoit has revealed that he has set up twelve honeypots posing as water control systems in local water plants in the US, Brazil, Ireland, Australia, Singapore, Russia, China and Japan.

With the help of cloud software, he created realistic access and configuration screens and control panels that correspond to those used by typical plants of this kind, and waited for the attacks.

The attack by APT1 (also known as Comment Crew) began last December, and was initiated via a booby-trapped Word document hiding malware that, along with other things, pointed to the group being the perpetrator.

“I actually watched the attacker interface with the machine,” Wilhoit shared with MIT Technology Review. “It was 100 percent clear they knew what they were doing.”

Between March and June this year, the honeypots were intentionally attacked 74 times. Not all attacks were sophisticated, but 10 were sophisticated enough to gain complete control of the mock systems.

By using the Browser Exploitation Framework he managed to locate the attackers' systems, and discovered that they came from 16 different countries.

The majority of the non-critical attacks originated in Russia, and half of the critical ones in China. The rest of them were effected from systems in the UK, Germany, France, Japan and Palestine.

It's also interesting to note that some of the attackers were clearly knowledgeable about things like distinct communication protocols used to control industrial hardware.

Once again, Wilhoit has successfully proven that even "insignificant" systems like those of a local water authority are interesting to attackers, and has pointed out that those owning and/or operating industrial control systems (ICS) should be aware of that fact and should look into hardening them.
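As an added illustration, not part of the article or of Trend Micro's honeypot tooling, the script below shows the kind of triage a decoy-plant log makes possible: attacker sessions are split into critical (the attacker reached a control action on the mock plant) and non-critical (probing and failed logins only), and the two classes are counted per source country. The log format, the action names and the sample lines are all constructed assumptions.

```python
# Added example, not the researcher's code: classify honeypot sessions as
# critical or non-critical and tally them by source country.
# Event format, action names and sample data are constructed assumptions.
from collections import Counter, defaultdict

# Actions that mean the attacker reached control of the mock plant (assumption).
CRITICAL_ACTIONS = {"write_setpoint", "pump_toggle", "modbus_write"}

# Constructed honeypot log lines: timestamp, session id, source country, action.
SAMPLE_LOG = """\
2013-04-02T03:14:07Z s1 RU view_login
2013-04-02T03:14:20Z s1 RU login_fail
2013-04-03T11:02:55Z s2 CN view_login
2013-04-03T11:03:10Z s2 CN login_ok
2013-04-03T11:05:41Z s2 CN write_setpoint
2013-04-05T22:45:00Z s3 DE modbus_probe
2013-04-05T22:46:12Z s3 DE modbus_write
2013-04-06T09:00:00Z s4 RU view_login
"""


def parse_events(text):
    """Yield (session, country, action) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip truncated or malformed lines instead of crashing
        _ts, session, country, action = parts
        yield session, country, action


def classify_sessions(text):
    """Return {session: (country, 'critical' | 'non-critical')}."""
    sessions = {}
    for session, country, action in parse_events(text):
        _, seen_critical = sessions.get(session, (country, False))
        sessions[session] = (country, seen_critical or action in CRITICAL_ACTIONS)
    return {s: (c, "critical" if crit else "non-critical")
            for s, (c, crit) in sessions.items()}


def summarize_by_country(text):
    """Count critical and non-critical sessions per source country."""
    summary = defaultdict(Counter)
    for country, level in classify_sessions(text).values():
        summary[country][level] += 1
    return {country: dict(counts) for country, counts in summary.items()}


if __name__ == "__main__":
    for country, counts in summarize_by_country(SAMPLE_LOG).items():
        print(country, counts)
```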
