Hacker swarm attacks dummy critical infrastructure honeypot

Summary: Fake industrial control systems, set up to test the vulnerability of internet-connected critical national infrastructure, came under sustained attack, with the majority of attacks originating in China.

Fake industrial control systems set up to test threats against internet-connected critical national infrastructure came under repeated attack from hackers.

Internet-connected systems that mimicked the ICS/Scada devices used to help run many power and water plants were set up by security firm Trend Micro. Over the course of the 28 days that the honeypot systems were active, Trend Micro detected 25 attacks from 11 different countries, according to research presented at the Black Hat 2013 conference in Amsterdam on Friday.

Out of the attacks, 12 were targeted, and 13 were repeated several times by the same actor, indicating they could have been automated.

The actions carried out during the attacks ranged from attempts to change the CPU fan speed on systems purporting to control a water pump to gathering system information.

These attacks were not automated 'drive-by' attacks targeting any internet-connected system, such as SQL injection, but were rather specific attempts to compromise internet-facing ICS/Scada systems, the researchers said.

"This includes unauthorised access to secure areas of sites, modifications on perceived controllers, or any attack against a protocol specific to ICS/SCADA devices like Modbus," Trend Micro researcher Kyle Wilhoit wrote in the report.

The majority of the attacks stemmed from China and the US.

"In sum, China accounted for the majority of the attack attempts at 35 percent, followed by the US at 19 percent," Wilhoit wrote.

Country breakdown indicating the number of attack attempts. Image: Trend Micro

The subject of ICS/SCADA vulnerability became high profile following the exposure of the Duqu and Stuxnet malware that targeted such systems. According to recent research conducted by ICS-CERT, in 2012 alone, 171 unique vulnerabilities affecting 55 different ICS vendors were found.

The fake systems were given a range of vulnerabilities typically found across similar systems. To maximise the exposure the three honeypot systems used three different static internet IP addresses in different subnets in the US.

Researchers simulated three types of ICS/Scada systems. The first was a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, configured as a web page that mimicked a control station for a water pressure station.

The second was a web server that mimicked a human machine interface (HMI) connected to a PLC production system, hosted on a Dell DL360.

The final machine was an actual PLC device called a 'Nano-10' from Triangle Research. It was set up to mimic temperature controllers in a factory and had temperature, fan speed, and light settings that could be modified.

As part of the research the firm also carried out Google searches to identify ICS/Scada systems exposed to the internet that did not have security mechanisms to prevent unauthorised access.


Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

  • Do these statistics really mean anything?

    When you say "The majority of the attacks stemmed from China and the US", do you really mean that the IP address appeared to come from these locations? How do you know that these locations weren't merely zombies hosting proxy servers?
  • Percentages instead of raw counts

    There were 25 attacks from 11 countries. The chart lists *percentages*, so for example, Japan is credited with 2% which is 1/2 of an attack... To me this implies that many of the attacks 'originated from' multiple countries.

    In reality, these were probably compromised systems that a black hat somewhere else was using. Attributing an attack to a country of origin is fraught with peril.

  • Graphics don't match the article

    The article states that the attacks came from 11 countries but the pie chart key lists 14 countries. Add this to dbucciar's comments about 2% being half an attack and I wonder what the pie chart actually represents. Or is it that the figures quoted in the article are incorrect?
  • Interesting

    Swarm of many of one or few looking like many?
  • why are critical industrial systems even ON the Internet at all?

    What purpose is served in having critical infrastructure on the Internet, and exposed to hackers? This is foolhardy and dangerous...
    • Yup, it is a good question

      If you do not use these honeypot systems, how do you know that someone is hacking you and playing around with our real systems? So it is a test to improve the security on real systems.
      Mansour Abdullah