Feeds

SCADA honeypots attract swarm of international hackers

'Industrial control systems' faced attacks from US, China...and, er, Laos

Choosing a cloud hosting partner with confidence

Vulnerable internet-facing industrial systems controlling crucial equipment used by power plants, airports, factories and other critical systems are subjected to sustained attacks within hours of appearing online, according to new honeypot-based research by Trend Micro.

The security weaknesses of SCADA (supervisory control and data acquisition) industrial control systems have been a major focus of interest in information security circles for the last three years or so thanks to Stuxnet, Duqu, and other similar noteworthy attacks.

Trend Micro threat researcher and SCADA security expert Kyle Wilhoit set out to look into this phenomenon in greater depth by setting up a internet-facing honeypot and record attempted attacks. The honeypot architecture developed by Wilhoit directly mimics those of real industrial control systems and SCADA devices.

The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and persistent threats, created a total of three honeypots.

All three were internet-facing and used three different static IP addresses in different subnets scattered across the US. One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system. The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory.

All three honeypots included traditional vulnerabilities found across the same or similar systems. Steps were taken to make sure the honeypots were easily discovered. The sites were optimised for searches and published on Google.

The researchers also made sure that that honeypot settings would be seeded on devices that were part of HD Moore’s Shodan Project, which indexes vulnerable routers, printers, servers and internet-accessible industrial control systems. Once a search latches onto a vulnerable embedded device, then Metasploit provides a library of possible attacks, which - as security strategist Josh Corman points out - can be run without any detailed knowledge or skill.

The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose a threat to internet-facing ICS/SCADA systems. This includes unauthorised access to secure areas of sites, attempted modifications of controllers, or any attack against a protocol specific to SCADA devices, such as Modbus/TCP.

They also logged any targeted attempt to gain access or take out servers running the system. Various tools including popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols), tcpdump and analysis of server log files were used to monitor and record the attacks the honeypots attracted.

Less than 24 hours later...

The researchers waited less than a day before the attacks began, as Wilhoit explains in a research paper Who’s Really Attacking Your ICS Equipment? (PDF).

It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing. The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.” All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same netback.

The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware exploitation attempts on the servers running the honeypot environment. Other hacks included bids to change the CPU fan speed on systems supposedly controlling a water pump and attempts to harvest systems information.

Four samples were collected over the four-week testing period, two of which have not been seen in the wild. Trend Micro is currently analysing these pieces of malware to determine their functionality. As well as looking at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin of attempted attacks.

A third of attacks against the industrial control system honeypot (35 per cent) originated in China but one in five (19 per cent) originated in the US. Security researchers also found that a surprisingly high 12 per cent of attacks against a honeypot control system they had established came from the southeast Asian nation of Laos.

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.