Decoy water plant attracts hackers, Chinese APT1 crew

A Trend Micro researcher that has lately concentrated on finding out just how often industrial control systems are attacked and from where has shared the latest findings of his research involving decoy systems as honeytraps, and says that one of them has been targeted by the infamous APT1 Chinese hacking crew.

At the Black Hat conference held last week in Las Vegas, researcher Kyle Wilhoit has revealed that he has set up twelve honeypots posing as water control systems in local water plants in the US, Brazil, Ireland, Australia, Singapore, Russia, China and Japan.

With the help of cloud software, he created realistic access and configuration screens and control panels that correspond to those used by typical plants of this kind, and waited for the attacks.

The attack by APT1 (also known as Comment Crew) began last December, and was initiated via a booby-trapped Word document hiding malware that, along with other things, pointed to the group being the perpetrator.

“I actually watched the attacker interface with the machine,” Wilhoit shared with MIT Technology Review. “It was 100 percent clear they knew what they were doing.”

Between March and June this year, the honeypots were intentionally attacked 74 times. Not all attacks were sophisticated, but 10 were sophisticated enough to gain complete control of the mosck systems.

By using the Browser Exploitation Framework he managed to locate the attackers’ systems, and has discovered that they came from 16 different countries.

The majority of the non-critical attacks originated in Russia, and half of the critical ones in China. The rest of them were effected from systems in the UK, Germany France, Japan and Palestine.

It’s also interesting to note that some of the attackers were clearly knowledgeable about things like distinct communication protocols used to control industrial hardware.

Once again, Wilhoit has successfully proven that even “insignificant” systems like those of a local water authority are interesting to attackers, and has pointed out that those owning and/or operating industrial control systems (ICS) should be aware of that fact and should look into hardening them.

Don't miss