A security researcher has shown that hackers, including an infamous group from China, are trying to break into the control systems tied to water supplies in the U.S. and other countries.
Last December, a decoy water control system disguised as belonging to a U.S. municipality attracted the attention of a hacking group tied to the Chinese military, according to Trend Micro researcher Kyle Wilhoit. A dozen similar traps set up in eight countries lured a total of 74 attacks between March and June of this year.
Wilhoit's work, presented last week at the Black Hat conference in Las Vegas, is important because it helps build awareness that the threat of a cyberattack against critical infrastructure is real, security experts said Tuesday.
"What Kyle is saying is really neat and important," said Joe Weiss, a security expert and consultant in industrial control systems (ICS). "What he's saying is that when people see what they think is a real control system, they're going to try and go after it. That's a scary thought."
Indeed, the people behind four of the attacks tampered with the industrial communication protocol used to send commands to control hardware. While their motivation is unknown, the attackers had taken a path that could be used to destroy pumps and filtration systems or whole facilities.
To sabotage specific systems, attackers would need design documents. Wilhoit's research showed that there are hackers willing to destroy without knowing the exact consequences, according to Andrew Ginter, vice president of industrial security at Waterfall Security. "If you just start throwing random numbers into (control systems), the world is going to change," said Ginter, who studied Wilhoit's research. "Things are going to happen. You don't know what. It's a random type of sabotage."
The Chinese hacking group, known as APT1, is the same team that security vendor Mandiant had tied to China's People's Liberation Army. The group, also called the Comment Crew, is focused on stealing design information, not sabotage, experts said.
Because sabotage would expose China to retaliation and possibly war, the country is unlikely to mount that type of attack. Terrorists face no such restraints, however.
While Wilhoit did not identify any terrorist groups, his research did show that the attackers are interested in small utilities. He created eight honeypots, each masked by Web-based login and configuration screens created to look as if they belonged to a local water plant. The decoys were set up in Australia, Brazil, China, Ireland, Japan, Russia, Singapore and the U.S.
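The article does not name the control protocol the attackers tampered with or describe how the decoys answered them. The following is an added illustration, not code from Wilhoit's honeypots or from Trend Micro, of the protocol side of such a decoy: it assumes the protocol is Modbus/TCP (a common choice for PLCs in small utilities), parses each incoming request, answers the way an idle PLC would so the visitor keeps probing, and grades each frame by how close the sender came to the "random numbers into the control system" behaviour Ginter describes above. The sample frames at the bottom are constructed for the example, not captured traffic.

```python
"""Minimal low-interaction Modbus/TCP decoy: parse requests, answer like an idle PLC,
and grade each frame by how far the sender went toward changing process state.
Added example; the protocol (Modbus/TCP) is an assumption, the article names none."""
import struct
from typing import Dict, List

# Function codes a water-plant PLC would typically expose.
READ_FUNCTIONS = {0x01: "read_coils", 0x02: "read_discrete_inputs",
                  0x03: "read_holding_registers", 0x04: "read_input_registers"}
WRITE_FUNCTIONS = {0x05: "write_single_coil", 0x06: "write_single_register",
                   0x0F: "write_multiple_coils", 0x10: "write_multiple_registers"}


def parse_modbus_tcp(frame: bytes) -> Dict:
    """Decode the MBAP header and PDU of one request; 'error' is set when malformed."""
    if len(frame) < 8:
        return {"error": "short frame"}
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return {"error": "bad protocol id"}
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        return {"error": "length mismatch"}
    fc, pdu = frame[7], frame[8:]
    rec = {"transaction_id": tid, "unit_id": unit, "function_code": fc}
    if fc in READ_FUNCTIONS:
        if len(pdu) != 4:
            return {**rec, "error": "bad read pdu"}
        start, qty = struct.unpack(">HH", pdu)
        limit = 2000 if fc in (0x01, 0x02) else 125   # spec maxima per request
        if not 1 <= qty <= limit:
            return {**rec, "error": "illegal quantity"}
        rec.update(kind="read", name=READ_FUNCTIONS[fc], address=start, quantity=qty)
    elif fc in (0x05, 0x06):
        if len(pdu) != 4:
            return {**rec, "error": "bad write pdu"}
        addr, value = struct.unpack(">HH", pdu)
        rec.update(kind="write", name=WRITE_FUNCTIONS[fc], address=addr, values=[value])
    elif fc in (0x0F, 0x10):
        if len(pdu) < 5:
            return {**rec, "error": "bad write pdu"}
        start, qty, count = struct.unpack(">HHB", pdu[:5])
        if len(pdu) != 5 + count or (fc == 0x10 and count != 2 * qty):
            return {**rec, "error": "byte count mismatch"}
        data = pdu[5:]
        values = list(struct.unpack(">%dH" % qty, data)) if fc == 0x10 else list(data)
        rec.update(kind="write", name=WRITE_FUNCTIONS[fc], address=start, values=values)
    else:
        rec.update(kind="other")            # diagnostics, device-id, vendor codes
    return rec


def decoy_response(frame: bytes) -> bytes:
    """Answer like an idle PLC: zeroed reads, acknowledged writes, exception for the rest."""
    rec = parse_modbus_tcp(frame)
    if "error" in rec:
        return b""                          # real PLCs drop malformed frames; so does the decoy
    fc = rec["function_code"]
    if rec["kind"] == "read":
        count = (rec["quantity"] + 7) // 8 if fc in (0x01, 0x02) else 2 * rec["quantity"]
        pdu = bytes([fc, count]) + bytes(count)
    elif rec["kind"] == "write":
        pdu = frame[7:12]                   # normal ack echoes fc, address, value/quantity
    else:
        pdu = bytes([fc | 0x80, 0x01])      # exception 01: illegal function
    return struct.pack(">HHHB", rec["transaction_id"], 0, len(pdu) + 1, rec["unit_id"]) + pdu


def triage(frame: bytes) -> Dict:
    """Grade a frame: writes are the sabotage path, so they rank highest."""
    rec = parse_modbus_tcp(frame)
    if "error" in rec:
        sev, note = "low", "malformed frame (scanner or fuzzer): " + rec["error"]
    elif rec["kind"] == "write":
        sev, note = "high", "%s at address %d with %s" % (rec["name"], rec["address"], rec["values"])
    elif rec["kind"] == "other":
        sev, note = "medium", "unsupported function code 0x%02x (reconnaissance?)" % rec["function_code"]
    else:
        sev, note = "info", "%s from %d, %d items" % (rec["name"], rec["address"], rec["quantity"])
    return {**rec, "severity": sev, "note": note}


def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count frames per severity; the 'high' bucket is the list of would-be saboteurs."""
    counts: Dict[str, int] = {}
    for f in frames:
        sev = triage(f)["severity"]
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample traffic for this example (not captured from any honeypot):
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),            # read 10 holding registers
    bytes.fromhex("00020000000601060010ffff"),            # write 0xFFFF to register 16
    bytes.fromhex("00030000000b011000000002041234abcd"),  # write two registers from 0
    bytes.fromhex("00040000002001030000000a"),            # MBAP length lies about the size
    bytes.fromhex("000500000005012b0e0100"),              # read device identification
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        t = triage(f)
        print("%-6s %s -> reply %s" % (t["severity"], t["note"], decoy_response(f).hex() or "(dropped)"))
    print(summarize(SAMPLE_FRAMES))
```

Feeding each request's bytes to `decoy_response` and logging `triage` records is the whole decoy; the web login and configuration screens the article mentions sit in front of it and are not shown here. Note that the decoy acknowledges writes rather than refusing them, because a refusal tells the visitor the target is not a real PLC; the value written is recorded and never applied to anything.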
Attackers will often start with smaller targets to test software tools and prepare for assaults on larger facilities, Weiss said. "The perception is that they'll have less monitoring, less experience and less of everything else (in security) than the big guys," he said.