Chinese hackers thought to be linked to the country’s government were caught breaking into a United States water plant — without realising it was a decoy set up by a security researcher.
The MIT Technology Review said the project by Trend Micro security researcher Kyle Wilhoit shows that the attacks, which took place in December last year and were delivered by means of an infected Word document, represent “the most significant proof” of people actively trying to exploit vulnerabilities in industrial control systems (ICS).
According to Wilhoit who observed the attackers taking over the honeypot, “it was 100 per cent clear that they knew what they were doing.”
Wilhoit believes the attackers are the same Shanghai-based group with links to the Chinese government, known as APT1 or the Comment Crew, that has purloined terabytes of corporate data from at least 141 companies since 2006.
Wilhoit has found that roughly half of the critical attacks on his honeypots come from China, with Germany, the UK, France, Palestine and Japan also making the list.
Overall, sixteen countries were involved in the attacks.
Between March and June this year, Wilhoit’s 12 honeypots attracted 74 attacks, 10 of which took complete control of the dummy ICS.
The findings were presented at the annual Black Hat security conference in Las Vegas over the weekend.
Attacks on networked and Internet-connected industrial control systems are said to have become more commonplace in recent years.
Earlier this year, the United States Department of Homeland Security released a report saying 198 attacks on infrastructure facilities were documented in 2012, many of which were classified as serious.
Most of the attacks in the US were on energy utilities, followed by water companies.
There are now calls for engineers to receive formal training in protecting against infrastructure attacks.
Queensland University of Technology researchers put forward a proposed Australian industrial control systems security curriculum (pdf) at the 2013 46th Hawaii International Conference on System Sciences, saying that a “successful cyber attack has the ability to disrupt and even damage critical infrastructure.”
The supervisory control and data acquisition (SCADA) security curriculum aims to provide greater awareness of infrastructure threats, along with a five-day vulnerability analysis and system audit course.
Penetration testing, forensic analysis and incident response would also be part of the SCADA security curriculum, with full lab facilities available under the proposal.