Chinese Hackers Exposed by U.S. Water Control System Decoy

August 5, 2013

A notorious hacking group from China, known as APT1 or Comment Crew, potentially affiliated with the Chinese military, has been caught infiltrating a simulated United States water control system, also referred to as a honeypot. Kyle Wilhoit, a researcher from Trend Micro, disclosed the findings at the BlackHat Conference this past Wednesday.

Back in December, the hackers targeted a water control system for a U.S. municipality, unaware it was a ruse set up by Wilhoit. The decoy utilized a Word document embedded with malicious software, allowing for complete access.

These honeypots closely resembled the ICS/SCADA devices employed in critical infrastructure for power and water facilities. The setup, which employed cloud software, produced realistic web-based login and configuration screens for local water plants, making them look as though they were based in various countries, including Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S. Researchers have traced the activity back to the APT1 group, which the security firm Mandiant had previously linked to the Chinese military.

Chinese Hackers Compromised by Deceptive U.S. Water Control System Honeypots
In a recent revelation, a prominent hacker group from China, identified as APT1 or the Comment Crew, has been implicated in an attempted breach of a simulated United States water control system that was, in fact, a sophisticated honeypot. This critical development was disclosed by Kyle Wilhoit, a researcher from Trend Micro, during his presentation at the BlackHat Conference.

The incident dates back to December of the previous year when the hackers targeted what they believed to be a genuine water control system belonging to a U.S. municipality. However, this system was a meticulously crafted decoy engineered by Wilhoit, featuring a Word document embedded with malicious software designed to extract sensitive information. The honeypot effectively recreated the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) technologies integral to the operations of numerous critical infrastructure facilities, including power and water plants.

The simulation employed cloud-based software to generate convincing, web-based login and configuration interfaces that mimicked real water management systems situated in multiple countries, including Ireland, Russia, Singapore, China, Japan, Australia, Brazil, and the U.S. This level of detail underscores the sophistication of the setup intended to lure potential intruders into revealing their tactics and techniques.

Research conducted by security firm Mandiant has traced the cyber activities back to the APT1 group, which has been linked to the Chinese military. This connection suggests that the motivations behind such breaches may extend beyond mere financial gain and could be rooted in broader geopolitical interests.

In the context of the MITRE ATT&CK framework, several tactics and techniques may have been employed during this breach attempt. Initial access likely came through phishing, given the method of delivery using a malicious Word document. Persistence might have been achieved by utilizing backdoor access created through the exploit. Privilege escalation techniques could also have been employed to gain deeper access to the systems, had they not been traps.

The implications of this incident are significant, particularly for business owners responsible for protecting critical infrastructure. The tactics demonstrated in this breach highlight the importance of robust cybersecurity measures, especially in sectors dealing with vital public utilities. As hackers continue to evolve and adapt their strategies, understanding these techniques is imperative for mitigating risk and safeguarding against future intrusions.
