The US Department of Homeland Security confirmed that a public utility was hacked by a “sophisticated hacking group,” compromising the control system network without affecting the utility’s operations.
The agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a report stating that the utility system had employed a simple password mechanism vulnerable to a “brute force” attack.
“While unauthorized access was identified, ICS-CERT was able to work with the affected entity to put in place mitigation strategies and ensure the security of their control systems before there was any impact to operations,” a DHS official said.
According to the DHS, the hacking group gained access to the unidentified utility’s control system via Internet-facing hosts by brute-forcing, a technique in which attackers try a variety of password combinations to force their way into the system. The report also points out that the utility had likely been a victim of intrusions even before this attack.
“It was determined that the systems were likely exposed to numerous security threats, and previous intrusion activity was also identified,” ICS-CERT wrote in the report.
DHS also described a second cyber attack involving a control system server connected to “a mechanical device,” but did not elaborate on the details. In this case, the attacker had access to the system using a SCADA (supervisory control and data acquisition) protocol for an extended period, yet there were no attempts to manipulate the system.
“The device was directly Internet accessible and was not protected by a firewall or authentication access controls,” read the report.
ICS-CERT also warned that it is easy to find Internet-connected control systems “that were not intended to be internet facing,” using search engines, which has turned out to be “a serious concern over the past few years.”