China cyberspies suspected in new caper: what has experts worried
A China-based cyberespionage gang is suspected in the hacking of a major industrial control system firm in Canada. Experts warn the theft could facilitate creation of a cyberweapon.
Telvent has a huge footprint in the oil and gas industry – and an important role in the emerging “smart grid” that more efficiently coordinates energy distribution. Its software lets older and newer systems speak to each other – and control critical processes. But if captured, the source code of such a product could make it far easier to develop potent cyberweapons akin to Stuxnet, the hyper-sophisticated software weapon that experts say destroyed 1,000 Iranian nuclear centrifuges.
"The attackers used their presence on the Telvent network to download the customer project files for a future attack – think future Stuxnet," Mr. Peterson writes in his blog. "If an attacker were going to attack a process in a sophisticated manner they would need time and talent to study the project files and essentially reverse engineer the process."
As to the question of who did the dirty deed, China's "Comment Group" is the leading suspect, according to an analysis by Joe Stewart of Dell Secureworks, an expert in tracking cyberespionage attacks. Data from the Telvent hack appears identical in certain key respects to digital signatures left by a Chinese cyberespionage gang many call the Comment Group, but which Mr. Stewart calls the Shanghai Group.
Stewart, however, has not yet analyzed the malware that infected Telvent, nor the other indicators of the attack. His opinion is therefore based on a Telvent document listing digital signatures, provided to him by Brian Krebs, the security blogger. Among that data are signatures Stewart has, over several years, tracked back through cyberspace to the Comment Crew.
"The file names, malware families and domains listed are related to a trojan that then maps back to the Comment group," says Elizabeth Clarke, a Dell SecureWorks spokeswoman speaking on behalf of Stewart.
Other industrial control system security companies have recently been hit by so-called “spear phishing” attacks – targeted fake e-mails that, as in the Telvent case, carried malware undetectable by ordinary antivirus screening.
In June, Digital Bond was targeted by a spear-phishing e-mail that contained malware. The firm caught it, however, before it got onto the company network. Energy Sector Security Consortium, an Oregon-based nonprofit group that supports the energy industry in securing critical technology infrastructures, was also hit, Peterson says.
"They are going after the ICS energy sector, and Telvent is almost certainly not the only vendor being targeted or compromised," Peterson says.
"In fact, I would be worried if a large asset owner or vendor in the energy sector is not detecting these attacks. Little Digital Bond and nonprofit EnergySec must be rather low on the list of energy sector ICS targets."