Report: China, Russia Top Sources of Power Grid Probes
Last week, blogs and the mainstream press alike were abuzz with reports that Chinese and Russian hackers had penetrated the U.S. power grid and left behind secret back doors. The original story, a piece in the Wall Street Journal, was light on details, and many readers have asked me if I uncovered additional nuggets of knowledge about the existence of these back doors. I have not.
But I have discovered some interesting data published recently, which seems to support the notion that China and Russia are quite interested in locating digital control systems connected to our nation's power grid and other complex critical infrastructures.
The data comes from a white paper released late last month by Team Cymru, a group of researchers who try to discover who is behind Internet crime and why. That document sought to provide empirical evidence to show which nations were most active in probing our networks for the presence of highly specialized systems designed to control large, complex systems.
These so-called "supervisory control and data acquisition" (SCADA) systems help engineers monitor, communicate with, and control equipment used for energy generation and distribution (SCADA systems also help manage other complex systems, such as water networks, transportation switching systems, etc.).
Most of these SCADA systems communicate over proprietary communications protocols that were never designed with security in mind. To make matters worse, Cymru notes, "many of these older communications methods (fiber, radio transmission, dedicated modem, satellite, microwave, PSTN, cellular, wireless, powerline carrier) are increasingly being replaced by the public Internet," which provides considerable cost savings.
The report continues: "The communication protocols and implementation details of the various proprietary SCADA protocols are generally not available to researchers, and a wide variety of ports and methods are used amongst the various vendors. This does not significantly hinder the miscreants, who will simply scan for wide ranges of well-known SCADA-related ports, and tailor their attacks to the results they find."
So, Team Cymru started gathering information about the location of computers that were scanning the Internet for specific communications channels used by these SCADA systems. The group did this passively, by monitoring SCADA-specific scans coming in to so-called "darknet" space, or clusters of Internet addresses in which no active services or servers reside. The graphic above indicates the aggregate sources, with red and white areas indicating high activity levels, and blue areas indicating lesser levels of scanning.
Steve Santorelli, director of investigations at Team Cymru, said most traffic entering a darknet is malicious to some extent, since nothing legitimate should be routed there. In fact, he said, most traffic entering a darknet comes from scans generated by automated tools and malware looking for vulnerable systems.
Santorelli combed through the darknet data for 2008, looking at the apparent source of the scans for the most common SCADA communications channels. Perhaps not surprisingly, the data showed systems in China responsible for the overwhelming majority of scans. Taiwan and Russia also were major sources. The pie chart to the right breaks it down by country.
"What we found is that this kind of scanning really is massively skewed towards China," Santorelli said.
Of course, correctly attributing the source of any Internet attack is always a dicey affair, and requires more sleuthing than merely tracing the origin of a single Internet address that appears to be doing the hacking and probing. If one wanted to trace the true source of an attack, one would need to win the cooperation of an ISP over in China who could look to see if the traffic coming from a particular Chinese system indeed originated there or was merely redirected through the Chinese system from another point on the Internet.
But that approach probably wouldn't scale to tracking large numbers of attacks, and in any case it is unlikely the authorities there would be willing to provide that kind of access to investigators.
"It could just mean there is a significantly higher concentration of unlicensed Windows PCs in China and Russia, and therefore a lot more machines that are less likely to be patched and more likely to be infected" and be remotely controlled by cyber criminals, Santorelli said. "The people behind these machines could be in Virginia, Belize or Beijing. There's no way of knowing. It's guesswork."
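To make the darknet method concrete, here is an added example, written for this post and not code from Team Cymru or the white paper. It filters constructed flow records down to connections that land in unused address space on SCADA-related ports, tallies them by the apparent source country (the pie chart), counts how many distinct hosts stand behind each country's total, and flags sources that sweep several SCADA ports, which is the signature of automated tooling rather than a stray misconfiguration. The port numbers, the darknet prefix, the address-to-country table and every flow record are assumptions or constructed sample data; the post itself names none of them.

```python
"""
Toy darknet-scan analysis modelled on the approach described in the post:
count inbound connection attempts to SCADA-related ports that arrive in
address space where no legitimate service lives, then aggregate by the
apparent source. Everything below (ports, prefixes, geo table, flows) is
constructed for illustration and does not come from the white paper.
"""
from collections import Counter, defaultdict
import ipaddress

# Assumed SCADA/ICS default ports; the post only says "well-known
# SCADA-related ports" without listing them.
SCADA_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
    44818: "EtherNet/IP",
}

# Constructed darknet prefix (documentation range, no real hosts behind it).
DARKNET = ipaddress.ip_network("203.0.113.0/24")

# Constructed stand-in for a GeoIP database. The country is a property of the
# address, not proof of who operates the machine (see the attribution caveat).
GEO = {
    ipaddress.ip_network("198.51.100.0/25"): "CN",
    ipaddress.ip_network("198.51.100.128/26"): "RU",
    ipaddress.ip_network("198.51.100.192/26"): "TW",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto)
FLOWS = [
    ("2008-06-01T00:00:01", "198.51.100.10", "203.0.113.5", 502, "tcp"),
    ("2008-06-01T00:00:02", "198.51.100.10", "203.0.113.6", 502, "tcp"),
    ("2008-06-01T00:00:03", "198.51.100.10", "203.0.113.7", 20000, "tcp"),
    ("2008-06-01T00:00:04", "198.51.100.140", "203.0.113.9", 2404, "tcp"),
    ("2008-06-01T00:00:05", "198.51.100.200", "203.0.113.9", 502, "tcp"),
    ("2008-06-01T00:00:06", "192.0.2.77", "203.0.113.12", 80, "tcp"),     # not a SCADA port
    ("2008-06-01T00:00:07", "192.0.2.77", "203.0.113.12", 44818, "tcp"),
    ("2008-06-01T00:00:08", "198.51.100.11", "203.0.113.50", 502, "tcp"),
    ("2008-06-01T00:00:09", "198.51.100.11", "192.0.2.200", 502, "tcp"),  # not darknet space
]


def country_of(ip):
    """Look up the apparent country of a source address in the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def scada_darknet_flows(flows, darknet=DARKNET, ports=SCADA_PORTS):
    """Keep only flows that land in darknet space on a SCADA-related port."""
    return [f for f in flows
            if ipaddress.ip_address(f[2]) in darknet and f[3] in ports]


def scans_by_country(flows):
    """Map apparent country -> (probe count, number of distinct probing hosts)."""
    hits = Counter()
    hosts = defaultdict(set)
    for _, src, _, _, _ in scada_darknet_flows(flows):
        cc = country_of(src)
        hits[cc] += 1
        hosts[cc].add(src)
    return {cc: (hits[cc], len(hosts[cc])) for cc in hits}


def share_by_country(flows):
    """Percentage of SCADA darknet probes per apparent country (the pie chart)."""
    counts = scans_by_country(flows)
    total = sum(n for n, _ in counts.values())
    return {cc: round(100 * n / total, 1) for cc, (n, _) in counts.items()}


def sweepers(flows, min_ports=2):
    """Sources touching several SCADA ports: the behaviour of automated scanners."""
    ports = defaultdict(set)
    for _, src, _, port, _ in scada_darknet_flows(flows):
        ports[src].add(port)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    ranked = sorted(scans_by_country(FLOWS).items(), key=lambda kv: -kv[1][0])
    for cc, (n, hosts) in ranked:
        print(f"{cc}: {n} probes from {hosts} apparent source host(s)")
    print("share by country:", share_by_country(FLOWS))
    print("multi-port sweepers:", sweepers(FLOWS))
```

The distinct-host count is there for the reason Santorelli gives: a country's share of probes says how many addresses in that country were scanning, not who was driving them. A handful of hosts generating most of a country's total looks like a few compromised or dedicated machines; a large, evenly spread host count looks more like a botnet of infected PCs. Neither tells you where the operator sits.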
The full white paper is available here.
April 14, 2009; 9:30 AM ET
Categories: From the Bunker , U.S. Government | Tags: attribution challenge, china, power grab, russia, scada, scanning