
Report: China, Russia Top Sources of Power Grid Probes

Last week, blogs and the mainstream press alike were abuzz with reports that Chinese and Russian hackers had penetrated the U.S. power grid and left behind secret back doors. The original story, a piece in the Wall Street Journal, was light on details, and many readers have asked me if I uncovered additional nuggets of knowledge about the existence of these back doors. I have not.

But I have discovered some interesting data published recently, which seems to support the notion that China and Russia are quite interested in locating digital control systems connected to our nation's power grid and other complex critical infrastructures.

The data comes from a white paper released late last month by Team Cymru, a group of researchers who try to discover who is behind Internet crime and why. That document sought to provide empirical evidence to show which nations were most active in probing our networks for the presence of highly specialized systems designed to control large, complex systems.

These so-called "supervisory control and data acquisition" (SCADA) systems help engineers monitor, communicate with, and control equipment used for energy generation and distribution (SCADA systems also help manage other complex systems, such as water networks, transportation switching systems, etc.).

Most of these SCADA systems communicate over proprietary communications protocols that were never designed with security in mind. To make matters worse, Cymru notes, "many of these older communications methods (fiber, radio transmission, dedicated modem, satellite, microwave, PSTN, cellular, wireless, powerline carrier) are increasingly being replaced by the public Internet," which provides considerable cost savings.

The report continues: "The communication protocols and implementation details of the various proprietary SCADA protocols are generally not available to researchers, and a wide variety of ports and methods are used amongst the various vendors. This does not significantly hinder the miscreants, who will simply scan for wide ranges of well-known SCADA-related ports, and tailor their attacks to the results they find."


So, Team Cymru started gathering information about the location of computers that were scanning the Internet for specific communications channels used by these SCADA systems. The group did this passively, by monitoring SCADA-specific scans coming in to so-called "darknet" space, or clusters of Internet addresses in which no active services or servers reside. The graphic above indicates the aggregate sources, with red and white areas indicating high activity levels, and blue areas indicating lesser levels of scanning.

Steve Santorelli, director of investigations at Team Cymru, said most traffic entering a darknet is malicious to some extent, since nothing legitimate should be routed there. In fact, he said, most traffic entering a darknet comes from scans generated by automated tools and malware looking for vulnerable systems.


Santorelli combed through the darknet data for 2008, looking at the apparent source of the scans for the most common SCADA communications channels. Perhaps not surprisingly, the data showed systems in China responsible for the overwhelming majority of scans. Taiwan and Russia also were major sources. The pie chart to the right breaks it down by country.
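The passive measurement described above (unsolicited packets arriving in darknet space, filtered to SCADA-related ports, then tallied by the country of the apparent source) can be reproduced on a small scale. The script below is an added example written for this post; it is not Team Cymru's code and is not taken from the white paper. The port-to-protocol mapping (Modbus/TCP on 502, DNP3 on 20000) is the usual assignment for two widely deployed SCADA protocols and is an assumption here, since the article names no specific ports; the darknet range, the flow records and the prefix-to-country table are constructed for the example (a real sensor would consult a GeoIP or ASN database instead of a static table). It also adds a minimum-fan-out threshold so that a single stray packet is not counted as a scan.

```python
"""Passive darknet aggregation of SCADA-port probes, counted by source country.

Added example, not Team Cymru's code. Assumed: the port/protocol table below;
constructed: the darknet range, the flow records and the prefix->country table.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed mapping of well-known SCADA/ICS TCP ports (the article names none).
SCADA_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
}

# Constructed darknet: no service or server lives here, so every inbound packet
# is unsolicited and, as Santorelli notes, is malicious to some extent.
DARKNET = ip_network("203.0.113.0/24")  # TEST-NET-3 documentation range

# Constructed prefix -> country table standing in for a GeoIP lookup.
PREFIX_COUNTRY = [
    (ip_network("198.51.100.0/25"), "CN"),
    (ip_network("198.51.100.128/25"), "RU"),
    (ip_network("192.0.2.0/24"), "TW"),
]

# Constructed sensor log: src_ip dst_ip dst_port tcp_flags (one flow per line).
SAMPLE_FLOWS = """\
198.51.100.10  203.0.113.5   502    S
198.51.100.10  203.0.113.6   502    S
198.51.100.10  203.0.113.7   20000  S
198.51.100.20  203.0.113.8   502    S
198.51.100.20  203.0.113.9   502    S
198.51.100.21  203.0.113.10  20000  S
198.51.100.21  203.0.113.11  20000  S
198.51.100.200 203.0.113.12  502    S
198.51.100.200 203.0.113.13  502    S
192.0.2.77     203.0.113.14  502    S
192.0.2.77     203.0.113.15  502    S
198.51.100.11  203.0.113.16  80     S   # non-SCADA port, ignored
198.51.100.12  203.0.113.17  502    S   # single stray packet, below fan-out threshold
10.0.0.9       203.0.113.18  502    S   # no country mapping, single packet
198.51.100.10  198.51.100.99 502    S   # not darknet-bound, out of scope
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str


def parse_flows(text):
    """Parse the whitespace-separated sensor log; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, port, flags = line.split()
        flows.append(Flow(src, dst, int(port), flags))
    return flows


def country_of(ip):
    """Country of the apparent source; 'unknown' when no prefix matches."""
    addr = ip_address(ip)
    for net, cc in PREFIX_COUNTRY:
        if addr in net:
            return cc
    return "unknown"


def darknet_scada_flows(flows):
    """Keep only flows aimed at the darknet on a SCADA-related port."""
    return [f for f in flows
            if ip_address(f.dst) in DARKNET and f.dport in SCADA_PORTS]


def probes_by_protocol(flows):
    """Probe count per SCADA protocol (the 'most common channels' view)."""
    counts = defaultdict(int)
    for f in darknet_scada_flows(flows):
        counts[SCADA_PORTS[f.dport]] += 1
    return dict(counts)


def scada_scanners(flows, min_targets=2):
    """Map src_ip -> set of darknet addresses it probed on SCADA ports, keeping
    only sources that touched at least `min_targets` distinct addresses, so a
    lone misdirected packet does not register as a scan."""
    targets = defaultdict(set)
    for f in darknet_scada_flows(flows):
        targets[f.src].add(f.dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def by_country(scanners):
    """Count scanning *hosts* (not packets) per apparent source country. The
    address only says where the packet entered the Internet; the operator of a
    compromised relay could be anywhere, which is the attribution caveat."""
    counts = defaultdict(int)
    for src in scanners:
        counts[country_of(src)] += 1
    return dict(counts)


def share(counts):
    """Percentage share per country, the figure a pie chart would show."""
    total = sum(counts.values())
    return {cc: round(100 * n / total, 1) for cc, n in counts.items()} if total else {}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    scanners = scada_scanners(flows)
    print("probes by protocol:", probes_by_protocol(flows))
    print("scanning hosts by country:", by_country(scanners))
    print("share (%):", share(by_country(scanners)))
```

Lowering `min_targets` to 1 pulls the two single-packet sources back in, which is exactly the kind of noise a country-level tally should exclude; the percentages describe where probing hosts sit on the network, not who controls them.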

"What we found is that this kind of scanning really is massively skewed towards China," Santorelli said.

Of course, correctly attributing the source of any Internet attack is always a dicey affair, and requires more sleuthing than merely tracing the origin of a single Internet address that appears to be doing the hacking and probing. If one wanted to trace the true source of an attack, one would need to win the cooperation of an ISP over in China who could look to see if the traffic coming from a particular Chinese system indeed originated there or was merely redirected through the Chinese system from another point on the Internet.


But that approach probably wouldn't scale to tracking large numbers of attacks, and in any case it is unlikely the authorities there would be willing to provide that kind of access to investigators.

"It could just mean there is a significantly higher concentration of unlicensed Windows PCs in China and Russia, and therefore a lot more machines that are less likely to be patched and more likely to be infected" and be remotely controlled by cyber criminals, Santorelli said. "The people behind these machines could be in Virginia, Belize or Beijing. There's no way of knowing. It's guesswork."

The full white paper is available here.

By Brian Krebs  |  April 14, 2009; 9:30 AM ET
Categories:  From the Bunker , U.S. Government  | Tags: attribution challenge, china, power grab, russia, scada, scanning  


I sure hope we are doing the same thing, or are we behind the rest of the world in this too?

Posted by: TrarJ | April 14, 2009 11:25 AM | Report abuse

With the recent flurry of activity by our administration with respect to more robust cyber security protection initiatives, including rollout of the Smart Grid, many organizations are stepping in to capitalize on timing and increase revenue. Yet when one specific organization’s security flaws are exposed and competitors seek to benefit—how is the greater good ultimately accomplished? One potential solution is the designation of DOE funds to create a cyber heat map that would provide transparent visibility into the current cyber security threats the nation faces, as well as supply access to detailed information on each specific threat occurrence. This undertaking would involve not only private/public sector cooperation, but further collaboration between privately owned vendors, allowing for recognized cyber security threats to be aggregated and directly elevated to the federal government.

Posted by: bahern | April 14, 2009 11:54 AM | Report abuse

My own experience in China tells me that most Chinese are extremely clueless or unconcerned about computer security, so a lot of this malicious activity is just run-of-the-mill worms and viruses.

Posted by: bokamba | April 14, 2009 11:56 AM | Report abuse


So either the Chinese are cyber-criminals, or, because they are property-rights criminals and run stolen software without security updates... they are providing a platform for other cyber criminals to probe global information systems of critical infrastructure.

Really great, guys.

Posted by: onestring | April 14, 2009 12:36 PM | Report abuse


If your grandparents were illiterate peasants and you yourself could barely afford a computer, I doubt you would be so concerned with foreign intellectual property law. That's the situation of most Chinese Internet users.

Posted by: bokamba | April 14, 2009 1:26 PM | Report abuse

I am very glad that people are identifying the fact that there are weaknesses in our systems. That is the first step towards fixing the problem.

We cannot change historical actions [yet], but we do have the opportunity to fix code, allocate more eyeballs and brains to these challenges and hopefully come up with an updated and more secure grid management system.

One of the disturbing items from another Security Fix post described how various infrastructure enterprises were playing host to botnets and compromised machines. That is simply unacceptable in this day and age. If an organization isn't 100% on top of the machines that it owns, then it must take steps to:

a) assess its inventory and clean up the infected hosts.

b) bare minimum, lock down the infected hosts so that they have little-to-no impact on the rest of the internet community.

c) create both policy and technical hurdles to keep such infiltrations from happening in the future.

Posted by: CB12 | April 14, 2009 4:15 PM | Report abuse

According to this National Journal article from May 2008 there may have already been 2 major blackouts in the US caused by Chinese hackers:
I'm surprised with this new story going around I haven't seen references to these incidents in the various blogs and media...

Posted by: boboran | April 14, 2009 4:46 PM | Report abuse

There is a whole wing of the Chinese military dedicated to information warfare.
Do not be complacent...they are actively seeking targets.

Posted by: davidc5 | April 14, 2009 5:15 PM | Report abuse

This is a bunch of malarkey being spun by someone who stands to make a few bucks by scaring us silly. Do any of you happen to remember Y2K? Fool me twice...

Posted by: jerkhoff | April 14, 2009 7:53 PM | Report abuse

It would be interesting to know what's being scanned in other countries, and how intensely it's being scanned. There are stories from time to time - for example, the information warfare against Estonia that seems to have originated in Russia - but I haven't seen anything in the MSM that tries to pull this together into a larger picture. Anyone have any sources?

Posted by: apn3206 | April 15, 2009 12:08 AM | Report abuse

I find the article in the WJ a bit suspicious, but I think overall the electrical industry has a poor security posture so anything that brings a bit of light to the topic is worthwhile.

I had previously read the paper you cited in the recent article and found it lacking. First, the authors do not explicitly define the configuration and behaviour of their "darknet" or describe the sort of traffic they observed.

The above leads to several problems:
1. If their configuration is to simply setup a darknet and listen, why would a sophisticated attacker scan them? They're not a power company so if they get scanned it's random and likely not a state sponsored sort of event. Russia and China have publicly equated cyber warfare to kinetic war -- Russia has even claimed it's similar to WMD. That's not to say those nations aren't conducting operations, but scanning some random IP addresses with no reason to be associated with a power company or to have a service listening seems incautious for a nation state.

2. A simple tcp scan isn't indicative of an attack. Stray packets happen due to user error, sometimes network error (given a large enough data set and time), and other factors.

3. There's no categorization of the scan. Does it look like an nmap scan? Nessus? Some custom code? Again this would provide more detail on what actually was happening.

4. There are no details about the types of organizations discovered scanning. Are the IPs associated with the government, universities, businesses, or home users?

5. There's no information on follow up activities by the supposed attacker. Therefore, it's unclear if the observation was of an attacker.

6. There's no information on the hosts. Are they known botnets? Are they infected with Conficker?

It's quite possible that the researchers carefully vetted their work, but for whatever reason didn't include it in the paper. As written, the paper only really announces that unused IP addresses, probably associated with a small business, see network scanning on some ports that are used by SCADA, and the scanning generally correlates well with countries of origin with large botnet infections.

It would be much more interesting to hear details from the Wall Street Journal, or get inside information from penetration testers/auditors of utilities that can provide more substance.

Posted by: mwollenweber | April 15, 2009 11:24 AM | Report abuse

The comment about these computers being nothing more than hubs is a higher possibility than most people probably realize. Review the stats on the Conficker infections, 45% Asia for instance. I've lived in China for a couple months at a time several times over the last few years. Even in a big city like Shanghai people are in general about as knowledgeable as we were 10 years ago on these security issues. Eventually they will be exposed to the information we have like the digital security site

Posted by: funkmasterflex57 | April 21, 2009 12:54 AM | Report abuse
