Chinese Comment Crew caught taking over a fake Water Plant

The Chinese hacking group Comment Crew has been caught taking over a honeypot simulating a water plant, the latest episode in the relentless offensive of Chinese cyber units linked to the PLA.

The Comment Crew group of hackers has been identified during an attack against a fake US water facility control system. The researchers deployed a honeypot to collect evidence on the attackers, who turned out to be linked to the well-known hacking group Comment Crew, also described by the intelligence firm Mandiant as APT1.

According to the data provided by the security firm, the Comment Crew collective is directly linked to the cyber units of the Chinese PLA.

The news about the operation was disclosed by Kyle Wilhoit, a researcher at Trend Micro, during the last Black Hat conference.

Chinese hackers are considered the most insidious persistent collectors by US intelligence, and they also represent a serious menace to the numerous critical infrastructures within the US.

Many studies have found the control systems of these infrastructures vulnerable to cyber attacks, with a high risk of sabotage. It is not the first time that attackers have targeted a water control system: last December the control system of a US municipality was hit, but fortunately it was a decoy set up by Kyle Wilhoit; the intruders gained full access through a Word document hiding malicious software. Wilhoit used the Browser Exploitation Framework to obtain access to the hackers' systems and establish their location with high precision, also thanks to data from their WiFi cards.

The security expert analyzed the behavior of the attackers and the data they searched for, noting that the hackers have a deep knowledge of the category of targets they hit.

“You would think that Comment Crew wouldn’t come after a local water authority,” Wilhoit revealed. “I actually watched the attacker interface with the machine. It was 100 percent clear they knew what they were doing.”

Honeypots are typically exact copies of real devices or parts of networks, used to detect, mitigate or counteract cyber attack attempts; for this reason they are usually isolated and monitored by their owners. In this specific case the honeypot reproduced the Internet interface of the ICS/SCADA systems deployed in various critical infrastructures such as power and water facilities.

The researcher created a fake network of plants thanks to cloud computing; in this way attackers were convinced that the systems were located in various parts of the globe, including Australia, Brazil, China, Ireland, Russia, Singapore and, of course, the U.S.

From March to June 2013 Wilhoit counted nearly 74 cyber attacks against his 12 honeypots, and more than 50% of them originated from China, Germany, the UK, France, Palestine and Japan. Ten attacks turned out to be highly sophisticated and, according to security experts, they were able to destroy the control system of the honeypots.

The results are very concerning: they are proof that groups like Comment Crew operate under the control of central governments and are increasingly targeting the critical infrastructures of foreign states.

“The 74 attacks on the honeypots came from 16 different countries. Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S. About half the critical attacks originated in China, and the rest came from Germany, U.K., France, Palestine, and Japan. The results lead Wilhoit to conclude that water plants, and likely other facilities, around the world are being successfully compromised and taken control of by outside attackers, even if no major attack has been staged. ‘These attacks are happening and the engineers likely don’t know,’ he told MIT Technology Review.”
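As an added illustration (not part of the original article or of Trend Micro's research), here is how telemetry from a honeypot exposing a simulated ICS web interface can be triaged into the noncritical and critical buckets the article uses; the log format, endpoint paths and addresses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines from a hypothetical web front end of a
# simulated water-plant ICS (not data from the Trend Micro honeypots).
SAMPLE_LOG = """\
203.0.113.7 - [2013-03-14T02:11:09Z] "GET / HTTP/1.1" 200
203.0.113.7 - [2013-03-14T02:11:12Z] "GET /status HTTP/1.1" 200
198.51.100.23 - [2013-04-02T17:40:31Z] "POST /login HTTP/1.1" 401
198.51.100.23 - [2013-04-02T17:40:55Z] "POST /login HTTP/1.1" 200
198.51.100.23 - [2013-04-02T17:41:20Z] "POST /pump/1/setpoint HTTP/1.1" 200
198.51.100.23 - [2013-04-02T17:41:44Z] "POST /valve/3/setpoint HTTP/1.1" 403
192.0.2.88 - [2013-05-19T09:05:00Z] "GET /robots.txt HTTP/1.1" 404
"""

LINE_RE = re.compile(r'^(\S+) - \[(\S+)\] "(\w+) (\S+) [^"]*" (\d{3})$')

# Endpoints that alter plant state in the assumed interface layout.
CONTROL_PATHS = ("/pump/", "/valve/", "/setpoint")

def classify(method, path, status):
    """Label one request; only accepted control writes count as 'critical'."""
    if method == "POST" and path.startswith(CONTROL_PATHS):
        return "critical" if status == "200" else "attempted-critical"
    if path == "/login":
        return "login"          # credential guessing, no state change yet
    return "recon"              # scanning or reading status pages

def triage(log_text):
    """Return (label counts, set of sources that achieved a critical action)."""
    counts, critical_sources = Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # tolerate malformed lines; honeypot logs are noisy
        src, _ts, method, path, status = m.groups()
        label = classify(method, path, status)
        counts[label] += 1
        if label == "critical":
            critical_sources.add(src)
    return counts, critical_sources

def summarize(log_text):
    """Critical vs noncritical breakdown in the article's terms."""
    counts, sources = triage(log_text)
    total = sum(counts.values())
    noncritical = total - counts["critical"]
    return {"total": total, "critical": counts["critical"],
            "noncritical_pct": round(100 * noncritical / total) if total else 0,
            "critical_sources": sorted(sources)}
```

A rejected control write (the 403 on the valve endpoint) is kept as a separate label so that a source probing for control access is visible without being counted as a successful compromise.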

Many other control systems around the world may already have been compromised, with serious consequences; China is considered by almost all countries as the primary source of cyber attacks.

Pierluigi Paganini

(Security Affairs – Cyberespionage, Critical Infrastructures)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker certified by EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".