
Chinese Comment Crew caught taking over a fake Water Plant

The Chinese hacking team Comment Crew has been caught taking over a honeypot simulating a water plant, another episode in the relentless offensive of the Chinese cyber units linked to the PLA.

The Comment Crew group of hackers was identified during an attack on a fake US control system of a water facility. The researchers deployed a honeypot to collect evidence on the attackers, who turned out to be linked to the well-known hacker group Comment Crew, also described by the intelligence firm Mandiant as APT1.

According to the data provided by the security firm, the Comment Crew collective is directly linked to the cyber units of the Chinese PLA.

The news about the operation was presented by Kyle Wilhoit, a researcher at Trend Micro, during the last Black Hat conference.

Chinese hackers are considered the most insidious persistent collectors by US intelligence; they also represent a serious menace to the numerous critical infrastructures within the US.

Many studies have found the control systems of these infrastructures vulnerable to cyber attacks, with a high risk of sabotage. It is not the first time that attackers have targeted a water control system: last December the control system of a US municipality was hit; fortunately it was a decoy set up by Kyle Wilhoit, and a Word document hiding malicious software was used to gain full access. Wilhoit used the Browser Exploitation Framework to obtain access to the hackers' systems and establish their location with high precision, also thanks to data from their WiFi cards.

The security expert analyzed the behavior of the attackers and the data they searched for, noting that the hackers have a deep knowledge of the category of targets they hit.

“You would think that Comment Crew wouldn’t come after a local water authority,” Wilhoit revealed. “I actually watched the attacker interface with the machine. It was 100 percent clear they knew what they were doing.”

Honeypots are typically exact copies of real devices or parts of networks; they are used to detect, mitigate, or counteract cyber attack attempts, and for this reason they are usually isolated and monitored by their owners. In this specific case the honeypot reproduced the Internet interface of the ICS/SCADA systems deployed in various critical infrastructures such as power and water facilities.

The researcher created a fake network of plants thanks to cloud computing; in this way attackers were convinced that the systems were located in various parts of the globe, including Australia, Brazil, China, Ireland, Russia, Singapore and, of course, the U.S.

From March to June 2013 Wilhoit counted nearly 74 cyber attacks against his 12 honeypots, and more than 50% of them originated from China, Germany, the UK, France, Palestine and Japan. Ten attacks turned out to be highly sophisticated, and according to security experts they were able to destroy the control system of the honeypots.

The results are very concerning: they are proof that groups like Comment Crew operate under the control of central governments and are increasingly targeting the critical infrastructures of foreign states.

“The 74 attacks on the honeypots came from 16 different countries. Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S. About half the critical attacks originated in China, and the rest came from Germany, U.K., France, Palestine, and Japan. The results lead Wilhoit to conclude that water plants, and likely other facilities, around the world are being successfully compromised and taken control of by outside attackers, even if no major attack has been staged. “These attacks are happening and the engineers likely don’t know,” he told MIT Technology Review.”
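The figures above split honeypot activity into noncritical (reconnaissance and reads) and critical (interactions that would change the state of a real plant) and break them down by source country. The following added example, which is not Trend Micro's or the author's code, shows how an ICS honeypot owner can triage its own logs that way: Modbus write function codes and HMI state-changing actions are flagged critical, everything else noncritical. The log format, the sample lines and the IP-to-country table are constructed assumptions.

```python
"""Triage constructed ICS honeypot log lines into critical vs noncritical
events and tally them per source country (added example; log format and
geolocation table are assumptions, not a real product's format)."""
import re
from collections import Counter

# Modbus function codes that write to a device (coils, registers): a real
# plant would change state, so a honeypot treats them as critical.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Fake HMI actions that alter plant state rather than only viewing it.
HMI_STATE_CHANGES = {"set_pump", "set_valve", "update_setpoint", "disable_alarm"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<proto>modbus|hmi) (?P<detail>.+)$"
)

# Constructed geolocation table for the sample addresses (assumption).
GEO = {"203.0.113.10": "CN", "198.51.100.7": "RU", "192.0.2.44": "DE"}

# Constructed sample log: a read scan, an HMI login followed by a pump
# shutdown and a register write, and a multi-register write from elsewhere.
SAMPLE_LOG = """\
2013-04-02T10:01:12Z 198.51.100.7 modbus fc=3 unit=1 addr=0 count=10
2013-04-02T10:01:13Z 198.51.100.7 modbus fc=43 unit=1
2013-04-02T11:15:40Z 203.0.113.10 hmi action=login user=admin
2013-04-02T11:16:02Z 203.0.113.10 hmi action=set_pump id=2 state=off
2013-04-02T11:16:30Z 203.0.113.10 modbus fc=6 unit=1 addr=40001 value=0
2013-04-03T02:20:00Z 192.0.2.44 modbus fc=16 unit=1 addr=40010 count=4
2013-04-03T02:21:00Z 203.0.113.10 hmi action=view_diagram
"""


def classify(line):
    """Return (src_ip, 'critical' | 'noncritical'), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["detail"].split() if "=" in kv)
    if m["proto"] == "modbus":
        critical = int(fields.get("fc", 0)) in WRITE_FUNCTIONS
    else:
        critical = fields.get("action") in HMI_STATE_CHANGES
    return m["src"], "critical" if critical else "noncritical"


def summarize(log_text, geo=GEO):
    """Count critical and noncritical events per source country code."""
    counts = {"critical": Counter(), "noncritical": Counter()}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            src, severity = result
            counts[severity][geo.get(src, "??")] += 1
    return counts


if __name__ == "__main__":
    for severity, per_country in summarize(SAMPLE_LOG).items():
        print(severity, dict(per_country))
```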

Many other control systems around the world may have already been compromised, with serious consequences; China is considered by almost all countries as the primary source of cyber attacks.

Pierluigi Paganini

(Security Affairs – Cyberespionage, Critical Infrastructures)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
