Hackers are targeting Gas Tanks worldwide

Security experts from Trend Micro have set up a number of honeypot to study the cyber attacks on vulnerable gas tanks and worldwide.

Security researchers at Trend Micro, Kyle Wilhoit and Stephen Hilt have discovered a number of cyber attacks attempting to hack and shut down gas tanks.

The researchers have set up honeypots to study the cyber attacks against vulnerable gas tank monitoring systems.

“We found that GasPot (gas monitoring honeypot) systems deployed in the US were deemed most attractive by attackers. In fact, 44% of the attacks we saw targeted these, followed far behind by Jordan (17%). GasPots in Brazil, the UK, the UAE, and Russia were also attacked. GasPots deployed in Germany, however, were not. All these showed an ongoing interest in accessing and attacking Internet-facing ATG systems, and that this interest is somewhat also prevalent outside the US” the duo say in the paper The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems presented at Blackhat in Las Vegas this week.

The attacks against gas thanks are not a novelty, early this year researchers at Rapid7 published an interesting study on this kind of attacks. Rapid7 revealed that more than 5000 Automated tank gauges (ATGs) used to prevent fuel leaks at gas stations in the US are vulnerable to remote cyber attacks.

As explained in the paper presented at the Black Hat 2015, the researchers deployed a network of honeypots to capture the attention of the attackers and study their techniques and tactics in hacking gas tanks.

“To better understand the current gas-tank-monitoring system attack landscape, we developed a way to simulate the existence of these devices to check whether threat actors will find them venues attractive enough to go after.” continues the paper.” states the paper. “We created virtualised Guardian AST tank-monitoring systems, complete with function and input /output controls and other features, that make attackers believe they are real.”

According to the experts, the majority of the attacks they observed was a conducted with automated scanners that tries basic connection attempts to the honeypot gas tanks. In many cases also valid commands were entered by attackers, the most common of them allows users to list basic gas tank information. This kind of command was entered 33 times, meanwhile a command that allows attackers to change gas tank names was entered nine times.

In two cases the attackers changed the name of two gas tanks in Jordan, the attacks were carried out by an Iranian hacktivist group known as “Iranian Dark Coders Team” or “IDC-TEAM.”

Among the attacks, there is also a distributed denial-of-service (DDoS) attack that seemed to be launched by the Syrian Electronic Army, but the nature of the target and “modus operandi” led the expert to believe that someone used the name of the popular hacking crew.

The experts deployed a network of honeypots that appear simulated a real monitoring system, they were also configured to leak information to the popular SHODAN industrial control system search engine.

“Attacks against internet-facing gas-tank-monitoring systems are no longer hypothetical,” the expert explained. “The implications of this research highlight the lack of security awareness surrounding internet-connected devices.”

Pierluigi Paganini

(Security Affairs – Gas tanks, hacking)