The hacker collective known as Anonymous has expressed interest in hacking industrial systems that control critical infrastructures, such as gas and oil pipelines, chemical plants and water and sewage treatment facilities, according to a Department of Homeland Security bulletin.
But DHS doubts the anarchic group has the necessary skills. At least for now.
Anonymous efforts to attack such systems could be thwarted by the lack of centralized leadership in the loosely collected group, the bulletin says, as well as a lack of “specific expertise” about how the systems work and how to attack them. However, the report notes, the latter could easily be overcome through study of publicly available information.
“The information available on Anonymous suggests they currently have a limited ability to conduct attacks targeting [industrial control systems],” according to DHS. “However, experienced and skilled members of Anonymous in hacking could be able to develop capabilities to gain access and trespass on control system networks very quickly.”
The assessment comes in a bulletin issued recently (.pdf) by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, and published Monday by the web site Public Intelligence. The bulletin was marked “For Official Use Only,” a designation that means the data isn’t classified but is meant only to be shared with government agencies and trusted outside sources.
The bulletin says that members of Anonymous have not yet demonstrated attacks on such systems, instead choosing to “harass and embarrass their targets using rudimentary attack methods.” But the group’s interest in attacking these systems could grow once they realize how poorly the systems are secured, and they figure out how to leverage information that is already publicly available about vulnerabilities in the systems.
NCCIC predicts a ”moderate likelihood” that the group’s protest activities could be accompanied by hacking attacks on core infrastructure in the future.
“[T]here are control systems that are currently accessible directly from the internet and easy to locate through internet search engine tools and applications,” the bulletin notes. “These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations.”
As evidence of Anonymous’ interest in control systems, the bulletin points to a July 11 post at Pastebin, a site where programmers and hackers post code and missives. The post discussed a denial-of-service attack against Monsanto and possible future plans against the company.
We blasted their web infrastructure to shit for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites world-wide. We dropped dox on 2500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work. We are also in the process of setting up a wiki, to try and get all collected information in a more centralized and stable environment. Not bad for 2 months, I’d say.
What’s next? Not sure… it might have something to do with that open 6666 IRC port on their nexus server though.
And on July 19, a known member of Anonymous tweeted the results of browsing the directory tree for Siemens SIMATIC software, the same industrial control system software that was exploited by the Stuxnet worm last year to sabotage uranium-enriching centrifuges at an Iranian nuclear plant.
Another Anonymous member subsequently pointed to XML and HTML code that could be used to query the SIMATIC system to find vulnerabilities in it, and also indicated he was already inside multiple control systems.
The posted xml and html code reveals that the individual understands the content of the code in relation to common hacking techniques to obtain elevated privileges. It does not indicate knowledge of ICS; rather, it indicates that the individual has interest in the application software used in control systems.
The posted xml and html contained administration code used to create password dump files for a human‐machine interface control system software product from Siemens. The code also contained OLE for Process Control (OPC) foundation code that is used in server communication with control system devices such as programmable logic controllers, remote terminal units, intelligent‐electronic devices, and industrial controllers.
While the latter information indicated the individual had an interest in control systems, NCCIC could find nothing to indicate that the person actually possessed the capabilities necessary to hack an ICS.
“There are no indications of knowledge or skill in control systems operations, design, or components,” the bulletin notes. “The individual may possess the necessary skill to exploit elevated privileges by hijacking credentials of valid users of the ICS software product posted based on traditional exploitation methods, not anything ICS specific. ”
According to the NCCIC bulletin, oil and gas companies could become particularly attractive targets to Anonymous and its sympathizers, owing to the hacking collective’s “green energy” agenda and its members’ past opposition to pipeline projects.
“This targeting could likely extend beyond Anonymous to the broader [hacker activist] community, resulting in larger-scope actions against energy companies,” DHS warns in the bulletin.
The security of industrial control systems, which are used in commercial manufacturing facilities and critical infrastructure systems around the world, was thrown into the spotlight over the last year, after the Stuxnet worm infected more than 100,000 computers in Iran and elsewhere. Although the worm was designed to target the SIMATIC industrial control system made by Siemens, it only released its destructive payload on a specific Simatic system – believed to be the system that controls centrifuges at Iran’s uranium enrichment plant in Natanz.
The discovery of the worm helped bring attention to the serious security vulnerabilities that exist in the Siemens system. Researchers who have further examined Siemens systems, as well as industrial control systems made by other manufacturers, have found them all to share the same kinds of security vulnerabilities.
Photo: matti.frisk / Flickr