SCADATelvent, the maker of a SCADA product used in a number of critical industries, said that its corporate network has been compromised by attackers and that some of the files used by customers on their own networks were changed. This attack is the latest in what looks to be a series of incidents of varying severity that have occurred at companies involved in either the production or use of SCADA systems in recent months.

The target of the attack apparently were the files related to Telvent’s OASyS SCADA software, a system that’s used in the management of smart grid deployments. The system is designed to provide a bridge between a customer’s corporate network and the smart grid control systems. The company says that the software “ensures reliability by managing the distribution network and maintaining its operational integrity. It plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”

The details of the attack are somewhat scarce, however Brian Krebs obtained a copy of a letter Telvent sent to its customers warning them of the recent compromise, and the letter contains a list of malicious files and suspected command-and-control domains that are known to be used by a crew of Chinese attackers dubbed the Comment Group. The crew is a subset of one of the two larger known attack conglomerates operating in China that often target Western businesses, government agencies and other organizations. Researchers say the Comment Group, also known as the Comment Crew, is based near Shanghai. Their attack campaigns span months or years and typically are focused on the theft of intellectual property or military secrets, but this attack looks to be somewhat different.

The attack on Telvent focused on accessing and modifying files used by the company’s OASyS customers, a vector that could have produced major problems for companies who ran the compromised files. If the files were backdoored or otherwise modified, the customers could have been running code inserted by the attackers on critical smart grid or other SCADA-controlled systems.

In a statement, an official from Schneider Electric, Telvent’s corporate parent, said that the company had alerted customers to the attack and that there was no evidence the attackers ever had the ability to access customers’ networks.

“Telvent is aware of a security breach of its corporate network that has affected some customer files. Customers have been informed and are taking recommended actions, with the support of Telvent teams. Telvent is actively working with law enforcement, security specialists and its affected customers to ensure the breach has been contained,” Martin Hanna, a spokesman for Schneider Electric, said.

Vulnerabilities in SCADA systems have been one of the frequent talking points for politicians and former federal security officials, who have warned that attackers from hostile nations easily could take advantage of weaknesses in the U.S. critical infrastructure to cause serious damage. There have been some attacks on utilities and other such companies in the U.S. in the last year or so, and there also has been a series of ongoing spear-phishing attacks targeting executives and employees at firms involved in the energy and SCADA worlds.

In an analysis of the Telvent attack, Dale Peterson of Digital Bond, a SCADA security consultancy, said that the attack is just one piece of a larger pie.

If this Comment Group is the same as Comment Crew, then this is likely the same people that sent spear phishing email to Digital Bond and EnergySec. They are going after the ICS energy sector, and Telvent is almost certainly not the only vendor being targeted or compromised. In fact, I would be worried if a large asset owner or vendor in the energy sector is not detecting these attacks,” Peterson said.

Last November, a hacker compromised a SCADA system connected to the Internet by a water district in Texas simply by guessing the system’s three-character password. Earlier this year, researcher Terry McCorkle, who, along with Billy Rios, identified a series of serious flaws in the Tridium Niagara ICS system, said that the state of security in SCADA and ICS is beyond bad.

“It turns out they’re stuck in the Nineties. The SDL doesn’t exist in ICS,” McCorkle said. “There are a lot of ActiveX and file format bugs and we didn’t even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable.”


Categories: Critical Infrastructure, Hacks