An FBI memo says cyber intruders took advantage of weak credentialing in an industrial control system to gain control of a New Jersey air conditioning company’s heating, ventilation and air conditioning units.
The cyber alert was issued July 23, 2012 but did not come to light until being posted last week on a website operated by Public Intelligence, an international research project that advocates for public access to information. Ars Technica and Wired both published pieces Thursday outlining the intrusions, which underscore the vulnerability of SCADA systems linked to the nation’s critical infrastructure.
In the cyber alert sourced by a Newark-based FBI agent, an unidentified New Jersey air conditioning company (referred to as US Business 1) had installed a version of the Tridium Niagara framework when intruders in February and March accessed its industrial control system using unauthorized IP addresses. Just a week earlier someone going by “@ntisec” had posted on “a known U.S. website” that hackers were targeting SCADA systems to direct more attention to their vulnerabilities.
“The user of the ‘@ntisec’ moniker searched Google, and the website www.shodanhq.com, for the term “:(unknown character) slot:/” and “#TRIDIUM / #NIAGARA vector,” according to the memo. “The posting by ‘@ntisec’ included a list of URLs, one of which was an IP address that resolved to US Business 1, and was assigned to its office building’s HVAC control system.
“The main control box for the HVAC system of US Business 1 was a Tridium brand, Niagara model controller. US Business 1 actively used this system in-house, but also installed the control system for customers, which included banking institutions and other commercial entities. An IT contractor of US Business 1 confirmed the Niagara control box was directly connected to the Internet with no interposing firewall.”
The company had a password-protected controller for the system set up for remote access via the Internet. This allowed someone to use the published backdoor to access the control system as an administrator. Logs show such illegal access began Feb. 3, just a week or a few days after the hacktivist’s postings had begun.
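The memo’s key evidence is the controller’s own log: administrative logins arriving from IP addresses the company had never authorized, starting days after the addresses were posted publicly. The script below is an added example, not from the FBI memo or from Tridium, of the simplest detection a defender can run over such records: compare the source address of every successful remote login against an allowlist of networks that are supposed to reach the controller, and report the earliest match and the count per source. The log format and the IP ranges (RFC 5737 documentation blocks) are constructed for the example and are not Niagara’s real log format.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of remote-access login records for an Internet-facing
# controller. The format is hypothetical (not Tridium's real log format);
# the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-01-29T14:02:11Z login user=admin src=203.0.113.10 result=OK
2012-02-03T03:17:45Z login user=admin src=198.51.100.77 result=OK
2012-02-03T03:18:02Z login user=admin src=198.51.100.77 result=OK
2012-02-10T09:05:33Z login user=tech src=203.0.113.12 result=OK
2012-03-04T22:41:09Z login user=admin src=192.0.2.200 result=FAIL
2012-03-04T22:41:15Z login user=admin src=192.0.2.200 result=OK
"""

# Networks from which remote administration is expected (constructed):
# the integrator's own office range plus one support host.
AUTHORIZED = [ip_network("203.0.113.0/24"), ip_network("192.0.2.5/32")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ip_address(rec["src"])
    return rec


def is_authorized(src, authorized):
    """True if the source address falls inside any allowlisted network."""
    return any(src in net for net in authorized)


def find_unauthorized_logins(log_text, authorized):
    """Return successful logins whose source is outside the allowlist, oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "OK":
            continue  # skip unparsable lines and failed attempts
        if not is_authorized(rec["src"], authorized):
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def first_unauthorized_login(log_text, authorized):
    """Timestamp of the earliest unauthorized successful login, or None if there is none."""
    hits = find_unauthorized_logins(log_text, authorized)
    return hits[0]["ts"] if hits else None


def logins_by_source(log_text, authorized):
    """Count unauthorized successful logins per source address (keys are strings)."""
    counts = {}
    for rec in find_unauthorized_logins(log_text, authorized):
        key = str(rec["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("first unauthorized admin login:", first_unauthorized_login(SAMPLE_LOG, AUTHORIZED))
    for src, n in logins_by_source(SAMPLE_LOG, AUTHORIZED).items():
        print(f"{src}: {n} successful login(s) from outside the allowlist")
```

An allowlist check only works if remote access is actually restricted to known networks; with the controller directly on the Internet and no interposing firewall, as in the memo, the same check run retrospectively is what turns a log into the timeline the FBI agent reconstructed.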
In July, the Department of Homeland Security issued a CERT alert detailing the possible exploitation of Niagara AX ICS by downloading and decrypting a file containing the user credentials from the server. At that time, more than 300,000 companies, including those in energy management, telecommunications and security automation, had the Niagara AX Framework installed.
The FBI memo notes the agent’s findings were for informational purposes only and had not been vetted by FBI headquarters.