FBI Memo Shows Hackers Accessed Commercial HVAC Systems

An FBI memo says cyber intruders took advantage of weak credentialing in an industrial control system to gain control of a New Jersey air conditioning company’s heating, ventilation and air conditioning units.

The cyber alert was issued July 23, 2012, but did not come to light until it was posted last week on a website operated by Public Intelligence, an international research project that advocates for public access to information. Ars Technica and Wired both published pieces Thursday outlining the intrusions, which underscore the vulnerability of SCADA systems linked to the nation’s critical infrastructure.

In the cyber alert sourced by a Newark-based FBI agent, an unidentified New Jersey air conditioning company (referred to as US Business 1) had installed a version of the Tridium Niagara framework when intruders in February and March accessed its ICS system using unauthorized IP addresses. Just a week earlier someone going by “@ntisec” had posted on “a known U.S. website” that hackers were targeting SCADA systems to direct more attention to their vulnerabilities.

“The user of the ‘@ntisec’ moniker searched Google, and the website www.shodanhq.com, for the term ‘:(unknown character) slot:/’ and ‘#TRIDIUM / #NIAGARA vector,’” according to the memo. “The posting by ‘@ntisec’ included a list of URLs, one of which was an IP address that resolved to US Business 1, and was assigned to its office building’s HVAC control system.

“The main control box for the HVAC system of US Business 1 was a Tridium brand, Niagara model controller. US Business 1 actively used this system in-house, but also installed the control system for customers, which included banking institutions and other commercial entities. An IT contractor of US Business 1 confirmed the Niagara control box was directly connected to the Internet with no interposing firewall.”

The company’s controller was password-protected and set up for remote access over the Internet. That configuration allowed an intruder to use the published backdoor to reach the control system as an administrator. Logs show the unauthorized access began Feb. 3, about a week after the hacktivist’s postings had begun.
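The memo’s finding came from the controller’s logs: administrator logins from IP addresses that were never authorized. The script below is an added example, not part of the memo or of Tridium’s product, showing the kind of allowlist check a defender would run over such logs. The log format, the authorized networks and the sample entries are all constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime
from typing import List, Optional

# Constructed sample log lines (not from the FBI memo); the format is an
# assumption, since the memo does not reproduce the controller's own logs.
SAMPLE_LOG = """\
2012-01-30 08:12:04 login user=admin src=10.20.0.15 result=success
2012-02-01 17:45:51 login user=admin src=10.20.0.15 result=success
2012-02-03 02:14:09 login user=admin src=203.0.113.45 result=success
2012-02-03 02:16:33 login user=admin src=203.0.113.45 result=success
2012-02-07 11:03:20 login user=tech src=198.51.100.9 result=failure
"""

# Authorized source networks (hypothetical): the company's non-routable LAN
# and a VPN pool. A login from anywhere else is treated as unauthorized.
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                   ipaddress.ip_network("172.16.5.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def is_authorized(src: str) -> bool:
    """True if the source address falls inside an authorized network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_NETS)


def find_unauthorized_logins(log_text: str) -> List[dict]:
    """Return successful logins whose source is outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        rec = m.groupdict()
        if rec["result"] == "success" and not is_authorized(rec["src"]):
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            hits.append(rec)
    return hits


def first_unauthorized_access(log_text: str) -> Optional[datetime]:
    """Earliest successful login from outside the allowlist, or None."""
    hits = find_unauthorized_logins(log_text)
    return min(h["ts"] for h in hits) if hits else None


if __name__ == "__main__":
    for h in find_unauthorized_logins(SAMPLE_LOG):
        print(f"{h['ts']} user={h['user']} from {h['src']} (outside allowlist)")
```

Failed attempts are deliberately left out of the result so the output reflects actual access, which is what the memo’s timeline was built from.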

In July, the Department of Homeland Security issued a CERT alert detailing the possible exploitation of Niagara AX ICS by downloading and decrypting a file containing user credentials from the server. At that time, more than 300,000 companies, including those in energy management, telecommunications and security automation, had the Niagara AX Framework installed.

The FBI memo notes that the agent’s findings were for informational purposes only and had not been vetted by FBI headquarters.


Discussion

  • R Morgan on

    The article states the attackers "....accessed its ICS system using unauthorized IP addresses."

    Let us be clear here, this was unauthorized access to publicly accessible IP addresses. If you have something you want to protect, then hide it on your trusted non-routable network and get it behind a semi-trusted zone (DMZ), etc.

    Buying something and assigning it a routable IP is just plain dumb.


  • Ian Lyons on

    Wise words from R Morgan. If infrastructure hacking is going to be a serious concern, then we need to ensure that contractors understand the risks and recommended ways to protect against them.

    This was an easy target, but it seems entirely viable that a good hacker could penetrate even a hardened HVAC system.

  • Anonymous on

    This is old news. The president of Tridium resigned months ago over this. And Tridium released a security patch back in August to resolve this issue. The patch was less to fix a hole in security and more to force contractors not to be lazy when installing the product, which is what caused the whole problem. So if there is anyone out there still being hacked because of this, the fault is that of the contractor, not the manufacturer "Tridium".
