A group of elite hackers attacked a United States public utility and compromised its control system network, but there was no evidence that the utility operations were tampered with, according to the Department of Homeland Security.
The Department of Homeland Security (DHS) chose not to identify the compromised utility in a report issued by the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
“While unauthorized access was identified, ICS-CERT was able to work with the affected entity to put in place mitigation strategies and ensure the security of their control systems before there was any impact to operations,” a DHS official told Reuters on Tuesday.
ICS-CERT rarely discloses information on cyber attacks; this encourages businesses to share threat information with government entities while it remains private. Many companies choose to keep attacks quiet to limit negative publicity.
ICS-CERT said in its official report that the hacked utility had been the victim of a past attack, but the agency chose not to elaborate. ICS-CERT said hackers may have launched their latest attack through a worker-specific internet portal that allows access to the utility’s control systems. The agency noted the system used a simple password combination that could be easily compromised by brute forcing, a method in which attackers try various password combinations against administrative panels to gain unauthorized access.
“Justin W. Clarke, an industrial control security consultant with security firm Cylance Inc, said it is rare for such breaches to be identified by utilities and even more rare for the government to disclose them,” Reuters reported. “In most cases, systems that are so antiquated to be susceptible to such brute forcing technologies would not have the detailed logging required to aid in an investigation like this,” Clarke said.
The Department of Homeland Security also reported another attack that involved hackers gaining access to a control system server connected to “a mechanical device.” Again the report was vague: the agency stated only that the attacker had access to the system for an extended period of time but made no attempts to manipulate or alter the system in any way.
“Internet facing devices have been a serious concern over the past few years with remote access demands giving way to insecure or vulnerable configurations,” the agency reported.
Just last year ICS-CERT responded to nearly 256 cyber attacks, and more than half of the incidents came from the energy sector. That is nearly double the cyber attack rate ICS-CERT dealt with in 2012, but not a single incident caused a major disruption in the system, sources reported.