Threat Intelligence firm mistakes research for nation-state attack

China, the world's mythical hacking unicorn, and Chattanooga, TN, said to be major threats

Page 2 of 2


After this story was published ThreatStream responded to follow-up questions. Their responses have been added below:

Q: As a threat intelligence firm, do you keep tabs on other vendors in the ICS space and their research? Do you follow projects in the open source community dedicated to addressing ICS security? If not, why not?

"...We do follow projects in the Open Source community dedicated to ICS security. We integrated conpot into our open source Modern Honey Network project and have been using it actively for several months. That's how we found these scans. We would love to know of other researchers working in this space so we can deconflict this sort of research if, in fact, this is a researcher..."

[In addition, Jason Trost, director of ThreatStream Labs said that he and Greg Martin recently attended a three-day ICS-ISAC conference and spoke on a panel there.]

Q: I ask, because the scans that you detected were from a researcher who works for a vendor in the ICS space. Also, while the scans stood out as unusual (otherwise they wouldn't have been flagged for Bloomberg), what was done to identify them and validate that the attack was legitimate?

"How do you know this is from another researcher? We haven't released the IP address of the scanner, the IPs of the honeypots, or the exact timeframe. If the researcher provides his IP we can confirm whether or not it was him that we saw.

"The scans were to honeypots, so there is no reason for any traffic to be going to these systems. They run no legitimate services and have no DNS entries, so any traffic to them is suspicious, especially traffic to tcp port 102 that conforms to the S7comm spec. I would argue that this other security researcher's scans are suspicious (although it sounds like the intent is good natured) and he has likely received complaints for his actions. We did OSINT on his IP, looking through all of our threat intel feeds as well as others' intelligence portals. We searched all the security mailing lists we're on and there has been no mention of this IP. We found almost nothing publicly available about this IP."
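The triage logic in the answer above (any hit on a honeypot is suspect, a hit on tcp/102 that conforms to S7comm framing more so, and known research sources should be deconflicted before anything is called an attack) can be written down as a short script. This is an added illustration, not ThreatStream's, MHN's or conpot's code; the log format, addresses and the deconfliction list are constructed for the example.

```python
"""Triage honeypot hits on tcp/102 by checking TPKT/COTP/S7comm framing and
deconflicting known research sources. Events, addresses and the research list
are constructed for this example, not taken from any real honeypot feed."""
from collections import defaultdict

HONEYPOTS = {"203.0.113.10", "203.0.113.11"}          # constructed honeypot addresses
KNOWN_RESEARCH_SOURCES = {"198.51.100.7"}               # placeholder deconfliction list

# Constructed events: (timestamp, source, destination, dst port, first bytes on the wire as hex)
SAMPLE_EVENTS = [
    ("2014-09-27T01:02:03Z", "198.51.100.7", "203.0.113.10", 102,
     "0300001611e00000000100c1020100c2020102c0010a"),              # COTP connect request
    ("2014-09-27T01:02:04Z", "198.51.100.7", "203.0.113.10", 102,
     "0300001902f08032010000000000080000f0000001000101e0"),        # S7 SetupCommunication job
    ("2014-09-27T02:10:00Z", "192.0.2.44", "203.0.113.11", 102,
     "0300001611e00000000100c1020100c2020102c0010a"),              # same CR, unknown source
    ("2014-09-27T02:10:01Z", "192.0.2.44", "203.0.113.11", 102, "0300000a02f080"),  # bad TPKT length
    ("2014-09-27T03:00:00Z", "192.0.2.9", "203.0.113.10", 102, "474554202f20485454502f312e300d0a"),  # HTTP
    ("2014-09-27T03:00:05Z", "192.0.2.9", "198.51.100.200", 102, "474554202f20485454502f312e300d0a"),  # not a honeypot
]

def s7comm_frame_type(payload: bytes):
    """Label bytes by TPKT (RFC 1006) / COTP (ISO 8073) / S7comm framing; None if they do not conform."""
    if len(payload) < 6 or payload[0] != 0x03 or payload[1] != 0x00:
        return None                                      # no TPKT header
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None                                      # TPKT length must cover the whole frame
    cotp_len, pdu_type = payload[4], payload[5]
    if pdu_type == 0xE0:
        return "cotp-connect-request"                    # first step of every S7 session
    if pdu_type == 0xF0:                                 # COTP data TPDU
        s7 = payload[5 + cotp_len:]                      # COTP length indicator excludes itself
        if len(s7) >= 2 and s7[0] == 0x32:               # S7comm protocol id
            return {1: "s7-job", 2: "s7-ack", 3: "s7-ack-data", 7: "s7-userdata"}.get(s7[1], "s7-unknown")
    return None

def triage(events, honeypots=HONEYPOTS, research_sources=KNOWN_RESEARCH_SOURCES):
    """Group honeypot hits by source and attach a verdict: known research, unattributed S7comm probe, or noise."""
    per_src = defaultdict(lambda: {"hits": 0, "s7comm": 0, "frames": []})
    for _ts, src, dst, dport, hexpayload in events:
        if dst not in honeypots:
            continue                                     # only traffic to honeypots is in scope
        rec = per_src[src]
        rec["hits"] += 1
        kind = s7comm_frame_type(bytes.fromhex(hexpayload)) if dport == 102 else None
        if kind:
            rec["s7comm"] += 1
            rec["frames"].append(kind)
    verdicts = {}
    for src, rec in per_src.items():
        verdict = ("known-research-scan" if src in research_sources
                   else "s7comm-probe-unattributed" if rec["s7comm"] else "noise")
        verdicts[src] = {**rec, "verdict": verdict}
    return verdicts
```

The point of the deconfliction set is the one raised in the interview: without it, the first source and the third are indistinguishable on the wire.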

Q: How would Optic react in a situation like this if it was deployed?

"OPTIC is a threat intelligence platform. It aggregates hundreds of threat intelligence feeds including SCADA attack data from our honeypots deployed using Modern Honey Network. Customers using OPTIC can stream the threat information directly to their security tools (i.e. SIEM and firewall) to update their defenses proactively as well as collaborate with other organizations on the attacks that they see internally."

Update 2:

Later in the day, ThreatStream's Greg Martin sent over an additional statement, which is printed below in full.

"I appreciate you contacting us for your story but there are some concerns that we have with the resulting article. I did in fact share the data with Bloomberg. And you’re correct in that the spike in Chattanooga was most likely based on Stephen Hilt’s research for DerbyCon. However you’ve taken the research out of context and ThreatStream did not suggest this was a nation-sponsored attack.

"Jordan inserted his opinion into the article, which as a journalist he has the creative license to do. However, I myself, as a cyber security professional, would never make that assumption without more detailed analysis. The headline is inaccurate, and therefore we respectfully request that you edit it ASAP. I’m happy to jump on the phone to discuss the research further if necessary."

In addition, the talk given by Stephen Hilt is embedded below. In it, he references that he discovered 95 instances of ThreatStream's honeypot code, which was previously mentioned by Hilt in the original article.

Copyright © 2014 IDG Communications, Inc.
