


Hacker takes aim at Homeland, posts ‘proof’ of hacking SCADA for Houston’s water supply

Nov 18, 2011 · 6 mins
Cyberattacks, Data and Information Security, Data Breach

DHS selects Online Trust Alliance for cyber training to increase awareness and to stem the flood of spear phishing attacks on government agencies meant to steal secrets or wreak havoc on critical U.S. infrastructure. Cyber mayhem strikes as hackers launch a digital attack that destroyed a water pump in real time in the physical world of Springfield, Illinois. Unhappy with Homeland Security's response, a hacker took aim at the SCADA system behind Houston's water supply network and posted a 'proof of concept' hack.

What would make you nibble, take the bait, and open an email? Because you think you know the sender is trusted, or because it appears to be related to something that happened in real time in our physical world like an earthquake or a hurricane? Spear phishing emails are specially crafted malicious temptations that could be potential cyber weapons aimed at espionage. They are especially disastrous if that poison-tainted spear is aimed at stealing credentials to access sensitive or proprietary data from federal employees, business executives, political figures or even top government officials. To that end, and to protect the infrastructure, DHS is working with the Online Trust Alliance (OTA) to provide best practices and spear phishing cyber training to stop and block targeted email threats.

Executive director and president of OTA, Craig Spiezle said, “Email authentication is the front line defense for the escalating levels of spear phishing targeting government agencies and businesses which is undermining the trust and confidence of online services. This program, supported by the White House, will help stem the tide of malicious and deceptive email. This is a great example of the public and private sector working together to help increase end-to-end trust of our nation’s critical infrastructure.”

America’s cyber-enemies are doggedly determined to wreak cyber mayhem on our infrastructure [PDF]. You should read Crosston’s World Gone Cyber MAD [PDF] as it addresses cyber-warfare issues with nation-state sponsored crackers like China’s ‘honkers’ and the Russian Federation’s ‘patriotic hackers.’ A great example of real-world destruction as a result of a digital attack might be the SCADA water system hacked in Springfield, Illinois, and a pump that was burned up. According to cybersecurity expert Joe Weiss, the attacker’s IP address was traced to Russia. “It is believed the SCADA software vendor was hacked and customer usernames and passwords stolen. Like Maroochy, minor glitches were observed in remote access to the SCADA system for 2-3 months before it was identified as a cyber attack,” Weiss wrote. “There was damage – the SCADA system was powered on and off, burning out a water pump.”

According to forensic evidence and a “Public Water District Cyber Intrusion” report, released by the Illinois Statewide Terrorism and Intelligence Center on November 10, ‘glitches’ that turned the SCADA system off and on had been noticed since September. Those glitches seem to have been the work of cyber spies and saboteurs. Weiss told Wired’s Threat Level, “One thing that is important to find out is whose SCADA system this is. If this is a [big software vendor], this could be so ugly, because a biggie would have not only systems in water utilities but a biggie could even be [used] in nukes.” He could find “no evidence of the information in reports distributed by the Department of Homeland Security’s Industrial Control System-Cyber Emergency Response Team or other government and industry security lists” and believes no U.S. water utilities were warned.

But there have been endless warnings coming out of DHS about attacks on critical infrastructure such as drinking water systems or chemical storage facilities or even potential destruction of dams. There seem to be countless Homeland-issued cybersecurity bulletins, warnings, and national infrastructure vulnerabilities awaiting exploitation. You are not paying attention if you believe the warnings of digital attacks meant to destroy equipment in real time in our physical world are not being issued, or if you believe the threats to industrial control systems (ICS) and the power grid are not real.

DHS spokesman Peter Boogaard said in a statement that DHS and FBI are “gathering facts” and “at this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

According to CNN, Sean McGurk, former director of the National Cybersecurity and Communications Integration Center, said, “This is just one of many events that occur almost on a weekly basis. While it may be nice to speculate that it was caused by a nation-state or actor, it may be the unintended consequence of maintenance.”

A hacker with the handle of ‘pr0f’ is unhappy with Homeland Security’s handling of the Illinois water utility hack. So in a pastebin post, ‘pr0f’ wrote, “This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F****D the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done. So, y’know. The city of South Houston has a really insecure system. Wanna see? I know ya do.” Then he posted links to images showing access to SCADA and South Houston’s water supply. “I’m not going to expose the details of the box,” ‘pr0f’ wrote. “No damage was done to any of the machinery; I don’t really like mindless vandalism. It’s stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn’t even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic [sic].”


Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.