Chinese hackers linked to breach of control systems used in electric grids

How to protect your critical infrastructure

Attackers breached Telvent’s network, the company has informed its customers in a letter. Telvent is the maker of an industrial control system that remotely controls smart grid networks used in portions of the electric grid.

Telvent told its customers that on Sept. 10, it learned that hackers had breached its internal firewall and security systems, implanted malicious software, and stolen project files.

According to KrebsOnSecurity, which first reported the breach, the project files concerned Telvent’s OASyS SCADA product, which offers energy firms a bridge between older technology and advanced smart grid technologies.

Telvent, which is owned by Schneider Electric, told customers that the attack spans operations in the US, Canada and Spain.

Experts detected digital fingerprints implicating a Chinese hacking group that has been tied to cyber-espionage campaigns against Western interests.

KrebsOnSecurity cited Joe Stewart, director of malware research at Dell SecureWorks, who said that website and malware names mentioned in a more recent letter from Telvent can be traced to a Chinese hacking team known as the “Comment Group.”

The group has been under investigation by US intelligence for years.

Researchers told Bloomberg that during two months of monitoring last year, targeted companies spanned a vast scale as data “bled from one victim to the next”:

...from oilfield services leader Halliburton Co. (HAL) to Washington law firm Wiley Rein LLP; from a Canadian magistrate involved in a sensitive China extradition case to Kolkata-based tobacco and technology conglomerate ITC Ltd. (ITC)

A loose-knit group of some 30 North American private security researchers tracking the group have called the Comment Group one of the biggest and busiest hacking groups in China.

Bloomberg quoted Shawn Henry, former executive assistant director of the FBI in charge of the agency’s cyber division, who said that typical cybersecurity headlines about data breaches scarcely hint at the scope of the group’s activities:

What the general public hears about — stolen credit card numbers, somebody hacked LinkedIn (LNKD) — that’s the tip of the iceberg, the unclassified stuff. … I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.

Evidence indicates that at least 20 organizations have been harvested for data, many of whose secrets could give China a leg up on its path to becoming the world’s largest economy.

Bloomberg cited unnamed security experts who said that major oil companies have lost seismic maps charting oil reserves, that patent law firms have been squeezed for clients’ trade secrets, and that investment banks have been targeted for market analysis of the global ventures of state-owned companies.

Telvent said that investigations are still under way, but it’s taken the precaution of severing data links between clients and the affected portions of its internal networks.

The company also said that it hasn’t yet found evidence that the attackers had been able to compromise customers’ systems:

Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.

Telvent gave me this statement:

Telvent is aware of a security breach of its corporate network that has affected some customer files. Customers have been informed and are taking recommended actions, with the support of Telvent teams. Telvent is actively working with law enforcement, security specialists and its affected customers to ensure the breach has been contained.

Meanwhile, the Obama administration and Congress have grown increasingly vocal about Chinese and Russian cyber espionage and attacks, with the White House close to completing the first draft of a cybersecurity executive order designed to bring about stronger cybersecurity around the nation’s water, electrical and transportation systems.

It’s a reasonable thing to call for stronger protection around vital infrastructure.

But as Reuters pointed out in a recent report on what one top US cybersecurity official called “reckless” cyber behavior from nation states, the US’s right to complain about other nations’ cyber warfare might be questionable, given what is by now a widespread belief that the US and Israel were behind Stuxnet.
