BOSTON, May 20 - A sophisticated hacking group
recently attacked a U.S. public utility and compromised its
control system network, but there was no evidence that the
utility's operations were affected, according to the Department
of Homeland Security.
DHS did not identify the utility in a report that was issued
this week by the agency's Industrial Control Systems Cyber
Emergency Response Team, or ICS-CERT.
"While unauthorized access was identified, ICS-CERT was able
to work with the affected entity to put in place mitigation
strategies and ensure the security of their control systems
before there was any impact to operations," a DHS official told
Reuters on Tuesday.
Such cyber attacks are rarely disclosed by ICS-CERT, which
typically keeps details about its investigations secret to
encourage businesses to share information with the government.
Companies are often reluctant to go public about attacks to
avoid potentially negative publicity.
ICS-CERT said in the report posted on its website that
investigators had determined the utility had likely been the
victim of previous intrusions. It did not elaborate.
The agency said the hackers may have launched the latest
attack through an Internet portal that enabled workers to access
the utility's control systems. It said the system used a simple
password mechanism that could be compromised using a technique
known as "brute forcing," where hackers digitally force their
way in by trying various password combinations.
Justin W. Clarke, an industrial control security consultant
with security firm Cylance Inc, said it is rare for such
breaches to be identified by utilities and even more rare for
the government to disclose them.
"In most cases, systems that are so antiquated to be
susceptible to such brute forcing technologies would not have
the detailed logging required to aid in an investigation like
this," Clarke said.
DHS also reported another hacking incident involving a
control system server connected to "a mechanical device." The
agency provided few details about that case, except to say the
attacker had access over an extended period of time, though no
attempts were made to manipulate the system.
"Internet facing devices have become a serious concern over
the past few years," the agency said in the report.
Last year ICS-CERT responded to 256 cyber incident reports,
more than half of them in the energy sector. While that is
nearly double the agency's 2012 case load, there was not a
single incident that caused a major disruption.
Those incidents include hacking into systems through
Internet portals exposed over the Web, injecting malicious
software through thumb drives, and exploitation of software
vulnerabilities.
(Reporting by Jim Finkle; Editing by Tiffany Wu)