A company that supplies remote administration and monitoring tools to the energy sector has warned customers it was the victim of a sophisticated advanced persistent threat.
Telvent Canada discovered on Sept. 10 that its internal firewall and security systems had been breached and notified its customers of the incident last week, Brian Krebs, the security expert behind KrebsonSecurity.com, first reported on Wednesday. It is not clear when the initial breach occurred, and the incident itself was still under investigation. Telvent had disconnected the clients and affected portions of its internal networks as a precautionary measure, according to the report.
“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company wrote in that letter, according to Krebs.
"Telvent is aware of a security breach of its corporate network that has affected some customer files," Telvent said in a statement sent via email to SecurityWeek. "Customers have been informed and are taking recommended actions, with support of Telvent teams. Telvent is actively working with law enforcement, security specialists and its affected customers to ensure the breach has been contained."
"Every energy company in the Fortune 100 relies on our systems and information to manage their business, even in the most complex and volatile market conditions," Telvent claims on its Web site. "Telvent systems now manage more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines," they add.
The likely culprit appears to be a Chinese hacking group. The malware names and network components, such as the domain names used in the attack, have been used in the past by a Chinese cyber-group called the "Comment Group," Dell SecureWorks told Krebs.
Comment Group is a well-known attack group that has targeted a wide range of organizations over the past few years, Alex Cox, a senior researcher at RSA NetWitness, told SecurityWeek. Based on the malware and domain names used, Cox agreed with Dell SecureWorks that the group was somehow involved.
The Comment Group has targeted a variety of organizations, including chemical and electric companies as well as other industrial sectors. It is possible that the group is contracting out their attack capabilities, and the entity hiring the group is the one deciding what organizations to hit, Cox said.
The evidence is circumstantial, and "would not hold up in the court of law," Anup Ghosh, chief scientist at Invincea, told SecurityWeek. Even if the Comment Group was responsible, it is not clear that the Chinese government had any involvement.
Figuring out who is behind an attack is a tremendous challenge, and researchers often look for patterns of attack, commonalities in the command-and-control infrastructure, and the tools used to figure out whether the attack looks like something they've seen before, Ghosh said. There is evidence linking the attack to the Chinese group, but it's important to remember that anyone can use those same tools, Ghosh said.
After breaching the network and installing malware, the attackers stole project files related to the OASyS SCADA product, a remote administration tool, Telvent said. OASyS allows companies to combine older IT equipment with modern "smart grid" technologies.
It's possible the attackers wanted the code in order to find vulnerabilities in the software to launch future attacks against other energy companies directly, Ghosh said.
One would think the remote administration tool has some kind of authentication built-in to prevent random visitors from being able to access the SCADA equipment, Ghosh speculated. The attackers may be looking for a way to exploit a vulnerability to bypass the authentication so that they can get inside the energy infrastructure.
It's reminiscent of how attackers targeted RSA Security and stole information relating to the SecurID technology in order to launch attacks against defense contractors, Ghosh said.
However, Telvent said it did “not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system."
The energy sector and organizations with SCADA systems are highly vulnerable to sophisticated attacks, Ghosh said. Ever since Stuxnet infected SCADA systems and damaged centrifuges in Iran's nuclear facility, SCADA-based attacks have increased.
"When we launched Stuxnet, we established precedent by going after SCADA systems," Ghosh said, adding, "We shouldn't be surprised that other nation states are going after our energy sectors."
In addition to its deep involvement in the energy sector, Telvent claims its "intelligent transportation systems" control traffic at 9,000 intersections used by 195 million drivers per day, and that 2.5 billion passengers per year use train and metro networks managed by the company.
[Updated at 4:35PM ET with statement from Telvent]