Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Telvent Hit by Sophisticated Cyber-Attack, SCADA Admin Tool Compromised

A company that supplies remote administration and monitoring tools to the energy sector has warned customers it was a victim of sophisticated advanced persistent threat.

A company that supplies remote administration and monitoring tools to the energy sector has warned customers it was a victim of sophisticated advanced persistent threat.

Telvent Canada discovered on Sept. 10 its internal firewall and security systems had been breached and notified its customers of the incident last week, Brian Krebs, the security expert behind KrebsonSecurity.com, first reported on Wednesday. It’s not clear when the initial breach occurred, and the incident itself was still under investigation. Televent had disconnected the clients and affected portions of its internal networks as a precautionary measure, according to the report.

Telvent Hacked in Cyber Attack“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company wrote in that letter, according to Krebs.

“Telvent is aware of a security breach of its corporate network that has affected some customer files,” Telvent said in a statement sent via email to SecurityWeek. “Customers have been informed and are taking recommended actions, with support of Telvent teams. Telvent is actively working with law enforcement, security specialists and its affected customers to ensure the breach has been contained.”

“Every energy company in the Fortune 100 relies on our systems and information to manage their business, even in the most complex and volatile market conditions,” Telvent claims on its Web site. “Telvent systems now manage more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines,” they add.

The likely culprit appears to be a Chinese hacking group. The malware names and network components, such as the domain names used in the attack, have been used in the past by a Chinese cyber-group called the “Comment Group,” Dell SecureWorks told Krebs.

Comment Group is a well-known attack group which has targeted a wide range of organizations over the past few years, Alex Cox, a senior researcher at RSA NetWitness, told SecurityWeek. Based on the malware and domain names used, Cox agreed with Dell SecureWorks the group was somehow involved.

The Comment Group has targeted a variety of organizations, including chemical and electric companies as well as other industrial sectors. It is possible that the group is contracting out their attack capabilities, and the entity hiring the group is the one deciding what organizations to hit, Cox said.

Power Grid Security

The evidence is circumstantial, and “would not hold up in the court of law,” Anup Ghosh, chief scientist at Invincea, told SecurityWeek. Even if the Comment Group was responsible, it is not clear that the Chinese government had any involvement.

Advertisement. Scroll to continue reading.

Figuring out who is behind an attack is a tremendous challenge, and researchers often look for patterns of attack, commonalities in the controls used, and the tools used to figure out whether the attack looks like something they’ve seen before, Ghosh said. There is a evidence linking the attack to the Chinese group, but it’s important to remember that anyone can use those same tools, Ghosh said.

After breaching the network and installing malware, the attackers stole project files related to the OASyS SCADA product, a remote administration tool, Telvent said. OASyS allows companies to combine older IT equipment with modern “smart grid” technologies.

It’s possible the attackers wanted the code in order to find vulnerabilities in the software to launch future attacks against other energy companies directly, Ghosh said.

One would think the remote administration tool has some kind of authentication built-in to prevent random visitors from being able to access the SCADA equipment, Ghosh speculated. The attackers may be looking for a way to exploit a vulnerability to bypass the authentication so that they can get inside the energy infrastructure.

It’s reminiscent of how it turned out attackers targeted RSA Security and stole information relating to the SecureID technology in order to launch attacks against defense contractors, Ghosh said.

However, Telvent said it did “not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system.”

The energy sector and organizations with SCADA systems are highly vulnerable to sophisticated attacks, Ghosh said. Ever since Stuxnet infected SCADA systems and damaged centrifuges in Iran’s nuclear facility, SCADA-based attacks have increased.

“When we launched Stuxnet, we established precedent by going after SCADA systems,” Ghosh said, adding, “We shouldn’t be surprised that other nation states are going after our energy sectors,” Ghosh said.

In addition to deep involvement in the energy sector, Telvent claims their “intelligent transportation systems” control traffic at 9,000 intersections used by 195 million drivers per day, and 2.5 billion passengers per year use train and metro networks manged by the company.

[Updated at 4:35PM ET with statment from Telvent]

Related News: New FERC Office Will Focus on Cyber Security   

Related InsightMaking The Smart Grid Smarter than Cyber Attackers

Related Insight: Smart Power Grids a Prime Target in Cyber Warfare

Related Insight: The Increasing Importance of Securing The Smart Grid

Related ReadingFun and Games Hacking German Smart Meters

Related ReadingSmart Meters Vulnerable to False Data Injection

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...