FBI Memo Shows Hackers Accessed Commercial HVAC Systems
Just released in December by Public Intelligence, a July 23, 2012 FBI.gov memo, which the FBI confirms is factual, says that cyber intruders took advantage of weak credentialing in an industrial control system (ICS) to gain control of a New Jersey air conditioning company’s heating, ventilation and air conditioning units.
According to the FBI memo, an unidentified New Jersey-based air conditioning company (referred to as US Business 1) had installed a version of the Tridium Niagara framework when intruders accessed its ICS from unauthorized IP addresses in February and March. A week earlier, someone using the handle “@ntisec” had posted on “a known U.S. website” that hackers were targeting SCADA systems to draw more attention to their vulnerabilities.
“The user of the ‘@ntisec’ moniker searched Google, and the website www.shodanhq.com, for the term “:(unknown character) slot:/” and “#TRIDIUM / #NIAGARA vector,” according to the memo. “The posting by ‘@ntisec’ included a list of URLs, one of which was an IP address that resolved to US Business 1, and was assigned to its office building’s HVAC control system.
“The main control box for the HVAC system of US Business 1 was a Tridium brand, Niagara model controller. US Business 1 actively used this system in-house, but also installed the control system for customers, which included banking institutions and other commercial entities. An IT contractor of US Business 1 confirmed the Niagara control box was directly connected to the Internet with no interposing firewall.”
The company had set up a password-protected controller for the system for remote access over the Internet. This allowed someone to use the published backdoor to access the control system as an administrator. Logs show the unauthorized access began on Feb. 3, only days after the hacktivist’s postings had begun.
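The memo’s two observable facts are that the logins came from unauthorized IP addresses and that the logs recorded when they started. The following is an added example, not code from the FBI memo or from Tridium, of the check a defender would run over a controller’s login log: a source-IP allow-list, fail-closed handling of unparseable addresses, and a tally of failed attempts per source that surfaces password guessing against weak credentials. The log format, the field names, the allow-list ranges and the log lines themselves are all constructed for the example.

```python
"""Flag controller logins from sources outside an allow-list.

Added example (not from the FBI memo or Tridium). The log format, field
names and allow-list are assumptions; SAMPLE_LOG below is constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed allow-list: the integrator's office range and one VPN address.
# Any other source reaching the controller's admin interface is suspect.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),  # assumed office range
    ipaddress.ip_network("203.0.113.8/32"),   # assumed VPN concentrator
]


@dataclass
class LoginEvent:
    timestamp: str
    src_ip: str
    user: str
    role: str
    result: str  # "ok" or "fail"


def parse_line(line):
    """Parse one assumed-format line:
    '<ts> login src=<ip> user=<name> role=<role> result=<ok|fail>'.
    Returns None for lines that are not login records."""
    parts = line.split()
    if len(parts) < 6 or parts[1] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        return LoginEvent(parts[0], fields["src"], fields["user"],
                          fields["role"], fields["result"])
    except KeyError:
        return None


def is_allowed(ip):
    """True only if ip parses and falls inside an allow-listed network.
    A malformed address fails closed (treated as not allowed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_unauthorized_admin_logins(lines):
    """Successful admin logins from sources outside the allow-list, in log order."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.result == "ok" and ev.role == "admin" and not is_allowed(ev.src_ip):
            hits.append(ev)
    return hits


def first_unauthorized_login(lines):
    """Timestamp at which the unauthorized admin access began, or None."""
    hits = find_unauthorized_admin_logins(lines)
    return hits[0].timestamp if hits else None


def failed_attempts_by_ip(lines):
    """Failed logins per source IP; repeated failures followed by a success
    from the same source is the signature of a guessed weak password."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.result == "fail":
            counts[ev.src_ip] += 1
    return dict(counts)


# Constructed sample log: one legitimate admin, a guessed password from an
# outside address, a VPN operator, a junk line and a malformed source.
SAMPLE_LOG = [
    "2012-02-01T09:12:03Z login src=198.51.100.17 user=tech1 role=admin result=ok",
    "2012-02-02T22:40:11Z login src=192.0.2.45 user=admin role=admin result=fail",
    "2012-02-02T22:40:19Z login src=192.0.2.45 user=admin role=admin result=fail",
    "2012-02-03T01:15:42Z login src=192.0.2.45 user=admin role=admin result=ok",
    "2012-02-03T08:02:00Z login src=203.0.113.8 user=tech2 role=operator result=ok",
    "2012-02-04T03:30:55Z login src=192.0.2.45 user=admin role=admin result=ok",
    "garbage line that should be ignored",
    "2012-02-05T11:00:00Z login src=not-an-ip user=admin role=admin result=ok",
]

if __name__ == "__main__":
    for ev in find_unauthorized_admin_logins(SAMPLE_LOG):
        print(f"{ev.timestamp} admin login from {ev.src_ip} (outside allow-list)")
    print("first unauthorized access:", first_unauthorized_login(SAMPLE_LOG))
    print("failed attempts by source:", failed_attempts_by_ip(SAMPLE_LOG))
```

The allow-list is the compensating control the memo says was missing: with the controller exposed directly to the Internet and no firewall in front of it, the login log is the only place an outside source address shows up at all, so the check has to run there. Treating an address that does not parse as not allowed keeps a corrupted or spoofed log field from hiding an event.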
In July, the Department of Homeland Security issued a CERT alert describing how Niagara AX systems could be compromised by downloading a file containing user credentials from the server and decrypting it. At that time, more than 300,000 companies, including those in energy management, telecommunications and security automation, had the Niagara AX Framework installed.
Welcome to the growing world of SCADA attacks, as we predicted. While one might expect power grid infrastructure or transportation ICS to be the real targets of cyber terrorism and cyber warfare, it may be that cranking the A/C up or down is just a prelude to what is to come.
(Sources: CDM, Public Intelligence and FBI.gov)