BOSTON (Reuters) – A sophisticated hacking group recently attacked a U.S. public utility and compromised its control system network, but there was no evidence that the utility’s operations were affected, according to the Department of Homeland Security.
DHS did not identify the utility in a report that was issued this week by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.
“While unauthorized access was identified, ICS-CERT was able to work with the affected entity to put in place mitigation strategies and ensure the security of their control systems before there was any impact to operations,” a DHS official told Reuters on Tuesday.
Such cyber attacks are rarely disclosed by ICS-CERT, which typically keeps details about its investigations secret to encourage businesses to share information with the government. Companies are often reluctant to go public about attacks to avoid potentially negative publicity.
ICS-CERT said in the report posted on its website that investigators had determined the utility had likely been the victim of previous intrusions. It did not elaborate.
The agency said the hackers may have launched the latest attack through an Internet portal that enabled workers to access the utility’s control systems. It said the system used a simple password mechanism that could be compromised using a technique known as “brute forcing,” where hackers digitally force their way in by trying various password combinations.
Justin W. Clarke, an industrial control security consultant with security firm Cylance Inc, said it is rare for such breaches to be identified by utilities and even more rare for the government to disclose them.
“In most cases, systems that are so antiquated to be susceptible to such brute forcing technologies would not have the detailed logging required to aid in an investigation like this,” Clarke said.
DHS also reported another hacking incident involving a control system server connected to “a mechanical device.” The agency provided few details about that case, except to say the attacker had access over an extended period of time, though no attempts were made to manipulate the system.
“Internet facing devices have become a serious concern over the past few years,” the agency said in the report.
Last year ICS-CERT responded to 256 cyber incident reports, more than half of them in the energy sector. While that is nearly double the agency’s 2012 case load, there was not a single incident that caused a major disruption.
Those incidents include hacking into systems through Internet portals exposed over the Web, injecting malicious software through thumb drives, and exploitation of software vulnerabilities.