If you build it, they will come. And attack.
Earlier this year, I was brainstorming with Greg Martin, the founder and chief technical officer of ThreatStream, a Google Ventures-backed security startup, about finding a way to show the global nature of attacks against industrial-control systems used in electrical grids, water systems and manufacturing plants. For obvious reasons, attacks against critical infrastructure are among the biggest concerns in cyber-security.
Industrial networks are already under daily assault by hackers, and that threat is only growing as more countries develop advanced cyber-war capabilities. Few have been as thoroughly revealed to the public as the United States' through the disclosures of former National Security Agency contractor Edward Snowden.
Martin and I decided on setting up an online decoy known as a honeypot, which was made to look like an enticing industrial-control computer to hackers. It's designed to attract attacks so they can be traced and studied.
The graphic below shows which countries were the apparent source of the majority of attacks.
The fake control systems were made to look like they were located in the U.S., the U.K., Amsterdam, Brazil, Tokyo and Singapore. We wanted a variety of locations to show that systems everywhere are under attack. Over a three-month period ending last week, the U.S. was by far the biggest source of attack traffic (more than 6,000 attacks), followed by China (more than 3,500), Russia (more than 2,500), the Netherlands and France.
The presence of countries such as the Netherlands and France isn't surprising because they are home to well-known hacking efforts, both commercial and state-sponsored, Martin said.
One challenge with a study like this, and a challenge of defending networks in general, is that hackers often route their traffic through infected personal computers called "bots," or proxies, which disguise their true location. So, some of the computers were likely used without their owners' knowledge, with the hackers residing in other countries.
That said, the data largely reflect reconnaissance missions, in which hackers often use less obfuscation, Martin said. These probes to learn about networks don't set off the same alarms that attempts to break into the targets do, so reconnaissance data can reveal many true IP addresses and countries of origin. Nation-states also sometimes launch attacks from bots within their own borders because the government controls the Internet providers, he said. More than anything, the experiment shows that the U.S. is the conduit for a lot of the world's attack traffic, even if it's not the source of all of it. And a lot of other countries have their hands in the honeypot as well, as nation-states and private firms race to find the latest vulnerabilities in critical infrastructure.
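An added example, not part of the article or of ThreatStream's tooling: a short Python script that tallies constructed honeypot events per apparent source country and keeps the reconnaissance count separate from intrusion attempts, since the text notes that recon traffic attributes more reliably than break-in attempts routed through bots or proxies. The log format and event-type names are assumptions.

```python
from collections import Counter

# Constructed honeypot event log (not real data): timestamp, geolocated
# source country, event type. The country is where the packets came from,
# which for proxied traffic is the bot or proxy, not the operator.
SAMPLE_EVENTS = """\
2014-07-01T03:12:09Z US port_scan
2014-07-01T03:12:11Z US banner_grab
2014-07-01T04:40:02Z CN register_read
2014-07-01T04:41:57Z CN login_attempt
2014-07-01T05:02:33Z RU port_scan
2014-07-01T05:03:10Z RU register_write
2014-07-01T06:15:45Z NL banner_grab
2014-07-01T07:20:01Z FR login_attempt
2014-07-01T07:21:40Z US register_write
"""

# Recon probes learn about the target; intrusion events try to change it.
RECON = {"port_scan", "banner_grab", "register_read"}
INTRUSION = {"login_attempt", "register_write"}

def parse_events(text):
    """Return (timestamp, country, kind) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in RECON | INTRUSION:
            continue  # ignore garbage rather than crash the report
        events.append(tuple(parts))
    return events

def summarize(events):
    """Per-country counts of recon, intrusion and total events."""
    recon, intrusion = Counter(), Counter()
    for _, country, kind in events:
        (recon if kind in RECON else intrusion)[country] += 1
    return {c: {"recon": recon[c], "intrusion": intrusion[c],
                "total": recon[c] + intrusion[c]}
            for c in set(recon) | set(intrusion)}

def ranked(summary, key="total"):
    """Countries ordered by the chosen count, highest first; ties by name."""
    return sorted(summary, key=lambda c: (-summary[c][key], c))

if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_EVENTS))
    for c in ranked(s):
        print(c, s[c])
```

Ranking by the `recon` key alone gives the less-obfuscated view the article describes; comparing it with the `total` ranking shows which countries' positions depend on intrusion traffic that may have been proxied.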
"It's not unlikely that some probes are from security companies and academia, but the dataset is large and diverse enough that it probably includes a large amount of military organizations, if not all of them (proxied or not)," Martin wrote in an e-mail.
The honeypot idea was inspired by work that Kyle Wilhoit, a threat researcher at the security firm FireEye, previously did, in which he replicated the network of a municipal water system that looked like it was in Ashburn, Virginia, population 44,000. The virtual utility was raided within weeks by what Wilhoit said he believes was a Chinese military hacking unit, which stole passwords, engineering PDFs and other data. A later version of the experiment saw hackers, most of them in China, override controls in fake water plants in Europe and Asia.