Setting out bait (a honeypot) and catching attackers "live" is a standard practice for gathering information about the adversary and rehearsing countermeasures. Experts from the antivirus company Trend Micro put a decoy online disguised as a municipal SCADA system for managing a water supply. The bait worked, and the catch was unusually bold: a group of Chinese hackers allegedly working for the government. Project lead Kyle Wilhoit described the results in a talk at the Black Hat hacker conference.
According to Wilhoit, the hackers caught in the act were the Chinese state group APT1, also known as the Comment Crew.
The bait paid off in December 2012, when an e-mail arrived carrying an infected Word file that ran an exploit, eventually giving the attacker full access to the SCADA system (the decoy). The type of malware used, the exploit itself and other characteristics are unique to the APT1 group.
"The group did not attack a water supply by accident while looking for some other target; it was a deliberate attack," says Kyle Wilhoit. "I saw the attacker's computer interface, and I am 100% sure they clearly understood what they were doing." To turn the tables on the attackers and triangulate their location, the researchers used the Browser Exploitation Framework (BeEF).
Naturally, APT1 was not the only group that fell for the bait. From March to June 2013 Wilhoit ran 12 honeypots in eight countries; during that time 74 attacks were recorded, 10 of which were skilled and persistent enough to take complete control of the affected system.
Cloud services were used to build a realistic web interface with a login form and equipment-configuration pages. Fictitious waterworks were set up in Ireland, Russia, Singapore, China, Japan, Australia, Brazil and the United States. If an attacker managed to log in, he saw the control panel and the monitoring system for the water-supply equipment.
The 74 recorded attacks came from 16 countries. Most of the "non-critical" attacks (67%) came from Russian addresses; half of the "critical" attacks came from China.
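The report's split between "critical" attacks (an intruder reaching control functions) and "non-critical" ones (scans and login attempts), aggregated by source country, is the kind of analysis a honeypot operator runs over the decoy's request log. The following is an added example, not Trend Micro's code: the decoy paths, the classification rule and the sample events are constructed assumptions.

```python
"""Classify and aggregate fake-SCADA honeypot interactions (added example)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical paths on the decoy web interface. A POST to one of these by an
# authenticated visitor means the intruder got past the login form and tried
# to change equipment settings, which is what the report calls "critical".
CONTROL_PATHS = ("/pump/setpoint", "/config/save", "/valve/actuate")

@dataclass(frozen=True)
class Event:
    src_ip: str
    country: str        # resolved beforehand, e.g. via a GeoIP lookup
    method: str
    path: str
    authenticated: bool  # did this request carry a valid decoy session?

def classify(ev: Event) -> str:
    """Critical: authenticated write to a control function.
    Non-critical: scans, login guessing, or merely viewing pages."""
    if ev.authenticated and ev.method == "POST" and ev.path in CONTROL_PATHS:
        return "critical"
    return "non-critical"

def summarize(events):
    """Count attacks by severity and, within each severity, by source country."""
    by_severity = Counter()
    by_country = {"critical": Counter(), "non-critical": Counter()}
    for ev in events:
        sev = classify(ev)
        by_severity[sev] += 1
        by_country[sev][ev.country] += 1
    return by_severity, by_country

# Constructed sample log; IPs are from RFC 5737 documentation ranges.
SAMPLE = [
    Event("198.51.100.7", "RU", "GET", "/login", False),
    Event("198.51.100.7", "RU", "POST", "/login", False),
    Event("203.0.113.44", "CN", "POST", "/login", True),
    Event("203.0.113.44", "CN", "POST", "/pump/setpoint", True),
    Event("192.0.2.19", "US", "GET", "/robots.txt", False),
    Event("203.0.113.9", "CN", "GET", "/config/save", True),  # viewed, not changed
]

if __name__ == "__main__":
    severity, per_country = summarize(SAMPLE)
    print(severity)
    print(per_country)
```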