(Reuters) – A sophisticated hacking group recently attacked a U.S. public utility and compromised its control system network, but there was no evidence that the utility’s operations were affected, according to the Department of Homeland Security.
DHS did not identify the utility in a report that was issued this week by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.
Such cyber attacks are rarely disclosed by ICS-CERT, which typically keeps details about its investigations secret to encourage businesses to share information with the government. Companies are often reluctant to go public about attacks to avoid potentially negative publicity.
ICS-CERT said in the report posted on its website that investigators had determined the utility had likely been the victim of previous intrusions. It did not elaborate.
The agency said the hackers may have launched the latest attack through an Internet portal that enabled workers to access the utility’s control systems. It said the system used a simple password mechanism that could be compromised using a technique known as “brute forcing,” where hackers digitally force their way in by trying various password combinations.
Justin W. Clarke, an industrial control security consultant with security firm Cylance Inc, said it is rare for such breaches to be identified by utilities and even more rare for the government to disclose them.
“In most cases, systems that are so antiquated to be susceptible to such brute forcing technologies would not have the detailed logging required to aid in an investigation like this,” Clarke said.
Full article: U.S. utility’s control system was hacked, says Homeland Security (Reuters)