Hacker honeypot shows even amateurs are going after ICS systems

Cybereason's honeypot shows that the hacker world is really, really interested in ICS.
Image: ics honeypot (Getty Images)

While stories of nation-state backed hackers threatening the U.S. power sector garner regular headlines, a new experiment highlights the risk of unintended consequences when less-skilled adversaries target the sector.

Researchers from Cybereason, a Boston-based company, set up a honeypot in mid-July that mimicked a utility substation’s network environment, drawing the attention of a determined attacker that repeatedly disabled the honeypot’s security system. The hackers’ attempts to be conspicuous, coupled with some sloppy work, told researchers that they were not part of any advanced persistent threat (APT) group that is linked with a nation-state.

“It’s not script kiddies, but I’m not convinced that it’s APT either,” said Ross Rustici, senior director of intelligence at Cybereason. “[That] is a red flag for me because they’re very focused, but they’re making mistakes.”

While the spotlight has been on nation-state threats to the energy grid, Rustici told CyberScoop, “one of the more concerning and less talked about things is the amateurs who get into these systems and then make a mistake” that could cause a disruption in a utility company’s operational network. Utilities plan for such disruptions through exercises and building resiliency into their systems.


In a recent webinar on a two-year-old alleged Russian government hacking campaign against the U.S. power sector, Department of Homeland Security official Jonathan Homer said the Russians had accessed an industrial control system (ICS) but had not caused any operational impact on the system. As Homer put it: “They’ve had access to the button but they haven’t pushed it.”

Chris Krebs, a top DHS official, last week emphasized that the hackers had limited impact, accessing controls at “a renewable source of energy that would not disrupt the grid.”

Rustici’s point is that less sophisticated hackers could slip up and “push the button,” hampering a control in a utility’s operations. While power plants’ critical systems are designed to safely shut down in the event of anomalous behavior, utility owners are still keen to prevent compromises to the technology that actually powers the grid. Studying the miscreants that show up in honeypots can help ICS operators strengthen their defenses.

Living off the land

The hackers drawn to Cybereason’s honeypot used common tools like PowerShell, an open-source scripting language, along with Microsoft’s Remote Desktop Protocol.


“The tools themselves don’t necessarily exhibit any level of specific sophistication,” Cybereason CISO Israel Barak told CyberScoop. “The playbook, though, is something that you do not expect to find within your run-of-the-mill type of hacker who is working alone or a botnet operator.”

In other words, the attackers were singularly focused on getting from the honeypot’s IT network to its operating environment, and showed a level of sophistication that the researchers said was rare for honeypots.

“From the moment they saw these assets, they focused specifically on trying to find a way to move towards the HMI [human machine interface] system and two controllers that were registered in the Active Directory,” Barak said.

Whoever the attackers are – Cybereason has not linked them to a known group – they found the honeypot by way of the black market. Within two days of the lure going online, someone had sold a tool for accessing the honeypot’s IT network on xDedic, a Russian-speaking underground forum.

Breaching the OT environment proved much more difficult — the hackers had come up short of that goal as of this writing. They moved from server to server, looking for a gateway into the tech that “powered” the honeypot. “With each new server that they’re moving into, they’re dropping a new backdoor, allowing themselves another way in,” Barak said.
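The hop-by-hop pattern Barak describes (an RDP session from one server to the next, with a new backdoor left on each) is something a defender can correlate from ordinary Windows telemetry. The Python below is an added example, not Cybereason’s code: it runs over constructed log events, and the host names, the list of OT assets and the service names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Event:
    ts: int          # seconds since start of capture (constructed)
    event_id: int    # Windows Security/System event ID
    host: str        # host that logged the event
    source: str      # source host/IP for logons, "" for other events
    detail: str      # logon type or installed service name


# Constructed sample telemetry, not taken from the honeypot in the article.
# 4624 with LogonType=10 is a RemoteInteractive (RDP) logon;
# 7045 is "a new service was installed", a common sign of persistence.
SAMPLE_EVENTS = [
    Event(10, 4624, "FS01", "10.0.1.55", "LogonType=10"),
    Event(40, 7045, "FS01", "", "ServiceName=updsvc"),
    Event(90, 4624, "APP02", "FS01", "LogonType=10"),
    Event(120, 7045, "APP02", "", "ServiceName=winmgr"),
    Event(200, 4624, "HMI01", "APP02", "LogonType=10"),
    Event(300, 4624, "DC01", "10.0.1.20", "LogonType=3"),  # network logon, ignored
]

# Assumed tags for the HMI and controllers registered in Active Directory.
OT_ASSETS = {"HMI01", "PLC-CTRL1", "PLC-CTRL2"}


def rdp_hop_chains(events, ot_assets, window=600):
    """Link each RDP logon to an earlier RDP logon into its source host (within
    `window` seconds) and report the path, which hops got a new service, and
    whether the chain reached an OT asset."""
    rdp = sorted((e for e in events
                  if e.event_id == 4624 and "LogonType=10" in e.detail),
                 key=lambda e: e.ts)
    persisted = {e.host for e in events if e.event_id == 7045}
    chains = []
    for e in rdp:
        for chain in chains:  # extend a chain whose latest host is this source
            if chain["hosts"][-1] == e.source and e.ts - chain["last_ts"] <= window:
                chain["hosts"].append(e.host)
                chain["last_ts"] = e.ts
                break
        else:
            chains.append({"hosts": [e.source, e.host], "last_ts": e.ts})
    findings = []
    for c in chains:
        hops = c["hosts"][1:]
        findings.append({"path": c["hosts"],
                         "backdoored_hops": [h for h in hops if h in persisted],
                         "reached_ot": any(h in ot_assets for h in hops)})
    return findings
```

A chain that both leaves persistence on every hop and ends on a tagged OT asset is the case worth paging on; a single RDP logon on its own is routine.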


As that probing for a foothold has continued, Cybereason researchers have looked to test the hackers’ capabilities by changing network configurations.

“The next step is to throw in some roadblocks, make them use customized tools if they have them, and really dig into those [tactics, techniques, and procedures] that they’re so far not revealing,” Rustici said.

Written by Sean Lyngaas