Security firm Trend Micro has duped hackers into attacking fake industrial control systems (ICS), collecting invaluable data on their attack methods and goals and revealing surprising insights on the UK's hacking scene.
The research was revealed at Blackhat Europe 2013 in Amsterdam on Friday and is the result of a collaborative project between Trend Micro and Scada security researcher Kyle Wilhoit.
The scam worked by enticing hackers to attack fake honeypot architectures developed by Wilhoit. The honeypots directly mimicked the ICS/Scada devices used in many critical infrastructure power and water plants.
"When the honeypots were launched, we seeded the devices in several fashions. First, we optimised the sites for searches and published them on Google to make sure they garnered attention. In addition to seeding on Google, we also named the servers 'Scada-1', 'Scada-2', and so on," explained Kyle Wilhoit.
"We also made sure that the other honeypot settings would be seeded on devices that were part of HD Moore's Shodan Project. This would enable motivated and targeted attackers to easily find the servers. It took only 18 hours to find the first signs of attack on one of the honeypots.
"While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing."
The systems are similar to those targeted by the infamous Flame and Stuxnet malware.
Stuxnet is a cyber sabotage tool discovered targeting Iranian nuclear power plants in 2011. Flame is a cyber snooping tool caught spying on Iranian government and critical infrastructure systems in 2012.
Trend Micro reported detecting 39 attacks on the Honeypots from 11 different countries during the 28 days they were active.
The firm said 12 of the attacks were targeted and that 13 of them were repeated several times by the same actor, indicating they could have been automated.
Trend Micro reported that the majority of the attacks stemmed from China, the US and Lao.
"All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same /27 netblock. In sum, China accounted for the majority of the attack attempts at 35 percent, followed by the US at 19 percent and Lao at 12 percent," wrote Wilhoit.
The UK and Russia were the fourth and fifth worst offenders, responsible for eight percent and six percent of the attacks respectively.
Despite being responsible for most of the attacks, China was the least aggressive country, with its attacks being designed for espionage and data collection.
The US, UK and Lao-based attacks all made attempts to sabotage the systems, either by altering the sites or by changing physical controls in the fake plants. The Russian attacks took a different tactic, attempting to infect the systems with malware.
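The findings above rest on three kinds of analysis of honeypot logs: correlating each attack with a preceding port scan from the same IP or /27 netblock, spotting the same actor repeating the same action (a sign of automation), and breaking attack attempts down by source country. The following is an added example of that analysis written for this page; it is not Trend Micro's or Wilhoit's code, and the log lines, the IP-to-country mapping, the event names and the 24-hour scan window are all constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample honeypot log lines (not Trend Micro's data):
# timestamp, source IP, event name. Documentation ranges are used for the IPs.
SAMPLE_LOG = """\
2013-03-01T02:10:00 203.0.113.5 portscan
2013-03-01T02:15:30 203.0.113.9 modbus_write
2013-03-01T04:00:00 198.51.100.20 portscan
2013-03-01T04:05:00 198.51.100.20 http_login_attempt
2013-03-01T06:00:00 192.0.2.77 http_login_attempt
2013-03-02T04:05:00 198.51.100.20 http_login_attempt
2013-03-03T04:05:00 198.51.100.20 http_login_attempt
"""

# Constructed IP-to-country mapping standing in for a GeoIP lookup.
SAMPLE_GEO = {"203.0.113.9": "CN", "198.51.100.20": "US", "192.0.2.77": "UK"}

SCAN_EVENT = "portscan"      # assumed event name for a port scan
SCAN_WINDOW_HOURS = 24       # assumed: a scan "prefaces" an attack within this window


def parse_log(text):
    """Parse the constructed log format into (datetime, ip_address, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event = line.split()
        events.append((datetime.fromisoformat(ts), ipaddress.ip_address(ip), event))
    return events


def netblock(ip, prefix=27):
    """Return the /27 network containing ip, so neighbouring scan and attack hosts group together."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def attacks_prefaced_by_scan(events):
    """Return attack events whose source /27 scanned the honeypot within the preceding window."""
    last_scan = {}  # netblock -> timestamp of the most recent scan from that block
    prefaced = []
    for ts, ip, event in sorted(events):
        block = netblock(ip)
        if event == SCAN_EVENT:
            last_scan[block] = ts
            continue
        scan_ts = last_scan.get(block)
        if scan_ts is not None and (ts - scan_ts).total_seconds() <= SCAN_WINDOW_HOURS * 3600:
            prefaced.append((ts, ip, event))
    return prefaced


def repeated_attacks(events, min_repeats=3):
    """Flag (source IP, event) pairs seen min_repeats or more times: one actor repeating
    the same action, which the article treats as a hint of automation."""
    counts = Counter((str(ip), event) for _, ip, event in events if event != SCAN_EVENT)
    return {key: n for key, n in counts.items() if n >= min_repeats}


def share_by_country(events, geo):
    """Percentage of non-scan attack events per source country (rounded to whole percent)."""
    attack_ips = [str(ip) for _, ip, event in events if event != SCAN_EVENT]
    counts = Counter(geo.get(ip, "unknown") for ip in attack_ips)
    total = sum(counts.values())
    return {country: round(100 * n / total) for country, n in counts.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("attacks prefaced by a scan:", attacks_prefaced_by_scan(evs))
    print("repeated actor/action pairs:", repeated_attacks(evs))
    print("share by country:", share_by_country(evs, SAMPLE_GEO))
```

Grouping by /27 rather than exact IP is what lets a scan from one host and a follow-on attack from a neighbouring host in the same block be tied together; the window length and the repeat threshold are tuning knobs that an operator would set from their own baseline.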
Trend Micro chief technology officer Raimund Genes said that the research proves more must be done to protect critical infrastructure systems.
"It shows that attackers have enough knowledge to analyse and affect industrial control devices infrastructures," said Genes.
"This is a wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the Internet/Open Networks.
"The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard."
Genes' warnings echo those of other security vendors during the London 2012 Cybergeddon press event.
During the event experts from The Jericho Forum and Blue Coat Systems warned that governments had made themselves foolishly vulnerable to attack when they took critical infrastructure Scada systems online.