The Public Eye with Eric Chabrow

Is China after More than IP? Study: Most Attacks against Industrial Systems Start in China
Is China after More than IP?

Think about the cyberthreat from China. Its main goal is to attack information systems to steal government and military secrets as well as intellectual property from Western corporations.

Conventional thinking goes that China isn't interested in disabling industrial control systems, say, to bring down a power plant in the United States. After all, being so heavily invested in America's and other Western economies, such acts would go against China's own economic interests.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

Chinese hackers often come back to try additional exploitations if the prior attempts failed. 

That's why a finding from a Trend Micro study can give one pause: The information security provider finds that China by far leads all other nations as the place where attacks originate against industrial control and SCADA (supervisory control and data acquisition) systems.

When American governmental leaders speak about the consequences of cyberattacks originating from China, they generally refer to intellectual-property theft, not disruptions to the nation's critical infrastructure [see U.S. Asks China to Probe, Stop Cyber-Intrusions]. Just last week, in a phone conversation with China's new President Xi Jinping, President Obama raised concerns about the pilfering of U.S. intellectual property through cyberattacks [see Obama Raises IP Theft with New China Leader].

Honeypot Traps Employed

Nothing in the Trend Micro study says China seeks to disrupt the American economy through attacking industrial control systems. What Trend Micro threat researcher Kyle Wilhoit did was to create honeypot traps that mimic vulnerabilities found on industrial control systems and SCADA devices. And, as he reveals in a blog, 35 percent of the attacks he recorded originated in China; the U.S. was a distant second at 19 percent, followed by Laos at 12 percent [see chart below].

(Blog continues after the chart.)



Except for Laos, China had the most repeat offenders, often returning not only to exploit the same vulnerabilities, but to try additional exploitations if the prior attempts failed. Wilhoit explains that the repeated acts show that these particular actors were likely interested in gaining access to the devices or causing further damage or exploitation, adding that he expects these types of attacks to increase "with possible far reaching consequences."

In its report, Trend Micro contends industrial systems can be defended from such attacks, and offers 20 recommendations. The No. 1 recommendation: "Disable Internet access to your trusted resources, where possible."

True, removing key systems from the Internet could prevent the attacks Wilhoit describes, but creating an island of such systems is not necessarily easy to accomplish. Besides, as the Iranians learned when their nuclear centrifuges were disabled by the computer worm Stuxnet, not being connected to the Internet doesn't mean one is safe from outside exploits.



About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network