In what must be every process engineer's post-Stuxnet nightmare
, a group of Chinese cybersoldiers, known by US security firms as the “Comment Crew” or “Shanghai Group," are trying to penetrate America's critical infrastructure, which has included hacking one company that enables remote monitoring of oil and gas pipelines, according to a New York Times
article by David Sanger, the reporter who originally broke the Stuxnet computer virus story.
These attacks have been traced back to a building on the outskirts of Shanghai, which is the headquarters of the People's Liberation Army (P.L.A.) Unit 61398. Digital evidence painstakingly detailed in a 60-page study
by Mandiant, an American computer security firm, and confirmed by American intelligence officials, leaves little doubt about the attackers' intentions. Along with at least 937 Command and Control servers hosted in 13 countries, the report posits a large and varied support staff:
(the cybersoldiers) would need to be directly supported by linguists, open source researchers, malware authors, industry experts who translate task requests from requestors to the operators, and people who then transmit stolen information to the requestors.
Mandiant estimates that the group's 130,663 square foot building can house as many as 2,000 people; the security company also obtained an internal memo from state-owned China Telecom discussing the installation of high-speed fiber-optic lines. (David Sanger interviews Kevin Mandia, founder of Mandiant
A digitally weaponized world
Although the report can't put the hackers in the building, it emphatically states that there is no other reason why so many attacks have come from such a small geographical area. Watch Mandiant forensically dissect an observed attack, referring to the attackers as the Advanced Persistent Threat (APT) group or APT1:
While past attacks focused on swiping terabytes of sensitive corporate data to gain a competitive edge for Chinese state corporations, the latest attacks – representing a serious escalation – have tried to gain the ability to manipulate American critical infrastructure: power grids and other utilities. And this all leads back to the digitally weaponized world of Stuxnet, SCADA infiltration, destroyed machinery and networks – in other words, literal warfare.
To date, the most serious attack was the penetration of Telvent, a company owned by Schneider Electric, which designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches, and security systems. The probable goal: Telvent's blueprints of more than half of all the oil and gas pipelines in North and South America, and access to their systems. Revealed by Sanger:
In September, Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems.
Digital Bond, a small security firm that specializes in industrial-control computers, also reported that the same group had unsuccessfully attacked it last June.
The never-ending threat
“This is terrifying because — forget about the country — if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent,“ Digital Bond's founder Dale Peterson
told David Sanger. “It’s the holy grail.”
This threat has escalated to the point where President Obama shared his concern in the State
of the Union speech, without ever mentioning China or other hacker groups: “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing.”
Obviously, no one has suggested that the Chinese are on the verge of disrupting oil and gas supplies or shutting down the electrical grid, but this type of aggressive reconnaissance – preparing the field of battle – so to speak, means many plants will have to more rigorously patch security flaws to counter this never-ending threat, as a sense of reconstituted Cold-War dread spikes for anyone monitoring the reliability of the nation's infrastructure.