FBI says hackers hit key services in three US cities


The infrastructure systems of three US cities have been attacked, according to the Federal Bureau of Investigation.

At a recent cybersecurity conference, Michael Welch, deputy assistant director of the FBI's cyber division, said hackers had accessed crucial water and power services.

The hackers could theoretically have dumped sewage into a lake or shut off the power to a shopping mall, he said.

Industrial control systems are becoming an increasing target for hackers.

'Ego trip'

"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city," Mr Welch told delegates at the Flemings Cyber Security conference.

"Essentially it was an ego trip for the hacker because he had control of that city's system and he could dump raw sewage into the lake, he could shut down the power plant at the mall - a wide array of things," he added.

Such systems - commonly known as Supervisory Control and Data Acquisition (Scada) - are increasingly being targeted by hackers, following reports that they rely on weak security.

It follows two alleged break-ins to city water supplies. The first, to a water supply in Springfield, Illinois, was later played down by the FBI which said it could find no evidence of cyber-intrusion.

Initially it had thought a hardware fault was caused by Russian hackers but it later emerged that this was not the case.

In another attack a hacker named pr0f claimed to have broken into a control system that kept water supplied to a town in Texas.

The hacker said the system had only been protected by a three-character password which "required almost no skill" to get around.

Mr Welch did not confirm whether this breach was one of the three he was talking about.

Default passwords

Security experts predict there will be a rise in such attacks.

"Such systems have become a target partly because of all the chatter about the lack of security. Hackers are doing it out of curiosity to see how poorly they are protected," said Graham Cluley, senior security consultant at Sophos.

He said that many relied on default passwords, and information about some of these passwords was "available for download online".

Furthermore, the firms that run Scada systems, such as Siemens, often advise against changing passwords because they claim the threat from malware is not as great as the problem that will be caused if passwords are changed.

"Not changing passwords is obviously slightly crazy. Proper security needs to be in place otherwise it is laughable," said Mr Cluley.

24-hour surveillance

Industrial-scale hacking hit the headlines in 2010 with news of a worm aimed at Iran's nuclear facilities. Stuxnet was widely rumoured to have been developed by either the US or Israeli authorities and, according to experts, was configured to damage motors used in uranium-enrichment centrifuges by sending them spinning out of control.

Iran later admitted that some of its centrifuges had been sabotaged although it downplayed the significance of Stuxnet in that.

This year a Stuxnet copycat, Duqu, was discovered by security experts.

Initial analysis of the worm found that parts of Duqu are nearly identical to Stuxnet and suggested that it was written by either the same authors or those with access to the Stuxnet source code.

Unlike Stuxnet it was not designed to attack industrial systems but rather to gather intelligence for a future attack.

Mr Welch also revealed at the conference that, to date, the FBI's cyberteam had worked a 9 to 5 day. He said that a 12% increase in its budget would mean the team could now expand and begin monitoring cyberthreats around the clock.
