Telvent Canada says someone sneaked past its internal firewall, installing malicious software and stealing files related to control software it makes that’s used to manage the electric grid in various countries.
The company warned customers last week that it learned of a breach of its network on September 10, according to the KrebsOnSecurity blog. Project files associated with the firm’s OASyS SCADA (supervisory control and data acquisition) software were stolen, the post says.
“Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent,” the company said this week in a letter to customers, which was cited by the blog.
A Telvent spokesman confirmed the breach to Wired today but wouldn’t comment on whether files had been downloaded or altered. “We are aware of a security breach of our corporate network that has affected some customer files,” spokesman Martin Hannah is quoted as saying. “We’re working directly with our customers, and they are taking recommended actions with the support of our Telvent teams. And Telvent is actively working with law enforcement, with security specialists, and with customers to ensure that this breach has been contained.”
Meanwhile, malware used in the attack is believed to be associated with a Chinese hacker group called “Comment Group,” the KrebsOnSecurity post reports.
Dale Peterson, CEO of industrial control system (ICS) security firm Digital Bond, says his Web site was attacked recently too. “If this Comment Group is the same as Comment Crew, then this is likely the same people that sent spear phishing e-mail to Digital Bond and EnergySec,” he wrote in a blog post. “They are going after the ICS energy sector, and Telvent is almost certainly not the only vendor being targeted or compromised. In fact, I would be worried if a large asset owner or vendor in the energy sector is not detecting these attacks.”
Two days after Telvent says it noticed the breach, the company announced a partnership with security firm Industrial Defender to “expand its cybersecurity capabilities within Telvent’s key utility and critical infrastructure solutions.”
SCADA systems, which were never designed to be connected to the public-facing Internet, are increasingly being linked to the outside world so engineers can access them remotely. While this is convenient for critical-infrastructure operators, it also provides a way in for attackers.