Telvent Canada Ltd. is investigating a sophisticated hack attack spanning its operations in the United States, Canada and Spain.
Security researchers said the attacker’s digital fingerprints are leading them to a Chinese hacking group tied to repeated cyber espionage programs.
In letters sent to customers last week, Telvent said on Sept. 10 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.
Telvent is still investigating the incident, but said that as a precautionary measure it has disconnected the usual data links between clients and the affected portions of its internal networks.
“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company said in a letter mailed to customers this week, a copy of which was obtained by KrebsOnSecurity.com. “Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.”
The incident just goes to show what can happen when networks that serve critical systems connect to control systems whose security is a patchwork at best.
Security experts fret about vulnerabilities introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to supervisory control and data acquisition (SCADA) systems that an attacker could remotely access. The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely, but experts say it also exposes these once-closed systems to attacks.
In its letters to customers, the company detailed ongoing efforts to determine the extent of the breach. Telvent said it was working with law enforcement and a task force of representatives from its parent firm, Schneider Electric, which has operations across the Americas, Western Europe and Asia. Telvent employs 6,000 people in at least 19 countries around the world.
In its most recent dispatch to customers impacted by the breach, dated Sept. 25, 2012, Telvent executives provided details about the malicious software used in the attack. Those malware and network components suggest the involvement of Chinese hacker groups tied to other high-profile attacks against Fortune 500 companies over the past several years.
Joe Stewart, director of malware research at Dell SecureWorks and an expert on targeted attacks, said the Web site and malware names cited in the Telvent report map back to a Chinese hacking team known as the “Comment Group.”
In July, Bloomberg News published an in-depth look at the Comment Group and its years of suspected involvement in deploying sophisticated attacks to harvest intellectual property and trade secrets from energy companies, patent law firms and investment banks.