By Richard Sale
U.S. solar companies that manufacture solar panels are falling prey to Chinese hackers who are using a variety of malware, including “root kit” devices, to seize control of solar equipment and loot solar companies of sensitive information, intelligence sources told ISSSource.
Some of the new malware used is extremely hard for the legitimate users to detect, the sources said, adding much of it doesn’t contain configuration data of the command and control server with which it communicates.
The penetration of such solar systems by hackers could result in widespread blackouts because the users of this technology number in the hundreds of thousands, ranging from small to mid-sized facilities, and all are vulnerable to hacking, the sources said. Hackers can compromise and seize solar equipment and exploit it for gain, said another U.S. intelligence official.
“Even big companies have a hard time dealing with the persistence,” said James Lewis, Director and Senior Fellow, Strategic Technologies Program at the Center for Strategic International Studies (CSIS).
Some of the information hackers are looking to obtain include company’s financial position, production capabilities, and other critical information strategies, the sources said.
According to reports issued by the Department of Homeland Security, the SCADA (supervisory control and data acquisition) systems that manage much of the nation’s critical infrastructure remain infested with serious security bugs that experts labeled “forever day” vulnerabilities because their manufacturers have spent little energy or money to try to fix them. These flaws include SQL injection vulnerabilities, passwords stored in plain text, hard-coded passwords, and other defects that left the devices open to tampering by intruders.
Unfortunately, most companies have been less than energetic in confronting hackers and their breaches.
“The efforts of firms and corporations to eliminate these threats have never been more than half-hearted. Their interest in solutions is slack,” a congressional source said, adding that solar companies are increasingly in the hackers’ sights.
The costs of such breaches can be catastrophic. An Oregon producer of solar panel technology was rapidly losing its market share to Chinese competitors that were systematically providing exports well below what they cost to produce, while at the same time members of the hacker conspiracy stole cost and pricing information from the Oregon producer, the intelligence sources said.
The intelligence sources told ISSSource as many as three to five companies have been hacked or are currently targeted by hackers, but they refused to name them, saying their employment rules prohibit them from talking publicly about such issues.
“The panel companies under threat do not constitute a wide sector of the solar market,” said the U.S. intelligence official. Mandiant, which outed a Chinese military hacker in last year, found he had had cast a much wider net and had successfully infiltrated 141 companies.
Two years ago, the Department of Homeland Security warned of critical vulnerabilities in a computerized control system that attackers could exploit in order to sabotage or steal sensitive data from operators of the solar arrays that generate electricity in homes and businesses across the nation.
Photovoltaic products would also be vulnerable since many of them are manufactured from companies based abroad. Hackers with skill can enter commands that would allow them to enter databases connected with a Web interface. Such a breach would allow them to access the content of the key software programs that contains all the valid under username/password combinations. Photovoltaic Management Servers are a key target, the report said. Once software is infected, the hackers would gain access to administrative software and execute arbitrary demands.
The issue of the economic damage done by Chinese hackers came to a head last month when the Justice Department charged five Chinese men with cyber espionage against U.S. corporations and a labor organization for commercial advantage. The five charged were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA), officials said.
The 31-page indictment said one of the companies ransacked by the hackers was SolarWorld. The hackers targeted the computers of the U.S. subsidiaries of SolarWorld AG, a German solar products manufacturing company located in Hillsboro, Oregon, and a sales facility of the firm located at Camarillo, California.
On or about May 2012 to September of that year, one of the indicted Chinese hackers, a man named Xinyu Wen and at least one unidentified co-conspirator, stole thousands of emails and related attachments that gave detailed information about SolarWorld’s “financial position, production capabilities, cost structure and business strategy.”
At the time of the hacking, SolarWorld was a co-litigant in trade cases against Chinese solar manufacturers alleged to have “dumped” large volumes of solar products into U.S. markets at prices below fair value, severely undercutting companies like SolarWorld and, in some cases, driving some U.S. companies out of business. Worse, the hackers stole trade secrets that would have been “particularly beneficial,” to Chinese competitors, increasing their sales at the cost of their U.S. counterparts, officials said.
One company that is taking action to fix long standing vulnerabilities is Solar-Log based in Germany. Experts at firms like Alien Vault and Positive Security found that multiple Solar-Log products, could end up exploited by malicious hackers to disclose certain sensitive information and compromise the company’s administrative systems.
According to news reports, the company has kept silent about the flaws in its system, and has been rushing to distribute patches.
The congressional source said multiple Solar-Log products can suffer exploitation by hackers who are able to disclose certain sensitive information and compromise parts of its operating system. The threat is substantial because, as the company boasts, its global management system runs on roughly 229,300 solar plants that typically pump out 5.66TWh of electrical energy a day.
The U.S. intelligence official said attackers could break into the Solar-Log boxes and cause significant damage on centralized power grids. The congressional source added hackers who were able to penetrate Solar-Log could download malware and disrupt or misappropriate passwords because the software flaws make it impossible to authenticate the real users. Local users are vulnerable, he said. He confirmed a hacker could execute arbitrary code programs or manipulate other software procedures. Hackers could spoof the amount of power returning to their grids from their solar installations, effectively robbing the legitimate company of big revenues.
Hackers can pillage remote or local sources and documents and compromise credentials and exploit them. The Chinese hackers are able to use an error within web server component to upload sensitive files, the intelligence source said.
Backup files are posing another danger. If the access to the backup scripts does not have proper restrictions, they too can end up exploited and their contents exposed, said the U.S. intelligence official.
“Some breaches could have “life threatening consequences,” said a former U.S. intelligence official who remains on top of the issue.
“The key is getting out ahead of these issues, spending the money to obviate the software flaws, rather than to lose millions of dollars, thanks to hackers whether they are Chinese, Russian, or Iranian,” the congressional source said.
Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.