Power Transmission Substation Honeypot Yields Unexpected Results

We’ve discussed the security of critical infrastructure many times on this blog. From the hijacking of the Dallas, TX tornado warning system, to discussions at Davos, selfies revealing sensitive information and even a video showing a white hat hacker team physically compromising a substation security system.

The security of the nation’s critical infrastructure is, well, critical, so we were quite intrigued by a recent honeypot experiment conducted by researchers at Cybereason.

Honeypot Yields Unexpected Results

Looking to further understand the threats facing critical infrastructure, Cybereason set up a honeypot late in Q2 2018 that emulated the network of a major electric provider’s power transmission substation. All significant network systems, including an IT environment, an OT environment and an HMI (human machine interface) management system, were included in the honeypot to make it appear as legitimate a network as possible.

Cybereason expected the honeypot to reveal attack vectors that targeted individuals with network access. Instead, what they found was that the honeypot was compromised by a set of actors who sourced their access tools from a dark web forum!

According to Cybereason CISO Israel Barak, the honeypot infrastructure was first discovered by a black-market seller conducting broad internet reconnaissance. “The seller was able to compromise a single machine in the honeypot and posted it for sale in a black market called xDedic – along with the network identifiers of the compromised environment, which disclosed its probable affiliation with a large utility provider.”

Dark Web = Lights Out?

While the genesis of the threat, purchasing access off the dark web, was unexpected, Cybereason believes that those using the purchased access are very familiar with ICS environments. They moved quickly from the honeypot’s IT environment into the OT (operational technology) environment, which is the system environment that actually controls the equipment used to deliver the utility in question, whether it be electricity, natural gas or water. The attackers appear to have been singularly focused on getting to the OT network. And, while some of their techniques were sloppy and raised red flags that would likely have elicited a security team’s response, had they been left unchallenged for some reason it appears possible they would have achieved their goal.

Can We Help You Achieve Your Goals?

When it comes to security, having an end goal in mind makes sense. Let us help you discover what goals make sense for your organization. It’s simple to get started; we’re just a phone call away.
© Copyright 2018 Konsultek