FBI Memo: Hackers Breached Heating System via Backdoor

FBI Memo: Hackers Breached Heating System via Backdoor

Tridium ICS diagram of HVAC network.Tridium ICS diagram of HVAC network.

Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.

The intruders first breached the company’s ICS network through a backdoor in its Niagara AX ICS system, made by Tridium. This gave them access to the mechanism controlling the company’s own heating and air conditioning, according to a memo prepared by the FBI’s office in Newark (.pdf), which was published on Saturday by the website Public Intelligence. News about the memo was first reported by Ars Technica.

The breach occurred in February and March of this year, several weeks after someone using the Twitter moniker @ntisec posted a message online indicating that hackers were targeting SCADA systems, and that something had to be done to address SCADA vulnerabilities.

The individual had used the Shodan search engine to locate Tridium Niagara systems that were connected to the internet and posted a list of URLs for the systems online. One of the IP addresses posted led to the New Jersey company’s heating and air conditioning control system.

The company used the Niagara system not only for its own HVAC system, but also installed it for customers, which included banking institutions and other commercial entities, the memo noted. An IT contractor who worked for the company told the FBI that the company had installed its own control system directly connected to the internet with no firewall in place to protect it.

Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. “[Th]e published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login,” said the memo.

The backdoor URL gave access to a Graphical User Interface (GUI), “which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the FBI. “All areas of the office were clearly labeled with employee names or area names.”

Forensic logs showed that intruders had gained access to the system from multiple IP addresses in and outside the U.S. The memo does not indicate if the intruders manipulated the system after obtaining access to it.

Five months after the breaches first began, Tridium and the Department of Homeland Security’s ICS-CERT division published alerts disclosing a directory traversal and weak credential storage vulnerability (.pdf) in the Niagara AX Framework system. Security researchers Billy Rios and Terry McCorkle were credited with disclosing the vulnerability to ICS-CERT.

More than 300,000 Tridium Niagara AX Framework systems are installed worldwide, according to the Tridium web site, and are used in energy management, building automation, telecommunications, security automation and lighting control.

According to Ars Technica, a search of Shodan earlier this year by Rios uncovered more than 20,000 of the Niagara systems connected to the internet.