Throwback attack: Chinese hackers fall for a “honeypot” trap

[Image: The Verkada security breach exposed data from thousands of surveillance cameras. Courtesy: CFE Media and Technology]

Critical infrastructure has always been a major target of threat actors around the world. Some strive to hit society at its most critical points (energy grids, water facilities, etc.). Some adversaries do it for fun, others to steal information to use or hold for ransom, and some simply want to cause problems. No matter the motive, these are threats to human life and safety. That’s why it is essential that the United States be able to identify threats of this nature before any damage is done. One way to do this is to set up decoys for hackers to attack and then trace their location, a technique known as a honeypot.

That is exactly what the U.S. did in 2012. A honeypot was set up to appear in different countries as an experiment, to show evidence that critical infrastructure is consistently being targeted. This helped prove that critical infrastructure must be protected and analyzed for potential threats around the clock.

A brief history on critical infrastructure attacks

Critical infrastructure, as its name implies, comprises the important sectors that keep a society running. What is considered the first attack on modern-day critical infrastructure was Stuxnet, a worm meant to cause Iranian nuclear facilities to melt down. The worm traveled on a USB stick and silently did its work in the background, wreaking havoc on the nuclear plant’s centrifuges.

While it was never confirmed, the U.S. and Israeli governments were allegedly behind this attack. If it weren’t for an error in the code, the Stuxnet worm might never have been identified at all. Iran went on to counter with a failed strike on the Bowman Avenue Dam in New York, ushering in a new era of cyberwarfare.

A more recent hit on critical infrastructure was the Colonial Pipeline attack, a ransomware attack that reportedly came in through Colonial Pipeline’s information technology (IT) system. Out of fear that the operational technology (OT) system (the physical pipeline) would be infected and compromised, the biggest oil pipeline serving the East Coast was shut down for several days. While that may not seem long, Southern states felt it in their wallets as gas prices (temporarily) rose, and flights on the East Coast suffered a temporary fuel shortage.

The buzz around honeypots

Let’s start with the basics of this decoy attack: What is a honeypot?

According to TechTarget, a honeypot is a “network-attached system set up as a decoy to lure cyber attackers and detect, deflect and study hacking attempts to gain unauthorized access to information systems.”

This particular honeypot was created via cloud software that displayed a realistic login page for various local water plants across several countries, including the United States. If the hackers were successful in getting past the login screen, they were greeted with control systems for the water plants.

The hackers were able to get remote access to these systems via a virus attached to a Word document. Many of the intrusions that took place allowed the hacker to change settings in the water plant.

Because this exercise was primarily for research purposes, the U.S. did not counterattack. Instead, they used it as an opportunity to observe threat actors’ methods and learn how to prevent future attacks. The researchers even had an interface to watch the hacks carried out by the virus as they happened, in real time.

After the test period, there were a total of 74 attacks from 16 countries. According to MIT Technology Review, “Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S.”

More importantly, though, half of the critical attacks came from China. This led the U.S. to conclude that critical facilities and infrastructure are constantly being attacked and are at risk of hackers infiltrating and disrupting the processes.
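To make the decoy described above concrete, here is an added example (not the study’s own software) of a minimal water-plant HMI honeypot: it serves a fake login page, accepts any credentials so the visitor is shown fake control endpoints, records every interaction, and classifies interactions that reach the control endpoints as “critical”, mirroring the study’s critical/noncritical split. The endpoint paths and the in-memory log are assumptions for illustration.

```python
"""Decoy water-plant HMI honeypot (added example, not the study's code)."""
import time
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

EVENTS = []  # in-memory interaction log; a real deployment ships this off-box
# Hypothetical decoy control endpoints: reaching one is a "critical" attack
CONTROL_PATHS = {"/hmi/pump", "/hmi/valve"}


def record(src_ip, method, path, body=""):
    """Append one interaction; critical means it touched a control endpoint."""
    event = {"ts": time.time(), "src": src_ip, "method": method, "path": path,
             "body": body[:200], "critical": path in CONTROL_PATHS}
    EVENTS.append(event)
    return event


def summarize(events):
    """Totals by severity plus the sources behind the critical interactions."""
    by_severity = Counter("critical" if e["critical"] else "noncritical" for e in events)
    critical_sources = Counter(e["src"] for e in events if e["critical"])
    return {"total": len(events), "by_severity": dict(by_severity),
            "critical_sources": dict(critical_sources)}


class Decoy(BaseHTTPRequestHandler):
    def _send(self, code, html):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(html.encode())

    def do_GET(self):  # every GET, including hits on the fake control pages, is logged
        record(self.client_address[0], "GET", self.path)
        self._send(200, "<form method=post action=/login>user <input name=u> "
                        "pass <input name=p type=password><input type=submit></form>")

    def do_POST(self):  # any credentials "work": the point is to watch what follows
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode(errors="replace")
        record(self.client_address[0], "POST", self.path, body)
        self._send(200, "<h1>Plant HMI</h1><a href=/hmi/pump>Pump 1</a> "
                        "<a href=/hmi/valve>Valve 3</a>")

    def log_message(self, *args):  # silence the stdlib access log; EVENTS is the record
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Decoy).serve_forever()
```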

Protecting devices: a how-to guide

While there is no single right way to protect your devices — and no guaranteed protection from attacks — there are several methods that can be deployed to mitigate threats and vulnerabilities, such as:

Patching known vulnerabilities – This is a simple and effective way to continuously improve your software and keep unwanted visitors out of your systems. Keeping your systems up to date with the latest firmware and software falls under this category, too.

Building up a defense environment – This could include triggers that spring into action when something is tripped in a system, whether shutting the system down entirely as a failsafe or enacting a “counterattack” to prevent further damage.

Securing network connections – While this applies to internal network connections, it’s essential to secure external connections as well. External connections are an easy way in for threats from the outside, so a thick layer of security on that side goes a long way toward beefing up cybersecurity.

Monitoring consistently – Always have technicians or employees looking for signs of an attack. This could include training employees in the basics of cybersecurity (which should be done anyway) and holding regular system audits to ensure all is well.

We live in an era where everybody has access to technology, and by extension, the ability to cause harm to critical infrastructure. It is important to be properly equipped to handle these threats as they come and have safeguards in place to mitigate future ones.
