We Set Up a Decoy. Hackers Came. From Beijing. And Chattanooga

Photographer: Sipa via AP Photo

Three months after online decoys were set up pretending to be industrial-control systems, we wrote about how computers from the U.S., China and Russia were found to be the biggest sources for launching scouting attacks against these fake critical infrastructures.

This week, ThreatStream, a cyber-security company that set up the target computers at Bloomberg's request, went deeper with the data. Hidden in the larger dataset, which catalogued thousands of reconnaissance probes against our honeypots, was a subset of attacks that revealed the location of computers used not only to find Internet-connected control systems, but also to manipulate them with specialized software and communications protocols. In other words, these were recon missions sent by machines that also had some level of ability to do damage.

So-called supervisory control and data acquisition, or SCADA, systems are used to run things such as nuclear reactors, manufacturing plants and prisons. So you can imagine why attacks that allow hackers to remotely control key parts of the operations at essential facilities are a big concern.

Here are the countries that were the biggest source of this type of attack against the decoys, according to Jason Trost, lab director at ThreatStream. As you can see, neither the U.S. nor China is at the top:


At the city level, the experiment wasn't able to determine where in Turkey these 105 attacks came from. But it was for some of the other countries:


Beijing may not be a surprise, but Chattanooga? After being alerted that the Tennessee traffic may have come from a researcher probing control systems, ThreatStream confirmed that those attacks were part of a security project.

The "attacks were legitimate," said ThreatStream founder and Chief Technical Officer Greg Martin. "What it says is, these things are being targeted whether it's by security researchers or nation-states. People are actively scanning and finding these vulnerabilities, whether they are honeypots or the real thing."

As for the other data, a key limitation of any honeypot experiment like this one is that it's difficult to determine if the computers involved are being used by hackers as bounce points, which disguises their true location. Martin points out that nation-states sometimes launch attacks from computers within their own borders because they control the Internet there and can ensure the computers won't get taken offline. And at the very least, the data offers a glimpse of how hacking attacks on infrastructure are orchestrated on a global scale.