Reversemode
BYTES & WORDS
Reverse engineering a SCADA hoax
Written by Rubén   
Monday, 18 April 2011

Well, before the snowball becomes bigger (too late I guess) I'll try to explain why I think the FPL hack is a hoax.

Context: FD ...

Let's analyze the email:

Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL)
   ... ain't nothing you can do with it, since your electricity is turned off !!! 
D'oh, not very original: a disgruntled former engineer... if real, too many clues...

Secure your SCADA better! Leaked files are attached ...
1) http://img838.imageshack.us/i/49986845.png/

Given that the email claims he hacked a 200 MW / 136-turbine wind farm, the 3945 kW / 135 kWh figures shown make no sense for a wind energy facility of that size. Another odd detail is the "Energie" button (German for energy). Wind speed shown in m/s without mentioning mph is still plausible, so that one is fine by me.

2) http://img838.imageshack.us/i/24380855.png/
3) http://img24.imageshack.us/i/58868342.png/

Whether you have WinCC or GIMP/Paint/Photoshop, you can produce this creepy synoptic. If you manage to convince me that a 200 MW facility is controlled by this synoptic, I'll kiss your shiny metal ass.
Even the lines are wrong: the input voltage line for the SINAMICS S120 is drawn as the feeder for whatever those fans are supposed to represent. Absurd.

Also note the custom messages in German... everybody knows German is the corporate language at FPL ¬¬

4) http://img228.imageshack.us/i/85258364.png/

ftp://goxftp01.fpl.com/pub/oasis/ ...no comment

5) http://img163.imageshack.us/i/90736853.png/
6) http://img217.imageshack.us/i/55439027.png/
7) http://img40.imageshack.us/i/87526089.png/
8) http://img864.imageshack.us/i/94061747.png/

Lifted from the following public document: ftp://goxftp01.fpl.com/pub/oasis/switchyardreliability/switchyardreliability.pdf ...no comment


161.154.232.65 

HTTP/1.0 401 Unauthorized
Date: Sat, 05 Feb 2011 23:43:13 GMT
Server: VTS 9.0.05
Content-Type: text/html
Content-Length: 622
Cache-Control: no-cache
WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
Cache-control: no-cache="set-cookie"
Cache-control: private
Set-Cookie: VTS=9.0005;Version=1;Path=/
Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
Set-Cookie: SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..

The IP does not match the headers.

The headers correspond to a computer running water-treatment HMI software developed by Trihedral; "Server: VTS" is the key. Some time ago I reported to ICS-CERT that dozens of facilities running this software could be accessed by using the default password. The people behind this hoax probably used that information to reinforce it, since "WWW-Authenticate: Basic realm="Ft. Sumner SCADA"" links it to Fort Sumner, where this wind farm is located.
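As an added example (not the author's code), here is a small parser that pulls the identifying fields out of the captured 401 response above and checks whether the Server banner, the Basic realm and the cookie paths tell one consistent story. The idea that the realm should reappear as the first segment of the session cookie path is an assumption drawn from this capture alone, not documented VTS behaviour.

```python
import re
from urllib.parse import unquote

# The 401 response quoted in the post, kept verbatim (the last Set-Cookie line is truncated there too).
RAW_RESPONSE = """HTTP/1.0 401 Unauthorized
Date: Sat, 05 Feb 2011 23:43:13 GMT
Server: VTS 9.0.05
Content-Type: text/html
Content-Length: 622
Cache-Control: no-cache
WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
Cache-control: no-cache="set-cookie"
Cache-control: private
Set-Cookie: VTS=9.0005;Version=1;Path=/
Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
Set-Cookie: SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..
"""

def parse_headers(raw):
    # Header names are case-insensitive, so both "Cache-Control" spellings land in one list.
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def fingerprint(raw):
    # Extract what identifies the HMI behind a 401: Server banner, Basic realm, cookie paths.
    status, headers = parse_headers(raw)
    product, _, version = headers.get("server", [""])[0].partition(" ")
    realm = None
    for value in headers.get("www-authenticate", []):
        m = re.search(r'realm="([^"]*)"', value)
        realm = m.group(1) if m else realm
    cookie_paths = []
    for cookie in headers.get("set-cookie", []):
        for attr in cookie.split(";"):
            key, _, val = attr.strip().partition("=")
            if key.lower() == "path":
                cookie_paths.append(unquote(val))  # the %2e/%20 form decodes to the same path
    # Assumption: this server scopes session cookies under the application name, so the realm
    # should reappear as the first path segment; a banner pasted in from elsewhere would not line up.
    consistent = any(realm and p.startswith("/" + realm + "/") for p in cookie_paths)
    return {"status": status, "product": product, "version": version, "realm": realm,
            "cookie_paths": cookie_paths, "consistent": consistent}
```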

Moreover, according to public documents the wind farm operates 136 GE 1.5 MW turbines, most likely controlled by GE's own hardware/software... WindControl, WindSCADA...

The Cisco IOS config is nothing special...

Conclusion: FAKE.
