The IT security researchers at Sixgill's threat intelligence team have identified an "experienced threat actor" on the dark web selling access to the admin panel of a Chinese rail control system. This access would enable criminals to manipulate train control systems, affecting over one million residents living in the urban core of Hubei Province.
Sixgill, an Israel-based cyber threat intelligence company that analyzes Deep and Dark Web activity, is currently keeping the name of the targeted railway company secret for security reasons. However, according to the details [PDF] shared by the company, the compromised firm also manufactures management systems for rail transportation, as well as management systems for the aviation sector.
The listing was posted on a prominent Russian-speaking hacking forum on the dark web on February 19th, 2019, and includes details on the content of the sold data. According to Sixgill, the listing provides visual proof of admin access, sharing four screenshots of the hacked management system.
An analysis carried out by Sixgill researchers on the screenshots revealed that they include details regarding the system configuration, information management, and personnel management. If train databases and scheduling systems are attacked, the disruption to rush-hour public transportation will have disastrous consequences for local and international business.
Researchers believe that this access could let malicious actors, including terrorists, go further and reach the module, navigation, and employee management systems, as well as the codes for locomotive segments.
Researchers are of the opinion that, by using the stolen information, cybercriminals could also access the management software and disrupt its operation, along with the company's internal cyber infrastructure. Furthermore, it is feared that the same information could be used to put lives at risk.
“As the use of such control systems becomes more prevalent, the cyber threats against them grow. From threat actors who explore new ways of making a profit, to terrorists who seek to execute attacks that will inflict massive damage, attacks on ICS have become a major threat to many organizations and governments,” researchers said.
It is noteworthy that Sixgill is the same company which previously identified a listing on the dark web offering undetectable Proton malware for macOS. Sixgill's blog post gives further details.
This is not the first time hackers have been found selling access to critical online infrastructure. In July last year, McAfee's Advanced Threat Research Team discovered a dark web marketplace where hackers were selling Remote Desktop Protocol (RDP) access to a prominent airport's security system for just $10.