(U//FOUO) Likely Network Device Compromise Results in Excessive Data Traffic; Device Provided Access to Industrial Control System
(U//FOUO) An unidentified actor or actors between November 2016 and January 2017 targeted a US water and sewage authority’s network, resulting in excessive cellular charges and unusual traffic on ports 10000 and 9600, according to an FBI source with excellent access who spoke in confidence but whose reliability cannot be determined. The FBI source indicated that four of the seven devices on the authority’s cellular data plan showed abnormally high data usage, likely the result of compromised network devices. The November 2016–December 2016 billing cycle totaled $45,000, and the December 2016–January 2017 billing cycle totaled $53,000; a typical monthly bill averages approximately $300. The devices were Sixnet devices, which had been in place for six or seven years and provided access to the authority’s industrial control systems, according to the same FBI source.
(U//FOUO) Support to Computer Network Defense
(U//FOUO) Sixnet BT-5xxx and BT-6xxx series device versions prior to 3.8.21, as of May 2016, were vulnerable to a compromise that exploited a hard-coded factory password that could enable full access to the affected device, according to ICS-CERT Advisory ICSA-16-0147-02. The same advisory identifies vendor patches and firmware updates that address the issue.
(U//FOUO) Sixnet BT-5xxx series industrial cellular modems and BT-6xxx machine-to-machine gateways facilitate data communications connectivity in mobile or remote environments. Ports 9600 and 10000 are used for transmission control protocol and user datagram protocol (TCP/UDP) communications, according to an online report from a firm that provides industrial automation and networking solutions.
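The following is an added example, not part of the notice or any vendor material, showing how a defender could triage the two indicators described above offline: cellular gateways still running firmware older than the fixed release named in the ICS-CERT advisory, and a device whose monthly data volume jumps far above its own baseline while carrying traffic on ports 9600 or 10000. The device names, firmware versions, billing months and flow summaries are constructed for illustration; the version threshold and watch-listed ports are taken from the text above.

```python
# Added example (not from the notice): offline triage of cellular ICS gateway
# telemetry for the indicators the text describes. All device names, versions
# and flow records below are constructed sample data.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# First BT-5xxx/BT-6xxx release without the hard-coded password, per the advisory cited above.
FIXED_VERSION = (3, 8, 21)
# Ports called out in the notice as carrying the unusual traffic.
WATCH_PORTS = {9600, 10000}

# Constructed inventory: device name -> installed firmware version string.
INVENTORY: Dict[str, str] = {
    "bt6-gateway-pump1": "3.8.21",
    "bt5-modem-lift2": "3.7.4",
    "bt5-modem-lift3": "3.8.20",
    "bt6-gateway-intake": "4.0.1",
}

# Constructed per-flow summaries: (device, billing_month, dst_port, bytes_transferred).
FLOWS: List[Tuple[str, str, int, int]] = [
    ("bt6-gateway-pump1", "2016-10", 502, 40_000_000),
    ("bt5-modem-lift2", "2016-10", 502, 35_000_000),
    ("bt6-gateway-pump1", "2016-11", 502, 42_000_000),
    ("bt5-modem-lift2", "2016-11", 9600, 9_000_000_000),
    ("bt5-modem-lift2", "2016-11", 10000, 6_000_000_000),
    ("bt5-modem-lift3", "2016-11", 10000, 7_500_000_000),
    ("bt5-modem-lift3", "2016-11", 502, 30_000_000),
    ("bt6-gateway-intake", "2016-11", 502, 20_000_000),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.8.21' into (3, 8, 21) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def unpatched_devices(inventory: Dict[str, str]) -> List[str]:
    """Devices still running firmware older than the fixed release."""
    return sorted(name for name, ver in inventory.items()
                  if parse_version(ver) < FIXED_VERSION)


def monthly_usage(flows):
    """Total bytes per (device, month) and the watch-listed ports seen in that month."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for device, month, port, nbytes in flows:
        totals[(device, month)] += nbytes
        if port in WATCH_PORTS:
            ports[(device, month)].add(port)
    return totals, ports


def flag_anomalies(flows, baseline_month: str, factor: int = 10):
    """Flag (device, month) pairs whose volume exceeds `factor` times that device's
    baseline month. A device with no baseline at all is also flagged for review,
    since its normal volume is unknown. Returns (device, month, bytes, watch_ports)."""
    totals, ports = monthly_usage(flows)
    baseline = {d: b for (d, m), b in totals.items() if m == baseline_month}
    findings = []
    for (device, month), nbytes in sorted(totals.items()):
        if month == baseline_month:
            continue
        base = baseline.get(device)
        if base is None or nbytes > factor * base:
            findings.append((device, month, nbytes, sorted(ports[(device, month)])))
    return findings


def triage(inventory, flows, baseline_month: str):
    """Combine both indicators: an unpatched device with a volume spike on a
    watch-listed port is ranked 'high'; any other anomaly is left as 'review'."""
    unpatched = set(unpatched_devices(inventory))
    report = []
    for device, month, _nbytes, watch_ports in flag_anomalies(flows, baseline_month):
        priority = "high" if device in unpatched and watch_ports else "review"
        report.append((device, month, priority))
    return report


if __name__ == "__main__":
    for entry in triage(INVENTORY, FLOWS, baseline_month="2016-10"):
        print(entry)
```

Real deployments would feed `FLOWS` from NetFlow or carrier usage exports and `INVENTORY` from an asset register; the baseline factor of 10 is deliberately conservative given that the notice describes bills more than a hundred times the normal monthly amount, and it can be tuned to the site's own variance.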