Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.
The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a “Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the memo, which was issued in July. “All areas of the office were clearly labeled with employee names or area names.”
The revelation that Niagara vulnerabilities have been actively exploited in the wild is significant because the system is widely used to control critical equipment used around the world. Further, the number of Internet-facing Niagara systems appears to be growing. A search using the Shodan computer search engine late last year found about 16,000 systems, with more than 12,000 of those based in the US, according to Billy Rios, one of the security researchers who documented the vulnerabilities in the industrial control system. This year, the same search returned more than 20,000 systems, with about 16,000 of them in the US. While patches released earlier this year apply only to versions 3.5 and 3.6 of Niagara, Shodan continues to show “tons” of systems running earlier versions, including 1.1, Rios said.