Trojan Backdoor on Water SCADA System

Event Year: 2004 Reliability: Confirmed
Country: Canada
Industry Type: Water/Waste Water

During a security audit of the SCADA system, a trojan backdoor was located on a human-machine interface (HMI) computer.
This trojan contained a keylogger and a reverse tunnel to an outside website. It is believed that the HMI was infected when an operator browsed external Hotmail websites, as the trojan was mail-based.

The firewall blocked the HTTP reverse tunnel, but not the keylogger, which used SMTP for transport.

The HMI was on the enterprise network for the regional government. Multiple Internet connections in different agencies allowed both web and email access from the HMI.



Action Description: Firewalls were modified to prevent HTTP access from the SCADA system computers to external websites. Antivirus software and procedures were invoked for all SCADA computers.
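Added illustration, not part of the incident record: a small egress audit over constructed firewall log lines from a hypothetical HMI subnet (addresses are made up). It shows why blocking only HTTP is not enough: the SMTP flows the keylogger used still appear as allowed outbound connections from the control network.

```python
"""Egress audit for a SCADA/HMI subnet: list outbound flows that left the
control network and report which destination ports the firewall still let
through, so a gap such as an open SMTP channel is visible."""
import ipaddress
from collections import defaultdict

# Constructed sample log; the subnet and addresses are hypothetical.
SCADA_SUBNET = ipaddress.ip_network("10.50.0.0/24")
SAMPLE_LOG = """\
2004-03-01T10:00:01 src=10.50.0.12 dst=10.50.0.2 dport=502 proto=tcp action=allow
2004-03-01T10:00:05 src=10.50.0.12 dst=203.0.113.10 dport=80 proto=tcp action=deny
2004-03-01T10:00:09 src=10.50.0.12 dst=198.51.100.25 dport=25 proto=tcp action=allow
2004-03-01T10:01:00 src=10.50.0.30 dst=10.50.0.2 dport=502 proto=tcp action=allow
2004-03-01T10:01:30 src=10.50.0.12 dst=198.51.100.25 dport=25 proto=tcp action=allow
2004-03-01T10:02:00 src=10.50.0.30 dst=203.0.113.10 dport=80 proto=tcp action=deny
"""


def parse_line(line):
    """Parse one 'key=value' style log line; the first token is the timestamp."""
    tokens = line.split()
    rec = dict(kv.split("=", 1) for kv in tokens[1:])
    rec["ts"] = tokens[0]
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def external_flows(log_text, subnet):
    """Flows that originate inside the control subnet and leave it."""
    recs = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in recs if r["src"] in subnet and r["dst"] not in subnet]


def egress_gaps(log_text, subnet):
    """Map dport -> set of source hosts whose outbound flows were allowed.
    Every entry is a channel the egress policy did not close."""
    gaps = defaultdict(set)
    for r in external_flows(log_text, subnet):
        if r["action"] == "allow":
            gaps[r["dport"]].add(str(r["src"]))
    return dict(gaps)


if __name__ == "__main__":
    for port, hosts in sorted(egress_gaps(SAMPLE_LOG, SCADA_SUBNET).items()):
        print(f"port {port} still reachable from HMI hosts {sorted(hosts)}")
```

In the sample, HTTP (port 80) is denied but SMTP (port 25) from the infected HMI is allowed, which is the shape of the gap described above; a default-deny egress rule for the SCADA segment would make the report empty.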