Hackers have exploited a crucial vulnerability in software used to run industrial control systems, the FBI says.
Although the FBI privately issued its alert in late July, the breach was only disclosed publicly by the FBI last week in a posting on the site of Public Intelligence, an information freedom advocacy project. The flaw itself had been circulating on Twitter for months.
"Unauthorized IP addresses accessed the Industrial Control System (ICS) network of a New Jersey air conditioning company," the FBI statement read. "The intruders were able to access a backdoor into the ICS system that allowed access to the main control mechanism for the company's internal heating, ventilation and air conditioning (HVAC) units."
The compromised software, Tridium Niagara, was exploited after hackers used the Shodan search engine to find its ICS. Shodan, a publicly available tool, searches the Internet for connected devices that are not standard computers or servers, such as cameras and wireless routers.
The breaches began soon after someone using the Twitter handle @ntisec tweeted details of the exploit in January. It's not clear if the Twitter handle has anything to do with the hackers who got in.
Although the hackers had access to very sensitive controls, it appears all they did was breach the system, take a look around and leave.
The widely used Tridium Niagara systems are used to control other crucial systems that regulate water, electricity, elevators, locking mechanisms and surveillance networks.
According to Tridium's own website, versions of the same software control vital systems for electricity supplier Manitoba Hydro, in Canada; the Sheraton in Sydney, Australia; and home appliance manufacturer Whirlpool's data center.
Hackers began exploiting the system in February, Ars Technica reported, weeks after a user with the Twitter handle @ntisec announced an impending hacking operation aimed at supervisory control and data acquisition ( SCADA ) systems.
Although the hack took some ingenuity on the part of the hackers, the system's security wasn't exactly ironclad: An employee admitted that "the Niagara control box was directly connected to the Internet with no interposing firewall."
To date, there are zero confirmed reports of an attack on an industrial control system in the United States. Hackers, however, have demonstrated that it is possible to improperly remotely access control panels that, if sabotaged, could lead to widespread mayhem and panic.
Follow Ben on Twitter.