Blackhat 2015: Trend Micro researchers Kyle Wilhoit and Stephen Hilt believe they've found attackers actively seeking to hack and shut down petrol stations.
The duo from the forward-looking research team find the attacks by establishing simulated petrol station monitoring systems around the world as honeypots.
Wilhoit and Hilt had earlier this year found actors using the Anonymous hacker moniker tried to pop the monitors.
Earlier this year, Rapid7 published research that showing attackers could shut down petrol stations.
"We found that GasPot (gas monitoring honeypot) systems deployed in the US were deemed most attractive by attackers," the pair say in the paper The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems [PDF] presented at Blackhat in Las Vegas this week.
"To better understand the current gas-tank-monitoring system attack landscape, we developed a way to simulate the existence of these devices to check whether threat actors will find them venues attractive enough to go after.
"We created virtualised Guardian AST tank-monitoring systems, complete with function and input /output controls and other features, that make attackers believe they are real."
Most attackers targeted US honeypots, followed by those in Jordan, Britain, and other parts of the world. One of the groups left a calling card of the Iranian Dark Coder hackvitist team. In another 'AHAAD WAS HERE' was sprayed across the honeypot.
The team says the honeypots are crafted from the ground up to closely resemble a real monitoring system and would drop logs to reveal connection attempts.
Some honeypots are configured to leak to the popular SHODAN industrial control system search engine.
Attackers are found sharing IP address information of the would-be petrol pumps on web clipboards.
"Attacks against internet-facing gas-tank-monitoring systems are no longer hypothetical," the pair says. "The implications of this research highlight the lack of security awareness surrounding internet-connected devices." ®