Wednesday May 22


Carbon Trading Market Hacked for $40 Million


In yet another demonstration of organized crime in the cyber-world, the carbon trading market is in a mess due to a recently discovered wave of cyber-attacks. In the EU, trading has been suspended in all registries.

The carbon trading market, which had a turnover of $144 billion in 2009, is big business. The framework for a market system began in 1997 with the Kyoto Protocol, when the US made the scheme a condition for American participation. Binding targets for the reduction of gas emissions were set at Kyoto together with agreements on the setting up of national registries to record, track, and trade units.

The registries track account activity just as a banking system does. In the EU, an estimated 15 million units of carbon credit are traded daily. One unit is equivalent to one metric ton of carbon dioxide. Units represent credits from projects producing fewer emissions and from private deals to make consumers' activities “carbon neutral.” Participating companies have a carbon emission allowance and can trade units to help meet emission reduction targets.

This latest hack is, sadly, another illustration of cyber-criminals being one step ahead of the rest. According to an EU press release, on the day of the unprecedented trading cessation, “other registries are known to be vulnerable to attack.”

Another press release stated that “agreement has been reached on guidance for the minimum requirements that each national registry has to fulfill in order to resume normal operations… each Member State has been asked to urgently provide the European Commission with an independent report confirming that the minimum security requirements have been put in place.”

Among the few recent cyber-attacks that have actually been reported was an attack on the Austrian emissions carbon trading registry. Another report came from Blackstone Global Ventures in the Czech Republic. The company’s Website stated: “Yesterday at 12 CET 475 000 allowances were unlawfully removed from our account with the Czech registry (OTE). We are doing our utmost to resolve the problem and want to make all market participants aware of the incident.” These breaches resulted in the looting of permits.

These were not the first attacks on the carbon trading network. Last year, carbon trading permits worth at least $4 million were stolen in a phishing attack, in which companies in Germany were tricked into providing details of their carbon registry account log-ins to a fake Website sent as an email link.

These cyber-attacks were perpetrated by hackers using a DDoS (distributed denial of service) methodology; while the Websites were offline, users were directed to fake Websites. There the transactions were hijacked and redirected to accounts controlled by the cyber-criminals. Overall, transactions from market participants in at least 15 countries were involved. As I described in an earlier post, an analysis of the activity and some anonymous feedback indicate this would appear to be the work of the “Darkness” DDoS and bank-robbing botnet.

Credibility in the security of a system where 15 million units can be traded in just one day is paramount. There are a lot of lessons here, and other markets can learn from the mistakes made in the EU.

Apparently, only now will the EU Commission “ensure” that national carbon registries have an adequate level of protection similar to other sensitive IT systems. This statement brings to mind stable doors, bolts, and horses.

Although increasing security in carbon trading markets is vital, this incident again highlights the global threat of botnets such as “Darkness” and “BlackEnergy” and millions of their related enslaved zombies (botnet-infected PCs). The real job is to prevent these cyber-attacks by removing the threat in the first place; i.e., taking down the botnets and, as a matter of public health policy, quarantining the zombies.

Jart Armin