BlackEnergy Malware Hits Industrial Control Systems in the US

Exterminator (Community Manager, Thread author)

An ongoing malicious campaign has compromised multiple industrial control systems (ICS) in the US by planting a version of the BlackEnergy toolkit on Internet-facing human-machine interfaces (HMI) from several vendors.

The activity is believed to have started at least three years ago, in 2011; since then the malware has been identified by multiple companies on the control solutions they use.
Malware does not function at full capacity
According to the US ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), the threat actors behind this BlackEnergy campaign targeted the HMI products of GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC. Other solutions may also be affected, although at the moment there are no details about which ones.

The malware is modular in architecture, which allows its operators to implement new modules that would cover additional functions.

Among the modules observed so far are some designed for lateral movement across the network, which search for shared locations and removable media. However, no such activity has actually been noted: the malware remained on the compromised HMIs.

ICS-CERT found no evidence that BlackEnergy tried to influence in any way the control processes on the victimized systems.
The attack vectors have not been determined in all cases
The findings of the investigation revealed that on GE Cimplicity, the threat actors leveraged a vulnerability (CVE-2014-0751) that allowed remote execution of arbitrary code through a specially crafted message to TCP port 10212.

The vulnerability was publicly disclosed at the beginning of 2014, and GE had already published mitigation instructions in December 2013, but ICS-CERT says the threat actors have been exploiting it since at least January 2012.

According to the analysis of the attack on Cimplicity products, BlackEnergy executes a self-delete routine following its installation on the target machine.

“Analysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems. ICS-CERT is concerned that any companies that have been running Cimplicity since 2012 with their HMI directly connected to the Internet could be infected with BlackEnergy malware,” the advisory says.

Attack vectors for the other HMI products have not been determined yet, but files associated with the BlackEnergy campaign have been discovered on machines running WinCC and Advantech/Broadwin WebAccess control software.
ICS operators urged to check their machines
A strong recommendation has been issued for companies operating industrial control systems to check their assets for signs of intrusion.

ICS-CERT created a Yara signature to help identify a BlackEnergy compromise. “This signature is provided ‘as is’ and has not been fully tested for all variations or environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation,” the group warns.

BlackEnergy is a toolkit that has been employed by multiple criminal groups over the years. In a recent incident discovered by Finnish security researchers at F-Secure, samples of the malware were seen collecting intelligence from Ukrainian government entities. Those custom versions were attributed to the Quedagh group, known for targeting political organizations.
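The first thing ICS-CERT's warning asks of Cimplicity operators is to find out whether the HMI's CimWebServer port (TCP 10212, the port CVE-2014-0751 is triggered through) is reachable from outside. The script below is an added example written for this thread, not code from ICS-CERT, GE or the original article: it probes a list of hosts for that port from wherever it is run, so run it from a vantage point outside the control network to measure Internet exposure. The SERVICE_PORTS table, the host list and the `demo()` listener that stands in for an exposed HMI are assumptions for illustration.

```python
"""Reachability audit for the GE Cimplicity WebView service port (TCP 10212).

Added example, not ICS-CERT's or GE's code. It only tells you whether the
port answers from the machine running the script; to test Internet exposure,
run it from a host outside the control network. The port table and the host
list are assumptions for illustration.
"""
import socket
import sys

# Port named in the ICS-CERT finding: CVE-2014-0751 is triggered by a crafted
# message to TCP 10212 (Cimplicity CimWebServer). Extend with other HMI
# services you need to audit (assumption: this table is an example only).
SERVICE_PORTS = {
    10212: "GE Cimplicity CimWebServer (CVE-2014-0751 attack surface)",
}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, unreachable, or timed out
            return False
        return True


def exposed_services(hosts, ports=None, timeout=2.0):
    """Return [(host, port, description)] for every reachable service port."""
    ports = ports or SERVICE_PORTS
    findings = []
    for host in hosts:
        for port, desc in ports.items():
            if port_open(host, port, timeout):
                findings.append((host, port, desc))
    return findings


def demo():
    """Offline self-check (constructed scenario): a local listener plays the
    role of an exposed HMI and must be flagged; a closed port must not be."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_port = srv.getsockname()[1]
        # bind and release a second ephemeral port so we know one that is closed
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        ports = {
            open_port: "simulated Cimplicity WebView",
            closed_port: "nothing listening",
        }
        findings = exposed_services(["127.0.0.1"], ports, timeout=1.0)
        return open_port, closed_port, findings


if __name__ == "__main__":
    # Usage: python audit_10212.py hmi1.example.net hmi2.example.net
    # (hostnames are placeholders). With no arguments, run the offline demo.
    if len(sys.argv) > 1:
        for host, port, desc in exposed_services(sys.argv[1:]):
            print(f"EXPOSED {host}:{port} {desc}")
    else:
        o, c, f = demo()
        print(f"listener on {o} flagged: {f}; port {c} correctly not flagged")
```

A hit here does not mean the host is infected, only that the same door the BlackEnergy actors used is open from where you ran the check; a miss from inside the plant network says nothing about Internet exposure, which is why the vantage point matters.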