ICS-CERT Warns of Three-Year BlackEnergy Attack on Industrial Control Systems


The Department of Homeland Security’s ICS-CERT is warning of a sophisticated three-year malware campaign using variants of the BlackEnergy malware family to target industrial control systems in multiple companies.

The ongoing campaign was discovered through malware found on internet-connected human-machine interfaces (HMIs), ICS-CERT said in an advisory.

Specifically, the GE Cimplicity, Advantech/BroadWin WebAccess and Siemens WinCC HMI products were targeted, and ICS-CERT is working with those vendors to evaluate the malicious activity.

It added:

“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.”

ICS-CERT said it has published a YARA signature to help firms identify whether the malware is present on their systems.

It recommended that firms running industrial control systems immediately adopt a defense-in-depth approach, beginning with an audit of their networks for “internet-facing devices, weak authentication methods, and component vulnerabilities.”

The attacks have been linked, via shared command-and-control (C&C) infrastructure, to the ‘Sandworm Team’ campaign blamed for exploiting the CVE-2014-4114 Windows OLE vulnerability through malicious PowerPoint attachments sent in spear-phishing emails.

It could also be linked to the Quedagh group documented by F-Secure, which used BlackEnergy variants in mainly politically motivated attacks against Eastern European targets.

Sean Sullivan, security advisor at F-Secure, told Infosecurity by email that attribution beyond the likelihood that the attacks were carried out by “Russian actors” is problematic.

“Havex, BlackEnergy, Sofacy – all of them have strong ties to Russian interests. But they could be serving the interests of oligarchs friendly with the Kremlin rather than the Kremlin itself,” he added.

“And some of the attacks could be pure mercenary action – because any intelligence gathered will find a buyer.”

This activity could be linked to wider geopolitical issues, with oil prices falling and Russia increasingly isolated on the world stage, Sullivan claimed.

“The security and stability of the Russian state is entirely dependent on its economy – the motive and end goal of all this activity is survival,” he said.

“An animal is most dangerous when cornered and wounded.”

All ICS manufacturers should be on high alert and firms running such systems should realize that anything connected to the internet is a target, Sullivan concluded.
