Sandworm Team Went After Firms Running SCADA

Security experts have discovered that hackers dubbed the “Sandworm Team” last week are most likely using malware to target industrial SCADA systems using products from GE Intelligent Platforms.

Trend Micro senior threat researchers Kyle Wilhoit and Jim Gogolinksi said the group were using .cim and .bci files as attack vectors.

Both file types are used by CIMPLICITY – an application suite developed by GE Intelligent Platforms to run the Human Machine Interface (HMI) systems used in conjunction with SCADA.

Working back from the command and control (C&C) servers identified in the report last week, the Trend Micro researchers found files associated with CIMPLICITY. However, because HMI systems can be found in various parts of a power plant, it’s not yet clear what the end goal of the attackers was.

“It is important to note that we are currently seeing CIMPLICITY being used as an attack vector; however, we have found no indication that this malware is manipulating any actual SCADA systems or data,” Wilhoit and Gogolinski said in a blog post

“Since HMIs are located in both the corporate and control networks, this attack could be used to target either network segment, or used to cross from the corporate to the control network.”

First revealed by iSight Partners last week, Sandworm is believed to be a Russian cyber espionage team which was behind the BlackEnergy attacks on Eastern European government agencies.

Most recently it was fingered for exploiting the vulnerability CVE-2014-4114 in spear phishing attacks using a malicious PowerPoint attachment.

The vulnerability was subsequently patched by Microsoft in its monthly security update round.

In related news Microsoft was apparently forced at the weekend to withdraw an update featured last Tuesday after users reported forced reboots after installation.

Microsoft Security Advisory 2949927 added support for SHA-2 signing and verification functionality in Windows 7 and Server 2008 R2.

What’s Hot on Infosecurity Magazine?