5/28/2015
09:00 AM
Data Theft The Goal Of BlackEnergy Attacks On Industrial Control Systems, Researchers Say

CyberX analysis of BlackEnergy module reveals most likely motive behind sophisticated multi-year attack campaign.

Data theft appears to be the primary motivation behind a sophisticated malware campaign directed at U.S. industrial control systems (ICS) networks since at least 2011.

That’s the conclusion of security vendor CyberX, based on its analysis over the past several months of the malware toolset used in the campaign. In a report released this week, CyberX said it has found clues suggesting that the attackers behind the campaign may be infecting machines that are used to interface and communicate with industrial control systems in order to steal data from deep inside ICS networks.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) first sounded the alarm on the threat last October and followed up with an update in December 2014. Both alerts identified the malware being used in the campaign as variants of BlackEnergy, a crimeware tool that has been around for several years and used in various previous criminal campaigns.

The ICS-CERT alerts warned of numerous industrial control systems networks being compromised in the campaign with multiple victims saying they had identified the malware on Internet-connected human-machine interface (HMI) systems from companies like GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess.

The alerts noted that the threat actors behind the campaign appear to be initially attempting to gain access to Internet-connected HMI systems by taking advantage of previously known vulnerabilities in such systems. In the case of Windows machines running GE Cimplicity web server for instance, the attackers exploited a directory traversal flaw in the WebView component of the software to install BlackEnergy on vulnerable systems. ICS-CERT said its analysis showed that automated tools were used to search for and compromise vulnerable systems.

At the time it released the alerts, ICS-CERT said it had not been able to discern any obvious motivation for the campaign or any attempts to damage, disrupt or modify infected ICS systems and networks. ICS-CERT also said it had not been able to determine whether the threat actors behind the campaign had managed to expand their access beyond the HMI systems and into the underlying control systems network.

According to CyberX, its analysis of several BlackEnergy samples strongly indicates that data theft is the primary motive.

“After studying a series of samples we managed to focus on BlackEnergy 3 (the third generation of the BlackEnergy family of malwares), which incorporates a mechanism that seems to be designed for this purpose,” the CyberX report said.

While reverse-engineering the malware, CyberX discovered two Remote Procedure Call (RPC) functions that appear designed to receive files and other data from remote machines.

The module that CyberX discovered appears to allow data to be siphoned out of ICS systems and networks that have no Internet connectivity: the data crosses the firewall to the Internet-connected HMI systems using RPC communication carried over the Server Message Block (SMB) protocol, and can then leave the network from there.
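The bridging pattern described above (an isolated control segment reaching an Internet-connected HMI host over SMB/RPC, which in turn talks to the Internet) is something a defender can look for in firewall or flow logs. The following is an added example, not code from the article, CyberX, or ICS-CERT; the segment addresses, ports, byte threshold, and log records are all constructed assumptions. It correlates two observations per HMI host: unusually large inbound SMB/RPC volume from the control segment, and any outbound connection to an address outside the internal space.

```python
"""Flag HMI hosts that look like an SMB/RPC bridge out of an isolated control
network. Added example; segments, thresholds and flow records are assumptions,
not values taken from the CyberX or ICS-CERT reports."""
import ipaddress
from collections import defaultdict

# Assumed segmentation (constructed): the control network is meant to have no
# Internet path; the HMI DMZ holds the Internet-connected HMI servers.
ICS_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
HMI_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_SPACE = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate ranges
SMB_RPC_PORTS = {135, 139, 445}        # MSRPC endpoint mapper, NetBIOS session, SMB
EXFIL_BYTES_THRESHOLD = 5_000_000      # assumed baseline: more than 5 MB per host is unusual here


def parse_flow(line):
    """Parse one constructed 'src dst dport bytes' flow record."""
    src, dst, dport, nbytes = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes))


def is_external(addr):
    """True when the address lies outside every assumed internal range."""
    return not any(addr in net for net in INTERNAL_SPACE)


def find_bridge_hosts(lines):
    """Return (hmi_host, inbound_bytes) for HMI hosts that both receive a large
    SMB/RPC volume from the control segment and connect to external addresses."""
    inbound = defaultdict(int)   # HMI host -> bytes received over SMB/RPC from the ICS segment
    egress = set()               # HMI hosts seen originating connections to external addresses
    for line in lines:
        src, dst, dport, nbytes = parse_flow(line)
        if src in ICS_SEGMENT and dst in HMI_SEGMENT and dport in SMB_RPC_PORTS:
            inbound[dst] += nbytes
        elif src in HMI_SEGMENT and is_external(dst):
            egress.add(src)
    findings = []
    for host, nbytes in inbound.items():
        if host in egress and nbytes >= EXFIL_BYTES_THRESHOLD:
            findings.append((str(host), nbytes))
    return sorted(findings)


# Constructed flow records: "src dst dport bytes".
SAMPLE_FLOWS = [
    "10.10.5.7 10.20.0.10 445 8200000",     # large SMB transfer from control net to HMI .10
    "10.20.0.10 203.0.113.25 443 12000",    # HMI .10 then talks to an external address
    "10.10.5.8 10.20.0.11 445 120000",      # small SMB flow, within assumed baseline
    "10.20.0.11 10.20.0.12 445 900000",     # intra-DMZ SMB, not from the control segment
    "10.10.5.9 10.20.0.12 3389 7000000",    # large, but not SMB/RPC
    "10.20.0.12 203.0.113.30 443 500",      # HMI .12 has egress but no large SMB inbound
]

if __name__ == "__main__":
    for host, nbytes in find_bridge_hosts(SAMPLE_FLOWS):
        print(f"possible SMB/RPC bridge: {host} received {nbytes} bytes from the control segment")
```

Only the host that shows both halves of the pattern is reported; a large SMB transfer alone, or Internet egress alone, is normal for an HMI that legitimately serves both sides. The threshold would be tuned against the site's own baseline of HMI-to-historian traffic.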

“Our research has led us to the conclusion that there may be other undiscovered plugins, which would be responsible for the reconnaissance and data exfiltration from the deeper parts of the organizational network,” CyberX warned in its report.

The report focuses attention on what a growing number of security experts say is the continuing misconception that isolating an ICS network from the Internet is sufficient protection against all threats.

In a report released last year, security vendor Kaspersky Labs had noted how industrial networks could be disrupted not just by a production unit failure or operator error, but also by software errors resulting from accidental or deliberate infection of workstations connected to such networks.

While Stuxnet remains the best known example of malware designed to exploit ICS networks, there are many other industrial control systems infected with ordinary malware that pose a threat as well, Kaspersky said.

“In industrial networks, regular malware can cause far greater damage than when it infects office or home computers,” the report had noted. “For instance, it may block the operation of critical applications, thus leading to hardware failure. The potential consequences may go far beyond even the plans of many malware writers.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
