Endpoint
5/28/2015
09:00 AM

Data Theft The Goal Of BlackEnergy Attacks On Industrial Control Systems, Researchers Say

CyberX analysis of BlackEnergy module reveals most likely motive behind sophisticated multi-year attack campaign.

Data theft appears to be the primary motivation behind a sophisticated malware campaign directed at U.S. industrial control systems (ICS) networks since at least 2011.

That’s the conclusion of security vendor CyberX, based on its analysis over the past several months of the malware toolset used in the campaign. In a report released this week, CyberX said it has found clues suggesting that the attackers behind the campaign may be infecting the machines used to interface and communicate with industrial control systems in order to steal data from deep inside ICS networks.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) first sounded the alarm on the threat last October and followed up with an update in December 2014. Both alerts identified the malware being used in the campaign as variants of BlackEnergy, a crimeware tool that has been around for several years and used in various previous criminal campaigns.

The ICS-CERT alerts warned of numerous industrial control systems networks being compromised in the campaign, with multiple victims saying they had identified the malware on Internet-connected human-machine interface (HMI) systems running products such as GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess.

The alerts noted that the threat actors behind the campaign appear to be initially attempting to gain access to Internet-connected HMI systems by taking advantage of previously known vulnerabilities in such systems. In the case of Windows machines running GE Cimplicity web server for instance, the attackers exploited a directory traversal flaw in the WebView component of the software to install BlackEnergy on vulnerable systems. ICS-CERT said its analysis showed that automated tools were used to search for and compromise vulnerable systems.
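The exploitation step described above, an attacker reaching an Internet-exposed HMI web server through a directory traversal flaw, leaves a trace in the web server's own access log. As an added, defender-side example that is not part of the article or of any ICS-CERT or CyberX material, the following script scans constructed Common Log Format lines for traversal sequences, percent-decoding the request path repeatedly so that single- and double-encoded `../` are caught alongside the literal form. The request paths, client addresses and timestamps are invented; they are not the real GE Cimplicity WebView URLs.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Common Log Format). Paths and
# client IPs are invented for illustration; they are not the real
# WebView URLs referenced in the ICS-CERT alerts.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2014:03:14:07 +0000] "GET /webview/index.html HTTP/1.1" 200 5123
203.0.113.10 - - [12/Oct/2014:03:14:09 +0000] "GET /webview/../../../windows/win.ini HTTP/1.1" 200 403
198.51.100.7 - - [12/Oct/2014:03:15:01 +0000] "GET /webview/%2e%2e%2f%2e%2e%2fboot.ini HTTP/1.1" 404 221
198.51.100.7 - - [12/Oct/2014:03:15:02 +0000] "GET /webview/%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 221
192.0.2.44 - - [12/Oct/2014:03:16:11 +0000] "GET /webview/status.html HTTP/1.1" 200 812
"""

# Minimal CLF parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A traversal element is a '..' path segment after decoding.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(path):
    """Percent-decode repeatedly (bounded to three rounds) so that
    double-encoded sequences such as %252e%252e%252f collapse to '../'
    before matching; backslashes are folded to forward slashes."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def find_traversal(log_text):
    """Return one finding per request whose normalized path contains a
    '..' segment, with the raw path kept for evidence."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        norm = normalize_path(m.group('path'))
        if TRAVERSAL_RE.search(norm):
            findings.append({
                'ip': m.group('ip'),
                'timestamp': m.group('ts'),
                'path': m.group('path'),
                'normalized': norm,
                'status': int(m.group('status')),
            })
    return findings


if __name__ == '__main__':
    for f in find_traversal(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']} -> {f['normalized']}")
```

A 200 response to a traversal request (the second sample line) is the case worth escalating: it suggests the server actually served a file outside the web root, whereas 404s show probing that was stopped. The bounded decode loop matters because a single `unquote` would miss the double-encoded form on the fourth line.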

At the time it released the alerts, ICS-CERT said it had not been able to discern any obvious motivation for the campaign, nor any attempts to damage, disrupt or modify infected ICS systems and networks. ICS-CERT also said it had not been able to determine whether the threat actors behind the campaign had managed to expand their access beyond the HMI systems and into the underlying control systems network.

According to CyberX, its analysis of several BlackEnergy samples strongly indicates that data theft is the primary motive.

“After studying a series of samples we managed to focus on BlackEnergy 3 (the third generation of the BlackEnergy family of malwares), which incorporates a mechanism that seems to be designed for this purpose,” the CyberX report said.

While reverse-engineering the malware, CyberX discovered two Remote Procedure Call (RPC) functions that appear designed to receive files and other data from remote machines.

The module that CyberX discovered appears to allow data to be siphoned from ICS systems and networks that have no Internet connectivity to the Internet-connected HMI systems, passing through the firewall by means of RPC communication over the Server Message Block (SMB) protocol.
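The mechanism just described relies on the firewall between the control network and the Internet-facing HMI segment permitting SMB (TCP port 445) between the two. A defender reviewing firewall session logs can look for exactly that: allowed SMB sessions that cross the control/HMI boundary in either direction, and how much data moved. The following is an added example, not code from the article, CyberX or ICS-CERT; the zone address ranges, the log line layout (time, source, destination, protocol, destination port, bytes, action) and the 5 MiB threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed network zones (constructed addressing, not from any report).
ZONES = {
    'control': ipaddress.ip_network('10.10.0.0/16'),   # isolated ICS network
    'hmi_dmz': ipaddress.ip_network('10.20.0.0/24'),   # Internet-connected HMI servers
    'corporate': ipaddress.ip_network('10.30.0.0/16'),
}
SMB_PORT = 445
BYTES_THRESHOLD = 5 * 1024 * 1024   # assumed: 5 MiB per src/dst pair

# Constructed firewall session log: time src dst proto dport bytes action
SAMPLE_FLOWS = """\
2015-05-20T01:02:03Z 10.20.0.5 10.10.4.21 tcp 445 7340032 allow
2015-05-20T01:02:10Z 10.20.0.5 10.10.4.21 tcp 445 1048576 allow
2015-05-20T01:03:00Z 10.30.1.8 10.20.0.5 tcp 443 20480 allow
2015-05-20T01:04:00Z 10.10.4.22 10.10.4.1 tcp 502 4096 allow
2015-05-20T01:05:00Z 10.10.4.23 10.20.0.6 tcp 445 2048 allow
2015-05-20T01:06:00Z 10.10.4.23 10.20.0.6 tcp 445 2048 deny
"""


def zone_of(ip):
    """Map an address to the first zone whose prefix contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return 'unknown'


def parse_flows(text):
    """Parse the assumed seven-column session log into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # ignore malformed lines
        ts, src, dst, proto, dport, nbytes, action = parts
        rows.append({'ts': ts, 'src': src, 'dst': dst, 'proto': proto,
                     'dport': int(dport), 'bytes': int(nbytes), 'action': action})
    return rows


def find_smb_crossings(text):
    """Summarise allowed SMB sessions between the control zone and the
    HMI DMZ (either direction), per src/dst pair, sorted by volume."""
    totals = defaultdict(lambda: {'bytes': 0, 'sessions': 0})
    for r in parse_flows(text):
        if r['proto'] != 'tcp' or r['dport'] != SMB_PORT or r['action'] != 'allow':
            continue
        ends = {zone_of(r['src']), zone_of(r['dst'])}
        if ends == {'control', 'hmi_dmz'}:
            t = totals[(r['src'], r['dst'])]
            t['bytes'] += r['bytes']
            t['sessions'] += 1
    findings = [
        {'src': s, 'dst': d, 'bytes': v['bytes'], 'sessions': v['sessions'],
         'exceeds_threshold': v['bytes'] >= BYTES_THRESHOLD}
        for (s, d), v in totals.items()
    ]
    return sorted(findings, key=lambda f: f['bytes'], reverse=True)


if __name__ == '__main__':
    for f in find_smb_crossings(SAMPLE_FLOWS):
        flag = 'HIGH-VOLUME' if f['exceeds_threshold'] else 'note'
        print(f"{flag}: {f['src']} -> {f['dst']} {f['sessions']} sessions, {f['bytes']} bytes")
```

Both directions are checked because the article only says the module receives files from remote machines, not which side opens the SMB session. Denied sessions are excluded from the volume totals (nothing crossed), but a burst of denied 445 attempts from the HMI segment would itself be worth a separate alert. In practice the better finding is that the boundary allows SMB at all; the threshold only orders the investigation.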

“Our research has led us to the conclusion that there may be other undiscovered plugins, which would be responsible for the reconnaissance and data exfiltration from the deeper parts of the organizational network,” CyberX warned in its report.

The report focuses attention on what a growing number of security experts say is the continuing misconception that isolating an ICS network from the Internet is sufficient protection against all threats.

In a report released last year, security vendor Kaspersky Labs had noted how industrial networks could be disrupted not just by a production unit failure or operator error, but also by software errors resulting from accidental or deliberate infection of workstations connected to such networks.

While Stuxnet remains the best known example of malware designed to exploit ICS networks, there are many other industrial control systems infected with ordinary malware that pose a threat as well, Kaspersky said.

“In industrial networks, regular malware can cause far greater damage than when it infects office or home computers,” the report had noted. “For instance, it may block the operation of critical applications, thus leading to hardware failure. The potential consequences may go far beyond even the plans of many malware writers.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
