Data theft appears to be the primary motivation behind a sophisticated malware campaign directed at U.S. industrial control systems (ICS) networks since at least 2011.
That’s the conclusion of security vendor CyberX based on its analysis over the past several months, of the malware toolset used in the campaign. In a report released this week, CyberX said it has found clues suggesting that the attackers behind the campaign may be infecting machines that are used to interface and communicate with industrial control systems in order to steal data from deep inside ICS networks.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) first sounded the alarm on the threat last October and followed up with an update in December 2014. Both alerts identified the malware being used in the campaign as variants of BlackEnergy, a crimeware tool that has been around for several years and used in various previous criminal campaigns.
The ICS-CERT alerts warned of numerous industrial control systems networks being compromised in the campaign with multiple victims saying they had identified the malware on Internet-connected human-machine interface (HMI) systems from companies like GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess.
The alerts noted that the threat actors behind the campaign appear to be initially attempting to gain access to Internet-connected HMI systems by taking advantage of previously known vulnerabilities in such systems. In the case of Windows machines running GE Cimplicity web server for instance, the attackers exploited a directory traversal flaw in the WebView component of the software to install BlackEnergy on vulnerable systems. ICS-CERT said its analysis showed that automated tools were used to search for and compromise vulnerable systems.
At the time it released the alerts, ICS-CERT said it had not been able to discern any obvious motivation for the campaign or any attempts to damage, disrupt or modify infected ICS systems and networks. ICS-CERT said it had not been able to identify either if the threat actors behind the campaign had managed to expand their access beyond the HMI systems and into the underlying control systems network.
According to CyberX, its analysis of several BlackEnergy samples strongly indicates that data theft is the primary motive.
“After studying a series of samples we managed to focus on BlackEnergy 3 (the third generation of the BlackEnergy family of malwares), which incorporates a mechanism that seems to be designed for this purpose,” the CyberX report said.
While reverse-engineering the malware, CyberX discovered two Remote Procedure Call (RPC) functions that appear designed to receive files and other data from remote machines.
The module that CyberX discovered seems to allow for data to be siphoned out from ICS systems and networks with no Internet connectivity to Internet connected HMI systems via the firewall using RPC communication over the Server Message Block (SMB) protocol.
“Our research has led us to the conclusion that there may be other undiscovered plugins, which would be responsible for the reconnaissance and data exfiltration from the deeper parts of the organizational network,” CyberX warned in its report.
The report focuses attention on what a growing number of security experts say is the continuing misconception that isolating an ICS network from the Internet is sufficient protection against all threats.
In a report released last year, security vendor Kaspersky Labs had noted how industrial networks could be disrupted not just by a production unit failure or operator error, but also by software errors resulting from accidental or deliberate infection of workstations connected to such networks.
While Stuxnet remains the best known example of malware designed to exploit ICS networks, there are many other industrial control systems infected with ordinary malware that pose a threat as well, Kaspersky said.
“In industrial networks, regular malware can cause far greater damage than when it infects office or home computers,” the report had noted. “ For instance, it may block the operation of critical applications, thus leading to hardware failure. The potential consequences may go far beyond even the plans of many malware writers.”