5/28/2015
09:00 AM

Data Theft The Goal Of BlackEnergy Attacks On Industrial Control Systems, Researchers Say

CyberX analysis of BlackEnergy module reveals most likely motive behind sophisticated multi-year attack campaign.

Data theft appears to be the primary motivation behind a sophisticated malware campaign directed at U.S. industrial control systems (ICS) networks since at least 2011.

That’s the conclusion security vendor CyberX reached after analyzing, over the past several months, the malware toolset used in the campaign. In a report released this week, CyberX said it has found clues suggesting that the attackers behind the campaign may be infecting machines that are used to interface and communicate with industrial control systems in order to steal data from deep inside ICS networks.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) first sounded the alarm on the threat last October and followed up with an update in December 2014. Both alerts identified the malware being used in the campaign as variants of BlackEnergy, a crimeware tool that has been around for several years and has been used in various previous criminal campaigns.

The ICS-CERT alerts warned of numerous industrial control systems networks being compromised in the campaign, with multiple victims saying they had identified the malware on Internet-connected human-machine interface (HMI) systems from companies like GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess.

The alerts noted that the threat actors behind the campaign appear to be initially attempting to gain access to Internet-connected HMI systems by taking advantage of previously known vulnerabilities in such systems. In the case of Windows machines running GE Cimplicity web server, for instance, the attackers exploited a directory traversal flaw in the WebView component of the software to install BlackEnergy on vulnerable systems. ICS-CERT said its analysis showed that automated tools were used to search for and compromise vulnerable systems.

At the time it released the alerts, ICS-CERT said it had not been able to discern any obvious motivation for the campaign or any attempts to damage, disrupt or modify infected ICS systems and networks. ICS-CERT said it had also been unable to determine whether the threat actors behind the campaign had managed to expand their access beyond the HMI systems and into the underlying control systems network.

According to CyberX, its analysis of several BlackEnergy samples strongly indicates that data theft is the primary motive.

“After studying a series of samples we managed to focus on BlackEnergy 3 (the third generation of the BlackEnergy family of malwares), which incorporates a mechanism that seems to be designed for this purpose,” the CyberX report said.

While reverse-engineering the malware, CyberX discovered two Remote Procedure Call (RPC) functions that appear designed to receive files and other data from remote machines.

The module that CyberX discovered appears to allow data to be siphoned from ICS systems and networks that have no Internet connectivity to Internet-connected HMI systems, passing through the firewall using RPC communication over the Server Message Block (SMB) protocol.

“Our research has led us to the conclusion that there may be other undiscovered plugins, which would be responsible for the reconnaissance and data exfiltration from the deeper parts of the organizational network,” CyberX warned in its report.

The report focuses attention on what a growing number of security experts say is the continuing misconception that isolating an ICS network from the Internet is sufficient protection against all threats.
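A defender can look for the RPC-over-SMB path described above in internal flow records. The following is an added example, not code from the CyberX report or ICS-CERT; the flow-record layout, the addresses, the zone boundaries and the byte threshold are all assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed flow records (not from the CyberX report):
# time, source, destination, destination port, bytes source->destination
SAMPLE_FLOWS = """\
2015-05-01T02:10:00,10.20.0.15,10.10.0.5,445,18000000
2015-05-01T02:40:00,10.20.0.15,10.10.0.5,445,22000000
2015-05-01T03:00:00,10.20.0.22,10.10.0.5,445,4096
2015-05-01T03:05:00,10.20.0.22,10.10.0.5,502,900000
2015-05-01T03:10:00,10.10.0.5,10.20.0.15,445,50000000
2015-05-01T03:15:00,10.30.0.9,10.10.0.5,445,70000000
bad,row
"""

def find_smb_staging(flow_csv, control_net, hmi_hosts, min_bytes):
    """Return [(src, dst, bytes)] for control-zone hosts that pushed at least
    min_bytes to an HMI over SMB, largest first."""
    control = ipaddress.ip_network(control_net)
    hmis = {ipaddress.ip_address(h) for h in hmi_hosts}
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            _, src, dst, dport, sent = row
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport, sent = int(dport), int(sent)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        # Only the direction the article describes: isolated host -> HMI, SMB.
        if src in control and dst in hmis and dport in SMB_PORTS:
            totals[(str(src), str(dst))] += sent
    hits = [(s, d, n) for (s, d), n in totals.items() if n >= min_bytes]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for src, dst, n in find_smb_staging(SAMPLE_FLOWS, "10.20.0.0/24",
                                        ["10.10.0.5"], 10_000_000):
        print(f"{src} -> {dst}: {n} bytes over SMB")
```

Totals are aggregated per host pair, so a transfer split across many small sessions still crosses the threshold.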

In a report released last year, security vendor Kaspersky Labs had noted how industrial networks could be disrupted not just by a production unit failure or operator error, but also by software errors resulting from accidental or deliberate infection of workstations connected to such networks.

While Stuxnet remains the best known example of malware designed to exploit ICS networks, there are many other industrial control systems infected with ordinary malware that pose a threat as well, Kaspersky said.

“In industrial networks, regular malware can cause far greater damage than when it infects office or home computers,” the report had noted. “For instance, it may block the operation of critical applications, thus leading to hardware failure. The potential consequences may go far beyond even the plans of many malware writers.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
