The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently released an advisory warning operators of industrial control systems of an active cyber crime campaign that is targeting them with Trojans and backdoor attacks.
According to the advisory, organizations using human-machine interface (HMI) software are being targeted with BlackEnergy malware, and multiple companies running Internet-connected HMI software were found to be infected. HMI software is a valuable target for attackers because it provides a visual overview of manufacturing and industrial control processes, communicates with the logic controllers that run them, and manages those processes from a central, usually Windows-based, interface. Processes controlled through the software include manual functions like modifying temperature controls and turning pumps on and off at some of the country’s most critical infrastructure, such as wind turbines, power transmission grids and oil and gas pipelines.
ICS-CERT reported in its advisory that it has not yet identified any malicious activity regarding the software as a result of the intrusions, but that does not mean affected organizations shouldn’t make remediation efforts.
“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system,” the organization explained in the advisory. “However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.”
BlackEnergy used in multiple high-level attacks
According to a Trend Micro alert about the malware, BlackEnergy is a backdoor Trojan that is downloaded onto the victim system remotely. It persists by dropping a malicious file into the Windows user Startup folder, which causes it to execute automatically at every system startup.
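Because the persistence mechanism described above is a file in the Startup folder, a Startup-folder baseline check is a simple way for an HMI operator to spot it. The following audit script is an added example, not code from the article, Trend Micro or ICS-CERT; the folder paths, the baseline format and all sample files are assumptions or constructed stand-ins.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Startup folder relative to APPDATA (per-user) and PROGRAMDATA (all users).
STARTUP_SUBPATH = Path("Microsoft/Windows/Start Menu/Programs/Startup")

def default_startup_dirs():
    """Startup folders to audit on the local Windows host (empty elsewhere)."""
    return [Path(os.environ[v]) / STARTUP_SUBPATH
            for v in ("APPDATA", "PROGRAMDATA") if v in os.environ]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def audit_startup_dir(directory, baseline):
    """Return (name, sha256, reason) for each file in `directory` that is
    absent from `baseline` (name -> sha256) or whose hash has changed."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    findings = []
    for entry in sorted(directory.iterdir()):
        if not entry.is_file() or entry.name.lower() == "desktop.ini":
            continue  # desktop.ini is Explorer metadata, not a launch entry
        digest = sha256_of(entry)
        if entry.name not in baseline:
            findings.append((entry.name, digest, "not in baseline"))
        elif baseline[entry.name] != digest:
            findings.append((entry.name, digest, "hash changed"))
    return findings

def demo_on_constructed_dir():
    """Audit a throwaway folder of constructed files (not real malware)."""
    root = Path(tempfile.mkdtemp())
    (root / "desktop.ini").write_text("[.ShellClassInfo]")
    (root / "vendor_tool.lnk").write_bytes(b"known-good shortcut")
    (root / "hmi_client.lnk").write_bytes(b"shortcut modified after baseline")
    (root / "update.exe").write_bytes(b"constructed stand-in for a dropped file")
    baseline = {"vendor_tool.lnk": sha256_of(root / "vendor_tool.lnk"),
                "hmi_client.lnk": hashlib.sha256(b"original shortcut").hexdigest()}
    return audit_startup_dir(root, baseline)
```

On a real HMI host, record the baseline at commissioning and run `audit_startup_dir` over each path from `default_startup_dirs()` on a schedule; any finding is a change to what launches at logon and warrants investigation.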
In October, security analysts from iSIGHT Partners revealed that a group of Russian cyber criminals was using BlackEnergy malware, together with a Windows zero-day flaw, to exfiltrate data from telecom providers, defense contractors, energy firms and government agencies, as well as departments within NATO. The group behind the attacks, dubbed Sandworm by iSIGHT, used phishing emails carrying malicious PowerPoint attachments that contained the exploit code. The vulnerability used in those breaches has since been patched, but a connection between the two campaigns has been identified: officials within the Department of Homeland Security believe there is evidence that the attackers behind the most recent campaign are sponsored by the Russian government, ABC News reported.
Attacks against at least one of the HMI software vendors affected by the BlackEnergy exploit have been ongoing since January 2012; the vulnerability was disclosed in December 2013, and information about the attacks has been available since then.
Not all infrastructure is created equal
A recent blog post by Trend Micro researchers about the cyber security issues facing critical infrastructure noted that not all operations are at equal risk. Energy suppliers are often targeted because a successful attack on such a group would have the most visible consequences. Electrical grids are especially vulnerable to attacks because the IP connectivity used to streamline and enhance control systems can also be easily leveraged by hackers to initiate an attack. Industrial control systems and supervisory control and data acquisition programs have grown to be increasingly Internet-facing in recent years, elevating the risk of malicious surveillance and intrusion into highly privileged networks.
“[A]s things changed over time, most of these systems’ purposes have been reestablished, along with the way they were configured,” wrote Trend Micro’s Kyle Wilhoit in a research paper entitled, “Who’s Really Attacking Your ICS Equipment?”. “A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the Internet, with very little hindrance.”
The Department of Homeland Security has warned that advanced penetration of software controlling critical infrastructure could cause severe economic damage. A reliable way for organizations utilizing the affected software to secure their devices is to implement a Trend Micro Smart Protection Network. Such a solution provides continuous monitoring of databases containing known email, Web and file threats in order to detect attacks before they occur. The increased connectivity necessary for modern operations can also put enterprises at a greater risk of attack. It’s not practical to assume an organization can prevent every cyber criminal from intruding onto a network, but it is possible to be one step ahead of the hackers before an attack happens.