isssource.com
Attack Group Called Out

Wednesday, July 29, 2015 @ 10:07 AM gHale

A cyber espionage group called Black Vine is targeting multiple industries including energy, aerospace and healthcare, researchers said.

The most prominent attack came to light last year when the healthcare provider Anthem suffered a breach in which more than 80 million records were stolen. The intrusion was discovered when an administrator noticed multiple queries running under his own account that he had not executed. That discovery of the database queries soon led Anthem to realize it was under attack from an advanced cyber espionage group.
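The discovery described above, an administrator spotting queries attributed to an account that the owner never ran, is the kind of signal a database audit log can surface automatically. The script below is an added example, not part of the original article or of Anthem's or Symantec's tooling. It assumes a simple audit-log format of "timestamp account source_host query" (an assumption; real engines log differently), a constructed baseline of which hosts each account normally connects from, and a constructed log excerpt. It raises two kinds of alert: queries run under an account from a host that account is not known to use, and bursts of queries from one account/host pair inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log excerpt (not a real log): "timestamp account source_host query".
# The 198.51.100.7 address is documentation space, used here as a stand-in.
SAMPLE_AUDIT_LOG = """\
2015-01-27T02:14:05Z dba_admin 10.0.5.21 SELECT count(*) FROM members
2015-01-27T02:15:11Z dba_admin 198.51.100.7 SELECT * FROM members WHERE id BETWEEN 1 AND 100000
2015-01-27T02:15:12Z dba_admin 198.51.100.7 SELECT * FROM members WHERE id BETWEEN 100001 AND 200000
2015-01-27T02:15:13Z dba_admin 198.51.100.7 SELECT * FROM members WHERE id BETWEEN 200001 AND 300000
2015-01-27T09:30:00Z app_svc 10.0.7.3 SELECT name FROM plans WHERE id = 42
"""

# Assumed baseline (hypothetical inventory): hosts each account is expected to connect from.
KNOWN_HOSTS = {
    "dba_admin": {"10.0.5.21"},
    "app_svc": {"10.0.7.3"},
}


def parse_audit_log(text):
    """Parse 'timestamp account host query' lines into dicts; skip blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, account, host, query = parts
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "host": host,
            "query": query,
        })
    return entries


def flag_unknown_hosts(entries, known_hosts):
    """Queries run under an account from a host that account is not known to use."""
    return [e for e in entries if e["host"] not in known_hosts.get(e["account"], set())]


def flag_query_bursts(entries, max_queries, window=timedelta(seconds=60)):
    """Return {(account, host): peak_count} for pairs exceeding max_queries in any sliding window."""
    by_session = defaultdict(list)
    for e in entries:
        by_session[(e["account"], e["host"])].append(e["ts"])
    bursts = {}
    for key, stamps in by_session.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits inside the window.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_queries:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


def find_suspicious(text, known_hosts=KNOWN_HOSTS, max_queries=2):
    """Run both detections over an audit-log text and return the findings."""
    entries = parse_audit_log(text)
    return {
        "unknown_hosts": flag_unknown_hosts(entries, known_hosts),
        "bursts": flag_query_bursts(entries, max_queries),
    }


if __name__ == "__main__":
    report = find_suspicious(SAMPLE_AUDIT_LOG)
    for e in report["unknown_hosts"]:
        print(f"ALERT {e['ts']:%Y-%m-%d %H:%M:%S} {e['account']} from unexpected host "
              f"{e['host']}: {e['query']}")
    for (account, host), n in report["bursts"].items():
        print(f"ALERT burst of {n} queries by {account} from {host} within 60s")
```

The host baseline is the piece that matters most: a privileged account issuing bulk reads from a host it has never used before is a stronger signal than volume alone, since legitimate maintenance jobs also produce bursts. In practice the baseline would be learned from historical logs rather than hard-coded, and the burst threshold tuned per account.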


The breach, conducted by Black Vine, was only one of several targeted campaigns, which spread across multiple industries, according to a report by security provider Symantec. Since 2012, Black Vine has conducted targeted attacks against multiple industries, including the energy, aerospace, and healthcare sectors.

The group, in existence since 2012, uses advanced custom-developed malware, zero-day exploits, and other tactics, techniques and procedures (TTPs) typically associated with highly capable, organized attackers, the Symantec report said.

Symantec went on to study Black Vine’s known attacks since 2012. Connecting multiple Black Vine campaigns over time not only shows the group’s previous operations, but also demonstrates how the attackers have adapted their tooling and tactics as the years went on.

After researching Black Vine’s attacks over time, Symantec identified the following key findings:
• Black Vine is responsible for carrying out cyber espionage campaigns against multiple industries, including energy, aerospace, and healthcare.
• Black Vine conducts watering-hole attacks targeting legitimate energy- and aerospace-related websites to compromise the sites’ visitors with custom malware.
• Black Vine appears to have access to the Elderwood framework, used to distribute zero-day exploits among threat groups that specialize in cyber espionage.
• Black Vine uses custom-developed malware and has resources to frequently update and modify its malware to avoid detection.

Symantec research found Black Vine is an attack group with working relationships with multiple cyber espionage groups. The group is well funded and well organized, and consists of at least a few members, some of whom may have a past or present association with a China-based IT security organization called Topsec.

Over the course of the Black Vine investigation, Symantec identified a number of targeted companies across several verticals. They found that analysis of infection data alone is misleading because of Black Vine’s attack vectors. Black Vine frequently conducts watering-hole attacks, in which an attacker compromises a legitimate website and makes it serve malware to the site’s visitors.

As a result, an analysis of compromised computers alone does not portray an accurate picture of Black Vine’s targeting objectives, Symantec said. Instead, it showed only the industries with the highest infection rates of Black Vine’s malware, which are not necessarily the industries the group set out to reach.

To further determine Black Vine’s intended target industries, Symantec assessed the companies that own the affected websites. Symantec also investigated attacks conducted by Black Vine that did not involve watering holes. After assessing multiple attack verticals, Symantec believes Black Vine’s primary targeted industries have been aerospace and healthcare; other affected industries were likely secondary targets.

Black Vine’s targets are across several regions, based on the IP address locations of the compromised computers. The vast majority of affected companies are in the U.S., followed by China, Canada, Italy, Denmark, and India.

Black Vine used three variants of malware over the years, known as Hurix, Sakurel, and Mivast. All three variants originated from one malware family likely created and updated by the same author or developer, Symantec said. Each variant was updated to add features and re-hashed to evade detection.

In a number of attacks, the malware was delivered onto the victim’s computer after Black Vine had exploited a zero-day vulnerability, primarily through watering-hole attacks. The zero-day exploits used in these attacks were distributed via the Elderwood framework.

The goal of all analyzed Black Vine campaigns has been cyber espionage.


Copyright © 2019 isssource.com