BlackEnergy: Analyzing an ICS Threat

Wednesday, November 5, 2014 @ 03:11 PM gHale

By Gregory Hale
Fear emanating from an industrial control system (ICS) threat like BlackEnergy can quickly take hold of any discussion, and the idea of a thoughtful, well-considered plan can dissipate rapidly – and when that occurs, the bad guys win.

BlackEnergy is a malware threat that has been around since at least 2011 and is now searching out, compromising, and spying on systems around the world, but not very much is known about this APT yet. While researchers analyze code and try to dig deeper, there is no doubt this is a clear and present danger to ICS.

“There are a lot of people that really don’t know what is going on with BlackEnergy,” said Joel Langill, of RedHat Cyber, an independent ICS security researcher. “That is one reason why DHS (Department of Homeland Security) is being slow and methodical on this.”

BlackEnergy is a malware program with capabilities like port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and one report even said it can wipe a hard disk.

Over the past few years, industrial infrastructure has been a key target for hackers and government-sponsored warfare, attracting some of the most sophisticated cyber attacks on record, including Stuxnet, Flame, Duqu and Dragonfly. BlackEnergy is another advanced attack with payloads that target specific ICS components.

Right now, though, BlackEnergy appears to be learning and waiting, and who its real targets are seems to be up in the air. While there do not appear to be any U.S.-based industrial victims right now, researchers said there has been at least one targeted victim in Poland that was an energy company.

“There is nothing happening on the ICS targets once they have been compromised,” Langill said. “The idea is they would get the ability to do something, but it doesn’t seem anybody has been able to figure out if anything has been done.

“Command and control has been established, but no command control has been executed. Right now, for example, we know it is exploiting a vulnerability in Cimplicity and GE fixed it. But once they exploited that vulnerability they are not sure what anybody has done. That tells me (researchers) don’t have a good idea on who has been attacked.”

There is a possibility code used in Dragonfly could end up used in Cimplicity. Dragonfly focused on executing malicious code targeting intellectual property of pharmaceutical organizations, Langill said.

“The end target of compromise in Dragonfly was not an ICS device,” he said. “It was some host, like an engineering workstation that was general purpose and had access to the networks. Now that they have access to the networks, they need something else to happen (to find an ICS weakness).” That is one reason why Langill says there are some strong synergies between the attacks.

Another interesting piece of information is the Dragonfly attack didn’t use any Zero Days, Langill said. But the more recent attack called Sandworm did. Sandworm was another attack discovered by security firm iSIGHT Partners, which found spear-phishing attacks exploiting a Zero Day vulnerability in all supported versions of Microsoft Windows, but not XP.

“One really big bit of information that jumps out is the Windows Zero Day they found didn’t have an impact on XP machines, which leads me to believe that is why they developed the ICS exploits because the number of XP platforms sitting on ICS hosts has to be huge,” Langill said. “It is by far the majority. When you see new age malware and it wouldn’t succeed against an XP machine you probably wouldn’t be able to compromise a target you are looking at in an ICS world — especially the energy market. Because that Windows Zero Day wouldn’t work on XP, they had to develop something that would work on XP.”

The word “they” seems to appear quite often, and no one really seems to know who “they” really is. Most reports seem to agree the attacks are coming from Russia. iSIGHT is tracking five campaigns that appear to be originating from that region. And, as Langill said, there could be a connection.

“When we saw what Dragonfly was doing, it seems to have a lot of synergy with a lot of campaigns that appear to be originating from Russia,” Langill said.

Some of the campaigns coming out of that region include Dragonfly, Sandworm and APT28. APT28, discovered by security firm FireEye, does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government.

All these attacks appear to focus on espionage. “They are related in exfiltrating information,” Langill said. “There have been no consequences when it comes to SCADA and ICS. There seems to be this common theme of theft.”

There are no real definitive answers to most questions, only small pieces of information gleaned from various sources, which is why DHS is working on answers rather than operating in a totally reactive mode.

In upcoming meetings that DHS will hold across the country, participants can at least discuss and learn about who is behind the attack and why.

“We are still trying to unravel their intent,” Langill said.
