BlackEnergy Targets Linux, Routers

Wednesday, November 5, 2014 @ 03:11 PM gHale

A cyberespionage group that built its operations around a malware program called BlackEnergy and targets industrial control systems (ICS) has been compromising routers and Linux systems based on ARM and MIPS architectures in addition to Windows computers, researchers said.

The group developed custom modules for BlackEnergy, a tool originally created and used by cybercriminals to launch distributed denial-of-service (DDoS) attacks, said researchers from antivirus vendor Kaspersky Lab in a report released Monday.


The group developed variants of its BlackEnergy plug-ins for both Windows and Linux systems. They extend the malware with capabilities such as port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and even hard disk wiping.

A different selection of plug-ins is deployed from the command-and-control servers to each victim, depending on the group’s goals and the victim’s systems, Kaspersky researchers said.

In one case, attackers downloaded and executed a BlackEnergy plug-in called dstr that destroyed data on an organization’s Windows computers, Kaspersky researchers said.

“By all appearances, the attackers pushed the ‘dstr’ module when they understood that they were revealed, and wanted to hide their presence on the machines,” the Kaspersky Lab researchers said. “Some machines already launched the plugin, lost their data and became unbootable.”

In another incident, an organization that likewise had data destroyed on some of its Windows machines also found it could no longer access its Cisco routers via telnet. When they investigated, they found several “farewell” scripts left on the routers by the BlackEnergy group, Kaspersky researchers said.

Those scripts were used to clean up traces of what the attackers had done on the compromised routers. One script had the description “Cisc0 API Tcl extension for B1ack En3rgy b0t” and contained a message for Kaspersky researchers.

The group appears to be targeting organizations that run industrial control systems, especially in the energy sector.

Victims identified by Kaspersky include power generation operators, power facilities construction companies, suppliers and manufacturers of heavy power-related materials, and energy sector investors.

This matches recent findings by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security. In a security alert last week, ICS-CERT warned that multiple companies running HMI (human-machine interface) products from General Electric, Siemens and BroadWin/Advantech had their systems infected with BlackEnergy. HMIs are software applications that provide a graphical user interface for monitoring and interacting with industrial control systems.

The group is also targeting high-level government organizations, municipal offices, federal emergency services, national standards bodies, banks, academic research institutions, property holdings and other organizations.
