BlackEnergy: The Scariest Malware in America?

Malicious software that researchers think has been used by hackers to attack critical infrastructure systems, such as trains and power plants in Ukraine and Poland, has been found in similar American systems, the U.S. government says.

And while there is no sign hackers have used the software — called BlackEnergy — to wreak havoc by actually changing settings at power plants or railroads, industry groups and government officials are taking the discovery seriously. The group believed to be behind the attacks, dubbed “Sandworm” by some researchers, has been conducting electronic espionage or reconnaissance on U.S. systems for several years, according to the Department of Homeland Security.

Warnings and urgent calls to update systems have flown around the security community for several weeks.

The Department of Homeland Security’s Computer Emergency Response Team — the nation’s top cyber defense agency — issued a notice saying that the campaign “has compromised numerous industrial control systems (ICSs).”

“Analysis indicates that this campaign has been ongoing since at least 2011,” it said. “Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).”

Human-machine interfaces give plant operators easy, visual controls over operations. The software layer, which is sometimes also connected to the public Internet, apparently also gives hackers a back door into infrastructure systems.

A ‘Targeted Campaign’

Manufacturers have responded quickly to the warning. Software made by both Siemens and GE was among the programs listed as vulnerable by CERT. Siemens said its experts were investigating with CERT, and promised to provide information soon.

GE’s notice provided more detail, and explicitly linked the attacks to the Sandworm group. As with all hacker groups, Sandworm’s location and origin are shrouded in mystery, but researchers at security firms F-Secure and iSight Partners have linked the group to Russia.

“A group of adversaries named ‘Sandworm’ is implementing a targeted campaign against select targets in the United States and abroad,” GE said. “Among the attack vectors, adversaries may engage in phishing campaigns, leverage known and 0-day vulnerabilities and target vulnerable … systems routable through public networks.”

BlackEnergy, the software used in the attacks, has actually been around since 2007, and was initially designed for standard cyber mischief, like spam. But it has a long history in the cyberwar world — researchers think it was used against Georgia during that nation’s conflict with Russia. It has been updated incessantly with plugins that perform all manner of attacks. A favorite of simple credit card hackers, it is also used by more sophisticated crime rings in part because it is so common — that helps hide their trail.

Can Lie in Wait for Months, Years

Unlike splashy hacker attacks that result in high-profile database thefts, BlackEnergy, as used in this case, is known as an Advanced Persistent Threat, meaning it is designed to lurk unnoticed in systems for weeks, months or even years — either to gain insight into a system, or to wait for the perfect moment for a larger attack.

Sandworm, the group, has engaged in serious hack attacks that appear to be state-sponsored, or at least part of a freelance cyber-warfare campaign, researchers say. F-Secure reported in September that the gang had attacked Ukrainian Railways and other infrastructure systems. Its method of attack was ingenious.

“Victims were sent emails containing documents that ostensibly offered information on Russian plans to take over the world, said researchers from another anti-virus firm ESET,” the Guardian wrote in September. “One appeared to be a story from the Guardian, entitled ‘Russian ambassadors: next we’ll take Catalonia, Venice, Scotland and Alaska’. Though this was a genuine article online, anyone who clicked on the associated Word file would open themselves up to BlackEnergy infection.”

Building on F-Secure’s research, iSight Partners said later that Sandworm had attacked a much wider array of targets recently, including NATO, energy sector firms in Poland, telecom firms across Europe, and a U.S. academic organization.

“iSIGHT has dubbed ‘Sandworm Team’ based on its use of encoded references to the classic science fiction series Dune in command and control URLs and various malware samples,” the firm said.

Mikko Hypponen, chief research officer at F-Secure, told Credit.com the BlackEnergy software could be focusing not on shutting down systems, but watching them.

“This is pretty bad,” he said. “When Stuxnet was found, 4 years ago, everybody was expecting a wave of attacks against factory automatization systems. Instead, we got silence. Now, in 2014, we are starting to see what we expected to see back then. The new attacks that we’ve seen – including Havex and BlackEnergy – don’t seem to attempt to do sabotage like Stuxnet. Instead, they seem to be focusing on reconnaissance. We can only hope that ICS systems are better prepared today than what they were in 2010.”

Whether the software is designed to merely conduct espionage — intelligence gathering — or something more serious is unknown. So far, CERT says the damage has been limited.

“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system,” CERT said in its warning. But the top U.S. cyber agency noted that the lack of a smoking gun — or power plant — should provide no comfort to operators. “However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.”
