BlackEnergy: The Scariest Malware in America?

Malicious software that researchers think has been used by hackers to attack critical infrastructure systems, such as trains and power plants in Ukraine and Poland, has been found in similar American systems, the U.S. government says.

And while there is no sign hackers have used the software — called BlackEnergy — to wreak havoc by actually changing settings at power plants or railroads, industry groups and government officials are taking the discovery seriously. The group believed to be behind the attacks, dubbed “Sandworm” by some researchers, has been conducting electronic espionage or reconnaissance on U.S. systems for several years, according to the Department of Homeland Security.

Warnings and urgent calls to update systems have flown around the security community for several weeks.

The Department of Homeland Security’s Computer Emergency Response Team — the nation’s top cyber defense agency — issued a notice saying that the campaign ‘has compromised numerous industrial control systems (ICSs).”

“Analysis indicates that this campaign has been ongoing since at least 2011,” it said. “Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).”

Human-machine interfaces give plant operators easy, visual controls over operations. The software layer, which is sometimes also connected to the public Internet, apparently also gives hackers a back door into infrastructure systems.

A ‘Targeted Campaign’

Manufacturers have responded quickly to the warning. Software made by both Siemens and GE were among the programs listed as vulnerable by CERT. Siemens said its experts were investigating with CERT, and promised to provide information soon.

GE’s notice provided more detail, and explicitly linked the attacks to the Sandworm group. As with all hacker groups, Sandworm’s location and origin are shrouded in mystery, but researchers at security firms F-Secure and iSight Partners have linked the group to Russia.

“A group of adversaries named ‘Sandworm’ is implementing a targeted campaign against select targets in the United States and abroad,” GE said. “Among the attack vectors, adversaries may engage in phishing campaigns, leverage known and 0-day vulnerabilities and target vulnerable … systems routable through public networks.”

BlackEnergy, the software used in the attacks, has actually been around since 2007, and was initially designed for standard cyber mischief, like spam. But is has a long history in the cyberwar world — researchers think it was used against Georgia during that nation’s conflict with Russia. It’s been updated incessantly with plugins that perform all manner of attacks. A favorite of simple credit card hackers, it’s also used by more sophisticated crime rings in part because it is so common — that helps hide their trail.

Can Lie in Wait for Months, Years

Unlike splashy hacker attacks that result in high-profile database thefts, BlackEnergy, as used in this case, is known as an Advanced Persistent Threat, meaning it designed to lurk unnoticed in systems for weeks, months or even years — either to gain insight on a system, or to wait for perfect timing for a larger attack.

Sandworm, the group, has engaged in serious hack attacks that appear to be state-sponsored, or at least part of a freelance cyber-warfare campaign, researchers say. F-Secure reported in September that the gang had attacked Ukrainian Railways and other infrastructure systems. Its method of attack was ingenious.

“Victims were sent emails containing documents that ostensibly offered information on Russian plans to take over the world, said researchers from another anti-virus firm ESET,” the Guardian wrote in September. “One appeared to be a story from the Guardian, entitled ‘Russian ambassadors: next we’ll take Catalonia, Venice, Scotland and Alaska’. Though this was a genuine article online, anyone who clicked on the associated Word file would open themselves up to BlackEnergy infection.”

Building on F-Secure’s research, iSight Partners said later that Sandworm had attacked a much wider array of targets recently, including NATO, energy sector firms in Poland, telecom firms across Europe, and a U.S. academic organization.

“iSIGHT has dubbed ‘Sandworm Team’ based on its use of encoded references to the classic science fiction series Dune in command and control URLs and various malware samples,” the firm said.

Mikko Hypponen, chief research officer at F-Secure, told Credit.com the BlackEnergy software could be focusing not on shutting down systems, but watching them.

“This is pretty bad,” he said. “When Stuxnet was found, 4 years ago, everybody was expecting a wave of attacks against factory automatization systems. Instead, we got silence. Now, in 2014, we are starting to see what we expected to see back then. The new attacks that we’ve seen – including Havex and BlackEnergy – don’t seem to attempt to do sabotage like Stuxnet. Instead, they seem to be focusing on reconnaissance. We can only hope that ICS systems are better prepared today than what they were in 2010.”

Whether the software is designed to merely conduct espionage — intelligence gathering — or something more serious is unknown. So far, CERT says the damage has been limited.

“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system,” CERT said in its warning. But the top U.S. cyber agency noted that the lack of a smoking gun — or power plant — should provide no comfort to operators. “However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.”