
BlackEnergy Targeting Industrial Control Systems in the USA

Numerous industrial control systems (ICS) in the USA have been compromised in a malicious campaign using a variant of the BlackEnergy toolkit; the campaign has been running for at least three years.
The HMI products Advantech/Broadwin WebAccess, GE Cimplicity and Siemens WinCC were targeted, reported the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The experts suspect that other products may also be affected, but there is no hard evidence so far.

The architecture of BlackEnergy is modular, so new modules can be added to cover additional functions. The malware is known to have many capabilities, yet researchers have so far observed only modules configured for lateral movement inside the victim's network: they scan for removable media and network shares. Experts have found no evidence of BlackEnergy interfering with the control processes on the compromised systems.

Attack Vectors of BlackEnergy

The attackers have leveraged the CVE-2014-0751 vulnerability in GE Cimplicity, which allows them to execute arbitrary code remotely via a specially crafted message to TCP port 10212.

The vulnerability was publicly reported at the beginning of the year, but according to ICS-CERT the attackers have been exploiting it since the beginning of 2012. In the campaign targeting Cimplicity products, BlackEnergy deletes its installer right after installation. To find and attack vulnerable systems, the attackers are probably using automated tools. The experts warn that any company that has run Cimplicity since 2012 with its HMI directly connected to the Internet may already be infected with BlackEnergy.
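A practical follow-up to that warning is to check perimeter logs for accepted inbound TCP connections to port 10212 from outside the plant network dating back to early 2012. The script below is an added example, not code from ICS-CERT or from the article; the firewall log format and all addresses in it are constructed for illustration, with RFC 1918 ranges treated as internal and TEST-NET addresses standing in for public sources.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample firewall log (hypothetical format, not real data).
# 10.20.30.x are stand-in HMI hosts; 203.0.113.x / 198.51.100.x stand in
# for public source addresses.
SAMPLE_LOG = """\
2012-03-04T02:11:09Z ACCEPT TCP 203.0.113.45:51022 -> 10.20.30.10:10212
2012-03-04T02:11:10Z ACCEPT TCP 10.1.2.3:40010 -> 10.20.30.10:10212
2013-07-19T23:58:41Z ACCEPT TCP 198.51.100.7:3381 -> 10.20.30.11:10212
2014-01-02T08:00:00Z ACCEPT TCP 203.0.113.45:51500 -> 10.20.30.10:443
2011-12-30T11:20:00Z ACCEPT TCP 198.51.100.9:1111 -> 10.20.30.10:10212
2014-02-10T12:00:00Z DROP TCP 203.0.113.99:4444 -> 10.20.30.10:10212
"""

# Port used by the Cimplicity web server targeted via CVE-2014-0751.
CIMPLICITY_PORT = 10212
# ICS-CERT reports exploitation since the beginning of 2012.
CAMPAIGN_START = datetime(2012, 1, 1)

# Only RFC 1918 space is treated as internal; everything else is "external".
# (ipaddress.is_private would also classify the TEST-NET ranges as private.)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line of the constructed format; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": d["action"],
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_cimplicity_connections(log_text, since=CAMPAIGN_START):
    """Return accepted TCP/10212 connections from external sources on or after `since`.

    Pass since=None to disable the date filter.
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue  # unparseable line: skip rather than guess
        if rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if rec["dport"] != CIMPLICITY_PORT:
            continue
        if is_internal(rec["src"]):
            continue  # internal-to-internal traffic is out of scope here
        if since is not None and rec["ts"] < since:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Map each HMI host to the set of external sources that reached port 10212."""
    summary = {}
    for rec in hits:
        summary.setdefault(str(rec["dst"]), set()).add(str(rec["src"]))
    return summary


if __name__ == "__main__":
    for host, sources in summarize(find_exposed_cimplicity_connections(SAMPLE_LOG)).items():
        print(f"{host}: reached on TCP/{CIMPLICITY_PORT} from {sorted(sources)}")
```

Any host that appears in the summary has had its Cimplicity web server reachable from the Internet during the campaign window and should be treated as a candidate for the YARA check and a full forensic review, not just patched.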

The attack vectors for the other HMI products have not yet been identified. Computers running Advantech/Broadwin WebAccess and WinCC have been flagged because files associated with BlackEnergy were found on them.

Experts’ Recommendation

Companies that operate industrial control systems are strongly advised to review their assets for any sign of infection.

A BlackEnergy intrusion can be identified with the help of the YARA signature published by ICS-CERT. Users must keep in mind that the signature has not been tested in all environments or against all variants, so anyone with suspected findings is asked to contact ICS-CERT immediately.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyber space. Her fascination with IT security began a few years ago when a piece of malware locked her out of her own computer.
