Numerous industrial control systems (ICS) in the USA were compromised in a malicious campaign using a version of the BalckEnergy toolkit that was launched at least three years ago.
The HMI products of Advantech/Broadwin WebAccess, GE Cimplicity and Siemens WinCC were targeted in the campaign, reported the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The experts suspect that other solutions may also be compromised, but there is no hard evidence so far.
The architecture of BlackEnergy is modular, thus allowing the implementation of new modules to cover additional functions. The malware is known to possess numerous capabilities, yet researchers have observed only the use of modules configured for lateral movement on the Web. What they do is scan for removable media and shared locations. Experts haven’t found any evidence of BlackEnergy interfering with the control processes on the compromised system.
Attack Vectors of BlackEnergy
The cybercriminals have leveraged the CVE-2014-0751 vulnerability on GE Cimplicity, which allows them to execute the arbitrary code via a specially designed message to TCP port 10212 from a remote location.
The glitch was publicly reported at the beginning of the year but according to the ICS-CERT the hackers have been exploiting the vulnerability since the beginning of 2012. In the campaign targeting Cimplicity products, BlackEnergy follows a self-delete pattern right after installation. To find and attack vulnerable systems, the crooks are probably using automated tools. The experts warn all the companies that have been using Cimplicity since 2012 with their HMI directly connected to the Web that they might be infected with BlackEnergy.
The attack vectors for further HMI products have not been defined so far. Computers using Advantech/Broadwin WebAccess control software and WinCC have been red-flagged because files related to BlackEnergy have been spotted on them.
Companies that operate industrial control systems are strongly recommended to revise their assets for any sign of infection.
The BlackEnergy intrusion can be identified with the help of the Yara signature, created by ICS-CERT. Users must keep in mind that the signature has not been tested for all environments or variations, so in case of any suspected findings, they are sked to contact ICS-CERT immediately.