The BlackEnergy malware toolkit has been compromising US SCADA (Supervisory Control and Data Acquisition) systems in a sophisticated campaign, according to the US Computer Emergency Response Team’s advisory.
SCADA systems compromised with BlackEnergy included those of GE Cimplicity, Advantech/Broadwin WebAccess and Siemens WinCC, although there is still no evidence that the compromised systems were disrupted or damaged.
“However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment,” US CERT said.
BlackEnergy was also used in the recent Sandworm campaign that leveraged the Windows OLE (CVE-2014-4114) zero-day vulnerability and, even if SCADA systems were not attacked by leveraging the same vulnerability, the “analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor.”
But the issue with BlackEnergy is that its architecture is highly modular and not all features are activated when a machine is compromised, thus making the investigation harder.
The three vendors were most likely specifically targeted. In Cimplicity’s case, BlackEnergy leveraged a directory traversal vulnerability (CVE-2014-0751) in the WebView component, allowing attackers to execute arbitrary code.
The attack vector is still unknown in the case of Advantech/BroadWin WebAccess platforms with direct internet access.
In the case of Siemens’s WinCC, US CERT found circumstantial evidence resembling the modus operandi analyzed in the Cimplicity case.
Siemens’s WinCC SCADA software is notorious for having been targeted by Stuxnet, and it is used on a large scale in infrastructure and industry for controlling and monitoring physical processes.
This summer, Siemens fixed five severe vulnerabilities in the SIMATIC WinCC that could allow an attacker to gain unauthenticated access and elevate privileges within the Project admin application.
SCADA-powered systems are important because they control mission-critical tasks in power plants, sewage systems and so on, which makes them targets in their own right.
If an attacker disrupts one of these services, he could sabotage the functioning of a state and spread havoc.
US CERT also advised that SCADA operators should minimize their internet exposure, isolate their local networks, use VPN if remote access is required and create strong password policies.