Russian Malware ‘BlackEnergy’ Infiltrates US Critical Infrastructure

Industrial control systems used to operate US critical infrastructure have been compromised by a destructive Russian hacking campaign that has been going on since 2011, according to the Department of Homeland Security (DHS).

DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently warned that a sophisticated malware campaign using a variant of the BlackEnergy malware has compromised numerous industrial control systems environments.

Although the hacking campaign has been ongoing since 2011, the DHS ICS-CERT Bulletin indicated no attempt has been made to activate the malware to “damage, modify or otherwise disrupt” the industrial control process.

If unleashed, however, the malware could shut down most of the nation’s critical infrastructure, including pipelines, nuclear power plants, wind turbines and water treatment plants.

A white paper issued by Finland-based online privacy and security company F-Secure indicated BlackEnergy has been around for a number of years but gained notoriety over the summer when certain samples of BlackEnergy malware began targeting Ukrainian government organizations to steal information.

“In the summer of 2014, BlackEnergy caught our attention when we noticed that samples of it were now tailored to target Ukrainian government institutions. Though it may be unrelated, it is interesting to note that this change conveniently coincides with the on-going crisis in that country,” stated F-Secure’s white paper.

“Related or not, one thing is certain: the actor(s) using these customized BlackEnergy malware are intent on stealing information from the targets.”

F-Secure indicates that BlackEnergy originated as a tool for conducting distributed denial-of-service (DDoS) attacks, but evolved to support a variety of plugins that extend its capabilities depending on the purpose of an attack.

BlackEnergy has been used by a number of different gangs for cyber crime purposes, including sending spam and stealing banking credentials. F-Secure also believes BlackEnergy may have been used to conduct cyber attacks against Georgia during the Russo-Georgian confrontation in 2008.

"The use of BlackEnergy for a politically-oriented attack is an intriguing convergence of criminal activity and espionage," F-Secure’s white paper said. "As the kit is being used by multiple groups, it provides a greater measure of plausible deniability than is afforded by a custom-made piece of code."

Moreover, DHS believes BlackEnergy is the same malware that was used by a large-scale Russian cyberespionage team dubbed “Sandworm” to target the North Atlantic Treaty Organization, as well as a number of energy and defense companies and academic institutions in the United States, Poland, Ukraine and Western Europe.

“Analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor,” the DHS ICS-CERT bulletin said.

Researchers at security firm iSIGHT Partners indicated Sandworm has been using the Windows vulnerability CVE-2014-4114 in conjunction with a series of other flaws to deliver the BlackEnergy malware. The attackers used spearphishing emails customized to the recipients’ interests to lure users into opening PowerPoint files containing the malware.

“Though we now believe Sandworm Team is targeting ICS systems, we are still attempting to unravel their ultimate intent for them," stated an iSIGHT online notice. "Other Sandworm Team activity is almost certainly designed to collect intelligence on military and diplomatic adversaries, and there are good reasons for Russian actors to monitor competing energy interests."

DHS sources told ABC News they believe the “Russians have torn a page from the old, Cold War playbook and have placed the malware in key US systems as a threat, and/or as a deterrent to a US cyber attack on Russian systems – mutually assured destruction.”

This is not the first time Russia has targeted US critical infrastructure. Homeland Security Today reported last week that news about BlackEnergy emerged on the heels of reports that the White House was the subject of a cyber attack from Russian hackers last month.

In addition, Homeland Security Today reported DHS alerted critical infrastructure operators to the Russian hacking group known as “Energetic Bear,” or “Dragonfly,” as being behind an ongoing malware campaign primarily targeting the energy sector in the United States and Europe with the capability to sabotage the power supply of the attacked countries.

Commenting on the “Energetic Bear” campaign, Adam Kujawa, head of Malware Intelligence at anti-malware company Malwarebytes, said the only logical reasons behind targeting the energy sector are to keep an eye on developments made to the energy grid in order to “identify if the economy and ability of the country has risen to a dangerous level,” or to gain control of the energy grid in the event of a physical attack where the ability to control the power supply would give the attackers an advantage over their adversaries.

“Energy is one of the most valued and often relied upon resources in our society today,” Kujawa said. “If you were to remove that aspect of our lives it would most certainly throw the country into complete chaos, something that an offensive force might want to do rather than try and fight the full force of a country.”

The DHS alerts indicated BlackEnergy hackers went after three popular human-machine interface systems made by General Electric Co., Siemens AG and Broadwin Technology Inc. Although investigations have yet to uncover the intent behind the infiltration of the nation’s critical infrastructure by BlackEnergy malware, the Siemens system was the same software targeted by Stuxnet, the computer worm that ravaged Iran’s Natanz nuclear facility in 2010 in what is suspected to have been a joint US/Israeli covert operation.

“After taking another look, we also found a second file which suggests targeting of WinCC, Siemens HMI and SCADA software,” the iSIGHT notice said. “The file, CCProjectMgrStubEx.dll, is very similar to CCProjectMgr.exe, a WinCC executable. WinCC may sound familiar to some involved in cyber security as it is the same software program previously targeted by the Stuxnet intrusions.”
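The iSIGHT observation above rests on a file name that closely resembles a legitimate WinCC binary. The following is an added example, not code from iSIGHT, DHS or this article, of a triage heuristic a defender can run over a file listing from an HMI host: it flags names that are not on a known-good inventory but either extend a known executable's stem or are near string matches of it. The allowlist and the sample file listing are constructed for the example; a real inventory would be taken from a known-good installation.

```python
import difflib
from typing import Iterable, List, Tuple

# Constructed known-good inventory (hypothetical). Only CCProjectMgr.exe comes
# from the article; a production list would be built from a clean install.
KNOWN_GOOD = {"CCProjectMgr.exe"}


def _stem(name: str) -> str:
    """Lower-cased file name without its last extension."""
    return name.rsplit(".", 1)[0].lower()


def lookalike_files(
    names: Iterable[str],
    known_good: Iterable[str] = KNOWN_GOOD,
    threshold: float = 0.75,
) -> List[Tuple[str, str, float]]:
    """Return (suspect_name, resembled_known_name, similarity) for every file
    that is not itself on the known-good list but looks like one of them.

    Two signals are combined:
      * prefix rule: the suspect stem starts with a known stem
        (e.g. CCProjectMgrStubEx vs CCProjectMgr);
      * fuzzy rule: difflib similarity of the stems is at or above `threshold`.
    This is a triage heuristic, not proof of compromise: vendor helper
    libraries legitimately share prefixes, so hits need manual review.
    """
    known = {k.lower(): k for k in known_good}
    findings: List[Tuple[str, str, float]] = []
    for name in names:
        if name.lower() in known:
            continue  # exact known-good file, nothing to flag
        stem = _stem(name)
        best = None
        for k_lower, original in known.items():
            k_stem = _stem(k_lower)
            ratio = difflib.SequenceMatcher(None, stem, k_stem).ratio()
            prefix_hit = stem.startswith(k_stem) and stem != k_stem
            if prefix_hit or ratio >= threshold:
                if best is None or ratio > best[2]:
                    best = (name, original, round(ratio, 2))
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    # Constructed directory listing for demonstration.
    sample_listing = ["CCProjectMgr.exe", "CCProjectMgrStubEx.dll", "kernel32.dll"]
    for suspect, resembled, score in lookalike_files(sample_listing):
        print(f"review: {suspect} resembles {resembled} (similarity {score})")
```

Running the script on the constructed listing reports only CCProjectMgrStubEx.dll, since it both extends the CCProjectMgr stem and scores 0.8 on the fuzzy comparison; kernel32.dll is left alone. The output is a review queue, not an alert: the analyst still has to confirm the file's origin, publisher signature and hash against the vendor's baseline.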

“Given the function of these systems, and historical precedents such as Stuxnet and destructive incidents in the Gulf, we are still weighing the possibility that these intrusions could be reconnaissance-for-attack," the notice stated.

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
