Moscow Suspected in Hack of U.S. Industrial Control Systems

BlackEnergy malware used by Russians found in water, energy control systems

Russian President Vladimir Putin visits the laboratory where the supercomputer Lomonosov is placed / AP
October 31, 2014

Industrial control systems used to operate critical U.S. infrastructure including water and energy systems are under attack from cyber actors using malicious software implanted in numerous control systems, the Department of Homeland Security said Friday.

The cyber attacks have been underway since 2011 and U.S. officials suspect Russia is behind them.

The hacking was revealed in a Department of Homeland Security alert this week that identified the malicious software found in a number of industrial control systems as BlackEnergy—the same malware that recently was linked by cyber security investigators to Russian government hacking in an operation code-named Sandworm.

Sandworm was a large-scale Russian cyber-spying program that targeted NATO, a U.S. government agency and European countries.

Disclosure of the industrial control system hacking follows confirmation this week that Russian hackers also conducted cyber attacks that gained access to an unclassified White House network in what analysts say is a cyber reconnaissance effort aimed at gathering intelligence on U.S. cyber defenses.

BlackEnergy is used in cyber attacks to gain remote control of networks and to remove data.

Security analysts say BlackEnergy malware can be used for a range of illicit activities, ranging from distributed denial of service attacks, spam campaigns and online bank fraud to accessing sensitive information and executing code on infected systems.

In the Sandworm operation, Russian hackers linked to the Moscow government used BlackEnergy in an effort to mask intelligence gathering as cyber crime.

The DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed in the notice to industry Wednesday that it had "identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware."

A U.S. official familiar with intelligence reports of the cyber attack said analysis of the industrial control system penetration indicates Russian government hackers were likely involved.

The industrial control cyber attack did not appear to exploit the Windows software flaw, called a zero-day, that was used by Russian government-linked hackers in the BlackEnergy malware that was a key feature of the Sandworm program.

"However, analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor," ICS-CERT stated.

A cyber attack on critical infrastructure could be carried out during a crisis or conflict as part of a military campaign of sabotage designed to cripple vital services.

Multiple companies uncovered the malicious software on Internet-connected "human-machine interfaces," the notice said.

DHS spokesman S. Y. Lee declined to attribute the attack to Russia, but said, "we will continue to lean forward to provide warning to private sector partners through actionable alerts and possible mitigation strategies."

A DHS official said the most recent BlackEnergy software activity was spotted last month.

"The known affected entities are a mix of industries to include water, energy, property management and industrial control systems vendors," the official said.

"At this time, DHS has not identified any attempts related to this variant of BlackEnergy to damage, modify, or otherwise disrupt the compromised systems’ control processes," the official said.

All companies that were infected with the malware have been contacted about the threat, and investigators are continuing to search for BlackEnergy infections and expect more victims to be uncovered.

The notice said the malware was found in human-machine interface software—usually Windows-based software that allows infrastructure operators to remotely control industrial systems, such as turning pumps on and off or changing temperature controls and similar functions.

Software vendors known to be infected include GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.

Investigators are continuing to determine if other vendors have been targeted.

Additionally, cyber security sleuths have been unable to verify if hackers were able to expand access beyond the human-machine interface software to the rest of the industrial control systems, which appear to have been the ultimate target.

"Typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment," the notice said. "The malware is highly modular and not all functionality is deployed to all victims."

The notice called on all owners and operators of industrial infrastructure to check for BlackEnergy malware in control systems and report them to DHS.

The flaw used by the cyber attackers was first discovered in GE Cimplicity's software, and analysis revealed the hackers had been exploiting it since January 2012.

Using the software flaw, the hackers were able to prompt an industrial control server to execute a malicious Cimplicity screen file (.cim) hosted on a remote, attacker-controlled server. That activity allowed the hackers to download BlackEnergy, which in turn gave them illicit access to the industrial control network.

"Analysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems," the notice said. "ICS-CERT is concerned that any companies that have been running Cimplicity since 2012 with their HMI directly connected to the Internet could be infected with BlackEnergy malware."
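The two conditions the notice singles out, an HMI reachable directly from the Internet and a screen file (.cim) loaded from a remote rather than a local path, are both things an operator can check from an asset inventory and HMI logs. The following is an added example written for this article; it is not DHS, ICS-CERT or vendor tooling. The inventory records, the log line format ("timestamp host screen_load path") and the host names are constructed assumptions, and treating a non-private address as "Internet-facing" is a first-pass proxy, since NAT port forwarding can expose an internally addressed HMI just as well and needs its own firewall review.

```python
"""
Added example (not part of the article or of any DHS/ICS-CERT tooling).
Two defender-side checks drawn from the advisory as reported above:
  1. flag assets running a named HMI product (GE Cimplicity, Advantech/Broadwin
     WebAccess, Siemens WinCC) whose address is not in an internal range,
     i.e. an "HMI directly connected to the Internet";
  2. flag HMI screen-file (.cim) loads whose path points at a remote host
     (UNC share or URL) instead of a local directory, the pattern the article
     describes for the Cimplicity compromise.
All sample data below is constructed; the log format is an assumption.
"""
import ipaddress
import re
from urllib.parse import urlparse

# HMI products named in the advisory (matched case-insensitively on the product field).
HMI_PRODUCTS = ("cimplicity", "webaccess", "wincc")

# Ranges treated as internal: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal_address(addr: str) -> bool:
    """True if addr parses as an IP inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-IP strings
    return any(ip in net for net in INTERNAL_NETS)


def exposed_hmis(inventory):
    """Return names of assets running a listed HMI product on a non-internal address.

    Records with an unparsable address are skipped; they need manual review."""
    hits = []
    for asset in inventory:
        if not any(p in asset["product"].lower() for p in HMI_PRODUCTS):
            continue
        try:
            if not is_internal_address(asset["address"]):
                hits.append(asset["name"])
        except ValueError:
            continue
    return hits


_UNC = re.compile(r"^\\\\[^\\]+\\")  # \\host\share\... form


def is_remote_screen_path(path: str) -> bool:
    """True if a .cim screen path names a remote host (UNC path or URL with a host)."""
    if not path.lower().endswith(".cim"):
        return False
    if _UNC.match(path):
        return True
    # A drive-letter path such as C:\screens\a.cim parses with an empty netloc.
    return bool(urlparse(path).netloc)


# Constructed log line format (assumption): "<timestamp> <host> screen_load <path>"
_LOG = re.compile(r"^(\S+)\s+(\S+)\s+screen_load\s+(.+)$")


def remote_screen_loads(log_lines):
    """Return (host, path) for screen loads that fetched a .cim from a remote host."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line.strip())
        if m and is_remote_screen_path(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits


# Constructed sample data; addresses are reserved documentation ranges.
SAMPLE_INVENTORY = [
    {"name": "pump-hmi-01", "product": "GE Cimplicity", "address": "203.0.113.17"},
    {"name": "pump-hmi-02", "product": "GE Cimplicity", "address": "10.20.1.5"},
    {"name": "scada-hist", "product": "Historian", "address": "198.51.100.9"},
    {"name": "plant-hmi-03", "product": "Siemens WinCC", "address": "192.0.2.44"},
]

SAMPLE_LOG = [
    "2014-10-29T08:15:02Z pump-hmi-01 screen_load C:\\Cimplicity\\screens\\overview.cim",
    "2014-10-29T08:16:40Z pump-hmi-01 screen_load \\\\attacker-host.example\\public\\alarm.cim",
    "2014-10-29T09:02:11Z pump-hmi-02 screen_load http://attacker-host.example/update/alarm.cim",
    "2014-10-29T09:05:00Z plant-hmi-03 screen_load D:\\HMI\\screens\\trend.cim",
]

if __name__ == "__main__":
    print("HMIs on non-internal addresses:", exposed_hmis(SAMPLE_INVENTORY))
    for host, path in remote_screen_loads(SAMPLE_LOG):
        print(f"remote .cim load on {host}: {path}")
```

Run as a script it reports the two externally addressed HMIs and the two remote screen loads; a real deployment would feed it the plant's actual asset export and HMI event logs, and any hit is a reason to isolate the host and report to DHS as the notice asks.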