US ICS operators under attack by crims wielding BlackEnergy malware

The US ICS-CERT has issued a warning about an ongoing sophisticated malware campaign that has hit a number of industrial control systems (ICSs) environments using a variant of the BlackEnergy malware.

BlackEnergy started as a DDoS Trojan, but was subsequently turned into a multi-purpose malware kit with modern rootkit/process-injection techniques, strong encryption, support for proxy servers, and data exfiltration capabilities thanks to its modular architecture, which makes it possible for capable programmers to write plug-ins for it and additionally enhance its capabilities.

The malware has been used by a variety of attackers, and has most recently been spotted by Trend Micro and iSight Partners, who saw it used to target ICSs.

“Analysis indicates that this campaign has been ongoing since at least 2011,” noted ICS-CERT. “ICS-CERT has determined that users of HMI products from various vendors have been targeted in this campaign, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.”

Other vendors’ products might also have been targeted, but there is no evidence of that yet.

“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes,” they pointed out, but added that they have not been able to verify whether the intruders expanded their access beyond the compromised HMI into the rest of the underlying control system.

“However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims,” they warned.

Systems running GE’s Cimplicity HMI were compromised via a vulnerability (CVE-2014-0751) that had been publicly known since at least January 2012. The initial infection vector for the Siemens WinCC and Advantech/Broadwin WebAccess software is still unknown.

The CERT encourages asset owners and operators to look for signs of compromise within their control systems environments, and has offered information, risk mitigation tips and help in the form of a (still not fully tested) Yara signature that should identify whether the malware files are present on a given system.