BlackEnergy Malware Used in Attacks Against Industrial Control Systems

Attackers are using BlackEnergy malware to attack HMI software running inside industrial control systems, according to an advisory from ICS-CERT.

Industrial control system operations running human-machine interface software from a handful of vendors are being targeted by a hacking campaign making use of the BlackEnergy malware.

The United States Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory on Tuesday warning about malware found at a number of companies running Internet-connected HMI software. HMI software provides a visualization of industrial control and manufacturing processes. These interfaces communicate with programmable logic controllers and manage processes from a central interface, usually a Windows-based system. Those processes can include turning pumps on and off, modifying temperature control and other functions.

The ICS-CERT alert identified three HMI products in harm’s way: GE Cimplicity; Advantech/Broadwin WebAccess; and Siemens WinCC. The advisory did not rule out the possibility that the malware affects HMI products from other vendors.

“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system,” the alert said. “However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.”

Two weeks ago, researchers at iSIGHT Partners outed a Russian espionage campaign that was using BlackEnergy to exploit a since-patched Windows zero-day vulnerability (CVE-2014-4114) to steal data from government agencies, defense and energy firms, as well as NATO and telecommunications providers. The attackers, nicknamed Sandworm by iSIGHT, delivered malicious PowerPoint files loaded with exploit code as attachments to spear phishing emails sent to those organizations. Those attacks were localized to Poland, Ukraine and Western Europe, and ICS-CERT said the attacks against HMI installations are not exploiting the same vulnerability. It did find a connection between the two operations in shared command and control infrastructure, suggesting the same group is behind both campaigns.

Attacks against GE Cimplicity HMI deployments have been ongoing since January 2012, ICS-CERT said, adding that the vulnerability exploited is CVE-2014-0751, disclosed in December 2013. The advisory said the attackers were able to execute a malicious Cimplicity screen file (.cim extension) hosted on the C&C server. The .cim file contains an embedded script that runs and downloads the BlackEnergy installer, CimWrapPNPS.exe, which deletes itself once the malware is on the compromised system.

ICS-CERT said it has fewer details on attacks against the WinCC and Advantech/Broadwin products, but in the case of WinCC it has seen a potentially malicious file, mimicking legitimate WinCC files, in the same folder that hosts the malicious Cimplicity .cim file.

A number of indicators of compromise, including a Yara signature, were published by ICS-CERT.