14 DAY TRIAL // The operator behind BlackEnergy advanced persistent threat has been spotted to express particular interest in industrial control systems, but there are many targets outside this sector.
Last week, on Wednesday, the US ICS-CERT issued an alert about an ongoing espionage campaign that relied on a version of the BlackEnergy toolkit in its activity and aimed at Internet-facing human-machine interfaces (HMI) from different vendors.
Industrial control systems are just a part of the victims
Security researchers from Kaspersky also noticed a proclivity for the industrial sector, but they also saw numerous victims from other fields of activity, government organizations, property holding, academic research, financial sector and technology companies being present on the list of the threat actor, too.
The threat actor, known under the name of Sandworm, seems to be interested in objectives with a wide geographic distribution, although BlackEnergy has been detected mostly in countries in Western and Eastern Europe, Asia and the Middle East, according to Kaspersky’s Kurt Baumgartner and Maria Garnaeva.
However, the security researchers that analyzed the components of the malware and its modus operandi admit that the number of victims and targets is larger than what they observed, evidence being the US ICS-CERT alert last week.
One surprising country is Russia, where the IP of the Ministry of Defense has been observed among the targets for DDoS attacks; in reports from other security companies analyzing different BlackEnergy campaigns it was suggested that the threat actor originates from Russia.
Other countries recording victims of this malware are Ukraine, Poland, Lithuania, Belarus, Azerbaijan, Kazakhstan, Iran, Israel, Turkey, Kuwait, Taiwan, Vietnam, India, Croatia, Germany, Belgium and Sweden.
BlackEnergy is wielded by professional threat actors
During the summer of 2014, Baumgartner and Garnaeva had the chance to analyze how Sandworm conducted their attacks and pointed out at the cases of a few victims where interesting particularities had been observed.
In one organization, the threat actors penetrated the defenses through a spear-phishing attack that contained a malicious attachment; the payload was hidden due to a flaw in WinRAR that allowed making ZIP archives appear with a different name and extension (an executable posing as a document).
Also, the attackers would resort to wiping the hard disk using a specific plug-in, if they realized that someone was on to them.
In a second organization, BlackEnergy operators had compromised Cisco routers with different IOS operating system versions, preventing Telnet access to them.
It appears that the attackers left a message for Kaspersky researchers, saying that they would never get a fresh BlackEnergy sample. At the same time, they dropped hints on how access to the routers was obtained: built-in backdoors and zero-day vulnerabilities.
Kaspersky warns that the BlackEnergy threat actor is resourceful and highly skilled, being able to conduct carefully planned attacks that include a contingency plan for covering their tracks. They say that the second version of the malware has been developed for several years and there is evidence that a next generation is being used.