The U.S. Government’s Industrial Control System CERT (ICS-CERT) said on Thursday that a campaign targeting industrial control system (ICS) software began in January, 2012 and targeted industrial systems that were directly connected to the public Internet.
ICS-CERT said in an alert published on Wednesday that “HMI” (or Human-Machine Interfaces) products from vendors including GE, Advantech/Broadwin and Siemens may have been infected with variants of the BlackEnergy malware since January, 2012.
Infected firms were running versions of GE’s Cimplicity, Advantech/Broadwin’s WebAccess or Siemens’ WinCC with what ICS-CERT called a “direct Internet connection.” In some cases, as with the GE Cimplicity attacks, hackers exploited a known vulnerability in the Cimplicity software to gain access. In others (as with WebAccess and WinCC), the method by which the software was compromised isn’t known, ICS-CERT said.
ICS-CERT said it hasn’t documented any cases of control processes being modified by the malware. However, BlackEnergy is typically used to canvass victim networks and to move laterally, searching out file shares and removable media.
“The malware is highly modular and not all functionality is deployed to all victims,” ICS-CERT warned.
That, and the length of time that ICS networks may have been compromised (“dwell time” in industry parlance), are bad news for affected organizations.
So far, ICS-CERT hasn’t confirmed that infections on the ICS networks extend beyond compromised HMI systems. ICS-CERT offered some caution around reports that the infections began with exploitation of a Windows “zero day” using malicious Office documents (CVE-2014-4114). That campaign, dubbed “Sandworm” in the media, is believed to have operated between June and October, 2014. ICS-CERT did not confirm that any infections in control system environments began with exploitation of that vulnerability. However, forensic evidence from two victims suggests links between the two campaigns, including shared command and control infrastructure. That suggests the HMI infections may be “part of a broader campaign by the same threat actor,” ICS-CERT said.
ICS-CERT urged asset owners and operators to look for signs of compromise within their control systems environments and report any positive or suspected findings.