The Department of Homeland Security has reported detecting a Trojan horse program that could wipe out the country’s power grids and infrastructure. Since 2011, the malware has been lurking in computers that control complex industrial operations, such as power transmission grids, water distribution and filtration systems, nuclear plants, wind turbines, and oil and gas pipelines. Hundreds of thousands of Americans would be severely affected if these essential public utilities were damaged or shut down.
BlackEnergy is a malware program originally created by cybercriminals to launch distributed denial-of-service (DDoS) attacks. A cyberespionage group that has focused its activities on creating variants of BlackEnergy has been infecting routers and Linux systems based on MIPS and ARM architectures, as well as Windows computers. These variants run on network devices and can render infected computers unbootable.
Some of the capabilities of the custom modules developed by the group include:
While BlackEnergy was originally created to launch DDoS attacks, it was later used as crimeware for stealing banking credentials. In the past year, it has been used in espionage targeting the North Atlantic Treaty Organization, Polish and Ukrainian government agencies, and various sensitive European industries. In its latest form, BlackEnergy was sometimes installed through a previously undiscovered vulnerability in Microsoft Windows systems.
The security firm Kaspersky Lab recently released a report detailing the widened powers of BlackEnergy. The cyberespionage group seems focused on targeting organizations that run industrial control systems, particularly those in the energy sector. Kaspersky identified victims including power facility construction companies, energy sector investors, suppliers and manufacturers of heavy power-related materials, and power generation operators.
These findings match those of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security (DHS). ICS-CERT recently issued a security alert, warning that various companies running HMI (human-machine interface) products like GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess had been infected with BlackEnergy. HMIs are software programs that provide a graphical user interface used for handling industrial control systems.
In addition to ICS operators, the group has targeted federal emergency services, banks, high-level government organizations, municipal offices, academic researchers, and others. Victims in at least 20 countries have been identified. While some believe the hackers are sponsored by the Russian government, Kaspersky reported that an IP address belonging to the Russian Ministry of Defense was also targeted.
Defenses against cyberattacks are implemented through coordination between government and industry groups, incident response, and legal standards. The nuclear industry and electric utilities are the only two sectors facing hefty fines from the Federal Energy Regulatory Commission for not following mandatory cybersecurity standards.
DHS spokesman S.Y. Lee confirmed that several entities affected by the malware were contacted by the department, but didn’t specify how many. He also stated that the agency believes there are several entities that have been hacked and don’t know it.
The DHS’s recent threat alert included information on detecting the malware and mitigation strategies, including firewall protection, tracking administrator accounts used by third-party vendors, and keeping control system devices off the Internet.
While companies have been alerted to this latest threat, it’s not possible for every threat to be detected or prevented. Therefore, it’s also critical to plan for a quick recovery after an attack. Hopefully, if a threat cannot be detected, the recovery plans will make an attack more of a nuisance than a disaster. For our nation’s future, we definitely all hope so.