Industrial control systems (ICS) underlie many aspects of critical infrastructure, and there is growing concern that they are becoming more exposed to attackers. The Cipher Brief has covered the threats to these systems before, and recent reports indicate that Russia-affiliated hackers caused power outages in Ukraine by attacking ICS there. We spoke with Kurt Baumgartner of Kaspersky Lab, a cybersecurity company, about the BlackEnergy malware used in the Ukraine cyber-attack. In his view, the problem is not the malware itself but the attackers who keep upgrading it to make it more effective.
The Cipher Brief: A malware program called BlackEnergy has been in the news recently in connection with cyber-attacks in Ukraine. What is BlackEnergy, and what does it do?
Kurt Baumgartner: BlackEnergy, the tool, is almost a decade old. It is commodity cybercrime malware used by various groups that was re-coded in 2008 and then adopted and consistently used by an advanced persistent threat (APT) we called BE, also known as the Sandworm APT. In 2010, our research team reviewed some of the major changes the development team made to it in 2008, including the addition of plugin functionality. We have been detecting it and its various components as “Backdoor.Win32.Blakken.”
TCB: How much of a threat does BlackEnergy pose to critical infrastructure both in the United States and elsewhere? Why are industrial control systems vulnerable to this type of malware?
KB: It’s not so much that BlackEnergy the malware poses a threat to critical infrastructure in the U.S. and elsewhere. It’s more the danger that the BE APT poses in deploying and making efficient use of their BlackEnergy plugin set functionality. It’s now a somewhat robust platform that includes plugins to interface with all sorts of assets, like routers and MIPS- and ARM-based, Linux-embedded devices that you would find in ICS.
This APT is a demonstrated risk to ICS on a global level. As we said in our 2010 post discussing the potential danger presented by the 2008 BlackEnergy code overhaul, “Initially, the Black Energy bot was created with the aim of conducting DDoS attacks, but with the implementation of plugins in the bot’s second version, the potential of this malware family has become virtually unlimited.”
TCB: Are there other malware threats to industrial control systems or power grids besides BlackEnergy?
KB: Yes, of course there are other malware threats to ICS. The BE APT uses this particular platform with a specific target set, making its plugin support very useful. They develop on the fly, and appear to have an active development effort adapting to target ICS environments, which are not homogeneous and present changing sets of requirements to attackers. They could just switch to another platform, and there have been other groups effectively deploying “platforms” supporting plugins as well that pose a risk.
In some cases, it becomes very difficult for researchers to understand ICS-related malcode from other APTs, because national labs and CERTs may not share information about collected malcode with researchers. It’s my belief that there is quite a bit of unidentified activity and code targeting ICS environments that is not discussed publicly, and is somewhat understood by only a very small group of organizations.
TCB: How has this threat changed over time, and how do you see it changing in the future?
KB: The most agile part of the BE APT operations appears to be their plugin development, which changes quickly according to requirements in priority target environments. With that in place, I see them improving their server side and exploitation tactics, which have remained comparably static in the past.
TCB: What can be done to counter threats like BlackEnergy? What can be done to mitigate cyber-threats to critical infrastructure more broadly?
KB: The Australian DSD published a list of mitigation strategies that significantly reduce the risk of intrusion. Our approach to proper ICS security is to isolate components and properly control communications, which can be generally applied to positive effect as well.
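The isolation-and-controlled-communications approach mentioned above can be made checkable. The following is an added example, not code from the interview, Kaspersky Lab or the DSD: it models a Purdue-style zone layout (corporate IT, an ICS DMZ, and the control network) and audits a constructed firewall rule set against a conduit policy that says which zone pairs and destination ports may talk. All zone ranges, ports, rule names and addresses are assumptions made for the demonstration.

```python
"""Audit firewall rules for ICS zone isolation (added example, assumed data)."""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout: addresses are made up for this example.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "ics_dmz":   ipaddress.ip_network("10.10.0.0/24"),
    "control":   ipaddress.ip_network("192.168.100.0/24"),
}

# Assumed conduit policy: (source zone, destination zone) -> permitted dest ports.
# Any flow into or out of the control zone that is not listed here is a finding.
ALLOWED_CONDUITS = {
    ("corporate", "ics_dmz"): {443},         # corporate users reach the historian front-end
    ("ics_dmz", "control"):   {502, 44818},  # jump host speaks Modbus/TCP and EtherNet/IP
    ("control", "ics_dmz"):   {123},         # control zone may only reach the DMZ for NTP
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR, single address, or "any"
    dst: str
    dport: str   # port number as a string, or "any"
    action: str  # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map an address/CIDR to a zone name, "any" for wildcards, "unknown" otherwise."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def audit(rules):
    """Return [(rule name, reason)] for allow rules that break control-zone isolation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if "control" not in (s, d):
            continue                      # rule never touches the control zone
        if s == d:
            continue                      # intra-zone traffic is not a conduit
        if "any" in (s, d):
            findings.append((r.name, "any-address rule touches control zone"))
            continue
        if "unknown" in (s, d):
            findings.append((r.name, "address outside known zones touches control zone"))
            continue
        allowed = ALLOWED_CONDUITS.get((s, d))
        if allowed is None:
            findings.append((r.name, f"no conduit defined for {s} -> {d}"))
        elif r.dport == "any":
            findings.append((r.name, f"any-port rule on {s} -> {d}"))
        elif int(r.dport) not in allowed:
            findings.append((r.name, f"port {r.dport} not permitted on {s} -> {d}"))
    return findings


# Constructed sample rule set; three of these rules are deliberately bad.
SAMPLE_RULES = [
    Rule("jump-to-plc-modbus",    "10.10.0.5/32",     "192.168.100.0/24",  "502", "allow"),
    Rule("corp-to-historian",     "10.0.0.0/16",      "10.10.0.10/32",     "443", "allow"),
    Rule("corp-direct-to-plc",    "10.0.0.0/16",      "192.168.100.0/24",  "502", "allow"),
    Rule("vendor-remote-access",  "any",              "192.168.100.20/32", "22",  "allow"),
    Rule("control-ntp-out",       "192.168.100.0/24", "10.10.0.2/32",      "123", "allow"),
    Rule("jump-to-plc-all",       "10.10.0.5/32",     "192.168.100.0/24",  "any", "allow"),
    Rule("default-deny",          "any",              "any",               "any", "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

The three flagged rules correspond to the failure modes the isolation principle is meant to prevent: a direct corporate-to-control path that bypasses the DMZ, a wildcard source that lets anyone reach a control-zone host, and a jump-host rule that permits every port instead of only the protocols the conduit needs.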