BlackEnergy malware has compromised industrial control systems for two years

THE US DEPARTMENT OF HOMELAND SECURITY Computer Emergency Response Team (US-CERT) has warned that industrial control systems (ICS) in the US have been compromised by the BlackEnergy malware for at least two years.
The BlackEnergy family of malware is believed to be the same used in the cyber attack against Georgia in 2008.
It uses a malicious decoy document to hide its activities, making it easier for the hackers to mount follow-up attacks.
US-CERT said the malware campaign is sophisticated and "ongoing", and attackers taking advantage of it have compromised unnamed ICS operators, planting it on internet-facing human machine interfaces (HMI) including those from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.
It is currently unknown whether other vendors' products have also been targeted, according to US-CERT.
"At this time, Industrial Control Systems-CERT has not identified any attempts to damage, modify or otherwise disrupt the victim systems' control processes," said the team in an alert.
"ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system.
"However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment."
US-CERT describes the malware as "highly modular", and said that not all functionality is deployed to all victims.
An analysis run by the team identified the probable initial infection vector for systems running GE's Cimplicity HMI with a direct connection to the internet.
"Analysis of victim system artefacts has determined that the actors have been exploiting a vulnerability (CVE-2014-0751) in GE's Cimplicity HMI product since at least January 2012," the alert read.
On Monday, US-CERT also warned of attacks spreading the Dyre banking malware, which steals victims' credentials.
The department said that, since mid-October, a phishing campaign had targeted "a wide variety of recipients", but elements, such as the exploits, email themes, and claimed senders of the campaign, "vary from target to target".
"A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services," the alert warned.