Russian government hackers insert malware in U.S. critical infrastructure control software

Published 10 November 2014

Investigators have uncovered a Trojan Horse named BlackEnergy in the software that runs much of the U.S. critical infrastructure. In a worst case scenario, the malware could shut down oil and gas pipelines, power transmission grids, water distribution and filtration systems, and wind turbines, causing an economic catastrophe. Some industry insiders learned of the intrusion last week via a DHS alert bulletin issued by the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The BlackEnergy penetration had recently been detected by several companies. Experts say Russia has placed the malware in key U.S. systems as a threat or a deterrent to a U.S. cyberattack on Russian systems – mutual assured destruction from a cold war-era playbook.

Investigators have uncovered a Trojan Horse named BlackEnergy in the software that runs much of the U.S. critical infrastructure. In a worst case scenario, the malware could shut down oil and gas pipelines, power transmission grids, water distribution and filtration systems, and wind turbines, causing an economic catastrophe. Some industry insiders learned of the intrusion last week via a DHS alert bulletin issued by the agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). According to ABC News, the BlackEnergy penetration had recently been detected by several companies.

DHS officials say they now have evidence that the malware was inserted by hackers believed to be sponsored by the Russian government. BlackEnergy is the same malware that was used earlier this year by the Russian cyber-spy group Sandworm to target NATO and some critical infrastructure firms in Europe. The Homeland Security News Wire reported last week that researchers at the Silicon Valley-based computer security firm FireEye have connected the Russian government to cyber espionage efforts around the world, specifically those targeting key infrastructure firms in Europe. “Analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor,” the DHS bulletin read.

The BlackEnergy hacking campaign has been ongoing since 2011, but no attempt has been made to activate the malware to “damage, modify, or otherwise disrupt” affected systems, DHS said. ICS-CERT officials believe that Russian intelligence agencies helped place the malware in key U.S. systems as a threat or a deterrent to a U.S. cyberattack on Russian systems — mutual assured destruction from a cold war-era playbook.

According to PowerMag, the hackers were targeting industrial systems’ Human Machine Interface (HMI) software, which allows designated workers to control industrial processes through a computer or a mobile device. According to ICS-CERT, “Analysis of victim system artifacts has determined that the actors have been exploiting a vulnerability in GE’s Cimplicity HMI product since at least January 2012.” While General Electric has urged affected users to update to its most recent version of the software, which includes a patch addressing previous vulnerabilities, the malware has also targeted HMI products from other vendors. The latest ICS-CERT alert “strongly encourages taking immediate defensive action to secure ICS systems using defense-in-depth principles.” It continues: “Asset owners should not assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack.”
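The three audit points ICS-CERT lists (Internet-facing devices, weak authentication, component vulnerabilities) can be turned into a repeatable inventory check. The script below is an added example written for this page; it is not ICS-CERT, DHS or vendor tooling. The asset records, the control-network ranges, the default-credential list and the "minimum patched version" table are all constructed placeholders (the vendor and product names are invented), and real patch floors must be taken from the vendor's own advisories.

```python
"""Asset-inventory audit modelled on the three ICS-CERT checks quoted above.

Added example for this article; not part of any DHS/ICS-CERT or vendor tool.
Every inventory entry, network range, version floor and credential pair below
is constructed sample data, not a real device or vulnerability record.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed: the ranges the asset owner declares as its control network.
# Anything listening outside these is treated as potentially Internet-reachable.
CONTROL_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Constructed: assumed "minimum patched version" per (vendor, product).
MIN_PATCHED_VERSION = {
    ("ExampleVendor", "ExampleHMI"): (8, 2, 1),
    ("ExampleVendor", "ExamplePLC"): (3, 0, 0),
}

# Constructed: protocols that carry credentials or commands in clear text.
PLAINTEXT_PROTOCOLS = {"telnet", "http", "ftp"}

# Constructed: credential pairs an auditor would treat as vendor defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("operator", "operator")}


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    version: str                              # dotted, e.g. "8.1.0"
    address: str                              # IP the management interface listens on
    protocols: List[str] = field(default_factory=list)
    username: str = ""
    password: str = ""
    auth_enabled: bool = True


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.1.0' into (8, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_asset(asset: Asset) -> List[str]:
    """Return the findings for one asset (empty list when it passes all checks)."""
    findings = []

    # Check 1: Internet-facing device. A management interface outside the
    # declared control-network ranges is flagged for review.
    addr = ip_address(asset.address)
    if not any(addr in net for net in CONTROL_NETWORKS):
        findings.append(f"{asset.name}: management interface {asset.address} outside control network")

    # Check 2: weak authentication (disabled, default credentials, clear-text transport).
    if not asset.auth_enabled:
        findings.append(f"{asset.name}: authentication disabled")
    elif (asset.username, asset.password) in DEFAULT_CREDENTIALS:
        findings.append(f"{asset.name}: default credentials in use")
    plaintext = sorted(PLAINTEXT_PROTOCOLS.intersection(p.lower() for p in asset.protocols))
    if plaintext:
        findings.append(f"{asset.name}: credentials exposed over clear-text protocol(s) {', '.join(plaintext)}")

    # Check 3: component vulnerability, judged by version against the patch floor.
    floor = MIN_PATCHED_VERSION.get((asset.vendor, asset.product))
    if floor is not None and parse_version(asset.version) < floor:
        floor_text = ".".join(str(n) for n in floor)
        findings.append(f"{asset.name}: {asset.product} {asset.version} is below patched floor {floor_text}")

    return findings


def audit_inventory(assets: List[Asset]) -> List[str]:
    """Run every check over every asset; findings come back in inventory order."""
    return [finding for asset in assets for finding in audit_asset(asset)]


# Constructed sample inventory: one exposed, unpatched HMI with default
# credentials; one well-configured HMI; one PLC with authentication disabled.
SAMPLE_INVENTORY = [
    Asset("hmi-01", "ExampleVendor", "ExampleHMI", "8.1.0", "203.0.113.10",
          ["https", "telnet"], "admin", "admin"),
    Asset("hmi-02", "ExampleVendor", "ExampleHMI", "8.2.1", "10.20.0.5",
          ["https"], "ops", "correct-horse-battery"),
    Asset("plc-07", "ExampleVendor", "ExamplePLC", "2.9.4", "10.20.1.7",
          ["modbus"], auth_enabled=False),
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY):
        print(line)
```

The first check deliberately uses the owner's declared ranges rather than a "public address" test, because the alert's point is that devices turn up on networks the owner did not know about; a range the inventory does not recognise is exactly what should surface for review.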