
Energy War
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins.
Indicators of Compromise
Domains (34)
Hashes (1319)
IPv4 (77)
CVEs (3)
CVE-2021-44228
CVE-2014-4114
CVE-2013-3906
APT Groups
ELECTRUM
Notes
ICS-CERT has determined that users of HMI products from various vendors have been targeted in this campaign, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC. It is currently unknown whether other vendors' products have also been targeted. ICS-CERT is working with the involved vendors to evaluate this activity and also notify their users of the linkages to this campaign.

At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems' control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.

In addition, public reports reference a BlackEnergy-based campaign against a variety of overseas targets leveraging vulnerability CVE-2014-4114 (affecting Microsoft Windows and Windows Server 2008 and 2012). ICS-CERT has not observed the use of this vulnerability to target control system environments. However, analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor.

ICS-CERT strongly encourages asset owners and operators to look for signs of compromise within their control systems environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation.

Source: ICS-ALERT-14-281-01B, https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-14-281-01B
Mitigation
ICS-CERT has published a TLP Amber version of this alert containing additional information about the malware, plug-ins, and indicators to the secure portal. ICS-CERT strongly encourages asset owners and operators to use these indicators to look for signs of compromise within their control systems environments. Asset owners and operators can request access to this information by emailing [email protected].

Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation.

ICS-CERT strongly encourages taking immediate defensive action to secure ICS systems using defense-in-depth principles (CSSP Recommended Practices, https://ics-cert.us-cert.gov/Recommended-Practices, web site last accessed October 28, 2014). Asset owners should not assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner's knowledge, putting those systems at increased risk of attack.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation arising from unsecure device configuration or from these vulnerabilities. Specifically, users should:

- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.
- Remove, disable, or rename any default system accounts wherever possible.
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.
- Implement policies requiring the use of strong passwords.
- Monitor the creation of administrator level accounts by third-party vendors.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.