Slashdot Mirror


Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com)

itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.

50 comments

  1. after usa/israeli stuxnet all things allowed by sittingnut · · Score: 2

    stuxnet was typical short-sighted policy from usa/israeli establishment. they should have known that such weapons do more damage to the more technologically advanced nations than those less advanced.
    now suffer the consequences of there being no longer a moral high ground for anyone in the west (which being democratic means sins of government cannot be transferred to few dictators/elite) with regard to these. all things allowed.

    1. Re:after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 0

      Yeah, like Russia would've not used such a thing anyway. And compared to stuxnet, this is used against civilians. Stuxnet was against nuclear weapons.

    2. Re:after usa/israeli stuxnet all things allowed by ZouPrime · · Score: 1

      > stuxnet was typical short-sighted policy from usa/israeli establishment.

      Stuxnet was a way for the US to put pressure on Iran's nuclear program without actually bombing the shit out of it, which was what Israel pushed for years. Stuxnet may very well have averted a war between these countries. Do you think the US would have the "moral high ground" had this happened?

    3. Re: after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 1

      Are you sure? If I remember correctly, it was distributed by USB sticks, left at public places. Within the targeted country. Could someone have just found one and tried it? Was it in a debris field?
      So, again, why attack a country, through its power grid? To disrupt... military, who are not dependent on a power grid? That is an attack on civilians, against the world combat rules. A war crime. It should be punished as a war crime. Not whoo rah, but prosecuted.

    4. Re: after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 0

      > So, again, why attack a country, through its power grid? To disrupt... military, who are not dependent on a power grid? That is an attack on civilians, against the world combat rules. A war crime. It should be punished as a war crime. Not whoo rah, but prosecuted.

      Did I not say that? I think I said it (the BlackEnergy) is used against civilians.

    5. Re: after usa/israeli stuxnet all things allowed by arth1 · · Score: 2

      > Are you sure? If I remember correctly, it was distributed by USB sticks, left at public places. Within the targeted country. Could someone have just found one and tried it? Was it in a debris field?

      Sure, but it targeted PCs that ran Siemens Step7 software controlling programmable logic controllers. That's not something that regular users have on their PC.

    6. Re:after usa/israeli stuxnet all things allowed by kilfarsnar · · Score: 1

      > Yeah, like Russia would've not used such a thing anyway. And compared to stuxnet, this is used against civilians. Stuxnet was against nuclear weapons.

      It was against centrifuges. But talking about nuclear weapons just makes it scarier, eh?

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    7. Re: after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 0

      The USB stick had to be physically taken into the Iranian centrifuge facility to infect their systems. Most likely a security agent working for Israel or the US. The stuxnet code that was detected on the Internet was only a test of the delivery mechanism and did not include any of the control system code that infected the centrifuges. The public code also helped muddy the water as to whom released it.

    8. Re:after usa/israeli stuxnet all things allowed by tlhIngan · · Score: 1

      > It was against centrifuges. But talking about nuclear weapons just makes it scarier, eh?

      It was against centrifuges used for the production of nuclear weapons.

      You see, there are two uranium isotopes - U-235 and U-238. U-238 makes up the vast majority of uranium mined (over 99%) while U-235 is around half a percent or so. For a nuclear reactor, depending on its design, it may be able to run on unenriched uranium, or enriched to around 3%.

      Nuclear weapons use weapons-grade enriched uranium, which requires 90% U-235.

      The only way to separate U-235 from U-238 is through a centrifuge which works only because of the slightly higher mass of U-238.

      Enriching uranium for nuclear reactor use doesn't require a whole lot of work - if at all since there are designs meant to operate on unenriched uranium. So if you see a bunch of centrifuges in operation, there really is only one reason - nuclear weapons. Enrichment is expensive, to weapons grade even more so, so you don't want to bother if you're just going to make electricity from it.

      Considering how many centrifuges they were running, it was pretty obvious - if you want to get weapons grade, it takes a LOT of them.

    9. Re: after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 0

      Since apparently jews and US govt workers are all greedy whores this is very logical.

    10. Re:after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 0

      Are you seriously comparing delaying the development of nuclear weapons by a crazy theocracy with sabotaging a country's electricity network?

    11. Re:after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 0

      Sounds to me like you're upset that you're not part of the Chosen People.

      Get over it. Become a moral person and you don't have to be forgiven.

    12. Re:after usa/israeli stuxnet all things allowed by Anonymous Coward · · Score: 0

      It was against centrifuges that could also be used for the production of nuclear weapons.

      FTFY

    13. Re:after usa/israeli stuxnet all things allowed by LWATCDR · · Score: 1

      "It was against centrifuges that were being used for the production of nuclear weapons."
      FTFY

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  2. Yeah, that's December 22 by CajunArson · · Score: 5, Funny

    > On the eve of Dec. 23,

    Or, as those of us who aren't from the 17th century would say, December 22.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Yeah, that's December 22 by Anonymous Coward · · Score: 0

      Christmas eve eve eve.

    2. Re:Yeah, that's December 22 by Anonymous Coward · · Score: 0

      Please, 22nd of December, if you don't mind...

  3. An interesting feature of cyber warfare by Registered+Coward+v2 · · Score: 5, Interesting

    is that, in some cases, once you attack a target you leave behind the weapon you used; so that the target can repurpose it to launch a strike against who they perceive as the perpetrator of the attack. While that would require some sophistication on the target's part, it would not surprise me to see someone launch a counter strike using the original weapon; the challenge being determining who launched the initial attack. Of course, some targets may not worry too much about verifying the source but simply retaliating against a non-enemy or perceived enemy.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:An interesting feature of cyber warfare by KGIII · · Score: 1

      I am no expert, as my posts will attest, but I'm not seeing anything major to complain about. It's a bit complex but I don't see any complaint other than it is a bit complex. The grammar, spelling, and punctuation look not just fine but exceptionally fine, considering that it is just a Slashdot post.

      --
      "So long and thanks for all the fish."
  4. hmmm by sociocapitalist · · Score: 5, Insightful

    "...district in Ukraine suffered a power outage."

    This wouldn't be Russia's 'deniable' response to Ukraine cutting electricity to Crimea...?

    --
    blindly antisocialist = antisocial
  5. How by invictusvoyd · · Score: 2

    did it enter the grid.

    1. Re:How by dbIII · · Score: 1

      > How did it enter the grid.

      I'll bet some loser demanded real-time monitoring and/or control from his office and MS Windows PC instead of maintaining the careful air gap specified by the people who designed the systems in place.
      The main point in the past of having the "remote interface" be a telephone to the guy in the control room was so the guy on the spot could see which instructions were utterly stupid before they could be implemented.

    2. Re:How by Anonymous Coward · · Score: 0

      They deorbited a satellite into a power line

  6. Who would've thought by Anonymous Coward · · Score: 0

    That we don't bomb ourselves back into the stone age, but just turn off our technology remotely.

  7. Installs itself through SndVol.exe by xxxJonBoyxxx · · Score: 5, Informative

    This thing is actually pretty neat. It installs itself when SndVol.exe runs because there's a backwards-compatibility thing in Windows that elevates that "safe" executable (around UAC), and SndVol.exe is then used to execute the "arbitrary code" that gets the ball rolling.
    (https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf - Page 8)

  8. Still Struggling To Understand by Anonymous Coward · · Score: 0

    I'm still struggling to understand why critical infrastructure control systems like generation and grid control would not be air-gapped from the rest of the planet.

    I wonder if this event will cause them to re-architect their network, or if they'll simply add MalwareBytes to their AVG Free "protected" computers.

    1. Re:Still Struggling To Understand by ole_timer · · Score: 1

      Cost. It's cheaper to manage multiple sites over the Internet than to send a tech each time. Utility Commissions don't or won't authorize the additional cost.

      --
      nothing to see here - move along
    2. Re:Still Struggling To Understand by bobbied · · Score: 1

      In the Ukraine perhaps. In the rest of the world? I think the story is a bit different.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Still Struggling To Understand by xxxJonBoyxxx · · Score: 4, Interesting

      >> why critical infrastructure control systems like generation and grid control would not be air-gapped

      It often IS, so sophisticated malware authors (e.g., StuxNet) sometimes write malware that targets computers that are temporarily plugged into critical infrastructure (such as a tech's diagnostic laptop), because those machines are also often plugged into another network to get updates (where they can be attacked and infected). This page has a nice summary: http://www.sagedatasecurity.co...

    4. Re: Still Struggling To Understand by Anonymous Coward · · Score: 0

      Air-gapped (no internet access) is like saying my Windows box is protected because the firewall is running.
      https://hn.algolia.com/?query=airgapped&sort=byPopularity&prefix&page=0&dateRange=all&type=story

  9. Dropbear by gb7djk · · Score: 3, Informative

    Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small open-source sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

    1. Re:Dropbear by Anonymous Coward · · Score: 0

      Yeah, I was wondering why one would need to backdoor a server that is doing exactly what it is supposed to be doing, but it is interesting that they use Dropbear and not Microsoft's own RDP server.

  10. Grammatical ambiguity [Re:Dropbear] by XXongo · · Score: 3, Informative

    > Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small open-source sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

    The sentence from the article was "Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear."

    This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

    That is, it's not clear whether the SSH server is called Dropbear, and it has been backdoored, or whether it is the backdoored version that is called Dropbear.

    1. Re:Grammatical ambiguity [Re:Dropbear] by arth1 · · Score: 1

      > This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

      Without a comma before "called", it's not all that ambiguous.
      But it should be "an SSH server".

    2. Re:Grammatical ambiguity [Re:Dropbear] by Anonymous Coward · · Score: 1

      > But it should be "an SSH server".

      You mean it's not pronounced "Ssssss-shhhhhh Server"?

      Next you'll be telling me it isn't "earl" (URL) or "irk"(IRC).

      And don't even get me started on .GIF

    3. Re:Grammatical ambiguity [Re:Dropbear] by XXongo · · Score: 1

      > This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

      > Without a comma before "called", it's not all that ambiguous.

      A comma would have removed the ambiguity by inserting a grammatical break.

      Without the comma, there is no grammatical break, and the reader has to decide where the break goes.

    4. Re:Grammatical ambiguity [Re:Dropbear] by arth1 · · Score: 1

      Remember when laptops had puckmuckia ports?

    5. Re:Grammatical ambiguity [Re:Dropbear] by requerdanos · · Score: 1

      Stood for, as a WaveLAN vendor once told me, "People Can't Memorize Computer Industry Acronyms."

    6. Re:Grammatical ambiguity [Re:Dropbear] by Anonymous Coward · · Score: 0

      There is an SSH server.
      The server is called Dropbear.
      The server has been backdoored.

      I don't understand how you can fail to understand these points given the sentence.

      Is the server the "real" Dropbear, which has been modified? Or is the server some other server which someone named "Dropbear" in order to confuse the grammar Nazis on Slashdot? The world may never know.

  11. I'm not falling for that by Thud457 · · Score: 1

    Nice one, linking to a PDF in a story about malware.
    Very droll.

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:I'm not falling for that by Anonymous Coward · · Score: 0

      I know right? Every other link on /. malware articles is something I really wonder about clicking on. Nobody monitors this shit.

    2. Re:I'm not falling for that by Anonymous Coward · · Score: 0

      Get off the fucking internet, you're being port scanned by Chinese bots. You might catch a cold.

    3. Re:I'm not falling for that by Anonymous Coward · · Score: 1

      PDF/A is an open standard and completely safe. Nobody forces you to use an unsafe reader (like those from Adobe).

  12. Get your generators ready by Anonymous Coward · · Score: 0

    I wonder which country's grid will be subject to the next attack.

  13. Agreed by Anonymous Coward · · Score: 0

    > How did it enter the grid.

    I agree with this statement.

  14. Some more info on the incident by Bob+the+Super+Hamste · · Score: 3, Interesting

    For those looking for some more info on the attack you can find it here. It is basically what some investigators have uncovered thus far and as a bonus it isn't in Ukrainian.

    --
    Time to offend someone
  15. Cost? by Anonymous Coward · · Score: 0

    I've worked with a couple of U.S. utility companies. One small cooperative and another much larger utility.

    In both cases, generation and switching (grid) equipment were on their own private network. That network spanned the entirety of their infrastructure thanks to their own fiber plant running everywhere on their own poles. The entire infrastructure could be managed from any of their facilities, as you would expect with a network, but there was no Layer 2 or 3 connection between that management network and the ultimately internet-connected corporate network that handled back office, accounting/billing, email, web...

    It was impossible to switch the grid or impact generation from the internet or corporate network.

    When you're already blanketing an area with poles and cables, it's virtually no additional cost to include fiber and copper communication cables. Cost is not even remotely viable as an excuse for connecting the grid to the internet.

    P.S. The fiber plant is a profit center thanks to the leasing of fiber pairs and lambdas.