Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal

itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.

An interesting feature of cyber warfare

[Registered+Coward+v2]

is that, in some cases, once you attack a target you leave behind the weapon you used; so that the target can repurpose it to launch a strike against who they perceive as the perpetrator of the attack. While that would require some sophistication on the target's part, it would not surprise me to see someone launch an counter strike using the original weapon; the challenge being determining who launched the initial attack. Of course, some targets may not worry too much about verifying the source but simply retaliating against a non or perceived enemy.

Re:Still Struggling To Understand

[xxxJonBoyxxx]

>> why critical infrastructure control systems like generation and grid control would not be air-gapped

It often IS, so sophisticated malware authors (e.g., StuxNet) sometimes write malware that targets computers that are temporarily plugged into critical infrastructure (such as a tech's diagnostic laptop), because those machines are also often plugged into another network to get updates (where they can be attacked and infected). This page has a nice summary: http://www.sagedatasecurity.co...

Some more info on the incident

[Bob+the+Super+Hamste]

For those looking for some more info on the attack you can find it here. It is basically what some investigators have uncovered thus far and as a bonus it isn't in Ukrainian.