Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com)

Posted by samzenpus on from the new-weapon dept.

itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.

27 of 50 comments (clear)

  1. after usa/isreali stuxnet all things allowed by sittingnut · · Score: 2

    stuxnet was typical short sighted policy from usa/isreali establishment. they should have known that such weapons do more damage to the more technologically advanced nations than those less advanced.
    now suffer the consequences of there being no longer a moral high ground for anyone in west(which being democratic means sins of government cannot be transfered to few dictators/elite) with regard to these. all things allowed.

    1. Re:after usa/isreali stuxnet all things allowed by ZouPrime · · Score: 1

      > stuxnet was typical short sighted policy from usa/isreali establishment.

      Stuxnet was a way for the US to put pressure on Iran nuclear program without actually bombing the shit out of it, which was what Israel pushed for years. Stuxnet may very well have adverted a war between these countries. Do you think the US would have the "moral high ground" had this happen?

    2. Re: after usa/isreali stuxnet all things allowed by Anonymous Coward · · Score: 1

      Are you sure? If I remember correctly, it was distributed by USB sticks, left at public places. Within the targeted country. Could someone have just found one and tried it? Was it in a debris field?
      So, again, why attack a country, thru its power grid? To disrupt...military, who are not dependent on a power grid? That is an attack on civilians, against the world combat rules. A war crime. It should be punished as a war crime. Not whoo rah, but procequeted.

    3. Re: after usa/isreali stuxnet all things allowed by arth1 · · Score: 2

      Are you sure? If I remember correctly, it was distributed by USB sticks, left at public places. Within the targeted country. Could someone have just found one and tried it? Was it in a debris field?

      Sure, but it targetted PCs that ran Siemens Step7 software controlling programmable logic controllers. That's not something that regular users have on their PC.

    4. Re:after usa/isreali stuxnet all things allowed by kilfarsnar · · Score: 1

      Yeah, like Russia would've not used such a thing anyway. And compared to stuxnet, this is used against civilians. Stuxnet was against nuclear weapons.

      It was against centrifuges. But talking about nuclear weapons just makes it scarier, eh?

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    5. Re:after usa/isreali stuxnet all things allowed by tlhIngan · · Score: 1

      It was against centrifuges. But talking about nuclear weapons just makes it scarier, eh?

      It was against centrifuges used for the production of nuclear weapons.

      You use, there are two uranium isotopes - U-235 and U-238. U-238 makes up the vast majority of uranium mined (over 99%) while U-235 is around half a percent or so. For a nuclear reactor, depending on its design, it may be able to run on unenriched uranium, or enriched to around 3%.

      Nuclear weapons use weapons-grade enriched uranium, which requires 90% U-235.

      The only way to separate U-235 from U-238 is through a centrifuge which works only because of the slightly higher mass of U-238.

      Enriching uranium for nuclear reactor use doesn't require a whole lot of work - if at all since there are designs meant to operate on unenriched uranium. So if you see a bunch of centrifuges in operation, there really is only one reason - nuclear weapons. Enrichment is expensive, to weapons grade even more so, so you don't want to bother if you're just going to make electricity from it.

      Considering how many centrifuges they were running, it was pretty obvious - if you want to get weapons grade, it takes a LOT of them.

    6. Re:after usa/isreali stuxnet all things allowed by LWATCDR · · Score: 1

      "It was against centrifuges that were being used for the production of nuclear weapons."
      FTFY

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  2. Yeah, that's December 22 by CajunArson · · Score: 5, Funny

    On the eve of Dec. 23,

    Or, as those of us who aren't from the 17th century would say, December 22.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  3. An interesting feature of cyber warfare by Registered+Coward+v2 · · Score: 5, Interesting

    is that, in some cases, once you attack a target you leave behind the weapon you used; so that the target can repurpose it to launch a strike against who they perceive as the perpetrator of the attack. While that would require some sophistication on the target's part, it would not surprise me to see someone launch an counter strike using the original weapon; the challenge being determining who launched the initial attack. Of course, some targets may not worry too much about verifying the source but simply retaliating against a non or perceived enemy.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:An interesting feature of cyber warfare by KGIII · · Score: 1

      I am no expert, as my posts will attest, but I'm not seeing anything major to complain about. It's a bit complex but I don't see any complaint other than it is a bit complex. The grammar, spelling, and punctuation look not just fine but exceptionally fine, considering that it is just a Slashdot post.

      --
      "So long and thanks for all the fish."
  4. hmmm by sociocapitalist · · Score: 5, Insightful

    "...district in Ukraine suffered a power outage."

    This wouldn't be Russia's 'deniable' response to Ukraine cutting electricity to Crimea...?

    --
    blindly antisocialist = antisocial
  5. How by invictusvoyd · · Score: 2

    did it enter the grid.

    1. Re:How by dbIII · · Score: 1

      How did it enter the grid.

      I'll bet some loser demanded realtime monitoring and/or control from his office and MS Windows PC instead of maintaining the careful airgap specified by the people who designed the systems in place.
      The main point in the past of having the "remote interface" as a telephone to the guy in the control room was so the guy on the spot could see which instructions were utterly stupid before they could be implemented.

  6. Installs itself through SndVol.exe by xxxJonBoyxxx · · Score: 5, Informative

    This thing is actually pretty neat. It installs itself when SndVol.exe runs because there's a backwards-compatibility thing in Windows that elevates that "safe" executable (around UAC), and SndVol.exe is then used to execute the "arbitrary code" that gets the ball rolling.
    (https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf - Page 8)

  7. Re:Still Struggling To Understand by ole_timer · · Score: 1

    cost. it's cheaper to manage multiple sites over the Internet than to send a tech each time. Utility Commissions don't or won't authorize the additional cost.

    --
    nothing to see here - move along
  8. Dropbear by gb7djk · · Score: 3, Informative

    Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small opensource sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

  9. Grammatical ambiguity [Re:Dropbear] by XXongo · · Score: 3, Informative

    Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small opensource sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

    The sentence from the article was "Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear."

    This is ambigous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

    That is, it's not clear whether the SSH server is called Dropbear, and it has been backdoored, or whether it is the backdoored version that is called Dropbear.

    1. Re:Grammatical ambiguity [Re:Dropbear] by arth1 · · Score: 1

      This is ambigous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

      Without a comma before "called", it's not all that ambiguous.
      But it should be "an SSH server".

    2. Re:Grammatical ambiguity [Re:Dropbear] by Anonymous Coward · · Score: 1

      But it should be "an SSH server".

      You mean it's not pronounced "Ssssss-shhhhhh Server"?

      Next you'll be telling me it isn't "earl" (URL) or "irk"(IRC).

      And don't even get me started on .GIF

    3. Re:Grammatical ambiguity [Re:Dropbear] by XXongo · · Score: 1

      This is ambigous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

      Without a comma before "called", it's not all that ambiguous.

      A comma would have removed the ambiguity by inserting a grammatical break.

      Without the comma, there is no grammatical break, and the reader has to decide where the break goes.

    4. Re:Grammatical ambiguity [Re:Dropbear] by arth1 · · Score: 1

      Remember when laptops had puckmuckia ports?

    5. Re:Grammatical ambiguity [Re:Dropbear] by requerdanos · · Score: 1

      Stood for, as a WaveLAN vendor once told me, "People Can't Memorize Computer Industry Acronyms."

  10. I'm not falling for that by Thud457 · · Score: 1

    Nice one, linking to a PDF in a story about malware.
    Very droll.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:I'm not falling for that by Anonymous Coward · · Score: 1

      PDF/A is an open standard and completely safe. Nobody forces you to use an unsafe reader (like those from Adobe).

  11. Re:Still Struggling To Understand by bobbied · · Score: 1

    In the Ukraine perhaps. In the rest of the world? I think the story is a bit different.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  12. Re:Still Struggling To Understand by xxxJonBoyxxx · · Score: 4, Interesting

    >> why critical infrastructure control systems like generation and grid control would not be air-gapped

    It often IS, so sophisticated malware authors (e.g., StuxNet) sometimes write malware that targets computers that are temporarily plugged into critical infrastructure (such as a tech's diagnostic laptop), because those machines are also often plugged into another network to get updates (where they can be attacked and infected). This page has a nice summary: http://www.sagedatasecurity.co...

  13. Some more info on the incident by Bob+the+Super+Hamste · · Score: 3, Interesting

    For those looking for some more info on the attack you can find it here. It is basically what some investigators have uncovered thus far and as a bonus it isn't in Ukrainian.

    --
    Time to offend someone