Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com)

Posted by samzenpus on from the new-weapon dept.

itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.

11 of 50 comments (clear)

  1. after usa/isreali stuxnet all things allowed by sittingnut · · Score: 2

    stuxnet was typical short sighted policy from usa/isreali establishment. they should have known that such weapons do more damage to the more technologically advanced nations than those less advanced.
    now suffer the consequences of there being no longer a moral high ground for anyone in west(which being democratic means sins of government cannot be transfered to few dictators/elite) with regard to these. all things allowed.

    1. Re: after usa/isreali stuxnet all things allowed by arth1 · · Score: 2

      Are you sure? If I remember correctly, it was distributed by USB sticks, left at public places. Within the targeted country. Could someone have just found one and tried it? Was it in a debris field?

      Sure, but it targetted PCs that ran Siemens Step7 software controlling programmable logic controllers. That's not something that regular users have on their PC.

  2. Yeah, that's December 22 by CajunArson · · Score: 5, Funny

    On the eve of Dec. 23,

    Or, as those of us who aren't from the 17th century would say, December 22.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  3. An interesting feature of cyber warfare by Registered+Coward+v2 · · Score: 5, Interesting

    is that, in some cases, once you attack a target you leave behind the weapon you used; so that the target can repurpose it to launch a strike against who they perceive as the perpetrator of the attack. While that would require some sophistication on the target's part, it would not surprise me to see someone launch an counter strike using the original weapon; the challenge being determining who launched the initial attack. Of course, some targets may not worry too much about verifying the source but simply retaliating against a non or perceived enemy.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  4. hmmm by sociocapitalist · · Score: 5, Insightful

    "...district in Ukraine suffered a power outage."

    This wouldn't be Russia's 'deniable' response to Ukraine cutting electricity to Crimea...?

    --
    blindly antisocialist = antisocial
  5. How by invictusvoyd · · Score: 2

    did it enter the grid.

  6. Installs itself through SndVol.exe by xxxJonBoyxxx · · Score: 5, Informative

    This thing is actually pretty neat. It installs itself when SndVol.exe runs because there's a backwards-compatibility thing in Windows that elevates that "safe" executable (around UAC), and SndVol.exe is then used to execute the "arbitrary code" that gets the ball rolling.
    (https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf - Page 8)

  7. Dropbear by gb7djk · · Score: 3, Informative

    Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small opensource sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

  8. Grammatical ambiguity [Re:Dropbear] by XXongo · · Score: 3, Informative

    Could I gently point out that Dropbear is not, per se, a "trojaned ssh server". It is just a small opensource sshd implementation that is used for embedded applications, including things such as OpenWrt routers.

    The sentence from the article was "Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear."

    This is ambigous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

    That is, it's not clear whether the SSH server is called Dropbear, and it has been backdoored, or whether it is the backdoored version that is called Dropbear.

  9. Re:Still Struggling To Understand by xxxJonBoyxxx · · Score: 4, Interesting

    >> why critical infrastructure control systems like generation and grid control would not be air-gapped

    It often IS, so sophisticated malware authors (e.g., StuxNet) sometimes write malware that targets computers that are temporarily plugged into critical infrastructure (such as a tech's diagnostic laptop), because those machines are also often plugged into another network to get updates (where they can be attacked and infected). This page has a nice summary: http://www.sagedatasecurity.co...

  10. Some more info on the incident by Bob+the+Super+Hamste · · Score: 3, Interesting

    For those looking for some more info on the attack you can find it here. It is basically what some investigators have uncovered thus far and as a bonus it isn't in Ukrainian.

    --
    Time to offend someone