Slashdot Mirror


Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com)

itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.

5 of 50 comments

  1. Yeah, that's December 22 by CajunArson · · Score: 5, Funny

    On the eve of Dec. 23,

    Or, as those of us who aren't from the 17th century would say, December 22.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  2. An interesting feature of cyber warfare by Registered+Coward+v2 · · Score: 5, Interesting

    is that, in some cases, once you attack a target you leave behind the weapon you used, so that the target can repurpose it to launch a strike against whoever they perceive as the perpetrator of the attack. While that would require some sophistication on the target's part, it would not surprise me to see someone launch a counter strike using the original weapon; the challenge being determining who launched the initial attack. Of course, some targets may not worry too much about verifying the source but simply retaliate against a non or perceived enemy.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  3. hmmm by sociocapitalist · · Score: 5, Insightful

    "...district in Ukraine suffered a power outage."

    This wouldn't be Russia's 'deniable' response to Ukraine cutting electricity to Crimea...?

    --
    blindly antisocialist = antisocial
  4. Installs itself through SndVol.exe by xxxJonBoyxxx · · Score: 5, Informative

    This thing is actually pretty neat. It installs itself when SndVol.exe runs because there's a backwards-compatibility thing in Windows that elevates that "safe" executable (around UAC), and SndVol.exe is then used to execute the "arbitrary code" that gets the ball rolling.
    (https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf - Page 8)

  5. Re:Still Struggling To Understand by xxxJonBoyxxx · · Score: 4, Interesting

    >> why critical infrastructure control systems like generation and grid control would not be air-gapped

    It often IS, so sophisticated malware authors (e.g., StuxNet) sometimes write malware that targets computers that are temporarily plugged into critical infrastructure (such as a tech's diagnostic laptop), because those machines are also often plugged into another network to get updates (where they can be attacked and infected). This page has a nice summary: http://www.sagedatasecurity.co...