Overview
In October 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced that several industrial control systems had been infected by a variant of the BlackEnergy Trojan horse.[1] First reported in 2007 and originally built for what have been described as "nuisance spam attacks," BlackEnergy has since been repurposed to target critical energy infrastructure.
BlackEnergy is of special concern to critical infrastructure operators because it is now being deployed as an Advanced Persistent Threat (APT) tool, ostensibly to gather information.
“BlackEnergy specifically targets human machine interface (“HMI”) software, which enables users to monitor and interact with industrial control systems such as heating, ventilation, and air conditioning systems through a dashboard or other type of graphical interface. HMI software is typically running 24/7, can be remotely accessed, and is rarely updated, thus making it a favorite target for opportunistic hackers.”[41]
While no attempts to “damage, modify, or otherwise disrupt the victim systems’ control processes” were found, the ICS-CERT alert flags this APT variant of BlackEnergy as a special concern because it is modular malware capable of spreading through network file shares and onto removable storage media.
“[T]ypical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.”[42]
Attackers are reported to have used the BlackEnergy Trojan horse to deliver plug-in modules for several purposes, including keylogging, audio recording, and screenshot capture. Researchers examining the malware are also reported to have identified a plug-in that can destroy hard disks, and believe the attackers would activate it once discovered in order to cover their tracks.[43]