BlackEnergy cyberespionage group targets Linux systems and Cisco routers

Kaspersky Lab researchers found BlackEnergy malware modules designed for ARM and MIPS systems running Linux

A cyberespionage group that has built its operations around a malware program called BlackEnergy has been compromising routers and Linux systems based on ARM and MIPS architectures in addition to Windows computers.

Security researchers from antivirus vendor Kaspersky Lab released a report Monday detailing some of the custom modules that the group has developed for BlackEnergy, a tool originally created and used by cybercriminals to launch distributed denial-of-service attacks.

Variants of the BlackEnergy plug-ins developed by the cyberespionage group were discovered for both Windows and Linux systems. They enhance the malware program with capabilities like port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and even hard disk wiping.

Different selections of plug-ins are deployed from command-and-control servers for every victim, depending on the group's goals and the victim's systems, the Kaspersky researchers said.

In one case, attackers downloaded and executed a BlackEnergy plug-in called dstr that destroyed data on an organization's Windows computers.

"By all appearances, the attackers pushed the 'dstr' module when they understood that they were revealed, and wanted to hide their presence on the machines," the Kaspersky Lab researchers said. "Some machines already launched the plugin, lost their data and became unbootable."

In another incident, an organization that also had data from some of its Windows machines destroyed found that it was no longer able to access its Cisco routers via telnet. When the organization investigated, it found several "farewell" scripts left on the routers by the BlackEnergy group, the Kaspersky researchers said.

Those scripts had been used to clean traces of what the attackers did on the compromised routers. One script had the description "Cisc0 API Tcl extension for B1ack En3rgy b0t" and contained a vulgar message for Kaspersky researchers.

The group seems particularly interested in targeting organizations that run industrial control systems, especially from the energy sector. Victims identified by Kaspersky include power generation operators, power facilities construction companies, suppliers and manufacturers of heavy power-related materials, and energy sector investors.

This matches recent findings by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security. In a security alert last week, ICS-CERT warned that multiple companies running HMI (human-machine interface) products from General Electric, Siemens and BroadWin/Advantech had their systems infected with BlackEnergy. HMIs are software applications that provide a graphical user interface for monitoring and interacting with industrial control systems.

Aside from its apparent interest in ICS operators, the group has been known to target high-level government organizations, municipal offices, federal emergency services, national standards bodies, banks, academic research institutions, property holdings and other organizations. Victims were identified in at least 20 countries.

On Oct. 14 researchers from security firm iSight Partners released a report about one of the group's recent attack campaigns that targeted the Ukrainian government and a U.S.-based organization by leveraging a zero-day -- unpatched -- vulnerability in Microsoft Windows.

The iSight researchers dubbed the cyberespionage group the Sandworm team and believe that it's operating out of Russia. However, the Kaspersky researchers said that it's unclear whose interests the group serves, noting that a DDoS attack launched by the group targeted an IP address that belongs to the Russian Ministry of Defense.


Lucian Constantin

IDG News Service