BlackEnergy cyberespionage group targets Linux systems and Cisco routers

Kaspersky Lab researchers found BlackEnergy malware modules designed for ARM and MIPS systems running Linux

A cyberespionage group that has built its operations around a malware program called BlackEnergy has been compromising routers and Linux systems based on ARM and MIPS architectures in addition to Windows computers.

Security researchers from antivirus vendor Kaspersky Lab released a report Monday detailing some of the custom modules that the group has developed for BlackEnergy, a tool originally created and used by cybercriminals to launch distributed denial-of-service attacks.

Variants of the BlackEnergy plug-ins developed by the cyberespionage group were discovered for both Windows and Linux systems. They enhance the malware program with capabilities like port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and even hard disk wiping.

Different selections of plug-ins are deployed from command-and-control servers for every victim, depending on the group's goals and the victim's systems, the Kaspersky researchers said.

In one case, attackers downloaded and executed a BlackEnergy plug-in called dstr that destroyed data on an organization's Windows computers.

"By all appearances, the attackers pushed the 'dstr' module when they understood that they were revealed, and wanted to hide their presence on the machines," the Kaspersky Lab researchers said. "Some machines already launched the plugin, lost their data and became unbootable."

In another incident, an organization that also had data destroyed on some of its Windows machines found that it could no longer access its Cisco routers via telnet. When the organization investigated, it found several "farewell" scripts left on the routers by the BlackEnergy group, the Kaspersky researchers said.

Those scripts had been used to clean traces of what the attackers did on the compromised routers. One script had the description "Cisc0 API Tcl extension for B1ack En3rgy b0t" and contained a vulgar message for Kaspersky researchers.

The group seems particularly interested in targeting organizations that run industrial control systems, especially from the energy sector. Victims identified by Kaspersky include power generation operators, power facilities construction companies, suppliers and manufacturers of heavy power-related materials, and energy sector investors.

This matches recent findings by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security. In a security alert last week, ICS-CERT warned that multiple companies running HMI (human-machine interface) products from General Electric, Siemens and BroadWin/Advantech had their systems infected with BlackEnergy. HMIs are software applications that provide a graphical user interface for monitoring and interacting with industrial control systems.

Aside from its apparent interest in ICS operators, the group has been known to target high-level government organizations, municipal offices, federal emergency services, national standards bodies, banks, academic research institutions, property holdings and other organizations. Victims were identified in at least 20 countries.

On Oct. 14, researchers from security firm iSight Partners released a report about one of the group's recent attack campaigns, which targeted the Ukrainian government and a U.S.-based organization by leveraging a zero-day (unpatched) vulnerability in Microsoft Windows.

The iSight researchers dubbed the cyberespionage group the Sandworm team and believe that it's operating out of Russia. However, the Kaspersky researchers said that it's unclear whose interests the group serves, noting that a DDoS attack launched by the group targeted an IP address that belongs to the Russian Ministry of Defense.
