BlackEnergy fingered for suspected attacks on Siemens’ SCADA software

The US Department of Homeland Security (DHS) is urging users of Siemens’ industrial control software to update their systems after finding signs the notorious BlackEnergy malware exploited recently patched flaws.

In late November, German industrial giant Siemens released fixes for two critical SCADA flaws that allowed remote attackers to extract files from WinCC SCADA servers and execute arbitrary code on them. WinCC SCADA servers are used by large firms in industries such as the energy and chemical sectors.

At the time, the DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that “indicators exist that this vulnerability may have been exploited during a recent campaign”. Symantec appeared to have been the company that flagged the potential attacks, according to Siemens’ advisory.

The two flaws affected Siemens SIMATIC WinCC SCADA servers and two other products, TIA Portal and PCS7. Both flaws could be remotely exploited.

In an update on Thursday, ICS-CERT reported that Siemens-based SCADA servers were likely to have been exploited by the BlackEnergy malware — a notorious piece of malware that’s been known to target Windows and Linux systems used by large industrial firms.

Siemens was one of the vendors in ICS-CERT’s October alert that warned of BlackEnergy attacks. Other products targeted included General Electric's Cimplicity HMI and BroadWin's WebAccess. However, at the time Siemens had not released patches for the flaws.

BlackEnergy malware can conduct port scans, steal passwords, gather system information, steal digital certificates, connect remotely to a target and wipe hard disks.

With patches available and indicators that BlackEnergy did exploit them, ICS-CERT now “strongly encourages” users of Siemens’ WinCC, TIA Portal, and PCS7 — the products patched in November — to update to the latest versions of the software.

“While ICS-CERT lacks definitive information on how WinCC systems are being compromised by BlackEnergy, there are indications that one of the vulnerabilities fixed with the latest update for SIMATIC WinCC may have been exploited by the BlackEnergy malware,” ICS-CERT said.

Links to the relevant advisories can be found .

An analysis of the malware by Russian security vendor Kaspersky noted that targets included power generation operators, power facilities construction companies, suppliers and manufacturers of heavy power-related materials, and energy sector investors.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
