DOCSLIB.ORG

Analysis Report Blackenergy

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis Report Blackenergy Analysis Report iTrust-Analysis-001 May 2016 BlackEnergy - Malware for Cyber-Physical Attacks About iTrust iTrust is a multidisciplinary research centre located in the Singapore University of Technology and Design (SUTD), established collaboratively by SUTD and the Ministry of Defence, Singapore (MINDEF). The focus of iTrust is on cyber security, spanning across three research areas: a. Cyber Physical System (CPS); b. Enterprise Networking / Security; and c. Internet of Things (IoT). iTrust researchers focus on the development of advanced tools and methodologies to ensure security and safety of current and future cyber physical systems and Internet of Things (IoT) systems. Systems of interest include large infrastructure of national importance such as power grid, water treatment, and oil refineries as well as cyber-devices such as smart watches, pacemakers, defibrillators, insulin pumps, and VNS implants. Cyber physical systems is one of the many areas we are working on. The focus of the proposed research is to improve our understanding of cyber threats to CPSs and to develop and experiment with strategies to mitigate such threats. Our approach is based on well understood technical foundations borrowed from the interdisciplinary fields of control theory, artificial intelligence, game theory, networking, and software engineering. The techniques propose will be evaluated against, and demonstrated in our Secure Water Treatment (SWaT) Testbed, Water Distribution System (WADI) testbed, and Electric Power and Intelligent Control (EPIC) testbed. Similarly, shielded room laboratory for IoT research. iTrust researchers are drawn from across SUTD and with a strong collaboration with Massachusetts Institute of Technology (MIT), enrich the depth, breadth, and quality of research. Academic collaborators include MIT, Imperial College, University of Illinois at Urbana-Champaign (UIUC)/Advanced Digital Sciences Center (ADSC), Ben Gurion University, Israel and Nanyang Technological University, Singapore (NTU). For more information, please refer to http://itrust.sutd.edu.sg. Thank you. iTrust, Centre for Research in Cyber Security Singapore University of Technology and Design Malware for Cyber-Physical Attacks Siddhant Shrivastava, iTrust Centre for Research in Cyber Security yber-Physical Systems are increasingly 5.7 BlackEnergy in the Ukraine Attacks 8 being used in critical infrastructures. 5.7.1 Media Industry . 8 CRecent attacks on these systems have 5.7.2 Power Industry . 8 resulted in adverse consequences on an international level. Contemporary malware 6 Ukraine Power Sector Attacks 9 has expanded its scope from conventional 6.1 Events Timeline . 10 cyberspace to the physical space by attacking 6.2 Attack Workflow . 10 Cyber-Physical Systems. One such popular 6.3 Impact on CPS . 11 malware family, BlackEnergy, is studied in 6.4 Analysis . 11 detail here to better understand the scope 6.5 Open-Source Knowledge . 11 of Malware in facilitating Cyber-Physical 6.6 Significance . 13 Attacks. 7 Current State of ICS Security 13 7.1 Defence Mechanisms . 13 Contents 7.2 Security by Design . 13 1 Introduction 1 8 Conclusion 13 2 Cyber-Physical Systems 2 1 Introduction 3 Critical Infrastructure 2 3.1 Threats to Public Infrastructure . 2 Recent malware-facilitated attacks on criticial public 3.2 Points of Attack . 2 infrastructure bolster the need to understand the relation between malware and cyber-physical attacks. 4 Malware 3 This report studies the BlackEnergy malware family 4.1 Types of Malware . 3 in detail and its involvement in attacks on industries 4.2 Attack Strategies Used . 4 in Ukraine (media, power). The uniqueness of the attack strategies lies in the employment of different 5 BlackEnergy 4 versions of the same malware family to achieve 5.1 Infection Vectors and Targets . 4 different end results. The attacks in this paper 5.2 Architecture . 5 are reportedly the first in the history of power- 5.3 Features . 6 sector related cyber-physical attacks. It is important 5.4 Versions . 7 to note that the versatility of the BlackEnergy 5.4.1 Version 1.0 . 7 malware family enables it to be a persistent threat 5.4.2 Version 2.0 . 7 to the industries. The attacks were coordinated 5.4.3 Version 3.0 . 7 with much fewer resources and lesser sophistication 5.5 Attacks . 8 than previous attacks on critical infrastructure by 5.6 KillDisk Component . 8 malware such as Stuxnet. Page 1 of 15 The report is organised as follows. Section 3 Critical Infrastructure 2 discusses concepts of cyber-physical systems. Criticial Infrastructures and Malware are considered CPS is increasingly being utilised for designing in Sections 3 and 4 respectively. A comprehensive and engineering Critical Infrastructures. Critical study of the BlackEnergy malware family is Infrastructure [23] is a set of commonly accessible described in Section 5. Details about the Ukraine services that fulfills the basic needs of a nation's Power Sector Attacks are mentioned in Section 6. society and economy. Every country has certain Finally, the current state of the security landscape services that fall under the Critical National is discussed in Section 7. Infrastructure. ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) [30] has defined 16 sectors as critical infrastructures as 2 Cyber-Physical Systems shown in Table 2. Cyber-Physical Systems (CPS) entail all possible systems which exist in the cyber Domain as 3.1 Threats to Public Infrastructure well as the physical Domain. Examples include intelligent transportation systems, water treatment Due to distributed design, increased network and distribution systems, automobiles, pacemakers connectivity and technology readiness, contemporary and the power grid. CPS integrates computing, critical infrastructures face the following threats: networking, and physical processes. The physical process is integrated, monitored and controlled • Cyber Attacks - An attack purely in the by computers [17]. The intelligence programmed cyber domain, in which one of confidentiality, in the cyber domain decides the steps that the integrity, availability is compromised physical process should take given the state of the system. This enables automation, control and • CPS Attacks - An attack in the cyber domain quality assurance of processes which would otherwise with consequences in the physical domain, require humans in the loop. Thus, cybersecurity e.g., unauthorised actuation, espionage, delayed becomes increasingly important in the case of CPS actuation as all critical infrastructures are built on this model. The security of CPS depends on more factors than • Physical Attacks - An attack purely in the conventional networked cyber systems. A secure physical domain, e.g., drilling a hole in a water CPS has at least the following features: tank • Confidentiality • Physical-Cyber Attacks - An attack in the physical domain with consequences in the cyber • Integrity domain, e.g., pulling out wires connecting to the historian server • Availability • Authenticity These attacks may not be mutually exclusive; the overlap between these domains is represented in Figure 1. Thus, it suffices to say that an insecure cyber Note that even further specialised types of attack system is also a vulnerable CPS. The risk is not such as cyber-physical-cyber can be carried out by limited to data and services but includes physical a determined adversary. However, the impact of the and biological risks to the people who are affected by malware on CPS domains is the primary focus of the CPS. Since the physical process can be attacked this report. physically by adversaries, defence mechanisms need to take physical security into consideration as well. Components of CPS are referred in Table 1. The 3.2 Points of Attack vulnerable points of entry of attack are identified in Figure 2. CPS technology is increasingly being The points of attack for a generic CPS are utilised as the model for designing and engineering represented in Figure 2. For a specific CPS, the public critical infrastructures of nations. descriptions are presented in Table 1. Page 2 of 15 Table 1: Examples of CPS. CPS Sensors/ Control Utility Systems Actuators Devices Devices Water Treatment Level sensor, SCADA workstation, PLCs SCADA System Pumps, Flow sensor Historian server Pulse monitor, Mobile application, Pacemaker Timing controller Pulse amplifier Pulse logger ECUs using Dashboard computer, Automobile Odometer / Throttle CAN Bus, i2c, Mobile application FlexRay Table 2: Critical Infrastructures defined by ICS-CERT. Energy Water Chemical Finance Food and Agriculture Communications Commerce Government Nuclear Defence Manufacturing Dams Transportation Information Technology Emergency Services Healthcare 4 Malware • Worm - A computer software written for self-replication without an external trigger Malware is a portmanteau for malicious software, and it spreads from machine to machine and refers to all the practices that are meant to cause over the network until it reaches the harm to the normal operations of a cyber-system. desired host. Historically, worms have been Malware can be classed as a source of cyber-physical identified for their notoriety in CPS Attacks - attacks when used against a CPS. Stuxnet(centrifuges), Slammer(nuclear plant) and most recently BlackEnergy (power) 4.1 Types of Malware • Botnet - A malware strategy in which a set of The most common types of malware are listed below: compromised infected computer nodes act as • Rootkit - Programmes which utilise privilege unaware victims for a C&C Server.
Load more

Recommended publications
  • Xbt.Doc.248.2.Pdf
    MAY 25, 2018 United States District Court Southern District of Florida Miami Division CASE NO. 1:17-CV-60426-UU ALEKSEJ GUBAREV, XBT HOLDING S.A., AND WEBZILLA, INC., PLAINTIFFS, VS BUZZFEED, INC. AND BEN SMITH, DEFENDANTS Expert report of Anthony J. Ferrante FTI Consulting, Inc. 4827-3935-4214v.1 0100812-000009 Table of Contents Table of Contents .............................................................................................................................................. 1 Qualifications ..................................................................................................................................................... 2 Scope of Assignment ......................................................................................................................................... 3 Glossary of Important Terms ............................................................................................................................. 4 Executive Summary ........................................................................................................................................... 7 Methodology ..................................................................................................................................................... 8 Technical Investigation ................................................................................................................................ 8 Investigative Findings .......................................................................................................................................
    [Show full text]
  • Tstable of Content
    ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2017 North Atlantic Treaty Organization London International Model United Nations 18th Session | 2017 tsTable of Content 1 ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2017 Table of Contents Table of Contents WELCOME TO THE NORTH ATLANTIC TREATY ORGANIZATION .............................................................. 3 INTRODUCTION TO THE COMMITTEE .................................................................................................................. 4 TOPIC A: FORMING A NATO STRATEGY IN CYBERSPACE ............................................................................. 5 INTRODUCTION ............................................................................................................................................................... 5 HISTORY OF THE PROBLEM ............................................................................................................................................. 6 Timeline of notable attacks ....................................................................................................................................... 7 1998 – 2001 “MOONLIGHT MAZE” ....................................................................................................................... 7 2005 – 2011 TITAN RAIN & BYZANTINE HADES .................................................................................................. 8 2007 Estonia DDoS Campaigns ...............................................................................................................................
    [Show full text]
  • Security > Automotive > Blockchain > Virtual and Augmented Reality
    > Security > Automotive > Blockchain > Virtual and Augmented Reality AUGUST 2018 www.computer.org CALL FOR NOMINEES Education Awards Nominations Taylor L. Booth Education Award Computer Science and Engineering Undergraduate Teaching Award A bronze medal and US$5,000 honorarium are awarded for an outstanding record in computer science and engineering A plaque, certificate and a stipend of US$2,000 is education. The individual must meet two or more of the awarded to recognize outstanding contributions to following criteria in the computer science and engineering field: undergraduate education through both teaching and service and for helping to maintain interest, increase the • Achieving recognition as a teacher of renown. visibility of the society, and making a statement about the • Writing an influential text. importance with which we view undergraduate education. • Leading, inspiring or providing significant education content during the creation of a curriculum in the field. The award nomination requires a minimum of three • Inspiring others to a career in computer science and endorsements. engineering education. Two endorsements are required for an award nomination. See the award information at: See the award details at: www.computer.org/web/awards/booth www.computer.org/web/awards/cse-undergrad-teaching Deadline: 1 October 2018 Nomination Site: awards.computer.org r5p77.indd 77 5/9/18 3:30 PM IEEE COMPUTER SOCIETY computer.org • +1 714 821 8380 STAFF Editor Managers, Editorial Content Meghan O’Dell Brian Brannon, Carrie Clark Contributing Staff Publisher Christine Anthony, Lori Cameron, Cathy Martin, Chris Nelson, Robin Baldwin Dennis Taylor, Rebecca Torres, Bonnie Wylie Senior Advertising Coordinator Production & Design Debbie Sims Carmen Flores-Garvey Circulation: ComputingEdge (ISSN 2469-7087) is published monthly by the IEEE Computer Society.
    [Show full text]
  • A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX
    In Collaboration With A PRACTICAL METHOD OF IDENTIFYING CYBERATTACKS February 2018 INDEX TOPICS EXECUTIVE SUMMARY 4 OVERVIEW 5 THE RESPONSES TO A GROWING THREAT 7 DIFFERENT TYPES OF PERPETRATORS 10 THE SCOURGE OF CYBERCRIME 11 THE EVOLUTION OF CYBERWARFARE 12 CYBERACTIVISM: ACTIVE AS EVER 13 THE ATTRIBUTION PROBLEM 14 TRACKING THE ORIGINS OF CYBERATTACKS 17 CONCLUSION 20 APPENDIX: TIMELINE OF CYBERSECURITY 21 INCIDENTS 2 A Practical Method of Identifying Cyberattacks EXECUTIVE OVERVIEW SUMMARY The frequency and scope of cyberattacks Cyberattacks carried out by a range of entities are continue to grow, and yet despite the seriousness a growing threat to the security of governments of the problem, it remains extremely difficult to and their citizens. There are three main sources differentiate between the various sources of an of attacks; activists, criminals and governments, attack. This paper aims to shed light on the main and - based on the evidence - it is sometimes types of cyberattacks and provides examples hard to differentiate them. Indeed, they may of each. In particular, a high level framework sometimes work together when their interests for investigation is presented, aimed at helping are aligned. The increasing frequency and severity analysts in gaining a better understanding of the of the attacks makes it more important than ever origins of threats, the motive of the attacker, the to understand the source. Knowing who planned technical origin of the attack, the information an attack might make it easier to capture the contained in the coding of the malware and culprits or frame an appropriate response. the attacker’s modus operandi.
    [Show full text]
  • Investigative Techniques of N-Way Vendor Agreement and Network Analysis Demonstrated with Fake Antivirus
    2014 Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings May 29th, 2:40 PM Investigative Techniques of N-Way Vendor Agreement and Network Analysis Demonstrated with Fake Antivirus Gary Warner The University of Alabama at Birmingham, [email protected] Mike Nagy The University of Alabama at Birmingham, [email protected] Kyle Jones The University of Alabama at Birmingham, [email protected] Kevin Mitchem The University of Alabama at Birmingham, [email protected] Follow this and additional works at: https://commons.erau.edu/adfsl Part of the Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, and the Social Control, Law, Crime, and Deviance Commons Scholarly Commons Citation Warner, Gary; Nagy, Mike; Jones, Kyle; and Mitchem, Kevin, "Investigative Techniques of N-Way Vendor Agreement and Network Analysis Demonstrated with Fake Antivirus" (2014). Annual ADFSL Conference on Digital Forensics, Security and Law. 3. https://commons.erau.edu/adfsl/2014/thursday/3 This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an (c)ADFSL authorized administrator of Scholarly Commons. For more information, please contact [email protected]. ADFSL Conference on Digital Forensics, Security and Law, 2014 INVESTIGATIVE TECHNIQUES OF N-WAY VENDOR AGREEMENT AND NETWORK ANALYSIS DEMONSTRATED WITH FAKE ANTIVIRUS Gary Warner [email protected] Mike Nagy [email protected] Kyle Jones [email protected] Kevin Mitchem [email protected] The University of Alabama at Birmingham Birmingham, AL ABSTRACT Fake AntiVirus (FakeAV) malware experienced a resurgence in the fall of 2013 after falling out of favor after several high profile arrests.
    [Show full text]
  • Yokogawa Innovative Plant Automation Security Solutions
    White Paper : Yokogawa Innovative Plant Automation Security Solutions Contents 1. Industrial Automation and Business Network Integration .......... 2 1.1. Necessity of IA System Security ................................................................................... 2 1.2. Yokogawa Cyber Security for Industrial Control System ............................................... 3 1.3. IA System Security Priorities .......................................................................................... 4 2. Continuous Security Concept ........................................................ 6 2.1. What are the Demands ................................................................................................. 6 2.2. Security Lifecycle Approach ........................................................................................... 6 2.3. Defense in Depth ........................................................................................................... 8 2.4. Yokogawa Security Competency Laboratories .............................................................. 8 3. Security Design and Implementation Solutions ........................... 9 3.1. Typical Network Architecture.......................................................................................... 9 3.2. Standardized Security Solutions .................................................................................. 10 3.3. Secure Designed Products .......................................................................................... 15 4. Security Operation
    [Show full text]
  • ESET THREAT REPORT Q3 2020 | 2 ESET Researchers Reveal That Bugs Similar to Krøøk Affect More Chip Brands Than Previously Thought
    THREAT REPORT Q3 2020 WeLiveSecurity.com @ESETresearch ESET GitHub Contents Foreword Welcome to the Q3 2020 issue of the ESET Threat Report! 3 FEATURED STORY As the world braces for a pandemic-ridden winter, COVID-19 appears to be losing steam at least in the cybercrime arena. With coronavirus-related lures played out, crooks seem to 5 NEWS FROM THE LAB have gone “back to basics” in Q3 2020. An area where the effects of the pandemic persist, however, is remote work with its many security challenges. 9 APT GROUP ACTIVITY This is especially true for attacks targeting Remote Desktop Protocol (RDP), which grew throughout all H1. In Q3, RDP attack attempts climbed by a further 37% in terms of unique 13 STATISTICS & TRENDS clients targeted — likely a result of the growing number of poorly secured systems connected to the internet during the pandemic, and possibly other criminals taking inspiration from 14 Top 10 malware detections ransomware gangs in targeting RDP. 15 Downloaders The ransomware scene, closely tracked by ESET specialists, saw a first this quarter — an attack investigated as a homicide after the death of a patient at a ransomware-struck 17 Banking malware hospital. Another surprising twist was the revival of cryptominers, which had been declining for seven consecutive quarters. There was a lot more happening in Q3: Emotet returning 18 Ransomware to the scene, Android banking malware surging, new waves of emails impersonating major delivery and logistics companies…. 20 Cryptominers This quarter’s research findings were equally as rich, with ESET researchers: uncovering 21 Spyware & backdoors more Wi-Fi chips vulnerable to KrØØk-like bugs, exposing Mac malware bundled with a cryptocurrency trading application, discovering CDRThief targeting Linux VoIP softswitches, 22 Exploits and delving into KryptoCibule, a triple threat in regard to cryptocurrencies.
    [Show full text]
  • Giant List of Web Browsers
    Giant List of Web Browsers The majority of the world uses a default or big tech browsers but there are many alternatives out there which may be a better choice. Take a look through our list & see if there is something you like the look of. All links open in new windows. Caveat emptor old friend & happy surfing. 1. 32bit https://www.electrasoft.com/32bw.htm 2. 360 Security https://browser.360.cn/se/en.html 3. Avant http://www.avantbrowser.com 4. Avast/SafeZone https://www.avast.com/en-us/secure-browser 5. Basilisk https://www.basilisk-browser.org 6. Bento https://bentobrowser.com 7. Bitty http://www.bitty.com 8. Blisk https://blisk.io 9. Brave https://brave.com 10. BriskBard https://www.briskbard.com 11. Chrome https://www.google.com/chrome 12. Chromium https://www.chromium.org/Home 13. Citrio http://citrio.com 14. Cliqz https://cliqz.com 15. C?c C?c https://coccoc.com 16. Comodo IceDragon https://www.comodo.com/home/browsers-toolbars/icedragon-browser.php 17. Comodo Dragon https://www.comodo.com/home/browsers-toolbars/browser.php 18. Coowon http://coowon.com 19. Crusta https://sourceforge.net/projects/crustabrowser 20. Dillo https://www.dillo.org 21. Dolphin http://dolphin.com 22. Dooble https://textbrowser.github.io/dooble 23. Edge https://www.microsoft.com/en-us/windows/microsoft-edge 24. ELinks http://elinks.or.cz 25. Epic https://www.epicbrowser.com 26. Epiphany https://projects-old.gnome.org/epiphany 27. Falkon https://www.falkon.org 28. Firefox https://www.mozilla.org/en-US/firefox/new 29.
    [Show full text]
  • Table of Content
    ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018 World Conference on Cybersecurity (WCC) London International Model United Nations 19th Session | 2018 Table of Content I ZZ LONDON INTERNATIONAL MODEL UNITED NATIONS 2018 Table of Contents Introduction Letters .................................................................................................... 1 Yuji DEVELLE ........................................................................................................ 1 Chloe AMELLAL .................................................................................................... 1 Isabel VICARÍA BARKER ..................................................................................... 2 Introduction to the Committee ................................................................................... 3 Topic A: Defining Cyberspace and Classifying Cyber-attacks .............................. 5 Introduction .............................................................................................................. 5 Key Concepts ............................................................................................................ 6 Cyberspace .............................................................................................................. 6 Cyber warfare vs. cyber crime................................................................................ 8 Cyber-attacks ........................................................................................................ 10 Hacking ................................................................................................................
    [Show full text]
  • Ant Download Manager (Antdm) V.2.3.2
    English Ant Download Manager (AntDM) v.2.4.0 Some of the contents in this manual may differ from the software, as software development continues. User Guide 2021 Table of Contents Overview ....................................................................................................................................................4 System Requirements .........................................................................................................................5 Installation ..................................................................................................................................................6 Uninstall .............................................................................................................................................11 Premium Link Generators (Debrids) .......................................................................................................12 Torrents ....................................................................................................................................................14 Browser Integration ..................................................................................................................................15 Google Chrome .................................................................................................................................16 Chromium Clones ........................................................................................................................17 Mozilla Firefox ....................................................................................................................................18
    [Show full text]
  • Internet Security 6.3 Software Version 6.3
    Comodo Internet Security 6.3 Software Version 6.3 User Guide Guide Version 6.3.111114 Comodo Security Solutions 1255 Broad Street Clifton, NJ, 07013 United States Comodo Internet Security 6.3 - User Guide Table of Contents 1.Introduction to Comodo Internet Security...............................................................................................................................6 1.1.Special Features...............................................................................................................................................................10 1.2.System Requirements.......................................................................................................................................................13 1.3.Installation.........................................................................................................................................................................13 1.3.1.CIS Premium - Installation........................................................................................................................................14 1.3.2.CIS Pro - Installation and Activation.........................................................................................................................27 1.3.3.CIS Complete - Installation and Activation...............................................................................................................39 1.3.4.Activating CIS Pro/Complete Services after Installation...........................................................................................52
    [Show full text]
  • Cyber-Terrorism Activities Report No. 16 January
    ICT Cyber-Desk PERIODIC REVIEW Cyber-Terrorism Activities Report No. 16 January – March 2016 Highlights This report covers the period of January - March 2016 and covers two main subjects: cyber-terrorism (offensive, defensive, and the media, and the main topics of jihadist discourse) and cyber-crime, whenever and wherever it is linked to jihad (funding, methods of attack). The following are among the issues covered in this report: The continuing trend of publishing information security guidelines and recommendations, including information and recommendations for correct methods of operation and software manuals, or services with a high encryption or anonymity level. Terrorist organizations continue to publish information about the dangers of intelligence and law enforcement officials who operate on the Internet to search for and locate terrorism supporters. In addition, all supporters are called on to continue spreading the organizations’ messages and guidelines for proper work. Officials in jihadist organizations continue to spread Best Practice guidebooks on the Internet and guidelines for using software and applications to increase information security. These are mainly used to encrypt data on the device and/or for data trafficking and maintaining the anonymity of Internet users. In addition, manuals for video processing are found. As previously stated, in recent years organizations have been using a wide range of software in order to create visual content at a professional level. Terrorists and terrorism supporters continue to hack Internet sites, especially as part of defacement attacks. In January 2016, Islamic State activists tried to recruit hackers to hack into government databases for pay. In February 2016, a television interview in Lebanon reported the existence of a Shi’ite hacker group, affiliated with Hezbollah, named Kadimon (translation – we are coming).
    [Show full text]