Sandworm Team – Targeting SCADA Systems


October 21, 2014

iSIGHT Partners


These details provided in collaboration with Drew Robinson…my thanks for his continued hard work.

UPDATE on Sandworm Team Targeting SCADA Systems

Since our disclosure last week of Sandworm Team, the cyber espionage operators using the CVE-2014-4114 zero-day, excellent work by others in the community has shed new light on aspects of their behavior of which we were previously unaware. We are still uncovering new facets of this campaign, including its targeting, malware, and novel command and control methods, but perhaps most disconcerting is the team's interest in the software that runs critical infrastructure.

Late last week, through some excellent sleuthing, Trend Micro obtained evidence that Sandworm Team is targeting industrial control systems. While searching an open command and control server, they found a file associated with CIMPLICITY, the HMI and SCADA software made by GE. The file is a CIMPLICITY file containing instructions to download a BlackEnergy payload and execute it from a path used only by the SCADA software; the installation would not function on a system without CIMPLICITY installed.

Broader Targeting

After taking another look, we also found a second file that suggests targeting of WinCC, Siemens' HMI and SCADA software. The file, CCProjectMgrStubEx.dll, is named very similarly to CCProjectMgr.exe, a legitimate WinCC executable. WinCC may sound familiar to some in cyber security: it is the same software previously targeted by the Stuxnet intrusions.

Though we now believe Sandworm Team is targeting ICS, we are still attempting to unravel their ultimate intent. Other Sandworm Team activity is almost certainly designed to collect intelligence on military and diplomatic adversaries, and there are good reasons for Russian actors to monitor competing energy interests.

However, given the function of these systems, and historical precedents such as Stuxnet and the destructive incidents in the Gulf, we are still weighing the possibility that these intrusions are reconnaissance for a future attack.

We will continue to monitor the activities of this team and provide updates for the community as they become available.

For access to the full report on the Sandworm Team – including technical indicators – please request the report here

To watch an on-demand version of the Sandworm Team briefing we provided to interested parties last week, please go here