Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security Technology

Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com) 50

itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.
This discussion has been archived. No new comments can be posted.

Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal

Comments Filter:
  • stuxnet was typical short sighted policy from usa/isreali establishment. they should have known that such weapons do more damage to the more technologically advanced nations than those less advanced.
    now suffer the consequences of there being no longer a moral high ground for anyone in west(which being democratic means sins of government cannot be transfered to few dictators/elite) with regard to these. all things allowed.

    • > stuxnet was typical short sighted policy from usa/isreali establishment.

      Stuxnet was a way for the US to put pressure on Iran nuclear program without actually bombing the shit out of it, which was what Israel pushed for years. Stuxnet may very well have adverted a war between these countries. Do you think the US would have the "moral high ground" had this happen?

  • by CajunArson ( 465943 ) on Tuesday January 05, 2016 @09:24AM (#51241011) Journal

    On the eve of Dec. 23,

    Or, as those of us who aren't from the 17th century would say, December 22.

  • by Registered Coward v2 ( 447531 ) on Tuesday January 05, 2016 @09:39AM (#51241075)
    is that, in some cases, once you attack a target you leave behind the weapon you used; so that the target can repurpose it to launch a strike against who they perceive as the perpetrator of the attack. While that would require some sophistication on the target's part, it would not surprise me to see someone launch an counter strike using the original weapon; the challenge being determining who launched the initial attack. Of course, some targets may not worry too much about verifying the source but simply retaliating against a non or perceived enemy.
  • hmmm (Score:5, Insightful)

    by sociocapitalist ( 2471722 ) on Tuesday January 05, 2016 @09:39AM (#51241077)

    "...district in Ukraine suffered a power outage."

    This wouldn't be Russia's 'deniable' response to Ukraine cutting electricity to Crimea...?

  • by invictusvoyd ( 3546069 ) on Tuesday January 05, 2016 @09:40AM (#51241081)
    did it enter the grid.
    • by dbIII ( 701233 )

      How did it enter the grid.

      I'll bet some loser demanded realtime monitoring and/or control from his office and MS Windows PC instead of maintaining the careful airgap specified by the people who designed the systems in place.
      The main point in the past of having the "remote interface" as a telephone to the guy in the control room was so the guy on the spot could see which instructions were utterly stupid before they could be implemented.

  • by xxxJonBoyxxx ( 565205 ) on Tuesday January 05, 2016 @09:57AM (#51241135)

    This thing is actually pretty neat. It installs itself when SndVol.exe runs because there's a backwards-compatibility thing in Windows that elevates that "safe" executable (around UAC), and SndVol.exe is then used to execute the "arbitrary code" that gets the ball rolling.
    (https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf - Page 8)

  • Dropbear (Score:4, Informative)

    by gb7djk ( 857694 ) * on Tuesday January 05, 2016 @10:13AM (#51241209) Homepage
    Could I gently point out that Dropbear [ucc.asn.au] is not, per se, a "trojaned ssh server". It is just a small opensource sshd implementation that is used for embedded applications, including things such as OpenWrt [openwrt.org] routers.
    • by XXongo ( 3986865 ) on Tuesday January 05, 2016 @10:27AM (#51241271) Homepage

      Could I gently point out that Dropbear [ucc.asn.au] is not, per se, a "trojaned ssh server". It is just a small opensource sshd implementation that is used for embedded applications, including things such as OpenWrt [openwrt.org] routers.

      The sentence from the article was "Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear."

      This is ambigous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

      That is, it's not clear whether the SSH server is called Dropbear, and it has been backdoored, or whether it is the backdoored version that is called Dropbear.

      • by arth1 ( 260657 )

        This is ambigous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

        Without a comma before "called", it's not all that ambiguous.
        But it should be "an SSH server".

        • by Anonymous Coward

          But it should be "an SSH server".

          You mean it's not pronounced "Ssssss-shhhhhh Server"?

          Next you'll be telling me it isn't "earl" (URL) or "irk"(IRC).

          And don't even get me started on .GIF

        • by XXongo ( 3986865 )

          This is ambigous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".

          Without a comma before "called", it's not all that ambiguous.

          A comma would have removed the ambiguity by inserting a grammatical break.

          Without the comma, there is no grammatical break, and the reader has to decide where the break goes.

  • by Bob the Super Hamste ( 1152367 ) on Tuesday January 05, 2016 @12:23PM (#51241813) Homepage
    For those looking for some more info on the attack you can find it here [sans.org]. It is basically what some investigators have uncovered thus far and as a bonus it isn't in Ukrainian.

"When the going gets weird, the weird turn pro..." -- Hunter S. Thompson

Working...