Cyberespionage Group Adds Disk Wiper and SSH Backdoor To Its Arsenal (csoonline.com)
itwbennett writes: A cyberespionage group known in the security community as Sandworm or BlackEnergy, after its primary malware tool, has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server. On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations. Researchers from antivirus vendor ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one. 'As well as being able to delete system files to make the system unbootable — functionality typical for such destructive trojans — the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,' the ESET researchers said in a blog post.
after USA/Israeli Stuxnet all things allowed (Score:2)
Stuxnet was typical short-sighted policy from the USA/Israeli establishment. They should have known that such weapons do more damage to more technologically advanced nations than to less advanced ones.
Now suffer the consequences of there no longer being a moral high ground for anyone in the West (which, being democratic, means the sins of government cannot be transferred to a few dictators/elite) with regard to these. All things allowed.
Re: after USA/Israeli Stuxnet all things allowed (Score:1)
Are you sure? If I remember correctly, it was distributed by USB sticks, left at public places. Within the targeted country. Could someone have just found one and tried it? Was it in a debris field?
So, again, why attack a country through its power grid? To disrupt... the military, who are not dependent on a power grid? That is an attack on civilians, against the world's combat rules. A war crime. It should be punished as a war crime. Not whoo rah, but prosecuted.
Re: (Score:3)
Are you sure? If I remember correctly, it was distributed by USB sticks, left at public places. Within the targeted country. Could someone have just found one and tried it? Was it in a debris field?
Sure, but it targeted PCs that ran Siemens Step7 software controlling programmable logic controllers. That's not something that regular users have on their PC.
Re: (Score:2)
Yeah, like Russia would've not used such a thing anyway. And compared to stuxnet, this is used against civilians. Stuxnet was against nuclear weapons.
It was against centrifuges. But talking about nuclear weapons just makes it scarier, eh?
Re: (Score:2)
It was against centrifuges used for the production of nuclear weapons.
You see, there are two uranium isotopes - U-235 and U-238. U-238 makes up the vast majority of uranium mined (over 99%) while U-235 is around half a percent or so. For a nuclear reactor, depending on its design, it may be able to run on unenriched uranium, or enriched to around 3%.
Nuclear weapons use weapons-grade enriched uranium, which requires 90%
Re: (Score:2)
"It was against centrifuges that were being used for the production of nuclear weapons."
FTFY
Re: (Score:2)
> Stuxnet was typical short-sighted policy from the USA/Israeli establishment.
Stuxnet was a way for the US to put pressure on Iran's nuclear program without actually bombing the shit out of it, which was what Israel pushed for years. Stuxnet may very well have averted a war between these countries. Do you think the US would have the "moral high ground" had this happened?
Yeah, that's December 22 (Score:5, Funny)
On the eve of Dec. 23,
Or, as those of us who aren't from the 17th century would say, December 22.
An interesting feature of cyber warfare (Score:5, Interesting)
Re: (Score:1)
I am no expert, as my posts will attest, but I'm not seeing anything major to complain about. It's a bit complex but I don't see any complaint other than it is a bit complex. The grammar, spelling, and punctuation look not just fine but exceptionally fine, considering that it is just a Slashdot post.
hmmm (Score:5, Insightful)
"...district in Ukraine suffered a power outage."
This wouldn't be Russia's 'deniable' response to Ukraine cutting electricity to Crimea...?
How (Score:3)
Re: (Score:2)
How did it enter the grid.
I'll bet some loser demanded realtime monitoring and/or control from his office and MS Windows PC instead of maintaining the careful airgap specified by the people who designed the systems in place.
The main point in the past of having the "remote interface" as a telephone to the guy in the control room was so the guy on the spot could see which instructions were utterly stupid before they could be implemented.
Installs itself through SndVol.exe (Score:5, Informative)
This thing is actually pretty neat. It installs itself when SndVol.exe runs because there's a backwards-compatibility thing in Windows that elevates that "safe" executable (around UAC), and SndVol.exe is then used to execute the "arbitrary code" that gets the ball rolling.
(https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf - Page 8)
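The comment above turns on one property of SndVol.exe: Windows marks a small set of its own binaries as eligible for silent UAC elevation, and a binary that can be made to run attacker-controlled code from that whitelist gets the elevation for free. The script below is an added triage example, not code from the thread or from the F-Secure paper. It assumes the whitelist membership is expressed, as it is for Microsoft's own auto-elevating programs, by an `<autoElevate>true</autoElevate>` element in the executable's embedded application manifest, and it recovers that manifest with a byte scan for the `<assembly>` element rather than a full PE resource-tree walk (the RT_MANIFEST resource is stored as uncompressed XML, so the scan works on real files). The sample inputs are constructed byte blobs, not real Windows binaries.

```python
"""Report whether a Windows executable's embedded manifest requests UAC
auto-elevation.  Added example; the two SAMPLE_* blobs below are constructed
stand-ins for a PE file, not real system binaries."""
import re
import sys
import xml.etree.ElementTree as ET

# RT_MANIFEST resources are plain XML inside the image, so a raw scan for the
# outermost <assembly> element is enough to pull them out for triage.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def extract_manifests(data: bytes) -> list:
    """Return every embedded manifest found in the raw file bytes."""
    return [m.group(0).decode("utf-8", "replace") for m in MANIFEST_RE.finditer(data)]


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def inspect_manifest(xml_text: str) -> dict:
    """Pull the requested execution level and the autoElevate flag out of one manifest."""
    result = {"execution_level": None, "auto_elevate": False}
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            result["execution_level"] = el.get("level")
        elif name == "autoElevate":
            result["auto_elevate"] = (el.text or "").strip().lower() == "true"
    return result


def triage(data: bytes) -> list:
    """One finding per manifest; a manifest that fails to parse is reported, not skipped."""
    findings = []
    for manifest in extract_manifests(data):
        try:
            findings.append(inspect_manifest(manifest))
        except ET.ParseError:
            findings.append({"execution_level": None, "auto_elevate": False,
                             "error": "unparseable manifest"})
    return findings


# Constructed sample: a fake PE-ish prefix followed by a manifest of the shape
# Microsoft's auto-elevating binaries carry (asm.v3 trustInfo + WindowsSettings).
SAMPLE_AUTOELEVATE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\xcc" * 32
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    b'<requestedExecutionLevel level="highestAvailable" uiAccess="false"/>'
    b'</requestedPrivileges></security></trustInfo>'
    b'<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">'
    b'<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">'
    b'<autoElevate>true</autoElevate>'
    b'</asmv3:windowsSettings></asmv3:application></assembly>' + b"\x00" * 16
)

# Constructed sample: an ordinary application manifest with no auto-elevation.
SAMPLE_PLAIN = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
    b'</requestedPrivileges></security></trustInfo></assembly>'
)


if __name__ == "__main__":
    # Usage: python manifest_triage.py C:\Windows\System32\SndVol.exe ...
    targets = sys.argv[1:]
    if not targets:
        print("constructed samples:", triage(SAMPLE_AUTOELEVATE), triage(SAMPLE_PLAIN))
    for path in targets:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it over the System32 directory to enumerate the auto-elevating set on a given build; every binary in that list is worth a second look in an incident, because a DLL search-order or shim-redirect trick against it lands the attacker's code at high integrity without a UAC prompt. A `true` result is a property of the binary, not evidence of compromise; the finding is the starting point for checking what that binary loaded.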
I'm not falling for that (Score:2)
Very droll.
Re: (Score:1)
PDF/A is an open standard and completely safe. Nobody forces you to use an unsafe reader (like those from Adobe).
Re:Still Struggling To Understand (Score:5, Interesting)
>> why critical infrastructure control systems like generation and grid control would not be air-gapped
It often IS, so sophisticated malware authors (e.g., Stuxnet) sometimes write malware that targets computers that are temporarily plugged into critical infrastructure (such as a tech's diagnostic laptop), because those machines are also often plugged into another network to get updates (where they can be attacked and infected). This page has a nice summary: http://www.sagedatasecurity.co... [sagedatasecurity.com]
Dropbear (Score:4, Informative)
Grammatical ambiguity [Re:Dropbear] (Score:4, Informative)
Could I gently point out that Dropbear [ucc.asn.au] is not, per se, a "trojaned ssh server". It is just a small open-source sshd implementation that is used for embedded applications, including things such as OpenWrt [openwrt.org] routers.
The sentence from the article was "Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear."
This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".
That is, it's not clear whether the SSH server is called Dropbear, and it has been backdoored, or whether it is the backdoored version that is called Dropbear.
Re: (Score:2)
This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".
Without a comma before "called", it's not all that ambiguous.
But it should be "an SSH server".
Re: (Score:1)
But it should be "an SSH server".
You mean it's not pronounced "Ssssss-shhhhhh Server"?
Next you'll be telling me it isn't "earl" (URL) or "irk"(IRC).
And don't even get me started on .GIF
Re: (Score:2)
Remember when laptops had puckmuckia ports?
Re: (Score:2)
This is ambiguous. It could be read either as "(a backdoored version of a SSH server) (called Dropbear)" or "(a backdoored version of) (a SSH server called Dropbear)".
Without a comma before "called", it's not all that ambiguous.
A comma would have removed the ambiguity by inserting a grammatical break.
Without the comma, there is no grammatical break, and the reader has to decide where the break goes.
Some more info on the incident (Score:4, Interesting)