{"id":61078,"date":"2025-09-26T11:14:46","date_gmt":"2025-09-26T11:14:46","guid":{"rendered":"https:\/\/becolve.com\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/"},"modified":"2025-09-26T11:14:46","modified_gmt":"2025-09-26T11:14:46","slug":"sandworm-the-latest-apt-that-threatens-industrial-control-systems","status":"publish","type":"blog","link":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/","title":{"rendered":"Sandworm: the Latest APT that Threatens Industrial Control Systems"},"content":{"rendered":"<p>Sandworm is an APT that affected transactional systems of government bodies (NATO, Ukrainian government, etc.), acting between June and October 2014, and is currently using certain SCADA systems as an attack vector to compromise industrial environments.<\/p>\n<p><strong>Sandworm in transactional environments<\/strong><\/p>\n<p>Sandworm was delivered as a zero-day exploit (in trojan\/self-executable format) for the vulnerability <a href=\"http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2014-4114\" target=\"_blank\" rel=\"noopener\">CVE-2014-4114<\/a>, which affected several versions of MS Windows (Vista, 7, 8, 2008, 2012).<\/p>\n<p>The official name of the vulnerability was &#8220;Windows OLE Remote Code Execution Vulnerability&#8221; and the payload that was downloaded was named Black Energy. It has since been resolved by a patch published in bulletin <a href=\"https:\/\/technet.microsoft.com\/library\/security\/ms14-060\" target=\"_blank\" rel=\"noopener\">MS14-060<\/a> of October 2014.<\/p>\n<p><strong>What was the attack vector?<\/strong><\/p>\n<p>The attack vector used was spear-phishing and the mere sharing of a PowerPoint file. 
What appeared to be a .ppt file was actually an .INF that called a remote file through a UNC path (that is, a path that names the server or host on an internal network where the file is located, such as \\\\SERVER\\SHARE\\FILE.TXT or, in the case of a host address, \\\\198.51.100.5\\REMOTE.DAT).<\/p>\n<p>In principle, Windows should block this type of path from being launched from PowerPoint. However, that is precisely the vulnerability: Sandworm found a way around this block.<\/p>\n<p>At this point, the .INF file connected to the C2 and downloaded two malicious files named slides.inf and slide1.gif (as if they were part of the PPT presentation).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1418\" src=\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/sandworm.jpg\" alt=\"sandworm\" width=\"600\" height=\"277\"><\/p>\n<p>The slides.inf file renamed the slide1.gif file to slide1.gif.exe.<\/p>\n<p>The next time the PowerPoint application was executed, a drive-by install ran automatically in the background and installed the malware (known as Black Energy).<\/p>\n<p><strong>Sandworm in industrial environments<\/strong><\/p>\n<p>After this vulnerability involving files with the .INF extension was corrected, the Sandworm team has continued to \u201cwork\u201d and is currently using .cim and .bcl type files to achieve its objectives.<\/p>\n<p>These file types are used by the CIMPLICITY HMI Solution Suite from General Electric. In fact, Sandworm deposits files of this type in the CIMPLICITY installation directory using the %CIMPATH% path.<\/p>\n<p>When communication with the C2 is carried out, a file called config.bak appears. This file is a CimEdit\/CimView object (faceplate type) that CIMPLICITY normally uses to manage the SCADA application. 
<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1419\" src=\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/sandworm_apm.jpg\" alt=\"sandworm threat\" width=\"300\" height=\"319\"><\/p>\n<p>Two events are defined in the config.bak file: OnOpenExecCommand and ScreenOpenDispatch.<\/p>\n<p>These allow the malware to maintain communication with the C2 and download different payloads: Spiskideputatovdone.pps and Slide1.gif.exe.<\/p>\n<p>In particular, the latter deposits the FONTCACHE.DAT file, which is a version of BlackEnergy.<\/p>\n<p>The latest news indicates that, as with CIMPLICITY, the Sandworm team could use CCProjectMgrStubEx.dll files to achieve its objectives.<\/p>\n<p>This type of file is similar to the one found in Siemens&#8217; WinCC solution (CCProjectMgr.exe), which makes this type of application a clear target for downloading Black Energy.<\/p>\n<p>The ICS-CERT has echoed these attacks on systems belonging to two major automation vendors (General Electric and Siemens). 
In fact, it has published the following alert: <a href=\"https:\/\/ics-cert.us-cert.gov\/alerts\/ICS-ALERT-14-281-01A\" target=\"_blank\" rel=\"noopener\">https:\/\/ics-cert.us-cert.gov\/alerts\/ICS-ALERT-14-281-01A<\/a><\/p>\n<p>It is important to note that this is an attack vector that may compromise the network in which the HMI systems are located, but it does not directly affect the operation of the SCADA.<\/p>\n<p><strong>Some recommended links:<\/strong><\/p>\n<p><a href=\"https:\/\/nakedsecurity.sophos.com\/2014\/10\/15\/the-sandworm-malware-what-you-need-to-know\/\">https:\/\/nakedsecurity.sophos.com\/2014\/10\/15\/the-sandworm-malware-what-you-need-to-know\/<\/a><\/p>\n<p><a href=\"http:\/\/www.isightpartners.com\/2014\/10\/cve-2014-4114\/\">http:\/\/www.isightpartners.com\/2014\/10\/cve-2014-4114\/<\/a><\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/sandworm-to-blacken-the-scada-connection\/\">http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/sandworm-to-blacken-the-scada-connection\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sandworm is an APT that affected transactional systems of government bodies. 
What was the attack vector?<\/p>\n","protected":false},"author":31,"featured_media":61081,"menu_order":0,"template":"","categories":[1371],"tags":[],"arquitectura":[1839],"area":[],"sector":[],"experto":[1396],"weborigen":[157],"productos-tax":[],"soluciones-tax":[],"marcas-tax":[],"coauthors":[],"class_list":["post-61078","blog","type-blog","status-publish","has-post-thumbnail","hentry","category-cybersecurity","arquitectura-industrial-cybersecurity","experto-industrial-cybersecurity-total-availability","weborigen-ciberseguridadlogitek-com"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Sandworm: the latest threat to industrial control systems<\/title>\n<meta name=\"description\" content=\"Sandworm is an APT that affected transactional systems of government bodies. What was the attack vector?\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sandworm: the latest threat to industrial control systems\" \/>\n<meta property=\"og:description\" content=\"Sandworm is an APT that affected transactional systems of government bodies. 
What was the attack vector?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/\" \/>\n<meta property=\"og:site_name\" content=\"Becolve Digital\" \/>\n<meta property=\"og:image\" content=\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"620\" \/>\n\t<meta property=\"og:image:height\" content=\"250\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@Logitek_es\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"Becolve Digital\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/\",\"url\":\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/\",\"name\":\"Sandworm: the latest threat to industrial control systems\",\"isPartOf\":{\"@id\":\"https:\/\/becolve.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg\",\"datePublished\":\"2025-09-26T11:14:46+00:00\",\"description\":\"Sandworm is an APT that affected transactional systems of government bodies. 
What was the attack vector?\",\"breadcrumb\":{\"@id\":\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#primaryimage\",\"url\":\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg\",\"contentUrl\":\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg\",\"width\":620,\"height\":250},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/becolve.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog Items\",\"item\":\"https:\/\/becolve.com\/en\/blog\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Sandworm: the Latest APT that Threatens Industrial Control Systems\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/becolve.com\/en\/#website\",\"url\":\"https:\/\/becolve.com\/en\/\",\"name\":\"Becolve Digital\",\"description\":\"Transformaci\u00f3n digital en industria e infraestructuras\",\"publisher\":{\"@id\":\"https:\/\/becolve.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/becolve.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/becolve.com\/en\/#organization\",\"name\":\"Becolve 
Digital\",\"url\":\"https:\/\/becolve.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/becolve.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/becolve-logo-h-black_200.png\",\"contentUrl\":\"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/becolve-logo-h-black_200.png\",\"width\":200,\"height\":64,\"caption\":\"Becolve Digital\"},\"image\":{\"@id\":\"https:\/\/becolve.com\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/Logitek_es\",\"https:\/\/www.linkedin.com\/company\/becolve-digital\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Sandworm: the latest threat to industrial control systems","description":"Sandworm is an APT that affected transactional systems of government bodies. What was the attack vector?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/","og_locale":"en_US","og_type":"article","og_title":"Sandworm: the latest threat to industrial control systems","og_description":"Sandworm is an APT that affected transactional systems of government bodies. What was the attack vector?","og_url":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/","og_site_name":"Becolve Digital","og_image":[{"width":620,"height":250,"url":"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@Logitek_es","twitter_misc":{"Est. 
reading time":"3 minutes","Written by":"Becolve Digital"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/","url":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/","name":"Sandworm: the latest threat to industrial control systems","isPartOf":{"@id":"https:\/\/becolve.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#primaryimage"},"image":{"@id":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#primaryimage"},"thumbnailUrl":"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg","datePublished":"2025-09-26T11:14:46+00:00","description":"Sandworm is an APT that affected transactional systems of government bodies. What was the attack vector?","breadcrumb":{"@id":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#primaryimage","url":"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg","contentUrl":"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/Sandworm-1.jpg","width":620,"height":250},{"@type":"BreadcrumbList","@id":"https:\/\/becolve.com\/en\/blog\/sandworm-the-latest-apt-that-threatens-industrial-control-systems\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/becolve.com\/en\/"},{"@type":"ListItem","position":2,"name":"Blog 
Items","item":"https:\/\/becolve.com\/en\/blog\/"},{"@type":"ListItem","position":3,"name":"Sandworm: the Latest APT that Threatens Industrial Control Systems"}]},{"@type":"WebSite","@id":"https:\/\/becolve.com\/en\/#website","url":"https:\/\/becolve.com\/en\/","name":"Becolve Digital","description":"Transformaci\u00f3n digital en industria e infraestructuras","publisher":{"@id":"https:\/\/becolve.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/becolve.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/becolve.com\/en\/#organization","name":"Becolve Digital","url":"https:\/\/becolve.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/becolve.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/becolve-logo-h-black_200.png","contentUrl":"https:\/\/becolve.com\/wp-content\/uploads\/2023\/04\/becolve-logo-h-black_200.png","width":200,"height":64,"caption":"Becolve 
Digital"},"image":{"@id":"https:\/\/becolve.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Logitek_es","https:\/\/www.linkedin.com\/company\/becolve-digital\/"]}]}},"_links":{"self":[{"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/blog\/61078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/users\/31"}],"version-history":[{"count":0,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/blog\/61078\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/media\/61081"}],"wp:attachment":[{"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/media?parent=61078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/categories?post=61078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/tags?post=61078"},{"taxonomy":"arquitectura","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/arquitectura?post=61078"},{"taxonomy":"area","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/area?post=61078"},{"taxonomy":"sector","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/sector?post=61078"},{"taxonomy":"experto","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/experto?post=61078"},{"taxonomy":"weborigen","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/weborigen?post=61078"},{"taxonomy":"productos-tax","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/productos-tax?post=61078"},{"taxonomy":"soluciones-tax","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/soluciones-tax?post=61078"},{"taxonomy":"marcas-tax","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json
\/wp\/v2\/marcas-tax?post=61078"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/becolve.com\/en\/wp-json\/wp\/v2\/coauthors?post=61078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}