As ICS-CERT published its ICS-ALERT-14-281-01B alert, it triggered the question of the attackers’ goal when compromising ICS networks. In order to acquire better understanding of their intentions, we analyzed a series of samples related to the BlackEnergy family of malwares.
The most interesting sample that produced the findings in this report was BlackEnergy 3, which is probably a private modification of the publicly available BlackEnergy DDOS Bot. After analyzing the malware, we found clues that the attackers might be leveraging the initial infection in order to perform data exfiltration from the inner parts of these networks. The module that led us to this conclusion has the ability of serving RPC functions to remote clients in the same network, which means it is able to send commands to the deeper ends of the same network.
When harnessing these capabilities inside ICS environments, which might be considered isolated, exfiltration of valuable data can take place, allowing attackers to gain insights regarding network structure and operational processes. This data is considered highly valuable when targeting such networks, and it is a necessary step before starting a large scale operation.