Patrick Coyle, writing on his Chemical Facility Security blog, notes a long-term campaign that has been compromising industrial control system security. The following is from his blog. Check out his site.
This evening the DHS ICS-CERT published an alert about a long term anti-ICS campaign that has been compromising various control systems from multiple vendors since at least 2011. ICS-CERT is reporting that, at a minimum, HMI from GE, Advantech and Siemens have been compromised in this campaign. They are not currently reporting any damage to control systems or to operations that are controlled by those systems.
ICS-CERT is publicly providing detailed information about how these compromised HMI can be identified and it is asking all potentially affected system owners to check their systems and notify ICS-CERT if evidence of compromise exists.
As one would suspect with something that is apparently as serious as this, ICS-CERT has released an alert (ICS-ALERT-14-281-01P) on the US-CERT secure portal and has already published an update to that alert. ICS-CERT is also taking the unusual step of publicly describing that alert and notifying “US critical infrastructure asset owners and operators” that they can request a copy of the alert by email ([email protected]).
As I have already mentioned on TWITTER, this is the most detailed ICS-CERT alert that I have ever seen, especially on an initial publication. This is the type of information that we should be able to expect from ICS-CERT. This is also the type of problem that we really need to be able to expect them to delve deeply into. I suspect, however, that we will be receiving the bulk of our information on this from private sector researchers who will have more resources and expertise to throw at this problem. That would be a good topic for a congressional investigation.
BTW: Here is an interesting question about this issue from Chris Sistrunk: “Could the BlackEnergy ICS malware be related to the vulns discovered by Z0mb1E and amisto0x07 from ZDI and the Metasploit mods they wrote?”
BTW: The alert contains a link to the GE security page. Nothing specific there except a brief note that: “The CIMPLICITY Webview server that existed in prior versions of CIMPLICITY, has been removed due to security concerns.” No further information available.