Malware targets GE and Siemens HMI software
The US Government’s industrial controls cyber-security agency, ICS-Cert, has uncovered a “sophisticated” malware campaign that, it says, has compromised numerous industrial control systems (ICSs) using a variant of the malware known as BlackEnergy. Analysis suggests that this campaign has been underway since at least 2011.
ICS-Cert (the Industrial Control Systems Cyber Emergency Response Team) reports that “multiple companies” that it is working with have identified the malware on Internet-connected HMI systems running software including GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess. It is currently unknown whether other vendor’s products have also been targeted. ICS-Cert is working with the affected vendors to evaluate the activity and to notify their users.
So far, ICS-Cert has not identified any attempts to damage, modify, or otherwise disrupt the victims’ control processes, and it has not been able to verify whether the intruders expanded access beyond the compromised HMI into the rest of the control system. However, typical malware deployments have included modules that search out network-connected file shares and removable media. The malware is highly modular and not all of its functions are deployed to all of its victims.
ICS-Cert is “strongly” encouraging owners and operators to look for signs of compromise in their control systems. It has issued an alert containing details of its findings and recommendations.