Sandworm Black Energy “ongoing campaign”

[Screenshot of the ICS-CERT Web site]

This past week ICS-CERT released what I consider to be its first public foray into incident response intelligence. It is unclear exactly how ICS-CERT learned of the breaches, but they seem to be engaged in the response/analysis at some level.

I have a couple of observations to share:

1. ICS-CERT is emphasizing the “automated” nature of attacks against Internet-connected ICS (especially GE Cimplicity), but hasn’t said much about how the attacks are “automated”. At present, the attacks do not appear quite as advanced as what we saw with Havex/Yeti/Dragonfly — which looks for ICS on the internal network.

2. It is also interesting that GE’s advisory on the issue mentions: 1) attacks against GE Cimplicity software connected to the business network; and, 2) phishing attacks trying to get users to load malicious CIMPLICITY software files. The ICS-CERT Alert has not mentioned those techniques.

Critical Intelligence has provided granular analysis of this “campaign” and the GE vulnerabilities that are apparently being exploited in its Core Cyber Situational Awareness Service offering.