PALO ALTO, California, May 27, 2015 /PRNewswire/ --
In a report released today, CyberX reveals that their research team has found indicators that the attackers behind BlackEnergy 3 aim to perform data exfiltration from ICS Networks.
As ICS-CERT published its ICS-ALERT-14-281-01B alert, it triggered the question of the attackers' goal when compromising ICS networks. The most interesting sample that produced the findings in this report was BlackEnergy 3. After analyzing the malware, CyberX found clues that the attackers might be leveraging the initial infection in order to perform data exfiltration from the inner parts of these networks.
Nir Giller, Co-Founder and CTO elaborates: "The module that led us to this conclusion has the ability of serving RPC functions to remote clients in the same network, which means it is able to send commands to the deeper ends of the same network."
When harnessing these capabilities inside ICS environments, which might be considered isolated, exfiltration of valuable data can take place, allowing attackers to gain insights regarding network structure and operational processes. This data is considered highly valuable when targeting such networks, and it is a necessary step before starting a large scale operation.
Giller adds: "Our research has led us to the conclusion that there may be other undiscovered plugins, which would be responsible for the reconnaissance and data exfiltration from the deeper parts of the organizational network."
CyberX was founded in 2013 by Omer Schneider and Nir Giller, both veterans of the Israeli Defense Force (IDF) Elite Cyber Security Unit, with extensive experience in securing OT Networks. Once they learned about the state of security in the civilian Industrial Internet, they decided to commit themselves to making a difference and founded CyberX, introducing real-time security into the Industrial Internet.