Blackjack group used ICS malware Fuxnet against Russian targets


Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

Pierluigi Paganini
Blackjack group used ICS malware Fuxnet against Russian targets April 15, 2024

Blackjack group used ICS malware Fuxnet against Russian targets

The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against Russian infrastructure.

Industrial and enterprise IoT cybersecurity firm Claroty reported that the Ukrainian Blackjack hacking group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using a destructive ICS malware dubbed Fuxnet.

The Blackjack group is believed to be affiliated with Ukrainian intelligence services that carried out other attacks against Russian targets, including an internet provider and a military infrastructure.

The group claims to have attacked Moscollector, a Moscow-based company, that is responsible for the construction and monitoring of underground water and sewage and communications infrastructure. 

The website ruexfil.com provided detailed information about the attacks against Moscollector, the hackers also published screenshots of monitoring systems, servers, and databases they claim to have compromised.

Fuxnet malware
Blackjack group used ICS malware Fuxnet against Russian targets 4

The site also hosts password dumps allegedly stolen from the Russian company.

Below is the timeline of the attack published on ruexfil.com:

Initial access June 2023.
- Access to 112 Emergency Service.
- 87,000 sensors and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- Fuxnet (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment
(by NAND/SSD exhaustion and introducing bad CRC into the firmware). (YouTube Video 1, YouTube Video 2).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded
control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including
the admins workstations) have been deleted.
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been certified by the FSB for being 'secure & trusted' (picture included)
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)

The website reported that Blackjack destroyed about 1,700 sensor routers deployed at airports, subways, gas-pipelines. The group also disrupted the central command-dispatcher and database. The attack brought all 87,000 sensors offline, threat actors also wiped databases, backups, and email servers, a total of 30TB of data.

“Fuxnet has now started to flood the RS485/MBus and is sending ‘random’ commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, …and other civilian targets).” states the website.

Team82 and Claroty have been unable to verify the attackers’ claims, however, they conducted a detailed analysis of the Fuxnet malware relying on information provided by the attackers.

“For example, Blackjack claims to have damaged or destroyed 87,000 remote sensors and IoT collectors. However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact.” reads the analysis published by Claroty. “If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”

The attack chain sees hackers targeting a list of sensor gateways IPs. Threat actors distributed their malware to each target, likely either through remote-access protocols such as SSH or the sensor protocol (SBK) over port 4321.

Upon running on the target device, the malware initiates a new child process to lock out the device. The malicious code remounts the filesystem with write access, then delete essential filesystem files and directories and disables remote access services such as SSH, HTTP, telnet, and SNMP. This prevents remote access for restoring operations even if the router remains functional.

Subsequently, the threat actors erase the router’s routing table, rendering its communication with other devices non-functional. Finally, the malware deletes the filesystem and rewrites the flash memory using the operating system’s mtdblock devices.

Once it has corrupted the file system and isolated the device, the malware attempts to destroy the NAND memory chip physically and rewrites the UBI volume to prevent rebooting. 

“In order to ensure the sensor does not reboot again, the malware rewrites the UBI volume. First, the malware uses the IOCTL interface UBI_IOCVOLUP allowing it to interact with the management layer controlling the flash memory, which tells the kernel that the UBI volume will be rewritten, and that x-number of bytes will be written.” continues the report. “In its normal behavior, the kernel will know that the rewrite is finished only when x-number of bytes were written. However, the malware will not write x-number of bytes to the UBI, instead it will write fewer bytes than it declares, causing the device to wait for the rewrite to finish indefinitely.”  

The malware overwrites the UBI volume with junk data (0xFF), making the UBI useless and the filesystem becomes unstable.

The malware also tries to disrupt gateway-connected sensors by flooding serial channels with random data, overloading the serial bus and the sensors.

“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways.” concludes the report.

(SecurityAffairs – hacking, Fuxnet)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini







Source link