Ukrainian hackers from the Blackjack gang attacked Russian targets with ICS malware “Fuxnet”


Mélina LOUPIA

April 16, 2024 at 4:25 p.m.

The Blackjack gang has decided to paralyze Russian infrastructure - © DC Studio / Shutterstock

Fuxnet, a destructive ICS malware, was used by the Ukrainian hacking group Blackjack to disrupt Russian infrastructure.

Don’t be fooled by its name. Blackjack is not fun. It is the name of a group of Ukrainian hackers who used Fuxnet, an industrial control system (ICS) malware, to carry out an attack against Russia. Claroty, a company specializing in the cybersecurity of industrial and IoT systems, analyzed the attack.

Blackjack has launched attacks on several Russian organizations vital to the country’s economy, including Internet service providers, utilities, data centers and military installations.

To press its advantage, Blackjack recently revealed details of an alleged attack on Moscollector, a Moscow company responsible for underground infrastructure, including water, sanitation and communications systems.

After Russian hackers from the Sandworm group infiltrated a Ukrainian telecoms giant, it seems that cyberwar has been declared between the two countries, which have already been waging a battle on land and in the air since 2022.

Attack on Russian industrial infrastructure

The hackers said they neutralized Russia’s industrial surveillance and sensor infrastructure. They said they disabled the Network Operations Center (NOC), which oversees various systems, including gas and water, as well as a wide range of remote IoT sensors and controllers. According to them, database, email, internal monitoring and data storage servers were wiped.

They also said they took out 87,000 sensors, including those linked to airports, subway systems and gas pipelines, using the Fuxnet malware, which they liken to a “Stuxnet on steroids” capable of physically destroying sensor equipment. They claim that Fuxnet flooded the RS-485/M-Bus serial lines, sending random commands to 87,000 embedded control systems and sensors, while avoiding civilian targets such as hospitals and airports.

Blackjack has made public information about their activities against Moscollector and the information stolen during the attack on the ruexfil site. They claimed to have accessed the Russian emergency number 112 and hacked sensors and controllers in critical infrastructure, including airports, subways and gas pipelines, all of which were disabled. They also shared details and code of the Fuxnet malware used in the attack. They disabled network devices such as routers and firewalls, deleted servers, workstations and databases, wiping 30TB of data including backup drives. They disabled access to the Moscollector office building by invalidating all access cards and dumped passwords for several internal departments.

Between Ukraine and Russia, there is also cyberwar - © Tomas Ragina / Shutterstock

Analysis of the attack by Claroty

The hackers’ claims are questionable, but Claroty analyzed the Fuxnet malware using data provided by Blackjack. Claroty clarified that Moscollector’s sensors, which measure physical data such as temperature, would not have been affected by Fuxnet. The malware instead reportedly targeted around 500 sensor gateways, which relay sensor information via a serial bus such as RS-485/Meter-Bus and transmit the data via the Internet to the global monitoring system.

Claroty said that if these gateways were damaged, the repairs would be extensive, as the firmware of these devices, which are scattered across Moscow and its surrounding areas, would have to be replaced or reprogrammed. The analysis indicates that Fuxnet was allegedly deployed remotely, erasing crucial files and directories, disabling remote access services, and removing routing information to isolate the devices. The malware then allegedly corrupted the file system and flash memory, attempted to destroy the NAND memory chip, and rewrote the UBI volume to prevent the device from rebooting.

Additionally, Fuxnet would have disrupted the sensors by flooding the serial channels with random data, thus overloading the serial bus and the sensors. Claroty explains that the malware would have repeatedly written arbitrary data to the Meter-Bus channel, preventing the transmission and reception of data by the sensors and the gateway, rendering data collection inoperable. So, despite what the hackers say, it appears that only the sensor gateways were compromised, and not the sensors themselves.
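A defender’s counterpart to the flooding Claroty describes, as an added example that is not code from the article or from Claroty: a small Meter-Bus frame validator that walks a captured serial byte stream and reports how much of it fails to parse as a frame, since a bus saturated with arbitrary data shows up as a high proportion of stray bytes. The frame layouts follow EN 13757-2; the sample captures and the 20% threshold are constructed assumptions.

```python
# Added example, not code from the article or from Claroty: a Meter-Bus
# (EN 13757-2) frame validator used as a simple bus-health check.
START_LONG, START_SHORT, ACK, STOP = 0x68, 0x10, 0xE5, 0x16

def parse_frame(buf: bytes, pos: int) -> int:
    """Return the length of a well-formed M-Bus frame at buf[pos], else 0."""
    b = buf[pos]
    if b == ACK:                                  # single-character ACK
        return 1
    if b == START_SHORT:                          # 0x10 C A CS 0x16
        ok = (pos + 5 <= len(buf) and buf[pos + 4] == STOP
              and (buf[pos + 1] + buf[pos + 2]) & 0xFF == buf[pos + 3])
        return 5 if ok else 0
    if b == START_LONG:                           # 0x68 L L 0x68 C A CI .. CS 0x16
        if pos + 4 > len(buf) or buf[pos + 3] != START_LONG:
            return 0
        length = buf[pos + 1]                     # C + A + CI + user data
        end = pos + 4 + length + 2                # index just past the stop byte
        if length < 3 or buf[pos + 2] != length or end > len(buf):
            return 0
        if buf[end - 1] != STOP or sum(buf[pos + 4:end - 2]) & 0xFF != buf[end - 2]:
            return 0
        return end - pos
    return 0                                      # not a frame start byte

def scan_capture(buf: bytes) -> dict:
    """Walk a captured byte stream, counting valid frames and stray bytes."""
    pos = frames = stray = 0
    while pos < len(buf):
        n = parse_frame(buf, pos)
        frames, stray = frames + (n > 0), stray + (n == 0)
        pos += n or 1                             # resync one byte at a time
    return {"frames": frames, "stray_bytes": stray,
            "stray_ratio": stray / len(buf) if buf else 0.0}

def flood_suspected(stats: dict, max_stray_ratio: float = 0.2) -> bool:
    """A healthy bus has a near-zero stray ratio; random-data flooding drives it up."""
    return stats["stray_ratio"] > max_stray_ratio

def long_frame(c: int, a: int, ci: int, data: bytes) -> bytes:
    """Build a well-formed long frame (only used to construct sample traffic)."""
    body = bytes([c, a, ci]) + data
    return (bytes([START_LONG, len(body), len(body), START_LONG]) + body
            + bytes([sum(body) & 0xFF, STOP]))

# Constructed sample captures (not real traffic): a normal exchange of a long
# frame, an ACK and a short frame, then the same exchange plus 13 garbage bytes.
HEALTHY = (long_frame(0x08, 0x01, 0x72, b"\x78\x56\x34\x12") + bytes([ACK])
           + bytes([START_SHORT, 0x40, 0x01, 0x41, STOP]))
FLOODED = HEALTHY + bytes.fromhex("3a9f0044e17bc3d25590ab61f2")
```

Running `scan_capture` over a gateway’s serial capture at intervals and alerting when `flood_suspected` flips gives an early indication that the bus is being saturated rather than merely quiet.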

Source : Security Affairs, Claroty
