Industrial control systems in the United States have been compromised by the BlackEnergy malware toolkit for at least three years in a campaign the US Computer Emergency Response Team has dubbed "ongoing" and sophisticated.
Attackers had compromised unnamed industrial control system operators and implanted BlackEnergy on internet-facing human-machine interfaces, including those from GE Cimplicity, Advantech/BroadWin WebAccess, and Siemens WinCC.
The latter system was often used by large plant operators, including Iran's Natanz uranium facility at the time it was hosed by Stuxnet; however, the latest attacks targeting the platform are suspected but not confirmed.
US-CERT had not identified attempts to damage or disrupt system processes but had not verified if hackers had pivoted laterally across the victim networks.
"However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment," US-CERT wrote.
"The malware is highly modular and not all functionality is deployed to all victims."
Many of the victims were running the Advantech/BroadWin WebAccess platform with direct net access, but the attack vector had not yet been identified.
Attacks against Cimplicity were exploiting CVE-2014-0751, published by US-CERT in January.
The news comes a month after Finnish malware researchers warned that the BlackEnergy crime box was being used by political hacking group Quedagh.
The modular kit was updated by the group over the last four years to include support for proxy servers, user account control bypass techniques, and driver signing features for 64-bit Windows systems (which was added within a month of the Windows 8.1 release).
BlackEnergy was first detailed by Arbor Networks in 2007 as a denial-of-service bot, which in 2010 was upgraded with rootkit technology, support for plugins, remote code execution, and data exfiltration.