Fuxnet Malware

Fuxnet is a piece of industrial control system (ICS) malware recently used by the Ukrainian hacking group Blackjack against Russian infrastructure. This malware is designed to target sensor gateways and cause significant disruption to industrial systems. Fuxnet represents a significant leap in the capabilities of malware designed to disrupt industrial control systems (ICS). Unlike traditional cyber threats that primarily focus on data theft or network disruption, it is engineered to cause physical damage and operational paralysis in critical infrastructure. Its deployment against Russian underground infrastructure has already led to widespread disruptions, showcasing its destructive potential.

Who is Blackjack?

The Blackjack hacker group has emerged as a significant cyber threat, employing sophisticated strategies to target prominent organizations throughout Russia. Through a series of carefully planned attacks, Blackjack has caused widespread disruption, impacting government agencies, critical infrastructure providers, and major corporations.

Figure 1: Blackjack Hacker Group

Timeline of Blackjack Hacker Group's Attacks

In November 2023, the Ministry of Labor and Social Protection of the Russian Federation became a victim of Blackjack's cyber campaign. The group successfully breached the ministry's security measures, gaining unauthorized access to a vast array of sensitive documents. Among the compromised data were statistics related to the "SVO", as well as personal information belonging to military personnel. Additionally, reports intended for the President of Russia were compromised in this breach. The incursion raised serious concerns about national security and highlighted the vulnerabilities present within government institutions.

The following month, Rosvodokanal, a crucial water utility company serving millions of Russians, found itself targeted by Blackjack.
The hackers launched a highly damaging assault, compromising the security of over 6,000 computers within the company's network. As a result, more than 50 terabytes of critical data were erased, dealing a significant blow to the infrastructure of the nation. This attack disrupted essential services and underscored the audacious nature and extensive capabilities of the Blackjack group.

In subsequent attacks, Blackjack continued to demonstrate its proficiency in cyber warfare. In January 2024, the group targeted M9 Telecom, a prominent Russian Internet Service Provider (ISP). The hackers deleted 20 terabytes of data from M9 Telecom's systems, causing internet outages for numerous residents in Moscow. Shortly thereafter, Blackjack set its sights on a Russian state enterprise involved in construction projects for the president's military initiatives. The group's infiltration efforts yielded over 1.2 terabytes of classified data, including maps detailing more than 500 military bases across Russia and regions in Ukraine under Russian control. The stolen information was subsequently transmitted to Ukraine's Security and Defense Forces, prompting concerns about international security and diplomatic tensions.

As the months progressed, Blackjack's attacks intensified, targeting critical infrastructure and strategic assets. In April 2024, the group launched a devastating assault on OwenCloud.ru, a data centre utilized by Russia's military, energy, and telecommunications sectors. The attack resulted in the destruction of 300 terabytes of data stored across 400 virtual and 42 physical servers, severely impacting Russia's operational capabilities.

Moscollector, a vital Moscow-based company responsible for constructing and managing underground water, sewage, and communications infrastructure, fell victim to Blackjack's malicious activities.
By deploying the destructive malware Fuxnet, the group disabled 87,000 sensors and control systems (OT and ICS systems), disrupting essential services and causing widespread chaos.

In each instance, Blackjack demonstrated its proficiency in executing coordinated cyberattacks, targeting key entities, and exploiting vulnerabilities within their systems. The group's actions have underscored the critical importance of bolstering cybersecurity measures and enhancing resilience against evolving threats in the digital age. As authorities continue to grapple with the challenges posed by Blackjack and similar cybercriminal organizations, vigilance and collaboration remain paramount in safeguarding against future attacks and mitigating their potential impact on society.

| Date | Target | Damage |
| --- | --- | --- |
| Nov 29, 2023 | Ministry of Labor and Social Protection of the Russian Federation | Blackjack gains access to sensitive documents including statistics on "SVO," personal data of military personnel, reports to the President of Russia, and certificates of the number of prosthetics. |
| Dec 20, 2023 | Rosvodokanal, a Russian water utility company | Blackjack attacks over 6,000 computers, deleting more than 50 terabytes of data, and compromising internal documents, correspondence, cyber protection services, and backups. |
| Jan 10, 2024 | M9 Telecom, Russian ISP | Blackjack deletes 20 terabytes of data, disrupting internet services for Moscow residents. |
| Jan 19, 2024 | Russian state enterprise involved in construction work for the President's military | Blackjack obtains over 1.2 terabytes of classified data, including maps of Russian military bases, and transfers it to Ukrainian Security and Defense Forces, disabling 150 computers. |
| Apr 08, 2024 | OwenCloud.ru data centre, used by the Russian military, energy, and telecommunications industries | Blackjack destroys 300 terabytes of data on 400 virtual and 42 physical servers, crippling Russia's operational capabilities. |
| Apr 15, 2024 | Moscollector, a Moscow-based infrastructure company | Blackjack disables 87,000 sensors and controls, including those in airports, subways, and gas pipelines. Fuxnet is deployed to physically destroy sensor equipment: it floods the RS485 serial communications (M-Bus), sending random commands to embedded control systems. All servers and routers are wiped, and access to the office building is disabled. Blackjack defaces the Moscollector webpage. 1,700 sensor routers are destroyed, and databases, backups, and email servers are wiped, totalling 30 terabytes of data. |

Table 1: Timelines of Blackjack hacker group

Fuxnet Attack Path

Fuxnet malware targeted Industrial Control System (ICS) gateways, likely exploiting remote access protocols (SSH or SBK) to infiltrate Moscollector's systems. Once inside, it escalated privileges, wiped or corrupted critical files, and disrupted communication protocols. This effectively bricked the gateways, potentially damaging connected sensors as well. While the exact number remains debated, this attack disabled hundreds or thousands of devices crucial to monitoring Moscow's sewage system.

Figure 2: Fuxnet Attack Diagram

Initial Access

The initial point of access for Fuxnet is through RL22w 3G routers manufactured by the Russian company iRZ. These routers, which run the OpenWRT operating system, were compromised through their SSH and Telnet services. Once located, the attackers employ brute-force attacks to guess the passwords, often exploiting the fact that many devices still operate with
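The M-Bus flooding recorded in the Moscollector row of Table 1 and in the attack path above is easiest to spot from the bus side, where random commands show up as frames that fail the protocol's framing and checksum rules. The following added example, which is not code from the Sectrio article or from Fuxnet, is a small Python validator a serial-side monitor could run over captured RS485 traffic; the frame layouts are the standard EN 13757-2 ones, and both captures are constructed.

```python
# Added example, not code from the Sectrio article or from Fuxnet itself:
# a minimal M-Bus frame validator for traffic captured on an RS485 bus.
# Frame layouts follow EN 13757-2: ACK = E5h; short = 10h C A CS 16h;
# long/control = 68h L L 68h C A CI [data] CS 16h, CS = sum(C..data) mod 256.
# The captures at the bottom are constructed for illustration.

def parse_frame(buf, pos):
    """Parse one frame at buf[pos]; return (kind, next_pos) where kind is
    'ack', 'short', 'long' or 'invalid'. Invalid input advances one byte so
    the scanner resynchronises on the next plausible start byte."""
    b = buf[pos]
    if b == 0xE5:
        return "ack", pos + 1
    if b == 0x10 and pos + 5 <= len(buf):
        c, a, cs, stop = buf[pos + 1:pos + 5]
        if stop == 0x16 and cs == ((c + a) & 0xFF):
            return "short", pos + 5
    elif b == 0x68 and pos + 4 <= len(buf):
        length, length2, start2 = buf[pos + 1:pos + 4]
        end = pos + 4 + length + 2  # body, then checksum and stop byte
        if length == length2 and length >= 3 and start2 == 0x68 and end <= len(buf):
            body = buf[pos + 4:pos + 4 + length]
            if buf[end - 1] == 0x16 and buf[end - 2] == (sum(body) & 0xFF):
                return "long", end
    return "invalid", pos + 1

def classify_stream(buf):
    """Walk a captured byte stream and count each frame kind."""
    counts = {"ack": 0, "short": 0, "long": 0, "invalid": 0}
    pos = 0
    while pos < len(buf):
        kind, pos = parse_frame(buf, pos)
        counts[kind] += 1
    return counts

def is_flood(counts, max_invalid_ratio=0.5, min_frames=20):
    """Flag a capture window when most of what hit the bus was not valid M-Bus."""
    total = sum(counts.values())
    return total >= min_frames and counts["invalid"] / total > max_invalid_ratio

# Constructed captures: a normal poll cycle (SND_NKE, ACK, REQ_UD2, RSP_UD)
# repeated three times, versus a poll with 256 junk bytes on the wire between.
SND_NKE = bytes([0x10, 0x40, 0x01, 0x41, 0x16])
ACK = bytes([0xE5])
REQ_UD2 = bytes([0x10, 0x5B, 0x01, 0x5C, 0x16])
RSP_UD = bytes([0x68, 0x05, 0x05, 0x68, 0x08, 0x01, 0x72, 0xAB, 0xCD, 0xF3, 0x16])
NORMAL_CAPTURE = (SND_NKE + ACK + REQ_UD2 + RSP_UD) * 3
FLOOD_CAPTURE = SND_NKE + bytes(range(256)) + REQ_UD2
```

On a real deployment the thresholds would be tuned per bus segment, and the same invalid-frame ratio can be fed into a rate alert so that a burst of garbage toward the gateways is noticed before sensors drop off.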