Sectrio

Fuxnet: the Industrial Control System Malware

By Sectrio
June 19, 2024

Summary

In the ever-evolving cybersecurity landscape, a new and formidable threat has emerged: Fuxnet. This sophisticated malware, reminiscent of the infamous Stuxnet, has recently been deployed by the Ukrainian hacker group Blackjack, targeting critical Russian infrastructure. The incident involved a significant cyberattack on Moscollector, a Moscow-based company tasked with overseeing critical infrastructure, including water supply, sewage treatment, and communication systems.

Fuxnet Malware 

Fuxnet is a piece of industrial control system (ICS) malware recently used by the Ukrainian hacking group Blackjack against Russian infrastructure. This malware is designed to target sensor gateways and cause significant disruption to industrial systems. 

Fuxnet represents a significant leap in the capabilities of malware designed to disrupt industrial control systems (ICS). Unlike traditional cyber threats that primarily focus on data theft or network disruption, it is engineered to cause physical damage and operational paralysis in critical infrastructure. Its deployment against Russian underground infrastructure has already led to widespread disruptions, showcasing its destructive potential. 

Who is Blackjack? 

The Blackjack hacker group has emerged as a significant cyber threat, employing sophisticated strategies to target prominent organizations throughout Russia. Through a series of carefully planned attacks, Blackjack has caused widespread disruption, impacting government agencies, critical infrastructure providers, and major corporations. 

Figure 1: Blackjack Hacker Group 

Timeline of Blackjack Hacker Group’s Attacks 

In November 2023, the Ministry of Labor and Social Protection of the Russian Federation became a victim of Blackjack’s cyber campaign. The group successfully breached the ministry’s security measures, gaining unauthorized access to a vast array of sensitive documents. Among the compromised data were statistics related to the “SVO”, as well as personal information belonging to military personnel. Additionally, reports intended for the President of Russia were compromised in this breach. The incursion raised serious concerns about national security and highlighted the vulnerabilities present within government institutions.

The following month, Rosvodokanal, a crucial water utility company serving millions of Russians, found itself targeted by Blackjack. The hackers launched a highly damaging assault, compromising the security of over 6,000 computers within the company’s network. As a result, more than 50 terabytes of critical data were erased, dealing a significant blow to the infrastructure of the nation. This attack disrupted essential services and underscored the audacious nature and extensive capabilities of the Blackjack group. 

In subsequent attacks, Blackjack continued to demonstrate its proficiency in cyber warfare. In January 2024, the group targeted M9 Telecom, a prominent Russian Internet Service Provider (ISP). Utilizing their expertise, the hackers successfully deleted 20 terabytes of data from M9 Telecom’s systems, causing internet outages for numerous residents in Moscow. 

Shortly thereafter, Blackjack set its sights on a Russian state enterprise involved in construction projects for the president’s military initiatives. The group’s infiltration efforts yielded over 1.2 terabytes of classified data, including maps detailing more than 500 military bases across Russia and regions in Ukraine under Russian control. The stolen information was subsequently transmitted to Ukraine’s Security and Defense Forces, prompting concerns about international security and diplomatic tensions.

As the months progressed, Blackjack’s attacks intensified, targeting critical infrastructure and strategic assets. In April 2024, the group launched a devastating assault on OwenCloud.ru, a data centre utilized by Russia’s military, energy, and telecommunications sectors. The attack resulted in the destruction of 300 terabytes of data stored across 400 virtual and 42 physical servers, severely impacting Russia’s operational capabilities. 

Moscollector, a vital Moscow-based company responsible for constructing and managing underground water, sewage, and communications infrastructure, fell victim to Blackjack’s malicious activities. By deploying the destructive malware Fuxnet, the group disabled 87,000 sensors and control systems (OT and ICS systems), disrupting essential services and causing widespread chaos.

In each instance, Blackjack demonstrated its proficiency in executing coordinated cyberattacks, targeting key entities, and exploiting vulnerabilities within their systems. The group’s actions have underscored the critical importance of bolstering cybersecurity measures and enhancing resilience against evolving threats in the digital age. As authorities continue to grapple with the challenges posed by Blackjack and similar cybercriminal organizations, vigilance and collaboration remain paramount in safeguarding against future attacks and mitigating their potential impact on society.

Date | Target | Damage
--- | --- | ---
Nov 29, 2023 | Ministry of Labor and Social Protection of the Russian Federation | Blackjack gains access to sensitive documents including statistics on “SVO,” personal data of military personnel, reports to the President of Russia, and certificates of the number of prosthetics.
Dec 20, 2023 | Rosvodokanal, a Russian water utility company | Blackjack attacks over 6,000 computers, deleting more than 50 terabytes of data, and compromising internal documents, correspondence, cyber protection services, and backups.
Jan 10, 2024 | M9 Telecom, Russian ISP | Blackjack deletes 20 terabytes of data, disrupting internet services for Moscow residents.
Jan 19, 2024 | Russian state enterprise involved in construction work for the President’s military | Blackjack obtains over 1.2 terabytes of classified data, including maps of Russian military bases, and transfers it to Ukrainian Security and Defense Forces, disabling 150 computers.
Apr 08, 2024 | OwenCloud.ru data centre, used by the Russian military, energy, and telecommunications industries | Blackjack destroys 300 terabytes of data on 400 virtual and 42 physical servers, crippling Russia’s operational capabilities.
Apr 15, 2024 | Moscollector, a Moscow-based infrastructure company | Blackjack disables 87,000 sensors and controls, including those in airports, subways, and gas pipelines. Fuxnet is deployed to physically destroy sensor equipment, flooding the RS485 serial and M-Bus communications with random commands to the embedded control systems. All servers and routers are wiped, and access to the office building is disabled. Blackjack defaces the Moscollector webpage. 1,700 sensor routers were destroyed, and databases, backups, and email servers were wiped, totalling 30 terabytes of data.

Table 1: Timeline of the Blackjack hacker group’s attacks

Fuxnet Attack Path 

Fuxnet malware targeted Industrial Control System (ICS) gateways, likely exploiting remote access protocols (SSH or SBK) to infiltrate Moscollector’s systems. Once inside, it escalated privileges, wiped or corrupted critical files, and disrupted communication protocols. This effectively bricked the gateways, potentially damaging connected sensors as well. While the exact number remains debated, this attack disabled hundreds or thousands of devices crucial to monitoring Moscow’s sewage system.

Figure 2: Fuxnet Attack Diagram 

Initial Access 

The initial point of access for Fuxnet is through RL22w 3G routers manufactured by the Russian company iRZ. These routers, which use the OpenWRT operating system, were compromised using SSH and Telnet services. 

Once a router is located, the attackers brute-force its password, often exploiting the fact that many devices still operate with their factory-default settings. By gaining root access through SSH or Telnet, the attackers establish a strong foothold within the network.
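Because the foothold described above comes from password guessing against SSH and Telnet, the earliest detection opportunity is the gateway’s own login log. The following Python script is an added example (not code from the Sectrio post or from Fuxnet) that flags a source address with many failed dropbear password attempts in a short window and, more importantly, a successful login that follows them, which is the signature of a guessed default or weak password. The syslog lines are constructed; their message texts follow dropbear’s real "Bad password attempt" and "Password auth succeeded" strings, and the window and threshold values are assumptions to tune per site.

```python
"""Flag SSH password brute-forcing against OpenWrt gateways from dropbear
syslog lines.

Added example, not code from the Sectrio post or from Fuxnet. The log lines
below are constructed; the message formats follow dropbear's real
"Bad password attempt" / "Password auth succeeded" strings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# dropbear is the SSH server shipped with OpenWrt; these are its two
# password-authentication log messages.
FAIL_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
OK_RE = re.compile(r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")

WINDOW = timedelta(seconds=120)   # assumption: tune per site
FAIL_THRESHOLD = 5                # assumption: tune per site


def parse_line(line, year=2024):
    """Return (timestamp, source_ip, user, succeeded) for a dropbear auth
    line, or None for anything else. Syslog lines carry no year, so one is
    assumed."""
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    m = FAIL_RE.search(line)
    if m:
        return ts, m.group("ip"), m.group("user"), False
    m = OK_RE.search(line)
    if m:
        return ts, m.group("ip"), m.group("user"), True
    return None


def detect_bruteforce(lines, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return alerts as (source_ip, kind, failure_count) tuples.

    'bruteforce' fires once per source when failures inside the window reach
    the threshold; 'success_after_failures' fires when a login succeeds from
    a source that already reached the threshold inside the window."""
    recent_failures = defaultdict(list)   # ip -> failure timestamps in window
    alerts, already_flagged = [], set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, _user, succeeded = event
        fails = [t for t in recent_failures[ip] if ts - t <= window]
        if succeeded:
            if len(fails) >= threshold:
                alerts.append((ip, "success_after_failures", len(fails)))
            recent_failures[ip] = []          # session opened; reset the counter
            continue
        fails.append(ts)
        recent_failures[ip] = fails
        if len(fails) >= threshold and ip not in already_flagged:
            alerts.append((ip, "bruteforce", len(fails)))
            already_flagged.add(ip)
    return alerts


# Constructed syslog excerpt from one gateway ("gw-7"): 10.20.30.5 guesses six
# passwords in ten seconds and then gets in; 10.20.30.9 mistypes once.
SAMPLE_LOG = [
    "Apr 15 03:12:00 gw-7 dropbear[1201]: Child connection from 10.20.30.5:50100",
    "Apr 15 03:12:01 gw-7 dropbear[1201]: Bad password attempt for 'root' from 10.20.30.5:50100",
    "Apr 15 03:12:03 gw-7 dropbear[1202]: Bad password attempt for 'root' from 10.20.30.5:50101",
    "Apr 15 03:12:05 gw-7 dropbear[1203]: Bad password attempt for 'root' from 10.20.30.5:50102",
    "Apr 15 03:12:07 gw-7 dropbear[1204]: Bad password attempt for 'root' from 10.20.30.5:50103",
    "Apr 15 03:12:09 gw-7 dropbear[1205]: Bad password attempt for 'root' from 10.20.30.5:50104",
    "Apr 15 03:12:11 gw-7 dropbear[1206]: Bad password attempt for 'root' from 10.20.30.5:50105",
    "Apr 15 03:12:15 gw-7 dropbear[1207]: Password auth succeeded for 'root' from 10.20.30.5:50106",
    "Apr 15 03:13:00 gw-7 dropbear[1210]: Bad password attempt for 'admin' from 10.20.30.9:41000",
    "Apr 15 03:13:05 gw-7 dropbear[1211]: Password auth succeeded for 'admin' from 10.20.30.9:41001",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Since the TTP table later in this post notes that Fuxnet deletes logs on the host, this check only helps when the gateways forward syslog to a collector the attacker cannot reach; on the device itself the evidence is gone by the time the payload runs.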

Figure 3: Default password used on SBK console 

Malware Deployment 

The attackers create a list of target sensor gateway IPs along with detailed descriptions of their physical locations. This information is crucial for the precise deployment of the malware. 

Figure 4: Deploying Fuxnet malware on sensors 

Figure 5: Sensor information 

The deployment script is executed via SSH or the sensor protocol (SBK) on port 4321, allowing the malware to be distributed to each targeted gateway. 

Payload Execution 

Device Lockdown and File System Corruption

  • Filesystem Remounting: Once the malware is on a target device, it remounts the filesystem with write access. 
  • Deletion of Critical Files: Fuxnet begins deleting critical files and directories, which include system files necessary for device operation. 
  • Disabling Remote Access: The malware shuts down remote access services such as SSH, HTTP, Telnet, and SNMP, preventing remote restoration attempts. 
  • Corrupting Routing Tables: By deleting routing table information, Fuxnet effectively cuts off communication between the compromised device and other network devices. 

Figure 6: Devices and Destroying the Filesystem 

NAND Memory Attack

Bit-Flip Operations: Fuxnet performs bit-flip operations on the NAND memory chips of the target devices. This process involves repeatedly writing and rewriting memory until it exceeds its write cycles, leading to physical damage. 

Memory Failure: The continuous writing causes the NAND chips to fail, making the device inoperable and requiring physical replacement or re-flashing of the firmware. 

Figure 7: Memory Failure

Figure 8: Snip code of the NAND Attack

UBI Volume Corruption

Volume Overwriting: Fuxnet overwrites the UBI (Unsorted Block Image) volume with junk data, which includes writing fewer bytes than declared, causing the device to wait indefinitely for the rewrite to finish. 

Figure 9: UBI volume corruption

The corrupted UBI volume renders the filesystem unstable and prevents the device from rebooting properly. 

Meter-Bus/RS485 Flooding: The malware sends random data over the Meter-Bus (M-Bus) and RS485 channels, overloading the communication pathways between the sensors and the gateways. A snippet of the code used for the M-Bus packet flood is shown below.

Figure 10: A snippet of code that was used for the M-Bus Flood 

Communication Disruption: This flooding action disrupts normal communication, effectively disabling the sensor data acquisition process and causing operational paralysis. 
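Random bytes pushed onto a meter bus almost never satisfy the M-Bus framing and checksum rules, so the share of bytes that belong to no valid frame is a practical flood indicator for anyone monitoring the serial side of a gateway. The following Python code is an added example (not code from the Sectrio post or from Fuxnet): it validates the four EN 13757-2 frame types (single-character ACK, short, control and long frames, with their byte-sum checksums) and scores a captured byte stream by its unframed-byte ratio. The master/slave addresses, control and CI fields, the sample captures and the 20% flood threshold are all constructed assumptions.

```python
"""M-Bus (EN 13757-2) frame validator and serial-bus flood detector.

Added example, not code from the Sectrio post or from Fuxnet. It checks
whether bytes seen on the meter bus form well-formed frames; random data
pushed onto the bus fails the framing and checksum rules almost always, so
the share of unframed bytes is a usable flood indicator. Addresses, control
fields and the captured byte streams below are constructed.
"""
import random

START_LONG, START_SHORT, STOP, ACK = 0x68, 0x10, 0x16, 0xE5


def build_long_frame(c, a, ci, data=b""):
    """Build a long frame (a control frame when there is no user data):
    68 L L 68 C A CI <data> CS 16, where CS is the byte sum of C, A, CI and
    the user data, modulo 256."""
    body = bytes([c, a, ci]) + bytes(data)
    length = len(body)
    return bytes([START_LONG, length, length, START_LONG]) + body + bytes([sum(body) & 0xFF, STOP])


def build_short_frame(c, a):
    """Build a short frame: 10 C A CS 16 with CS = C + A (mod 256)."""
    return bytes([START_SHORT, c, a, (c + a) & 0xFF, STOP])


def parse_frame(buf, i):
    """Try to parse one frame starting at buf[i].
    Returns (frame, length) on success or (None, 0) if no valid frame starts here."""
    n = len(buf)
    first = buf[i]
    if first == ACK:                                  # single-character acknowledgement
        return {"type": "ack"}, 1
    if first == START_SHORT:
        if i + 5 <= n and buf[i + 4] == STOP and (buf[i + 1] + buf[i + 2]) & 0xFF == buf[i + 3]:
            return {"type": "short", "c": buf[i + 1], "a": buf[i + 2]}, 5
        return None, 0
    if first == START_LONG:
        # header is 68 L L 68; both length bytes must agree
        if i + 4 > n or buf[i + 1] != buf[i + 2] or buf[i + 3] != START_LONG:
            return None, 0
        length = buf[i + 1]
        end = i + 4 + length + 2                      # header + body + checksum + stop
        if length < 3 or end > n or buf[end - 1] != STOP:
            return None, 0
        body = buf[i + 4:i + 4 + length]
        if sum(body) & 0xFF != buf[end - 2]:
            return None, 0
        return {"type": "long" if length > 3 else "control",
                "c": body[0], "a": body[1], "ci": body[2], "data": bytes(body[3:])}, end - i
    return None, 0


def scan_bus(buf):
    """Walk a captured byte stream. Returns (frames, garbage_bytes); a byte that
    does not start a valid frame is counted as garbage and skipped."""
    frames, garbage, i = [], 0, 0
    while i < len(buf):
        frame, length = parse_frame(buf, i)
        if frame is None:
            garbage += 1
            i += 1
        else:
            frames.append(frame)
            i += length
    return frames, garbage


def garbage_ratio(buf):
    """Share of captured bytes that belong to no valid frame (0.0 for clean traffic)."""
    _frames, garbage = scan_bus(buf)
    return garbage / len(buf) if buf else 0.0


def is_flooded(buf, max_ratio=0.2):
    """Assumption: more than 20% unframed bytes in a capture is a flood, not line noise."""
    return garbage_ratio(buf) > max_ratio


# Constructed captures: a master polling one meter (REQ_UD2 short frame, RSP_UD
# long frame, three cycles) versus random bytes of the kind a flooding tool
# pushes onto the bus. The seed is fixed so the result is reproducible.
NORMAL_CAPTURE = (build_short_frame(0x5B, 0x01)
                  + build_long_frame(0x08, 0x01, 0x72, b"\x12\x34\x56\x78")) * 3
_rng = random.Random(1)
FLOOD_CAPTURE = bytes(_rng.getrandbits(8) for _ in range(200))

if __name__ == "__main__":
    for name, capture in (("normal", NORMAL_CAPTURE), ("flood", FLOOD_CAPTURE)):
        frames, garbage = scan_bus(capture)
        print(f"{name}: {len(frames)} frames, {garbage} garbage bytes, flooded={is_flooded(capture)}")
```

In practice the capture would come from a serial tap or from the gateway’s own RS485 driver statistics; the ratio, not the absolute byte rate, is what distinguishes a flood from a busy but healthy bus, because legitimate polling at any rate still produces frames that check out.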

Impact on Industrial Operations 

By targeting and disabling sensor gateways, Fuxnet cuts off the flow of critical telemetry data from physical sensors to central monitoring systems. 

The widespread geographic distribution of these gateways means that recovery efforts are extensive and time-consuming, requiring either a physical replacement or firmware re-flashing of each affected device. 

The attack affects various critical infrastructure components, including water, sewage, communication systems, gas pipelines, and emergency response systems. 

The need to repair or replace numerous gateways scattered across large areas adds to the complexity and duration of recovery operations, leading to prolonged operational disruptions. 

TTPs (Tactics, Techniques, and Procedures)  

In the table below, you’ll find a detailed breakdown of the Tactics, Techniques, and Procedures (TTPs). 

Tactic | Tactic ID | Technique | Technique ID | Matrix | Description
--- | --- | --- | --- | --- | ---
Initial Access | TA0001 | Valid Accounts | T1078 | Enterprise | Blackjack obtained root passwords for RL22w 3G routers and sensor gateways, using them to gain unauthorized access via SSH.
Initial Access | TA0011 | External Remote Services | T1133 | ICS | Blackjack used SSH and Telnet to gain access to IoT gateways with default or weak credentials.
Execution | TA0002 | Command and Scripting Interpreter | T1059 | Enterprise | After gaining access, Blackjack used SSH commands to deploy Fuxnet and execute its payload on target devices.
Execution | TA0012 | Command-Line Interface | T1059 | ICS | Fuxnet used scripts executed via SSH to deploy the malware to targeted sensor gateways.
Persistence | TA0003 | Boot or Logon Initialization Scripts | T1037 | Enterprise | Fuxnet modifies boot scripts to ensure they run on device startup, maintaining persistence.
Persistence | TA0013 | Valid Accounts | T1078 | ICS | Maintained access using valid accounts with elevated privileges to ensure persistence.
Privilege Escalation | TA0004 | Exploitation for Privilege Escalation | T1068 | Enterprise | Blackjack exploited vulnerabilities in the OpenWRT operating system on iRZ routers to escalate privileges to root.
Privilege Escalation | TA0014 | Exploitation of Vulnerability | T1068 | ICS | Exploited vulnerabilities in router firmware and gained root access.
Defence Evasion | TA0005 | Indicator Removal on Host | T1070 | Enterprise | Fuxnet deletes critical files and directories, including logs, to avoid detection.
Defence Evasion | TA0015 | Masquerading | T1036 | ICS | Deleted logs and used legitimate services to avoid detection.
Credential Access | TA0006 | OS Credential Dumping | T1003 | Enterprise | Blackjack obtained root credentials from compromised devices, allowing further access and deployment.
Discovery | TA0007 | Network Service Scanning | T1046 | Enterprise | Blackjack used network scanning to identify and target additional vulnerable devices on the network.
Discovery | TA0017 | System Information Discovery | T1082 | ICS | Gathered information about network configurations and connected devices.
Lateral Movement | TA0008 | Remote Services | T1021 | Enterprise | Using SSH and other remote services, Blackjack moved laterally across the network to infect more devices.
Lateral Movement | TA0018 | Remote Services | T1021 | ICS | Used SSH tunnelling to move laterally across the network to other devices.
Collection | TA0009 | Data from Network Shared Drive | T1039 | Enterprise | Fuxnet exfiltrates sensitive data from compromised network devices, including configuration and operational data.
Command and Control | TA0011 | Encrypted Channel | T1573 | Enterprise | Fuxnet communicates with command-and-control servers using encrypted channels to avoid interception.
Impact | TA0040 | Inhibit System Recovery | T1490 | Enterprise | Fuxnet corrupts the filesystem, NAND memory, and UBI volume, making system recovery difficult or impossible.
Impact | TA0040 | Service Stop | T1489 | Enterprise | Fuxnet stops critical services, including remote access services, to disable device recovery and maintenance.
Impact | TA0040 | Data Destruction | T1485 | Enterprise | The malware deletes critical files and directories, including routing tables and configuration files, effectively destroying data necessary for device operation.
Impact | TA0040 | Direct Network Flood | T1498.001 | Enterprise | By overloading the serial bus (RS485/M-Bus), Fuxnet disrupts the communication between sensors and gateways, leading to a widespread denial of service across the network.
Impact | TA0040 | Data Destruction | T1485 | ICS | Fuxnet deleted critical files, corrupted NAND memory, and disrupted communication protocols to cause operational disruption.

Table 2: MITRE TTPs of Fuxnet malware

Recommendation 

  • Assess your current OT/ICS and IoT cybersecurity through a risk assessment and gap analysis.
  • Secure your OT/ICS defenses with a robust NIDS/NIPS solution such as Sectrio, before they breach your network. 
  • Sectrio recommends not to use default passwords for any OT devices or any devices that are on the OT network and assess your network for any insecure remote access connectivity. 
  • Implement network segmentation to isolate SCADA systems from other networks.
  • Stay steps ahead of Blackjack using our advanced Sectrio NIDS/NIPS, harnessing AI and behavioral analysis to proactively detect and deflect their targeted attacks.  
  • Take an inventory of assets and data, identifying authorized and unauthorized devices and software. Leverage Sectrio’s Asset Intelligence module for a comprehensive OT/ICS asset inventory and vulnerability management solution. 
  • Sectrio recommends continuously monitoring your OT/ICS networks and assets for any behavioral deviations and process deviations at the most granular levels. Sectrio recommends disabling the command line and scripting.
  • Sectrio recommends restricting the use of PowerShell. 

Contact Sectrio and find out how our solutions can add value and enhance your OT/ICS security posture significantly.

This blog is attributed to Yash Mehta from Sectrio’s threat research team.
