Fuxnet Malware
Fuxnet is a piece of industrial control system (ICS) malware recently used by the Ukrainian hacking group Blackjack against Russian infrastructure. It is built to target sensor gateways: the embedded devices that collect readings from field sensors over serial buses and relay them to central monitoring systems.
Fuxnet represents a significant step in the capabilities of malware aimed at ICS. Unlike cyber threats that focus on data theft or network disruption, it is engineered to render field devices physically inoperable and to paralyse operations in critical infrastructure. Its deployment against the underground utility network monitored by Moscollector is claimed to have knocked tens of thousands of sensors offline; the exact count is disputed, but the gateways it bricked have to be replaced or re-flashed by hand.
Who is Blackjack?
The Blackjack hacker group has emerged as a significant cyber threat, employing sophisticated strategies to target prominent organizations throughout Russia. Through a series of carefully planned attacks, Blackjack has caused widespread disruption, impacting government agencies, critical infrastructure providers, and major corporations.
Figure 1: Blackjack Hacker Group
Timeline of Blackjack Hacker Group’s Attacks
In November 2023, the Ministry of Labor and Social Protection of the Russian Federation became a victim of Blackjack’s cyber campaign. The group breached the ministry’s defences and gained access to a large set of sensitive documents. Among the compromised data were statistics related to the “SVO” (Russia’s official term for its war in Ukraine) and personal information belonging to military personnel. Reports intended for the President of Russia were also exposed. The incursion raised serious national security concerns and highlighted the weaknesses of government institutions.
The following month, Rosvodokanal, a water utility company serving millions of Russians, was targeted by Blackjack. The attackers compromised over 6,000 computers within the company’s network and erased more than 50 terabytes of data, including backups. The attack disrupted essential services and showed both the audacity and the reach of the Blackjack group.
In subsequent attacks, Blackjack continued to demonstrate its proficiency in cyber warfare. In January 2024, the group targeted M9 Telecom, a prominent Russian Internet Service Provider (ISP). Utilizing their expertise, the hackers successfully deleted 20 terabytes of data from M9 Telecom’s systems, causing internet outages for numerous residents in Moscow.
Shortly thereafter, Blackjack set its sights on a Russian state enterprise involved in construction projects for the president’s military initiatives. The group’s infiltration efforts yielded over 1.2 terabytes of classified data, including maps detailing more than 500 military bases across Russia and regions in Ukraine under Russian control. The stolen information was subsequently transmitted to Ukraine’s Security and Defense Forces, prompting concerns about international security and diplomatic tensions.
As the months progressed, Blackjack’s attacks shifted further towards critical infrastructure and strategic assets. In April 2024, the group attacked OwenCloud.ru, a data centre used by Russia’s military, energy, and telecommunications sectors, and destroyed 300 terabytes of data stored across 400 virtual and 42 physical servers.
Moscollector, a Moscow-based company that builds and manages underground water, sewage, and communications infrastructure, was the next victim. By deploying the destructive malware Fuxnet, the group claims to have disabled 87,000 sensors and control systems (OT and ICS devices), cutting off the telemetry that these services depend on.
In each instance, Blackjack executed coordinated attacks against chosen targets, exploiting weak credentials and exposed remote access rather than novel vulnerabilities. The campaign underscores the importance of basic hygiene and resilience in OT environments. Vigilance and collaboration remain essential in defending against Blackjack and similar groups and in limiting the impact of future attacks.
| Date | Target | Damage |
|---|---|---|
| Nov 29, 2023 | Ministry of Labor and Social Protection of the Russian Federation | Blackjack gains access to sensitive documents including statistics on the “SVO,” personal data of military personnel, reports to the President of Russia, and certificates of the number of prosthetics. |
| Dec 20, 2023 | Rosvodokanal, a Russian water utility company | Blackjack attacks over 6,000 computers, deleting more than 50 terabytes of data and compromising internal documents, correspondence, cyber protection services, and backups. |
| Jan 10, 2024 | M9 Telecom, Russian ISP | Blackjack deletes 20 terabytes of data, disrupting internet services for Moscow residents. |
| Jan 19, 2024 | Russian state enterprise involved in construction work for the President’s military | Blackjack obtains over 1.2 terabytes of classified data, including maps of Russian military bases, transfers it to Ukrainian Security and Defense Forces, and disables 150 computers. |
| Apr 08, 2024 | OwenCloud.ru data centre, used by the Russian military, energy, and telecommunications industries | Blackjack destroys 300 terabytes of data on 400 virtual and 42 physical servers. |
| Apr 15, 2024 | Moscollector, a Moscow-based infrastructure company | Blackjack claims to have disabled 87,000 sensors and controls, including those in airports, subways, and gas pipelines. Fuxnet is deployed to physically destroy the sensor gateways and floods the RS485/Meter-Bus (M-Bus) serial lines with random data, so the embedded controllers receive garbage instead of commands. All servers and routers are wiped, access control for the office building is disabled, and the Moscollector webpage is defaced. 1,700 sensor routers are destroyed, and databases, backups, and email servers are wiped, about 30 terabytes of data in total. |

Table 1: Timeline of Blackjack hacker group attacks
Fuxnet Attack Path
Fuxnet targeted the sensor gateways of Moscollector’s monitoring network. The operators most likely reached them over the gateways’ own remote access services (SSH, and the sensor protocol SBK on port 4321 described below). Once on a gateway the malware ran with root privileges, wiped or corrupted the files the device needs to boot, and disrupted its communication channels. This bricked the gateways and cut off the sensors behind them. How many devices were hit, and whether the sensors themselves were physically damaged, remains debated, but the attack took hundreds to thousands of devices used to monitor Moscow’s sewage and utility network offline.
Figure 2: Fuxnet Attack Diagram
Initial Access
The initial point of access for Fuxnet is through RL22w 3G routers manufactured by the Russian company iRZ. These routers run OpenWrt and expose SSH and Telnet services, and those services were the way in.
Once such routers are located, the attackers brute-force the login, often succeeding because many devices still run with factory-default credentials. Logging in as root over SSH or Telnet gives them a foothold on the router and a path to the sensor gateways behind it.
Figure 3: Default password used on SBK console
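The brute-force stage leaves a recognisable trace before anything is wiped: a run of failed password logins from one source, then a successful root login. The check below is an added example, not code from the original post or from Blackjack’s tooling. It scans OpenWrt `logread` output for dropbear (OpenWrt’s SSH server), whose “Bad password attempt” and “Password auth succeeded” messages have the shape shown; the log lines themselves are constructed for the example, and the threshold of three failures is an arbitrary choice. Because Fuxnet deletes the local filesystem, this only works on logs that were shipped off the device (remote syslog) while it was still healthy.

```python
"""Spot SSH brute-force followed by a successful root login in OpenWrt
dropbear logs. Added example; log lines below are constructed."""
import re
from collections import defaultdict
from typing import Dict

# Constructed sample of `logread` output. Timestamps, PIDs and addresses
# are made up; the message formats are dropbear's.
SAMPLE_LOG = """\
Mon Apr 15 03:12:01 2024 authpriv.warn dropbear[1842]: Bad password attempt for 'root' from 10.20.30.40:51234
Mon Apr 15 03:12:02 2024 authpriv.warn dropbear[1843]: Bad password attempt for 'root' from 10.20.30.40:51236
Mon Apr 15 03:12:02 2024 authpriv.warn dropbear[1844]: Bad password attempt for 'root' from 10.20.30.40:51238
Mon Apr 15 03:12:03 2024 authpriv.warn dropbear[1845]: Bad password attempt for 'root' from 10.20.30.40:51240
Mon Apr 15 03:12:03 2024 authpriv.warn dropbear[1846]: Bad password attempt for 'root' from 10.20.30.40:51242
Mon Apr 15 03:12:04 2024 authpriv.notice dropbear[1847]: Password auth succeeded for 'root' from 10.20.30.40:51244
Mon Apr 15 03:15:10 2024 authpriv.notice dropbear[1901]: Password auth succeeded for 'root' from 192.168.1.10:40012
Mon Apr 15 03:20:44 2024 authpriv.warn dropbear[1950]: Bad password attempt for 'root' from 192.168.1.11:40100
"""

LINE_RE = re.compile(
    r"dropbear\[\d+\]: (?P<outcome>Bad password attempt|Password auth succeeded) "
    r"for '(?P<user>[^']+)' from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+"
)


def analyse(log_text: str, threshold: int = 3) -> Dict[str, dict]:
    """Per source IP, count failed logins and note whether a success came
    after at least `threshold` failures. Returns only IPs worth alerting on."""
    state = defaultdict(lambda: {"failures": 0, "success_after_failures": False, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a dropbear auth line
        st = state[m["ip"]]
        st["users"].add(m["user"])
        if m["outcome"] == "Bad password attempt":
            st["failures"] += 1
        elif st["failures"] >= threshold:
            # Success only matters if it follows a guessing run.
            st["success_after_failures"] = True

    findings: Dict[str, dict] = {}
    for ip, st in state.items():
        if st["failures"] >= threshold:
            findings[ip] = {
                "verdict": "brute-force succeeded" if st["success_after_failures"] else "brute-force attempt",
                "failures": st["failures"],
                "users": sorted(st["users"]),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

A single legitimate administrator login (192.168.1.10 above) is not reported; one stray failure is below threshold. On a real fleet the threshold and time window would be tuned to how often operators actually log in to these gateways, which is normally almost never.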
Malware Deployment
The attackers create a list of target sensor gateway IPs along with detailed descriptions of their physical locations. This information is crucial for the precise deployment of the malware.
Figure 4: Deploying Fuxnet malware on sensors
Figure 5: Sensor information
The deployment script is run against each gateway in that list over SSH or over the sensor protocol (SBK) on port 4321, which distributes the malware to every targeted gateway.
Payload Execution
Device Lockdown and File System Corruption:
- Filesystem Remounting: Once on a target device, the malware remounts the root filesystem read-write (embedded devices typically keep it read-only during normal operation).
- Deletion of Critical Files: Fuxnet deletes critical files and directories, including the system files the device needs to boot and operate.
- Disabling Remote Access: The malware shuts down remote access services such as SSH, HTTP, Telnet, and SNMP, so the device can no longer be reached for remote restoration.
- Corrupting Routing Tables: By deleting routing table entries, Fuxnet cuts the compromised device off from every other device on the network.
Figure 6: Devices and Destroying the Filesystem
NAND Memory Attack:
- Bit-Flip Operations: Fuxnet repeatedly writes and rewrites the target device’s NAND flash until the chips exceed their rated program/erase endurance. This is physical wear, not a software fault.
- Memory Failure: The worn NAND cells fail, leaving the device inoperable and requiring physical replacement or, where the flash is still usable, re-flashing of the firmware.
Figure 8: Snip code of the NAND Attack
UBI Volume Corruption:
- Volume Overwriting: Fuxnet starts a UBI (Unsorted Block Image) volume update, which declares up front how many bytes of new content will follow, then supplies junk data and fewer bytes than declared. The volume is left in an unfinished update state and the device waits indefinitely for the rest of the data.
Figure 9: UBI volume corruption
The corrupted UBI volume renders the filesystem unstable and prevents the device from rebooting properly.
Meter-Bus/RS485 Flooding:
- Bus Flood: The malware sends random data over the Meter-Bus (M-Bus) and RS485 channels, saturating the serial links between the gateway and its sensors. Figure 10 shows a snippet of the code used for the M-Bus flood.
Figure 10: A snippet of code that was used for the M-Bus Flood
- Communication Disruption: Every device on the bus has to receive and discard the junk, legitimate requests and responses are lost in it, and sensor data acquisition stops, causing operational paralysis.
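Why random bytes on the bus amount to denial of service: every wired M-Bus frame (EN 13757-2) has a fixed start byte, a length field sent twice, and an arithmetic checksum, so a gateway or meter has to read each incoming byte, try to frame it, and discard it when the checks fail. The parser below is an added example, not code from the original post or from Fuxnet. It implements the M-Bus framing rules and classifies a captured byte stream into valid frames and junk; the sample frames (a REQ_UD2 request to address 1 and an RSP_UD answer) and the “flood” bytes are constructed. A junk ratio that jumps from near zero to near one on a bus that normally carries a few well-formed frames per second is a cheap detection signal.

```python
"""Frame validator for wired M-Bus (EN 13757-2). Added example; not code
from the original post or from Fuxnet. Sample traffic is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

START_SHORT = 0x10   # short frame:        10 C A CS 16
START_LONG = 0x68    # control/long frame: 68 L L 68 C A CI [data] CS 16
STOP = 0x16
ACK = 0xE5           # single-character acknowledgement


@dataclass
class Frame:
    kind: str                # 'ack', 'short', 'control' or 'long'
    control: Optional[int]   # C field
    address: Optional[int]   # A field (primary address)
    ci: Optional[int]        # CI field, control/long frames only
    payload: bytes           # user data, long frames only


def parse_frame(buf: bytes, pos: int) -> Optional[Tuple[Frame, int]]:
    """Parse one frame at buf[pos]. Returns (frame, bytes consumed), or None
    if the bytes there do not form a complete, checksum-correct frame."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first == ACK:
        return Frame("ack", None, None, None, b""), 1
    if first == START_SHORT:
        if pos + 5 > len(buf):
            return None
        c, a, cs, stop = buf[pos + 1:pos + 5]
        if stop != STOP or cs != (c + a) & 0xFF:
            return None
        return Frame("short", c, a, None, b""), 5
    if first == START_LONG:
        if pos + 4 > len(buf):
            return None
        length, length2, start2 = buf[pos + 1], buf[pos + 2], buf[pos + 3]
        # L is sent twice and counts C, A, CI and user data, so it is >= 3.
        if length != length2 or start2 != START_LONG or length < 3:
            return None
        total = 4 + length + 2  # header, L body bytes, checksum, stop
        if pos + total > len(buf):
            return None
        body = buf[pos + 4:pos + 4 + length]
        cs, stop = buf[pos + 4 + length], buf[pos + 5 + length]
        # Checksum is the arithmetic sum of C, A, CI and user data, mod 256.
        if stop != STOP or cs != sum(body) & 0xFF:
            return None
        kind = "control" if length == 3 else "long"
        return Frame(kind, body[0], body[1], body[2], bytes(body[3:])), total
    return None


def scan(buf: bytes) -> Tuple[List[Frame], int]:
    """Walk a captured byte stream, resynchronising one byte at a time after
    anything that is not a valid frame. Returns (frames, junk_byte_count)."""
    frames: List[Frame] = []
    junk = 0
    pos = 0
    while pos < len(buf):
        parsed = parse_frame(buf, pos)
        if parsed is None:
            junk += 1
            pos += 1
        else:
            frame, used = parsed
            frames.append(frame)
            pos += used
    return frames, junk


def junk_ratio(buf: bytes) -> float:
    """Fraction of bytes belonging to no valid frame: near 0 on a healthy
    bus, near 1 while it is being flooded with random data."""
    if not buf:
        return 0.0
    return scan(buf)[1] / len(buf)


# Constructed sample traffic.
REQ_UD2 = bytes([0x10, 0x5B, 0x01, 0x5C, 0x16])                               # master polls slave 1
RSP_UD = bytes([0x68, 0x04, 0x04, 0x68, 0x08, 0x01, 0x72, 0x00, 0x7B, 0x16])  # slave 1 answers
HEALTHY_BUS = REQ_UD2 + RSP_UD + bytes([ACK])
FLOOD = bytes([0x3A, 0x91, 0x10, 0x5B, 0x01, 0x00, 0x16, 0xF0, 0x68, 0x02, 0x07, 0x68, 0xC3])
FLOODED_BUS = REQ_UD2 + FLOOD + RSP_UD

if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY_BUS), ("flooded", FLOODED_BUS)):
        frames, junk = scan(capture)
        print(f"{name}: {len(frames)} frames, {junk} junk bytes, ratio {junk_ratio(capture):.2f}")
```

Note that the flood bytes include a near-miss short frame with a wrong checksum and a long-frame start byte whose repeated length field does not match; both are rejected, which is exactly the work every meter on the bus is forced to do for every byte of the flood.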
Impact on Industrial Operations
By targeting and disabling sensor gateways, Fuxnet cuts off the flow of critical telemetry data from physical sensors to central monitoring systems.
The widespread geographic distribution of these gateways means that recovery efforts are extensive and time-consuming, requiring either a physical replacement or firmware re-flashing of each affected device.
The attack affects various critical infrastructure components, including water, sewage, communication systems, gas pipelines, and emergency response systems.
Because a bricked gateway has no remote recovery path (SSH and routing are gone, and the flash may be worn out), each one has to be reached in the field and re-flashed or replaced, so the outage lasts as long as that field work takes.
TTPs (Tactics, Techniques, and Procedures)
The table below maps the behaviour described above to MITRE ATT&CK. Enterprise rows use Enterprise tactic and technique IDs; ICS rows use the ATT&CK for ICS IDs (TA01xx and T08xx). The analysis above describes no persistence mechanism, privilege-escalation exploit, data exfiltration, or command-and-control channel: Fuxnet was pushed over SSH by operators who already held root credentials and is a purely destructive payload, so the table lists none.

| Tactic | Tactic ID | Technique | Technique ID | Matrix | Description |
|---|---|---|---|---|---|
| Initial Access | TA0001 | Valid Accounts | T1078 | Enterprise | Blackjack logged in to the iRZ RL22w routers and sensor gateways as root over SSH using default or brute-forced passwords. |
| Initial Access | TA0108 | External Remote Services | T0822 | ICS | SSH and Telnet exposed by the routers and gateways were the entry point. |
| Execution | TA0002 | Command and Scripting Interpreter | T1059 | Enterprise | Fuxnet was copied to each gateway and started through commands issued over SSH. |
| Execution | TA0104 | Command-Line Interface | T0807 | ICS | The deployment script ran on each gateway via SSH or the SBK sensor protocol on port 4321. |
| Persistence | TA0110 | Valid Accounts | T0859 | ICS | The root accounts obtained at initial access gave continued access until the devices were bricked. |
| Credential Access | TA0006 | Brute Force | T1110 | Enterprise | Passwords were guessed by brute force; many devices still used factory-default credentials. |
| Defence Evasion | TA0005 | Indicator Removal on Host | T1070 | Enterprise | The filesystem wipe removes logs along with everything else, leaving little for forensics. |
| Defence Evasion | TA0103 | Indicator Removal on Host | T0872 | ICS | Same behaviour, in the ICS matrix. |
| Discovery | TA0007 | Network Service Discovery | T1046 | Enterprise | Reachable gateways were enumerated to build the target list of IPs. |
| Discovery | TA0102 | Remote System Discovery | T0846 | ICS | The target list paired each gateway IP with a description of its physical location. |
| Lateral Movement | TA0008 | Remote Services | T1021 | Enterprise | From the compromised routers the attackers reached further gateways over SSH. |
| Lateral Movement | TA0109 | Remote Services | T0886 | ICS | SSH sessions to each sensor gateway carried the deployment. |
| Impact | TA0040 | Inhibit System Recovery | T1490 | Enterprise | Fuxnet corrupts the filesystem, wears out the NAND, and leaves the UBI volume in a half-updated state, making recovery difficult or impossible. |
| Impact | TA0040 | Service Stop | T1489 | Enterprise | Fuxnet stops SSH, HTTP, Telnet, and SNMP, removing every remote maintenance path. |
| Impact | TA0040 | Data Destruction | T1485 | Enterprise | The malware deletes critical files and directories, including routing tables and configuration files that the device needs to operate. |
| Impact | TA0040 | Network Denial of Service: Direct Network Flood | T1498.001 | Enterprise | Random data flooded onto the RS485/M-Bus serial lines drowns out communication between sensors and gateways. |
| Inhibit Response Function | TA0107 | Data Destruction | T0809 | ICS | Deleting critical files and wearing out the NAND destroys the gateways’ ability to function. |
| Inhibit Response Function | TA0107 | Denial of Service | T0814 | ICS | The M-Bus/RS485 flood denies service to every sensor on the bus. |
| Impact | TA0105 | Loss of View | T0829 | ICS | Telemetry from the field sensors no longer reaches the central monitoring systems. |
Recommendation
- Assess your current OT/ICS and IoT cybersecurity through a risk assessment and gap analysis.
- Monitor the OT network with a NIDS/NIPS that understands OT protocols (Sectrio offers one), so that brute-force attempts against gateway SSH/Telnet and abnormal traffic on the serial side are seen before devices are bricked.
- Replace default passwords on every OT device and on every device that sits on the OT network, use unique credentials per device and key-based authentication for SSH, and assess the network for insecure remote access (Telnet, or SSH reachable from the cellular/WAN side).
- Implement network segmentation to isolate SCADA systems and sensor gateways from other networks, and restrict management access to them.
- Use behavioural analysis of OT traffic (as in Sectrio’s NIDS/NIPS) to detect targeted attacks of this kind early rather than after the wipe.
- Take an inventory of assets and data, identifying authorized and unauthorized devices and software. Sectrio’s Asset Intelligence module provides an OT/ICS asset inventory and vulnerability management view.
- Continuously monitor OT/ICS networks and assets for behavioural and process deviations at the most granular level, and ship device logs to a central collector, since Fuxnet destroys everything stored locally. Disable shell access and scripting interpreters on devices that do not need them.
- Disable management services the gateways do not need (Telnet first; HTTP and SNMP where not required) and bind the remaining SSH service to the management interface only.
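An added example of the two settings that made the gateways’ SSH brute-forceable, shown as the weak configuration beside the hardened one. This is not code or configuration from the original post, from iRZ, or from Moscollector. It parses `/etc/config/dropbear` in the UCI format OpenWrt uses, plus the root line of `/etc/shadow`; the two configurations and the shadow lines are constructed for the example (the hash in the second shadow line is a placeholder), and the empty-password check relies on OpenWrt shipping root with no password set until one is configured.

```python
"""Audit an OpenWrt gateway's SSH settings for the weaknesses exploited in
the Fuxnet campaign. Added example with constructed configs and shadow lines."""
import re
from typing import Dict, List

# Constructed: /etc/config/dropbear as OpenWrt ships it (password logins on,
# listening on every interface, including the cellular/WAN side).
WEAK_DROPBEAR = """\
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'
"""

# Constructed: hardened form. Keys only, and bound to the LAN-side interface
# so the daemon is unreachable from the 3G network.
HARDENED_DROPBEAR = """\
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'
	option Interface 'lan'
"""

# Constructed /etc/shadow root entries. OpenWrt's default root has an empty
# password field; the second line has a placeholder hash, not a real one.
SHADOW_DEFAULT_ROOT = "root::0:0:99999:7:::"
SHADOW_SET_ROOT = "root:$1$saltsalt$placeholderhashvalue00000:19800:0:99999:7:::"

OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'", re.M)


def parse_uci_options(text: str) -> Dict[str, str]:
    """Collect `option NAME 'VALUE'` pairs from a single-section UCI file."""
    return {name: value for name, value in OPTION_RE.findall(text)}


def audit_dropbear(config_text: str) -> List[str]:
    """Flag settings that allow password guessing or WAN-side exposure.
    Missing options fall back to OpenWrt's defaults (auth on, all interfaces)."""
    opts = parse_uci_options(config_text)
    findings = []
    if opts.get("PasswordAuth", "on") == "on":
        findings.append("PasswordAuth on: SSH accepts passwords, so it can be brute-forced")
    if opts.get("RootPasswordAuth", "on") == "on":
        findings.append("RootPasswordAuth on: root itself can log in with a password")
    if "Interface" not in opts:
        findings.append("no Interface binding: SSH listens on all interfaces, including the 3G/WAN side")
    return findings


def audit_shadow(root_line: str) -> List[str]:
    """An empty hash field means the factory default was never changed."""
    fields = root_line.split(":")
    if fields[0] == "root" and fields[1] == "":
        return ["root has an empty password (factory default never changed)"]
    return []


def audit_gateway(config_text: str, shadow_root_line: str) -> List[str]:
    return audit_dropbear(config_text) + audit_shadow(shadow_root_line)


if __name__ == "__main__":
    for label, cfg, shadow in (("weak", WEAK_DROPBEAR, SHADOW_DEFAULT_ROOT),
                               ("hardened", HARDENED_DROPBEAR, SHADOW_SET_ROOT)):
        print(label, audit_gateway(cfg, shadow) or ["no findings"])
```

Run across configurations pulled from a fleet of gateways, the audit turns the “no default passwords, no exposed remote access” recommendation into something that can be checked device by device rather than assumed.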
This blog is attributed to Yash Mehta from Sectrio’s threat research team.