Two dangerous malware tools targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments in Europe are the latest manifestations of the cyber fallout from the war in Ukraine.
One of the tools, dubbed “Kapeka,” appears linked to Sandworm, a prolific Russian state-backed threat actor that Google’s Mandiant security group this week described as Russia’s primary cyber attack unit in Ukraine. Security researchers at the Finnish company WithSecure have observed the backdoor in 2023 attacks against an Estonian logistics company and other targets in Eastern Europe and consider it an active and ongoing threat.
Destructive malware
The other malware, the somewhat colorfully named Fuxnet, is a tool that the Ukrainian government-backed threat group Blackjack likely used in a recent destructive attack against Moskollector, a company that maintains a large network of sensors monitoring Moscow’s sewer system. The attackers used Fuxnet to brick what they claimed were a total of 1,700 sensor gateways on Moskollector’s network, disabling in the process the roughly 87,000 sensors connected to those gateways.
“The main functionality of the Fuxnet ICS malware was to corrupt and block access to sensor gateways and attempt to corrupt physical sensors as well,” says Sharon Brizinov, director of vulnerability research at ICS security firm Claroty, which recently investigated Blackjack’s attack. Following the attack, Moskollector will likely have to physically reach each of the thousands of affected devices and replace them individually, Brizinov says. “[To] restore [Moskollector’s] ability to monitor and manage the sewer system throughout Moscow, they will have to procure and restore the entire system.”
Kapeka and Fuxnet are examples of the broader cyber fallout of the conflict between Russia and Ukraine. Since the war between the two countries began in February 2022, and for years before that, hacker groups on both sides have developed and used numerous malware tools against each other. Many of these tools, including wipers and ransomware, were disruptive or destructive in nature and primarily targeted critical infrastructure, ICS and OT environments in the two countries.
But on several occasions, tools born of the long-standing conflict between the two countries have affected a far wider range of victims. The most notable example remains NotPetya, malware that the Sandworm group originally developed for use in Ukraine but which ended up affecting tens of thousands of systems worldwide in 2017. In 2023, the UK National Cyber Security Centre (NCSC) and the US National Security Agency (NSA) warned of a Sandworm malware toolset dubbed “Infamous Chisel” that poses a threat to Android users around the world.
Kapeka: A Sandworm Replacement for GreyEnergy?
According to WithSecure, Kapeka is a new backdoor that attackers can use as an early-stage toolkit and to maintain long-term persistence on a victim system. The malware includes a dropper component that installs the backdoor on the target computer and then removes itself. “Kapeka supports all the basic features that allow it to operate as a flexible backdoor into the victim’s assets,” says Mohammad Kazem Hassan Nejad, researcher at WithSecure.
Its capabilities include reading and writing files to and from disk, executing shell commands, and launching malicious payloads and processes, including living-off-the-land binaries. “After gaining initial access, the Kapeka operator can use the backdoor to perform a wide variety of tasks on the victim’s computer, such as discovery, deploying additional malware, and organizing subsequent stages of the attack,” says Nejad.
According to Nejad, WithSecure found evidence suggesting a link to Sandworm and the group’s GreyEnergy malware, used in attacks on the Ukrainian power grid in 2018. “We believe Kapeka can replace GreyEnergy in Sandworm’s arsenal,” notes Nejad. Although the two malware families do not share source code, there is some conceptual overlap between Kapeka and GreyEnergy, just as there was between GreyEnergy and its predecessor, BlackEnergy. “This indicates that Sandworm may have updated its arsenal with new tools over time to adapt to the changing threat landscape,” Nejad says.
Fuxnet: a tool to disrupt and destroy
Meanwhile, Claroty’s Brizinov describes Fuxnet as ICS malware built to damage specific Russian-made sensor equipment. The malware is intended for deployment on gateways that monitor and collect data from physical sensors for fire alarms, gas monitoring, lighting and similar use cases.
“Once deployed, the malware will brick gateways by overwriting the NAND chip and disabling external remote access capabilities, preventing operators from remotely controlling the devices,” says Brizinov.
A separate module then attempts to flood the physical sensors themselves with useless M-Bus traffic. M-Bus (Meter-Bus) is a European standard protocol for the remote reading of gas, water, electricity and other meters. “One of the main purposes of the Blackjack Fuxnet ICS malware [is] to attack and destroy the physical sensors themselves after gaining access to the sensor gateway,” Brizinov says. To do this, Blackjack chose to disable the sensors by sending them an endless stream of M-Bus packets. “Essentially, BlackJack was hoping that by endlessly sending random M-Bus packets to the sensors, the packets would overwhelm them and potentially trigger a vulnerability that would corrupt the sensors and put them in an unusable state,” he says.
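A defender watching a serial or IP-tunnelled M-Bus segment would want to notice this kind of flood before the sensors do. The following Python script is an added example written for this page, not code from Claroty, Blackjack or the article: it validates M-Bus frames using the EN 13757-2 framing (start byte, repeated length byte, arithmetic checksum over C/A/CI/data, 0x16 stop byte), walks a byte stream while resynchronising on anything that does not decode, and flags the stream as flood-like when most bytes belong to no valid frame or the frame count far exceeds a normal polling cycle. The sample traffic, the seeded random flood and the two thresholds are constructed assumptions, not captured data.

```python
"""Validate M-Bus (EN 13757-2) frames and flag a random-packet flood.
Constructed example for this page; sample traffic is synthetic."""
import random
from dataclasses import dataclass

MBUS_ACK = 0xE5          # single-character acknowledge
MBUS_SHORT_START = 0x10  # short frame:        10 C A CS 16
MBUS_LONG_START = 0x68   # control/long frame: 68 L L 68 C A CI [data] CS 16
MBUS_STOP = 0x16


@dataclass
class Frame:
    kind: str          # "ack", "short", "control" or "long"
    c: int = 0         # control field
    a: int = 0         # primary address
    ci: int = 0        # control information (control/long frames only)
    data: bytes = b""  # user data (long frames only)


def checksum(body: bytes) -> int:
    """M-Bus checksum: arithmetic sum of C, A, CI and user data, modulo 256."""
    return sum(body) & 0xFF


def build_short(c: int, a: int) -> bytes:
    body = bytes([c, a])
    return bytes([MBUS_SHORT_START]) + body + bytes([checksum(body), MBUS_STOP])


def build_long(c: int, a: int, ci: int, data: bytes = b"") -> bytes:
    body = bytes([c, a, ci]) + data
    length = len(body)
    return (bytes([MBUS_LONG_START, length, length, MBUS_LONG_START])
            + body + bytes([checksum(body), MBUS_STOP]))


def parse_frame(buf: bytes, pos: int = 0):
    """Parse one frame at buf[pos]. Returns (Frame, bytes consumed) on success
    and (None, 1) on anything malformed, so the caller resyncs one byte later."""
    if pos >= len(buf):
        return None, 0
    b0 = buf[pos]
    if b0 == MBUS_ACK:
        return Frame("ack"), 1
    if b0 == MBUS_SHORT_START:
        if pos + 5 > len(buf):
            return None, 1
        c, a, cs, stop = buf[pos + 1:pos + 5]
        if stop == MBUS_STOP and cs == checksum(bytes([c, a])):
            return Frame("short", c, a), 5
        return None, 1
    if b0 == MBUS_LONG_START:
        if pos + 4 > len(buf):
            return None, 1
        l1, l2, start2 = buf[pos + 1], buf[pos + 2], buf[pos + 3]
        # both length bytes must agree, the start byte repeats, C/A/CI are mandatory
        if l1 != l2 or start2 != MBUS_LONG_START or l1 < 3:
            return None, 1
        end = pos + 4 + l1 + 2
        if end > len(buf):
            return None, 1
        body = buf[pos + 4:pos + 4 + l1]
        cs, stop = buf[pos + 4 + l1], buf[pos + 5 + l1]
        if stop != MBUS_STOP or cs != checksum(body):
            return None, 1
        kind = "control" if l1 == 3 else "long"
        return Frame(kind, body[0], body[1], body[2], bytes(body[3:])), end - pos
    return None, 1


def scan_stream(buf: bytes) -> dict:
    """Walk a byte stream, collecting valid frames and counting bytes that
    belong to no decodable frame (junk)."""
    frames, junk, pos = [], 0, 0
    while pos < len(buf):
        frame, used = parse_frame(buf, pos)
        if frame is None:
            junk += 1
        else:
            frames.append(frame)
        pos += used
    ratio = junk / len(buf) if buf else 0.0
    return {"frames": frames, "valid": len(frames), "junk": junk, "junk_ratio": ratio}


def looks_like_flood(stats: dict, max_junk_ratio: float = 0.2, max_frames: int = 1000) -> bool:
    """Heuristic: a legitimate master sends a handful of well-formed frames per
    poll. A stream that is mostly undecodable bytes, or that carries far more
    frames than a polling cycle should, matches the random-packet flood.
    Both thresholds are assumptions to tune per site."""
    return stats["junk_ratio"] > max_junk_ratio or stats["valid"] > max_frames


# Constructed normal exchange: SND_NKE to address 1, ACK, REQ_UD2, RSP_UD reply.
NORMAL = (build_short(0x40, 0x01) + bytes([MBUS_ACK]) + build_short(0x5B, 0x01)
          + build_long(0x08, 0x01, 0x72, bytes.fromhex("78563412")))

# Constructed flood: 4 KiB of seeded random bytes standing in for random packets.
_rng = random.Random(2024)
FLOOD = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("flood", FLOOD)):
        s = scan_stream(stream)
        print(f"{name}: valid={s['valid']} junk={s['junk']} "
              f"junk_ratio={s['junk_ratio']:.2f} flood={looks_like_flood(s)}")
```

The junk-ratio check catches the random-bytes case; the frame-count check catches the other way to flood a bus, repeating a syntactically valid frame thousands of times, which the checksum alone would never reject.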
The key to defending against such attacks is attention to security fundamentals, Brizinov says. Blackjack, for example, appears to have gained root access to the target sensor gateways by abusing weak credentials on the devices. The attack highlights why “it’s important to uphold a good password policy, ensuring that devices don’t share the same credentials or use the default ones,” he says. “It is also important to implement good network sanitization and segmentation, ensuring that attackers are not able to move laterally within the network and distribute their malware across all edge devices.”