Researchers noted that the Sandworm Team (referred to as "BE2 APT" by Kaspersky) apparently “protected their servers by keeping their non-Windows hacker tools and plug-ins in separate servers or server folders.”
“Finally, each CnC server hosts a different set of plug-ins, meaning that each server works with different victims and uses plug-ins based on its current needs,” the blog post continued.
In its findings, Kaspersky said that Sandworm holds an “expansive interest” in industrial control system (ICS) organizations, such as power generation site owners and operators, large suppliers and manufacturers of heavy power-related materials, and ICS investors.
Kurt Baumgartner, one of the authors of the blog post, who serves as a principal security specialist with Kaspersky Lab, said in Tuesday email correspondence with SCMagazine.com that BlackEnergy's ability to attack ARM and MIPS platforms demonstrates how the APT group has created “new avenues of attack and delivery.”
“They can hop onto routers and other larger embedded equipment,” he wrote. “They can launch DDoS from equipment that cannot easily come down for business uptime reasons or possibly hop across previously unreachable network segments like SCADA environments,” Baumgartner continued. “This new support also changes ICS operators' assumptions, and translates into additional mitigation efforts.”
In the report, researchers point out two versions of BlackEnergy, BE2 and BE3, used in the attacks, but Baumgartner said that BlackEnergy3 “seems to have been a delivery vehicle for BlackEnergy2 at a victim site.”
Included in the report were indicators of compromise (IOCs) for BE2 and BE3, along with attack methods Sandworm Team used to target four unnamed victim organizations.