A cyber espionage group called Black Vine is targeting multiple industries including energy, aerospace and healthcare, researchers said.
The most prominent attack came to light last year when healthcare provider, Anthem, suffered a breach and over 80 million records ended up stolen. That attack came to light when an administrator noticed multiple queries running from the account, but someone else had executed the queries. That discovery of the database queries soon led Anthem to realize that it was under attack from an advanced cyber espionage group.
The breach, conducted by Black Vine, was only one of several targeted campaigns, which spread across multiple industries, according to a report by security provider Symantec. Since 2012, Black Vine has conducted targeted attacks against multiple industries, including the energy, aerospace, and healthcare sectors.
The group, in existence since 2012, uses advanced custom-developed malware, Zero Day exploits, and other tactics, techniques and procedures (TTPs) typically associated with highly capable, organized attackers, the Symantec report said.
Symantec went on to study Black Vine’s known attacks since 2012. Connecting multiple Black Vine campaigns over time not only shows the group’s previous operations, but also demonstrates how the attackers have rolled with the times.
After researching Black Vine’s attacks over time, Symantec identified the following key findings:
• Black Vine is responsible for carrying out cyber espionage campaigns against multiple industries, including energy, aerospace, and healthcare.
• Black Vine conducts watering-hole attacks targeting legitimate energy- and aerospace-related websites to compromise the sites’ visitors with custom malware.
• Black Vine appears to have access to the Elderwood framework, used to distribute Zero Day exploits among threat groups that specialize in cyber espionage.
• Black Vine uses custom-developed malware and has resources to frequently update and modify its malware to avoid detection.
Symantec research found Black Vine is an attack group with working relationships with multiple cyber espionage groups. The group has solid funding, well organized, and consists of at least a few members, some of which may have a past or present association with a China-based IT security organization called Topsec.
Over the course of the Black Vine investigation, Symantec identified a number of targeted companies across several verticals. They found analysis of attack data alone is misleading because of Black Vine’s attack vectors. Black Vine frequently conducts watering-hole attacks, which is when a legitimate website ends up compromised by an attacker and forced to serve malware to visitors of the website.
As a result, an analysis of compromised computers alone does not portray an accurate picture of Black Vine’s targeting objectives, Symantec said. Instead, it showed the industries with the highest infection rates of Black Vine’s malware.
To further determine Black Vine’s intended target industries, Symantec assessed the companies who own the affected websites. Symantec also investigated attacks conducted by Black Vine which didn’t involve watering-hole attacks. After assessing multiple attack verticals, Symantec believes Black Vine’s primary targeted industries have been aerospace and healthcare. It is likely that other affected industries may have been secondary targets.
Black Vine’s targets are across several regions, based on the IP address locations of the compromised computers. The vast majority of affected companies are in the U.S., followed by China, Canada, Italy, Denmark, and India.
Black Vine used three variants of malware throughout the years known as Hurix, Sakurel, and Mivast. All three variants originated from one malware family likely created and updated by the same author or developer, Symantec said. Each variant ended up updated to add features and re-hashed to avoid detection.
In a number of attacks, the malware ended up delivered onto the victim’s computer after Black Vine has exploited a Zero Day vulnerability primarily through watering-hole attacks. The Zero Day exploits used in these attacks went out via the Elderwood distribution framework.
The goal of all analyzed Black Vine campaigns has been cyber espionage.
Click here for the full report.