Earlier this year, the second largest health insurance provider in the US publicly disclosed that it had been the victim of a major cyber attack which is believed to be the work of a well-resourced cyber espionage group which Symantec calls ‘Black Vine’.
The attack against Anthem resulted in the largest known healthcare data breach to date, with 80 million patient records exposed.
Black Vine’s targets include gas turbine manufacturers, large aerospace and aviation companies, healthcare providers, and more. The group has access to zero-day exploits, most likely obtained through the Elderwood framework, and uses custom-developed back door malware.
This is how the attack group has evolved over the last three years.
Background
Black Vine’s attacks to date delivered exploits for the following zero-day vulnerabilities, primarily through watering-hole attacks:
- Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792)
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
In its campaigns, Black Vine compromised legitimate websites that were of interest to its targets in order to serve exploits to the sites’ visitors. If the zero-day exploits successfully worked against the vulnerable software on the victim’s computer, then they dropped Black Vine’s custom malware, providing the attackers with remote access to the computer. In addition to watering-hole attacks, Black Vine also sent spear-phishing emails that disguised its threats using technology-themed lures.
Black Vine has compromised companies in the following industries:
- Aerospace
- Healthcare
- Energy (gas & electric turbine manufacturing)
- Military and defense
- Finance
- Agriculture
- Technology
Black Vine’s targets are spread across several regions, based on the IP address locations of the compromised computers. The vast majority of infections affected companies in the US, followed by China, Canada, Italy, Denmark, and India.
Malware
Symantec observed Black Vine using three types of custom malware throughout its campaigns: Hurix and Sakurel (both detected as Trojan.Sakurel), and Mivast (detected asBackdoor.Mivast).
All three threats can perform the following actions:
- Open a back door
- Execute files and commands
- Delete, modify, and create registry keys
- Gather information from the infected computer
Our analysis suggests that Black Vine is well resourced, as the group is capable of frequently updating and modifying its malware to avoid detection.
The Elderwood connection
During our analysis, we noticed that Black Vine used certain zero-day exploits at the same time that other attack groups used them. The other campaigns have been previously investigated by Symantec, such as one by Hidden Lynx.
While these campaigns included the same zero-day exploits, they delivered different payloads unique to each attack group. The fact that these different adversaries simultaneously used the same exploits suggests that they all have access to a common zero-day exploit distribution framework.
Symantec has previously identified the framework in question as the Elderwood platform. We first researched the platform in 2012 and observed how it has been continuously updated with the latest zero-day exploits ever since. In 2014, we discovered that several attack groups were likely using the Elderwood framework, rather than just one. All of the campaigns that leveraged Elderwood’s zero-day exploits have been attributed to attackers based in China.
Other reports suggest that some of the actors involved in Black Vine’s activity may have had connections with a Beijing-based IT security firm called Topsec.
Conclusion
Black Vine is a formidable, highly resourced attack group which is equipped to conduct cyber espionage against targeted organizations. Based on our records of its past campaigns, Symantec believes that Black Vine’s malicious activity will continue.
We hope that our whitepaper will allow organizations to better understand the risk that this attack group poses, helping them to develop stronger defenses for their sensitive information.