Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems

Researchers from Claroty’s Team82 have detailed claims by the Blackjack hacking group, believed to be affiliated with Ukrainian intelligence services, that it carried out a cyberattack damaging emergency detection and response capabilities in Moscow and beyond the Russian capital. Additionally, the website ‘ruexfil.com’ hosts a trove of information about the Moscollector attack, including the Fuxnet malware that Blackjack says it used to damage the Moscollector network operations center. The attackers also posted screenshots of monitoring systems, servers, and databases they say have been wiped and rendered unusable.

Furthermore, the ‘ruexfil’ website also claims the destruction of 87,000 remote sensors and IoT collectors dispersed across Moscow and beyond. Team82 believes that the sensors and collectors are likely intact and that only 500 or more sensor gateways were damaged. Each would have to be individually replaced or have its firmware re-flashed.

The group, linked to cyberattacks this year against a Russian internet provider and Russian military infrastructure, released information this week about an attack it claims to have carried out against Moscollector, a Moscow-based company responsible for the construction and monitoring of underground water, sewage, and communications infrastructure.

“Team82 and Claroty have not been able to confirm the attackers’ claims, nor whether a cyberattack has had an impact on the Russian government’s emergency response capabilities,” Team82 wrote in a Friday blog post. “What follows is our analysis of the Fuxnet malware and claims made by Blackjack, based on the information shared by the attackers.”

For example, Blackjack claims to have damaged or destroyed 87,000 remote sensors and IoT collectors, the post added. “However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact. If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”

The post also identified that Blackjack claims its initial compromise of Moscollector began in June 2023, and since then the group said it has worked slowly in an attempt to cripple the industrial sensors and monitoring infrastructure managed by the company. “On Tuesday, the hackers publicly released information about their activities against Moscollector and the information stolen in the attack on the ‘ruexfil’ website,” it added. 

Some of their claims include gaining access to Russia’s 112 emergency service number; hacking and bricking sensors and controllers in critical infrastructure (including airports, subways, gas pipelines), all of which have been disabled; sharing details about and code from the Fuxnet malware used in the attack; and disabling network appliances such as routers and firewalls. Other claims include deleting servers, workstations, and databases; 30 TB of data has been wiped, including backup drives; disabling access to the Moscollector office building (all keycards have been invalidated); and dumping passwords from multiple internal services. 

Team82 identified that screenshots released by the attackers indicate that the impacted sensors are manufactured by a company named AO SBK, a Russian company that manufactures a variety of sensor types, ranging from gas measurement sensors to environmental monitoring equipment. “The array of sensors are used in different types of environments, including within fire alarms, gas monitoring systems, lighting controls, and more,” it added. 

They added that the sensors collect physical data, such as temperature, and transmit it over a serial bus such as RS-485 or Meter-Bus (M-Bus) to a gateway. All the sensors are connected to a gateway, a transmission unit that sends telemetry over the internet to a global monitoring system, giving operators visibility into these systems.

According to the data leaked by the attackers (including screenshots and JSON exports), two types of AO SBK gateways were hacked during the attack. The MPSB is designed for information exchange with external devices through various interfaces and supports Ethernet and serial communication protocols including CAN, RS-232, and RS-485. The TMSB is similar to the MPSB but includes a built-in 3G/4G modem that enables it to transmit data over the internet to a remote system. In both cases the end goal is to transmit data to a global monitoring system.
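As an added illustration, not code from the Team82 report or from any Moscollector system: a monitoring-side check that applies Team82's reasoning, treating a gateway whose sensors all go silent together as a gateway-level failure (the gateway bricked, sensors likely intact) rather than a loss of the sensors themselves. The gateway and sensor identifiers, timestamps, and readings are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the leaked data): each tuple is
# (ISO timestamp, gateway id, sensor id, reading). Sensors sit behind
# a gateway, so a bricked gateway silences every sensor attached to it.
SAMPLE_TELEMETRY = [
    ("2024-04-09T08:00:00", "TMSB-01", "gas-A", 0.12),
    ("2024-04-09T08:00:00", "TMSB-01", "temp-A", 18.5),
    ("2024-04-09T08:10:00", "TMSB-01", "gas-A", 0.11),
    ("2024-04-09T08:10:00", "TMSB-01", "temp-A", 18.7),
    ("2024-04-09T08:00:00", "MPSB-07", "gas-B", 0.20),
    ("2024-04-09T08:00:00", "MPSB-07", "temp-B", 17.9),
    ("2024-04-09T08:05:00", "MPSB-07", "gas-B", 0.21),
    ("2024-04-09T08:30:00", "MPSB-07", "temp-B", 18.0),
    ("2024-04-09T08:30:00", "MPSB-12", "gas-C", 0.15),
    ("2024-04-09T08:30:00", "MPSB-12", "temp-C", 19.1),
]


def last_seen_per_sensor(records):
    """Map (gateway, sensor) to the newest timestamp seen for that sensor."""
    seen = {}
    for ts, gw, sensor, _reading in records:
        t = datetime.fromisoformat(ts)
        if (gw, sensor) not in seen or t > seen[(gw, sensor)]:
            seen[(gw, sensor)] = t
    return seen


def classify_outages(records, now, silence=timedelta(minutes=15)):
    """Classify each gateway as ok, sensor-outage or gateway-outage.

    A sensor is 'silent' if it has not reported within `silence`.
    All sensors silent -> the shared gateway is the likely failure point.
    Some sensors silent -> the gateway is up; only those sensors are lost.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    per_gateway = {}
    for (gw, sensor), t in last_seen_per_sensor(records).items():
        per_gateway.setdefault(gw, {})[sensor] = (now - t) > silence
    result = {}
    for gw, sensors in per_gateway.items():
        silent = sorted(s for s, is_silent in sensors.items() if is_silent)
        if len(silent) == len(sensors):
            status = "gateway-outage"
        elif silent:
            status = "sensor-outage"
        else:
            status = "ok"
        result[gw] = {"status": status, "silent_sensors": silent}
    return result
```

Run against a fleet-wide telemetry feed, a sudden cluster of gateway-outage results with no matching sensor-outage results is the pattern Team82 describes: gateways down, field sensors untouched.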

Blackjack’s alleged attack against Moscollector, a key provider to civilian infrastructure in Moscow and beyond, and its impact on emergency detection and response capabilities cannot be confirmed beyond information leaked by the hacker group and published reports from Ukrainian media. 

Team82’s analysis of the published information from the attack, including the Fuxnet malware, demonstrates that the attackers understood the connected devices critical to the services operated and managed by Moscollector.

The attackers developed and deployed malware that targeted the gateways: it deleted filesystems and directories, disabled remote access and routing services on each device, rewrote flash memory, destroyed NAND memory chips and UBI volumes, and took other actions that further disrupted the operation of these gateways.

Last month, the researchers disclosed the presence of critical hardware vulnerabilities in Unitronics UniStream integrated PLC/HMI products, leading the vendor to update the product line. The vulnerabilities could allow an attacker to bypass authentication and enable remote code execution on devices directly connected to the internet.
