Earlier this year, the second largest health insurance provider in the US publicly disclosed that it had been the victim of a major cyberattack. The attack against Anthem resulted in the largest known healthcare data breach to date, with 80 million patient records exposed.
Symantec believes that the attackers behind the Anthem breach are part of a highly resourceful cyberespionage group called Black Vine. The Anthem attack is only one of multiple campaigns that Symantec has attributed to this group.
Symantec’s latest whitepaper documents multiple Black Vine operations that have been occurring since 2012. Black Vine’s targets include gas turbine manufacturers, large aerospace and aviation companies, healthcare providers, and more. The group has access to zero-day exploits, most likely obtained through the Elderwood framework, and uses custom-developed back door malware.
By connecting multiple Black Vine campaigns, we traced how the attack group has evolved over the last three years.
Black Vine’s attacks to date delivered exploits for the following zero-day vulnerabilities, primarily through watering-hole attacks:
- Microsoft Internet Explorer ‘CDwnBindInfo’ Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792)
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
In its campaigns, Black Vine compromised legitimate websites that were of interest to its targets in order to serve exploits to the sites’ visitors. If the zero-day exploits successfully worked against the vulnerable software on the victim’s computer, then they dropped Black Vine’s custom malware, providing the attackers with remote access to the computer. In addition to watering-hole attacks, Black Vine also sent spear-phishing emails that disguised its threats using technology-themed lures.
Black Vine has compromised companies in the following industries:
- Energy (gas & electric turbine manufacturing)
- Military and defense
Black Vine’s targets are spread across several regions, based on the IP address locations of the compromised computers. The vast majority of infections affected companies in the US, followed by China, Canada, Italy, Denmark, and India.
Symantec observed Black Vine using three types of custom malware throughout its campaigns: Hurix and Sakurel (both detected as Trojan.Sakurel), and Mivast (detected asBackdoor.Mivast).
All three threats can perform the following actions:
- Open a back door
- Execute files and commands
- Delete, modify, and create registry keys
- Gather information from the infected computer
Our analysis suggests that Black Vine is well resourced, as the group is capable of frequently updating and modifying its malware to avoid detection.
The Elderwood connection
During our analysis, we noticed that Black Vine used certain zero-day exploits at the same time that other attack groups used them. The other campaigns have been previously investigated by Symantec, such as one by Hidden Lynx.
While these campaigns included the same zero-day exploits, they delivered different payloads unique to each attack group. The fact that these different adversaries simultaneously used the same exploits suggests that they all have access to a common zero-day exploit distribution framework.
Symantec has previously identified the framework in question as the Elderwood platform. We first researched the platform in 2012 and observed how it has been continuously updated with the latest zero-day exploits ever since. In 2014, we discovered that several attack groups were likely using the Elderwood framework, rather than just one. All of the campaigns that leveraged Elderwood’s zero-day exploits have been attributed to attackers based in China.
Other reports suggest that some of the actors involved in Black Vine’s activity may have had connections with a Beijing-based IT security firm called Topsec.