Our investigation following the Sandworm disclosure revealed that the zero-day vulnerability is likely being used to target SCADA operators running GE Intelligent Platforms' CIMPLICITY HMI Solution Suite. Based on our observations, the Sandworm team appears to be using certain files belonging to the CIMPLICITY software as attack vectors.
In a nutshell, CIMPLICITY is a Human Machine Interface (HMI) software suite that SCADA systems use to monitor and control the devices in their environment. The HMI serves as the operator console that oversees automation control and safety operations; it also gives operators real-time visibility into the process from any location and lets them track and analyze previous incidents.
According to our research, the malware targeting CIMPLICITY drops malicious files into the CIMPLICITY installation directory, locating that directory through an environment variable on the victim's machine. However, we have found no indications of SCADA-specific commands being sent by the malware.
As we continue to investigate this critical targeted attack, we encourage system administrators to consider employing whitelisting and application control on SCADA systems and to inspect their networks continuously for signs of intrusion. Also keep tabs on updates on this topic as it develops.
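One way to act on the two points above (the malware writes into the installation directory it locates through an environment variable, and administrators should inspect their systems for intrusion) is to baseline the CIMPLICITY install tree on a known-good host and diff it regularly. The PowerShell script below is an added example written for this post; it is not code from the original article, from GE, or from the malware analysis. It assumes the installation path is exposed in an environment variable named CIMPATH (an assumption; pass -InstallDir if your installation differs) and that the baseline file location under ProgramData is acceptable to you.

```powershell
# Added example (not from the original post): baseline-and-diff check for
# unexpected files in the CIMPLICITY installation directory.
# ASSUMPTION: the install path is exposed in the CIMPATH environment variable.
# Override with -InstallDir if your installation uses a different variable or path.
param(
    [string]$InstallDir   = $env:CIMPATH,
    [string]$BaselinePath = "$env:ProgramData\cimplicity-baseline.json",
    [switch]$WriteBaseline
)

if (-not $InstallDir -or -not (Test-Path $InstallDir)) {
    throw "CIMPLICITY install directory not found (CIMPATH='$env:CIMPATH'); pass -InstallDir explicitly."
}

# SHA-256 of every file under the install tree, keyed by full path.
function Get-TreeHashes([string]$Root) {
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { $table[$_.FullName] = $h.Hash }
        }
    return $table
}

$current = Get-TreeHashes $InstallDir

if ($WriteBaseline) {
    # Take the baseline from a known-good system (fresh install plus vendor patches),
    # never from a host you already suspect.
    $current | ConvertTo-Json -Depth 2 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline of $($current.Count) files written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -WriteBaseline on a known-good host first."
}

# Load the JSON object back into a hashtable of path -> hash.
$baseline = @{}
(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

# Files present now but absent from the baseline match the behaviour described in the
# post (malware writing into the install directory); changed hashes catch replaced binaries.
$added   = $current.Keys  | Where-Object { -not $baseline.ContainsKey($_) }
$changed = $current.Keys  | Where-Object { $baseline.ContainsKey($_) -and $baseline[$_] -ne $current[$_] }
$removed = $baseline.Keys | Where-Object { -not $current.ContainsKey($_) }

# Executable content appearing inside an HMI install tree deserves immediate attention.
$execExt = '.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js'
foreach ($f in $added) {
    $ext  = [IO.Path]::GetExtension($f).ToLower()
    $flag = if ($execExt -contains $ext) { 'ADDED-EXECUTABLE' } else { 'added' }
    Write-Output "$flag`t$f`t$($current[$f])"
}
foreach ($f in $changed) { Write-Output "changed`t$f`t$($baseline[$f]) -> $($current[$f])" }
foreach ($f in $removed) { Write-Output "removed`t$f" }

if (-not $added -and -not $changed -and -not $removed) {
    Write-Output "No differences from baseline."
}
```

Run it once with -WriteBaseline on a clean reference host, copy the resulting JSON to the monitored HMI machines, and schedule the diff run; any ADDED-EXECUTABLE line is a candidate for the whitelisting and application-control rules recommended above, since an HMI install tree should not gain new executable files outside of vendor updates.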