• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Critical FortiSIEM flaw under active exploitation, Fortinet warns

 | 

Charon Ransomware targets Middle East with APT attack methods

 | 

Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

 | 

SAP fixed 26 flaws in August 2025 Update, including 4 Critical

 | 

August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

 | 

Dutch NCSC: Citrix NetScaler zero-day breaches critical orgs

 | 

Chrome sandbox escape nets security researcher $250,000 reward

 | 

Smart Buses flaws expose vehicles to tracking, control, and spying

 | 

MedusaLocker ransomware group is looking for pentesters

 | 

Google confirms Salesforce CRM breach, faces extortion threat

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 57

 | 

Security Affairs newsletter Round 536 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Embargo Ransomware nets $34.2M in crypto since April 2024

 | 

Germany limits police spyware use to serious crimes

 | 

Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom

 | 

French firm Bouygues Telecom suffered a data breach impacting 6.4M customers

 | 

Columbia University data breach impacted 868,969 people

 | 

SonicWall dismisses zero-day fears after Ransomware probe

 | 

Air France and KLM disclosed data breaches following the hack of a third-party platform

 | 

CISA, Microsoft warn of critical Exchange hybrid flaw CVE-2025-53786

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • ICS-SCADA
  • Malware
  • Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

Pierluigi Paganini April 15, 2024

The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against Russian infrastructure.

Industrial and enterprise IoT cybersecurity firm Claroty reported that the Ukrainian Blackjack hacking group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using a destructive ICS malware dubbed Fuxnet.

The Blackjack group is believed to be affiliated with Ukrainian intelligence services that carried out other attacks against Russian targets, including an internet provider and a military infrastructure.

The group claims to have attacked Moscollector, a Moscow-based company, that is responsible for the construction and monitoring of underground water and sewage and communications infrastructure. 

The website ruexfil.com provided detailed information about the attacks against Moscollector, the hackers also published screenshots of monitoring systems, servers, and databases they claim to have compromised.

Fuxnet malware

The site also hosts password dumps allegedly stolen from the Russian company.

Below is the timeline of the attack published on ruexfil.com:

Initial access June 2023.
- Access to 112 Emergency Service.
- 87,000 sensors and controls have been disabled (including Airports, subways, gas-pipelines, ...).
- Fuxnet (stuxnet on steroids) was deployed earlier to slowly and physically destroy sensory equipment
(by NAND/SSD exhaustion and introducing bad CRC into the firmware). (YouTube Video 1, YouTube Video 2).
- Fuxnet has now started to flood the RS485/MBus and is sending 'random' commands to 87,000 embedded
control and sensory systems (carefully excluding hospitals, airports, ...and other civilian targets).
- All servers have been deleted. All routers have been reset to factory reset. Most workstations (including
the admins workstations) have been deleted.
- Access to the office building has been disabled (all key-cards have been invalidated).
- Moscollector has recently been certified by the FSB for being 'secure & trusted' (picture included)
- Defaced the webpage (https://web.archive.org/web/20240409020908/https://moscollector.ru/)

The website reported that Blackjack destroyed about 1,700 sensor routers deployed at airports, subways, gas-pipelines. The group also disrupted the central command-dispatcher and database. The attack brought all 87,000 sensors offline, threat actors also wiped databases, backups, and email servers, a total of 30TB of data.

“Fuxnet has now started to flood the RS485/MBus and is sending ‘random’ commands to 87,000 embedded control and sensory systems (carefully excluding hospitals, airports, …and other civilian targets).” states the website.

Team82 and Claroty have been unable to verify the attackers’ claims, however, they conducted a detailed analysis of the Fuxnet malware relying on information provided by the attackers.

“For example, Blackjack claims to have damaged or destroyed 87,000 remote sensors and IoT collectors. However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact.” reads the analysis published by Claroty. “If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”

The attack chain sees hackers targeting a list of sensor gateways IPs. Threat actors distributed their malware to each target, likely either through remote-access protocols such as SSH or the sensor protocol (SBK) over port 4321.

Upon running on the target device, the malware initiates a new child process to lock out the device. The malicious code remounts the filesystem with write access, then delete essential filesystem files and directories and disables remote access services such as SSH, HTTP, telnet, and SNMP. This prevents remote access for restoring operations even if the router remains functional.

Subsequently, the threat actors erase the router’s routing table, rendering its communication with other devices non-functional. Finally, the malware deletes the filesystem and rewrites the flash memory using the operating system’s mtdblock devices.

Once it has corrupted the file system and isolated the device, the malware attempts to destroy the NAND memory chip physically and rewrites the UBI volume to prevent rebooting. 

“In order to ensure the sensor does not reboot again, the malware rewrites the UBI volume. First, the malware uses the IOCTL interface UBI_IOCVOLUP allowing it to interact with the management layer controlling the flash memory, which tells the kernel that the UBI volume will be rewritten, and that x-number of bytes will be written.” continues the report. “In its normal behavior, the kernel will know that the rewrite is finished only when x-number of bytes were written. However, the malware will not write x-number of bytes to the UBI, instead it will write fewer bytes than it declares, causing the device to wait for the rewrite to finish indefinitely.”  

The malware overwrites the UBI volume with junk data (0xFF), making the UBI useless and the filesystem becomes unstable.

The malware also tries to disrupt gateway-connected sensors by flooding serial channels with random data, overloading the serial bus and the sensors.

“The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways.” concludes the report.

(SecurityAffairs – hacking, Fuxnet)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini


facebook linkedin twitter

Blackjack Fuxnet Hacking hacking news ICS information security news IT Information Security malware Pierluigi Paganini Russia SCADA Security Affairs Security News Ukraine

you might also like

Pierluigi Paganini August 13, 2025
Critical FortiSIEM flaw under active exploitation, Fortinet warns
Read more
Pierluigi Paganini August 13, 2025
Charon Ransomware targets Middle East with APT attack methods
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Critical FortiSIEM flaw under active exploitation, Fortinet warns

    Hacking / August 13, 2025

    Charon Ransomware targets Middle East with APT attack methods

    Malware / August 13, 2025

    Hackers leak 2.8M sensitive records from Allianz Life in Salesforce data breach

    Data Breach / August 13, 2025

    SAP fixed 26 flaws in August 2025 Update, including 4 Critical

    Uncategorized / August 13, 2025

    August 2025 Patch Tuesday fixes a Windows Kerberos Zero-Day

    Hacking / August 12, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT