On October 14th, a report was publicly released regarding the Sandworm team. After beginning an investigation into the affiliated malware samples and domains, we quickly came to the realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platforms' CIMPLICITY HMI solution suite. We have observed this team utilizing .cim and .bcl files as attack vectors, both of which are file types used by the CIMPLICITY software. As further proof that the malware targets CIMPLICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.
CIMPLICITY is an application suite that is used in conjunction with SCADA systems. A key component of any SCADA system is the HMI. The HMI (which stands for Human-Machine Interface) can be viewed as an operator console that is used to monitor and control devices in an industrial environment. These devices can be responsible for automation control as well as safety operations.
Read more about the Sandworm team's attacks on SCADA-centric systems on TrendMicro Labs.