A quick review of the Black Vine timeline helps underscore the significant resources the group possessed. In late December 2012, independent security researcher Eric Romang uncovered the compromise of domain name capstoneturbine.com, which is owned and operated by Capstone Turbine, a maker of gas turbines used by energy companies. As a result, anyone who visited Capstone Turbine’s website using Microsoft’s Internet Explorer browser was infected with a backdoor that Symantec researchers have dubbed Sakurel.
The “watering hole” attack—so called because it targeted a website frequented by people in the energy and aerospace industries—exploited what in 2012 was a previously unknown vulnerability in IE, CVE-2012-4792. Further demonstrating Black Vine’s resources, the Sakurel malware the exploit installed was digitally signed using a certificate issued to an organization called Micro Digital Inc. in order to bypass Windows security checks. In the last week of 2012, Black Vine targeted a second turbine power and technology manufacturer, an indication that the hackers’ primary interest at the time was energy-related. In February 2014, when the group compromised the website of a European aerospace company, the hackers exploited a newer zero-day vulnerability in IE, this time CVE-2014-0322.
This does not come as a surprise. Once a group finds and leverages an attack technique, it will often share the code or exploit with its peers, primarily as a way of bragging about its findings.