BlackEnergy malware activity spiked in run-up to Ukraine power grid takedown
But its role in the attack remains unclear
Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine's power grid in December 2015.
A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online.
Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23.
"In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine," Flom notes.
"Whether or not the attack was nation state-sponsored, the source code for most of the components that were used is available for purchase and download on the open Web," Flom writes. "It's no longer far fetched that a similar attack could be conducted by non-nation state-sponsored groups for criminal purposes."
BlackEnergy has evolved from a "relatively simple" distributed denial-of-service attack tool of early 2007 to a highly capable blob of malware over the last eight years, according to Flom.
The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine – which affected 225,000 customers – was caused by outside attackers.
Representatives of the US Department of Homeland Security (DHS), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack. The Ukrainian government and the three impacted power utilities (named elsewhere as Prykarpattya, Oblenergo and Kyivoblenergo) collaborated with the investigation, which concluded that the assault involved a great deal of coordination and planning, culminating with an attempt to destroy evidence on field devices using wiper malware.
The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable.
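As an added illustration (not taken from the ICS-CERT report or this article), here is a forensic triage check for the kind of damage described above: it inspects a 512-byte master boot record for signs that it was overwritten. It tests generic MBR structure only, not any KillDisk-specific marker, and the sample sectors and function names are constructed for the example.

```python
import struct

SECTOR = 512

def triage_mbr(sector: bytes) -> list[str]:
    """Return findings for a 512-byte MBR sector; an empty list means it looks sane."""
    if len(sector) != SECTOR:
        return ["short read: expected 512 bytes"]
    findings = []
    if len(set(sector)) == 1:
        findings.append(f"sector filled with single byte 0x{sector[0]:02x}")
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    used = 0
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        if entry == b"\x00" * 16:
            continue  # unused slot
        used += 1
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
        if ptype == 0 or lba_start == 0 or sectors == 0:
            findings.append(f"partition {i}: empty type, start or length")
    if used == 0:
        findings.append("partition table is empty")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample: one active partition (type 0x07) starting at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    samples = {
        "intact (constructed)": build_sample_mbr(),
        "zero-filled (constructed)": b"\x00" * SECTOR,
        "pattern-overwritten (constructed)": bytes(range(256)) * 2,
    }
    for name, data in samples.items():
        print(name, "->", triage_mbr(data) or "no findings")
```

On a real host the same function would be fed the first 512 bytes of a disk image acquired read-only.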
The whole incident has generated a great deal of interest because it's reckoned to represent the first time that hackers have successfully attacked a power grid. For context, it's worth pointing out that outages caused by squirrels chewing through electricity cables and the like are commonplace. A growing number of experts have come to regard the Ukraine energy utility attacks as the most significant malware-based hack attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010.
BlackEnergy malware was discovered on the affected companies' computer networks. However, it is important to note that ICS-CERT investigators reckon the precise role of the potent cyber-pathogen in the attack remains as yet unclear.
Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote-access Trojan could have been used, and none of BlackEnergy's specific capabilities were reportedly leveraged.
A mining company and a large railway operator in Ukraine were also hit by BlackEnergy, so the run of attacks was far from limited to the power distribution sector. The possible motivations of the hackers range from an attempt to disable Ukraine economically to a test of the power of their malware against real life targets. Russia is the obvious prime suspect in this malfeasance, and this is supported by plenty of circumstantial evidence, although nothing incontrovertible and certainly no smoking gun.
Security researchers at the SANS Institute have put together a reaction to the ICS-CERT report ahead of their own forthcoming study, which will focus on how to defend against similar attacks on industrial control systems in future.
Industrial control system security expert Robert M Lee argues that ICS-CERT unnecessarily hedged its bets over calling BlackEnergy a central vector of the attack. "ICS-CERT is very shy in stating that BlackEnergy3 was involved in the incident," Lee writes. "I understand their hesitation, but the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources. The malware, however, was not responsible for the outage. It just enabled the attackers, as the SANS team and others in the community have said all along," he added.