BlackEnergy targets Ukrainian news media and electric industry

Pierluigi Paganini January 04, 2016

Security experts at ESET firm provided details of the new campaign based on the BlackEnergy Trojan that targeted Ukrainian news media and electric industry in 2015.

A new wave of malware-based attacks is targeting media outlets and energy companies in Ukraines, the attackers rely on malicious code that is able to wipe hard drives of the infected systems. The security expert from ESET Anton Cherepanov explained that hackers are attacking a group of unnamed organisations in the country with the BlackEnergy trojan.

BlackEnergy is a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used during the conflict Russia-Georgia conflict, the malicious code was used to launch cyber attacks against the infrastructure of Georgia.

The BlackEnergy malware was authored by a Russian hacker and originally used for DDoS attacksbank frauds and spam distribution, but the new variant was used in targeted attacks on government entities and private companies across a range of industries.

According to the report proposed by experts at ESET in 2014, the malware targeted more than 100 government and industry organizations in Poland and the Ukraine, F-Secure reported other attacks based on BlackEnergy which hit a target in Brussels.

F-Secure security advisor Sean Sullivan speculated that BlackEnergy detected in Brussels has been used in a targeted attack on the European Parliament or European Commission.

“A large number of state organizations and businesses from various industry fields in the Ukraine and Poland have been targeted in recent attacks. What would otherwise be a mundane scenario in today’s world of cybercrime is spiced up by the fact that the malware-spreading campaigns have leveraged the tense current geopolitical situation in Eastern Ukraine and the use of a malware family with a rich history. The most recent campaigns are dated August 2014.” states the blog post on VirusBulletin

According to ESET the campaign targeted  hundreds of victims mainly located in Eastern Europe.

“We have observed more than 100 individual victims of these campaigns during our monitoring of the botnets,” Lipovsky said. “Approximately half of these victims are situated in Ukraine and half in Poland, and include several state organisations, various businesses, as well as targets which we were unable to identify.” 

The same nations hit by BlackEnergy malware were already targeted by another cyber espionage campaign documented by F-Secure, dubbed CosmicDuke, which targeted dozens of computers at government agencies across Europe.

Now experts at ESET discovered a new component in the BlackEnergy trojan, the KillDisk component, which is capable of destroying some 4000 different file types and rendering machines unbootable.

The KillDisk component used to compromise the energy companies in Ukraine was slightly different from other versions, below the list of new features observed by the experts:

  • Now it accepts a command line argument, to set a specific time delay when the destructive payload should activate.
  • It also deletes Windows EventLogs : Application, Security, Setup, System.
  • It is less focused on deleting documents. Only 35 file extensions are targeted.
Blackenergy Figure_1_config_example

The BlackEnergy configuration example used in 2015 (ESET)

The strain of malware detected by ESET in 2015 also uses a previously unknown SSH backdoor to access the infected systems, in addition to BlackEnergy backdoor.

“ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. ” states the blog post published by ESET.

The experts at ESET highlighted the presence of Build IS numbers in the BlackEnergy code, these data could provide information useful for the attribution of the malicious code. In the specific case the build identity numbers suggest the possible involvement of Russian hackers, but ESET avoids confirming it.

“Apart from a list of C&C servers, the BlackEnergy config contains a value called build_id. This value is a unique text string used to identify individual infections or infection attempts by the BlackEnergy malware operators. The combinations of letters and numbers used can sometimes reveal information about the campaign and targets.” states the post “We can speculate that some of them have a special meaning. For example 2015telsmi could contain the Russian acronym SMI – Sredstva Massovoj Informacii, 2015en could mean Energy, and there’s also the obvious “Kiev”.”

Give a look to the report published by ESET that also includes Indicators of Compromise (IoC).

Pierluigi Paganini

(Security Affairs – BlackEnergy Trojan, cyber espionage)

you might also like

leave a comment