The BlackEnergy malware was a key element of the Ukraine power outage

Pierluigi Paganini January 11, 2016

According to security experts, the BlackEnergy malware was a key element of the attack against the Ukrainian power grid that caused the power outage.

On December 23, the Ivano-Frankivsk region in Ukraine suffered a major power outage. According to security experts and the Ukrainian Government, the attackers used a destructive variant of the well-known BlackEnergy malware.

According to the Ukrainian media outlet TSN, the power outage was caused by destructive malware that disconnected electrical substations. Experts speculate that the hackers ran a spear phishing campaign against the Ukrainian power authorities to spread the BlackEnergy malware, using weaponized Microsoft Office documents as the lure.
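The page says the lures were Microsoft Office documents but does not describe their format or content, so the following is a generic triage check rather than anything recovered from this incident. It is an added example, not code from the article or from SANS/TSN, and it assumes the modern Office Open XML container (.docm/.xlsm/.pptm), which is a ZIP archive in which VBA code ships as the part `vbaProject.bin` declared in `[Content_Types].xml`; legacy OLE2 .doc/.xls files need a different parser and are deliberately out of scope. The sample documents are constructed in memory for the demonstration.

```python
"""Triage check: does an Office Open XML file carry a VBA macro project?

Added example, not code from the article. OOXML files are ZIP archives; VBA
code is stored in a part named 'vbaProject.bin' (typically under word/, xl/
or ppt/) whose content type is declared in '[Content_Types].xml'.
"""
import io
import zipfile

# Names from the OOXML packaging conventions (assumed standard, not from the page).
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_vba_parts(data: bytes) -> list[str]:
    """Return the names of VBA project parts inside an OOXML container.

    A non-ZIP input (for example a legacy OLE2 .xls) yields an empty list;
    it is not "clean", it simply needs a different parser.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits = [n for n in names if n.lower().endswith(VBA_PART_SUFFIX)]
            # A renamed part is still only loaded by Office if the content
            # types manifest declares a VBA project, so check the manifest too.
            if not hits and "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    hits.append("<vbaProject declared in [Content_Types].xml>")
            return hits
    except zipfile.BadZipFile:
        return []


def has_macros(data: bytes) -> bool:
    """True when the container carries a VBA project part or declares one."""
    return bool(find_vba_parts(data))


def build_sample(with_macro: bool, prefix: str = "word") -> bytes:
    """Construct a minimal OOXML-shaped archive (constructed test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ""
        if with_macro:
            overrides = (f'<Override PartName="/{prefix}/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
            # Real vbaProject.bin is an OLE2 compound file; a stub with the
            # OLE2 magic is enough for a container-level check.
            zf.writestr(f"{prefix}/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types">' + overrides + "</Types>",
        )
        zf.writestr(f"{prefix}/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean.docx", build_sample(False)),
        ("lure.docm", build_sample(True)),
        ("lure.xlsm", build_sample(True, "xl")),
        ("legacy.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64),
    ]
    for label, blob in samples:
        print(f"{label}: macros={has_macros(blob)} parts={find_vba_parts(blob)}")
```

Run this over a mail-gateway quarantine and the result is a cheap first filter: any inbound OOXML attachment with a VBA part deserves a closer look, while the OLE2 case shows why a "no hits" result must never be read as "no macros" without also checking the file type.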

Now the investigations are revealing new and interesting aspects of the attack. It looks like the threat actors took advantage of BlackEnergy's capabilities: in an article published by SANS it is explained that the malware allowed the attackers to get a foothold on power-company systems, from which they were able to open circuit breakers and cut the power.

[Figure 1: BlackEnergy malware configuration example]

Unknown attackers used a wiper utility called KillDisk, and launched a denial-of-service on phone lines in order to stop company personnel from receiving customer reports of outages.

“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.” wrote Michael J. Assante, SANS ICS Director.

Below are the cyber attack milestones reported by SANS:

  • The adversary initiated an intrusion into production SCADA systems
  • Infected workstations and servers
  • Acted to “blind” the dispatchers
  • Acted to damage the SCADA system hosts (servers and workstations)
    • Action would have delayed restoration and introduced risk, especially if the SCADA system was essential to coordinate actions
    • Action can also make forensics more difficult
  • Flooded the call centers to deny customers calling to report power out

It is important to stress that there is no evidence that KillDisk was the sole cause of the power outage, which affected 80,000 customers.

“There have been two prominent theories in the community and speculation to the media that either the ‘KillDisk’ component was just inside the network and unrelated to the power outage (a reliability issue where malware just happened to be there) or that the ‘KillDisk’ component was directly responsible for the outage. It is our assessment that neither of these are correct. Malware likely enabled the attack, there was an intentional attack, but the ‘KillDisk’ component itself did not cause the outage.” … “The malware campaign reported, tied to BlackEnergy and the Sandworm team by others, has solid links to this incident but it cannot be assumed that files such as the excel spreadsheet and other malware samples recovered from other portions of that campaign were at all involved in this incident. It is possible but far too early in the technical analysis to state that.”

The SANS report leaves little room for doubt that BlackEnergy was indeed a key ingredient of this attack:

“We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information.” … “The malware also appears to have been used to wipe files in an attempt to deny the use of the SCADA system for the purposes of restoration to amplify the effects of the attack and possibly to delay restoration.”

SCADA security is becoming even more important: experts expect similar attacks in the near future.

Stay Tuned!

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog, http://high54security.blogspot.com/

Pierluigi Paganini

(Security Affairs – SCADA, BlackEnergy malware)
