Researchers at security firm Trend Micro have found evidence suggesting that pieces of malware involved in the recent attacks against Ukraine’s energy sector have been used to target other types of organizations as well.
The Russia-linked BlackEnergy malware, known to target SCADA systems in Europe and the United States, and KillDisk, a plugin designed to destroy files and make systems inoperable, were spotted last year in attacks aimed at Ukraine’s energy sector. Ukrainian authorities accused Russia of being behind the attacks that resulted in significant power outages.
An analysis of the campaign revealed that while BlackEnergy and KillDisk had been found on the targeted systems, the malware was likely not directly responsible for the outages.
Trend Micro reported on Thursday that its researchers spotted BlackEnergy and KillDisk samples on the systems of a Ukrainian mining company and a major railway operator. Experts believe these attacks were conducted by the same threat actor that targeted the country’s power companies.
In the case of the infections at the Ukrainian mining company, experts uncovered several samples whose names and functionality were similar to the samples spotted in the power utility attacks. The malware, used in November and December 2015, communicated with some of the same command and control (C&C) servers observed in the energy attacks.
The security firm noticed that the systems of the same mining company were also infected with multiple variants of KillDisk. The samples don’t match the ones used in the energy attacks exactly, but they do exhibit the same functionality.
Trend Micro also spotted KillDisk infections on the systems of a Ukrainian railway company that is part of the country’s national railway system. The KillDisk sample found by researchers matched one used in the electric utility attacks.
“This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems; it could be assumed that it was likely present somewhere in their network,” Trend Micro senior threat researcher Kyle Wilhoit said in a blog post.
Based on the similarities between the samples, naming conventions, infrastructure overlaps, and the timing of the attacks, experts believe the same threat actor targeted all of these Ukrainian organizations, and they have several theories about the attacker’s goals.
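The attribution reasoning described above (matching samples, shared C&C infrastructure, and different malware families co-located on one victim network) is the kind of pivoting an analyst can express as a small clustering exercise. The Python below is an added example written for this page, not Trend Micro's code or tooling; every hash, hostname and organisation label in it is a constructed placeholder, and the linking rules (identical hash, shared C2 host, common victim) are the example's own assumptions about how such evidence is combined.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One malware sample recovered from one victim network (constructed record)."""
    sha256: str                         # placeholder label, not a real hash
    family: str
    victim: str                         # placeholder organisation label
    sector: str
    month: str                          # YYYY-MM first seen
    c2_hosts: frozenset = frozenset()   # placeholder hostnames (.invalid TLD)


# Constructed incident records that mirror the pattern in the article; all values are placeholders.
SAMPLES = [
    Sample("HASH-PLACEHOLDER-BE1", "BlackEnergy", "energy-utility", "energy", "2015-12",
           frozenset({"c2-host-A.invalid", "c2-host-B.invalid"})),
    Sample("HASH-PLACEHOLDER-KD1", "KillDisk", "energy-utility", "energy", "2015-12"),
    Sample("HASH-PLACEHOLDER-BE2", "BlackEnergy", "mining-co", "mining", "2015-11",
           frozenset({"c2-host-B.invalid", "c2-host-C.invalid"})),
    Sample("HASH-PLACEHOLDER-KD2", "KillDisk", "mining-co", "mining", "2015-12"),
    # Railway sample identical to the energy-sector KillDisk sample (same placeholder hash).
    Sample("HASH-PLACEHOLDER-KD1", "KillDisk", "railway-op", "transport", "2015-12"),
    # Unrelated sample that should stay in its own cluster.
    Sample("HASH-PLACEHOLDER-X1", "Unrelated", "retail-co", "retail", "2015-10",
           frozenset({"cdn.example.invalid"})),
]


class _DisjointSet:
    """Union-find over sample indices, used to merge samples that share any pivot."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def shared_c2(samples):
    """C2 hosts contacted from more than one victim: the infrastructure-overlap pivot."""
    seen = defaultdict(set)
    for s in samples:
        for host in s.c2_hosts:
            seen[host].add(s.victim)
    return {host: sorted(victims) for host, victims in seen.items() if len(victims) > 1}


def cluster(samples):
    """Group samples linked by identical hash, a shared C2 host, or a common victim network.

    Returns one dict per cluster (largest first) listing the sectors and families it spans
    and the pivots ("kind:value") that hold it together, so the evidence stays reviewable.
    """
    ds = _DisjointSet(len(samples))
    by_key = defaultdict(list)
    for i, s in enumerate(samples):
        by_key[("hash", s.sha256)].append(i)
        by_key[("victim", s.victim)].append(i)
        for host in s.c2_hosts:
            by_key[("c2", host)].append(i)
    for idxs in by_key.values():
        for j in idxs[1:]:
            ds.union(idxs[0], j)
    members, links = defaultdict(list), defaultdict(set)
    for i, s in enumerate(samples):
        members[ds.find(i)].append(s)
    for (kind, value), idxs in by_key.items():
        if len(idxs) > 1:
            links[ds.find(idxs[0])].add(f"{kind}:{value}")
    report = []
    for root, group in members.items():
        report.append({
            "size": len(group),
            "families": sorted({s.family for s in group}),
            "sectors": sorted({s.sector for s in group}),
            "victims": sorted({s.victim for s in group}),
            "links": sorted(links[root]),
        })
    report.sort(key=lambda c: -c["size"])
    return report


if __name__ == "__main__":
    print("C2 hosts seen at more than one victim:", shared_c2(SAMPLES))
    for c in cluster(SAMPLES):
        print(c)
```

Keeping the pivots in the output matters more than the grouping itself: a single shared host or one identical hash is a lead, not proof, and an analyst reviewing the cluster needs to see which link type (hash, infrastructure, or mere co-location on a victim) is carrying the attribution.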
“One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities,” Wilhoit said. “Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.”
The United States is concerned that attacks like the one aimed at Ukraine’s energy sector could be launched against its own critical infrastructure. While the US government has so far refrained from officially pointing the finger at Russia for the Ukraine cyberattacks, CNN reported on Thursday that Elizabeth Sherwood-Randall, Deputy Secretary at the Department of Energy, told a gathering of power grid industry executives that Russia is behind the attacks.
Robert M. Lee, founder and CEO of Dragos Security, told SecurityWeek last month that while attacks like the ones in Ukraine could be launched against European countries and the United States, they would likely result in less significant damage.