Security Experts:

Connect with us

Hi, what are you looking for?



BlackEnergy Malware Used in Ukraine Power Grid Attacks

BlackEnergy Group Uses Destructive Plugin in Ukraine Attacks

A threat group has been using the Russia-linked BlackEnergy malware family in attacks aimed at news media and electrical power organizations in Ukraine, ESET reported on Sunday.

BlackEnergy Group Uses Destructive Plugin in Ukraine Attacks

A threat group has been using the Russia-linked BlackEnergy malware family in attacks aimed at news media and electrical power organizations in Ukraine, ESET reported on Sunday.

The BlackEnergy malware has been around since at least 2007 and it has been used in numerous targeted attacks, including ones aimed at Ukrainian government organizations and critical infrastructure companies in the United States.

Security firm ESET has been monitoring attacks involving the threat and recently discovered that the Trojan had been used to target news media and electrical power companies in Ukraine.

The news comes just days after Ukraine’s security service, the SBU, accused Russian special services of planting malware on the networks of several regional power companies. The agency also said attackers flooded the targeted firms’ technical support phone lines.

Ukrainian power company Prykarpattyaoblenergo blamed some recent power outages in the Ivano-Frankivsk Oblast region on outsiders who remotely tampered with automatic control systems.

ESET malware researcher Anton Cherepanov has confirmed for SecurityWeek that the attacks analyzed by the security firm and the ones reported by Ukrainian authorities and power companies are connected. The security firm has published a blog post detailing the connection.

Cherepanov said Prykarpattyaoblenergo is not the only company targeted by the attackers, but most of the other victims don’t want to disclose the attacks just yet.

iSIGHT Partners believes the Russian hackers behind the blackouts in Ukraine are part of the threat group known as Sandworm Team, which is known to rely heavily on BlackEnergy malware and which previously targeted SCADA systems in Europe and the United States.

The security firm told SecurityWeek that it has very limited evidence that the recent destructive attacks against Ukraine involved BlackEnergy, but if this is the case, it’s likely the work of Sandworm Team or a related Russian operator. The company has pointed out that this is the first known instance of cyberattacks causing a blackout.

Kaspersky Lab researchers identified nearly two dozen Windows and Linux plugins used by BlackEnergy in 2014. One of the Windows plugins, dubbed “dstr,” was designed to destroy data stored on the infected machine’s hard drive by overwriting the content of files.

According to ESET, in 2015, attackers started using a new destructive plugin called KillDisk (Win32/KillDisk). The component is designed to overwrite a total of more than 4,000 file types with random data and damage the operating system by making it unbootable.

CERT Ukraine reported in November that the KillDisk component was used by BlackEnergy attackers to targeted news companies during last year’s local elections. CERT reported that the threat was used to destroy documents and video files.

A different version of KillDisk was spotted in attacks against Ukrainian energy companies. The newest version of the threat allows attackers to specify when the destructive payload should be activated, it is capable of removing Windows event logs, and it focuses on corrupting 35 types of document, image, database and configuration files.

The KillDisk version observed in attacks against Ukrainian power companies attempts to make the operating system unbootable, and it also contains functionality designed to sabotage industrial systems.

Once it infects a system, the malware targets a couple of services, including sec_service.exe, a process associated with an industrial control systems (ICS) software called ASEM Ubiquity. The malware terminates the process and corrupts the executable file by overwriting its content with random data.

SSH Backdoor

In addition to the BlackEnergy malware, the threat group monitored by ESET has also leveraged an SSH backdoor to gain access to infected systems (Win32/SSHBearDoor.A trojan).

Researchers discovered the backdoor after finding what appeared to be a legitimate copy of the SSH application Dropbear on one of the infected servers. The attackers used a VBS file that executed the Dropbear SSH server and configured it to accept connections on port 6789.

The SSH server had also been configured to allow the attackers to authenticate using a hardcoded password or a private key. This backdoor allowed threat actors to connect to the compromised network whenever they needed.

Cherepanov told SecurityWeek that this backdoor SSH server has so far been detected on just one compromised machine.

*Updated with additional information from ESET and iSIGHT Partners

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.