BlackEnergy Malware Used in Ukraine Power Grid Attacks

BlackEnergy Group Uses Destructive Plugin in Ukraine Attacks

A threat group has been using the Russia-linked BlackEnergy malware family in attacks aimed at news media and electrical power organizations in Ukraine, ESET reported on Sunday.

The BlackEnergy malware has been around since at least 2007 and it has been used in numerous targeted attacks, including ones aimed at Ukrainian government organizations and critical infrastructure companies in the United States.

Security firm ESET has been monitoring attacks involving the threat and recently discovered that the Trojan had been used to target news media and electrical power companies in Ukraine.

The news comes just days after Ukraine’s security service, the SBU, accused Russian special services of planting malware on the networks of several regional power companies. The agency also said attackers flooded the targeted firms’ technical support phone lines.

Ukrainian power company Prykarpattyaoblenergo blamed some recent power outages in the Ivano-Frankivsk Oblast region on outsiders who remotely tampered with automatic control systems.

ESET malware researcher Anton Cherepanov has confirmed for SecurityWeek that the attacks analyzed by the security firm and the ones reported by Ukrainian authorities and power companies are connected. The security firm has published a blog post detailing the connection.

Cherepanov said Prykarpattyaoblenergo is not the only company targeted by the attackers, but most of the other victims don’t want to disclose the attacks just yet.

iSIGHT Partners believes the Russian hackers behind the blackouts in Ukraine are part of the threat group known as Sandworm Team, which is known to rely heavily on BlackEnergy malware and which previously targeted SCADA systems in Europe and the United States.

The security firm told SecurityWeek that it has very limited evidence that the recent destructive attacks against Ukraine involved BlackEnergy, but if this is the case, it’s likely the work of Sandworm Team or a related Russian operator. The company has pointed out that this is the first known instance of cyberattacks causing a blackout.

Kaspersky Lab researchers identified nearly two dozen Windows and Linux plugins used by BlackEnergy in 2014. One of the Windows plugins, dubbed “dstr,” was designed to destroy data stored on the infected machine’s hard drive by overwriting the content of files.

According to ESET, in 2015, attackers started using a new destructive plugin called KillDisk (Win32/KillDisk). The component is designed to overwrite a total of more than 4,000 file types with random data and damage the operating system by making it unbootable.

CERT Ukraine reported in November that the KillDisk component was used by BlackEnergy attackers to target news companies during last year’s local elections. CERT reported that the threat was used to destroy documents and video files.

A different version of KillDisk was spotted in attacks against Ukrainian energy companies. The newest version of the threat allows attackers to specify when the destructive payload should be activated, it is capable of removing Windows event logs, and it focuses on corrupting 35 types of document, image, database and configuration files.

The KillDisk version observed in attacks against Ukrainian power companies attempts to make the operating system unbootable, and it also contains functionality designed to sabotage industrial systems.

Once it infects a system, the malware targets a couple of services, including sec_service.exe, a process associated with industrial control system (ICS) software called ASEM Ubiquity. The malware terminates the process and corrupts the executable file by overwriting its content with random data.

SSH Backdoor

In addition to the BlackEnergy malware, the threat group monitored by ESET has also leveraged an SSH backdoor to gain access to infected systems (Win32/SSHBearDoor.A trojan).

Researchers discovered the backdoor after finding what appeared to be a legitimate copy of the SSH application Dropbear on one of the infected servers. The attackers used a VBS file that executed the Dropbear SSH server and configured it to accept connections on port 6789.

The SSH server had also been configured to allow the attackers to authenticate using a hardcoded password or a private key. This backdoor allowed threat actors to connect to the compromised network whenever they needed.

Cherepanov told SecurityWeek that this backdoor SSH server has so far been detected on just one compromised machine.
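
For defenders, the launch pattern described above (a script host starting an SSH server with a port option) can be hunted in process-creation telemetry. The following is an added example, not code from ESET or from the original article; the record fields, file names, paths and command lines are constructed assumptions, and only the Dropbear name and port 6789 come from the report.

```python
import ntpath
import re

# Windows Script Host binaries that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REPORTED_PORT = 6789  # listening port named in the article
# Dropbear's -p option takes [address:]port.
PORT_OPT = re.compile(r"(?:^|\s)-p\s+(?:\S+:)?(\d{1,5})(?=\s|$)")

# Constructed process-creation records (Sysmon Event ID 1 style fields).
# Hosts, paths and command lines are sample values, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "SRV-A", "image": r"C:\Windows\Temp\app\dropbear.exe",
     "command_line": "dropbear.exe -r hostkey -p 6789",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    # Renamed binary, same launch pattern, different port.
    {"host": "SRV-B", "image": r"C:\Tools\svc\netsvc.exe",
     "command_line": "netsvc.exe -r hostkey -p 0.0.0.0:2222",
     "parent_image": r"C:\Windows\System32\cscript.exe"},
    # Benign: a service-started agent that happens to take -p.
    {"host": "WS-C", "image": r"C:\Program Files\Backup\agent.exe",
     "command_line": "agent.exe -p 8443",
     "parent_image": r"C:\Windows\System32\services.exe"},
    # Benign: a logon script that starts no port-bound child.
    {"host": "WS-D", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c logon.bat",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
]

def score_event(event):
    """Return the list of indicators one process-creation record matches."""
    reasons = []
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    match = PORT_OPT.search(event["command_line"])
    port = int(match.group(1)) if match else None
    if "dropbear" in image:
        reasons.append("dropbear-binary")
    if parent in SCRIPT_HOSTS and port is not None:
        reasons.append("script-host-child-with-port")
    if port == REPORTED_PORT:
        reasons.append("reported-port")
    return reasons

def hunt(events):
    """Map each host with at least one indicator to its matched indicators."""
    return {e["host"]: r for e in events if (r := score_event(e))}

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(reasons))
```

The parent-process check still fires when the binary is renamed or the port is changed, which a file-name or port match alone would miss.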

*Updated with additional information from ESET and iSIGHT Partners

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.