BlackEnergy Trojan Used in Attack Against Ukrainian Critical Infrastructure

By John Atienza on February 2, 2016


The trojan known as BlackEnergy became well known in 2008 when state-sponsored hackers used it during the Russia-Georgia cyber conflict. BlackEnergy was developed by a Russian hacker for DDoS attacks, bank fraud, and spam distribution. BlackEnergy also has the added capability of wiping the hard drives of infected machines. Security research firm ESET reported that 100 government and industry organizations in Poland and Ukraine were attacked using BlackEnergy. Security firm F-Secure also reports that one target was hit in Brussels, Belgium.

These cyber attacks seem to be related to a cyber espionage campaign named “CosmicDuke” (as reported by F-Secure). There is evidence of a link between the CosmicDuke, MiniDuke, and OnionDuke APT campaigns. These campaigns seem to be the work of Russian state-sponsored hackers because the targets all relate to Russian interests. CosmicDuke did, however, also target users of illicit drugs, which could point to the involvement of Russian law enforcement agencies.

TSN, a Ukrainian media outlet, reported a blackout in the Ivano-Frankivsk region of Ukraine on December 23. Malware possibly took down electrical substations serving the area. The attackers used a highly destructive variant of BlackEnergy and targeted three regional power authorities in Ukraine. This attack on the energy sector left half the population in the region without electricity.

The Security Service of Ukraine (SBU) documented a diversionary tactic of flooding technical support lines before performing the DDoS attack. The SBU thinks the attack was carried out by the Russians because of the malware's origins and the current political dispute, but it is not willing to formally attribute this cyber attack to Russia.

BlackEnergy has several new components added to its already destructive arsenal. A new component of the BlackEnergy malware is the KillDisk component, which is “capable of destroying some 4000 different file types and rendering machines unbootable.” Other components include log deletion, delays for payload delivery, SSH backdoors, and a command line interface.

One interesting feature of this malware, according to Symantec, is that it disables sec_service. The service belongs to the “Serial to Ethernet Connector” software developed by Eltima, which allows access to remote serial ports over network connections. This feature leads Symantec to believe that the hackers who designed BlackEnergy have a deep knowledge of SCADA and legacy SCADA systems. Blocking the sec_service’s communications can lead to potential damage to the target system.
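Because the malware's tampering with sec_service is a concrete, observable behaviour, a defender can watch for it in the Windows System event log. The following added example (not code from the article or from any vendor mentioned in it) scans constructed Service Control Manager log lines, using the real event IDs 7036 (service state change) and 7040 (start type change), and flags any watched service that is stopped or set to disabled; the log format and the sample entries are constructed for this illustration.

```python
import re

# Constructed sample Windows System log lines (Service Control Manager events),
# flattened to one line each for this example; not taken from the article.
SAMPLE_LOG = """\
2015-12-23 15:41:02 EventID=7036 Source=Service Control Manager Message=The Windows Update service entered the running state.
2015-12-23 15:42:17 EventID=7040 Source=Service Control Manager Message=The start type of the sec_service service was changed from auto start to disabled.
2015-12-23 15:42:18 EventID=7036 Source=Service Control Manager Message=The sec_service service entered the stopped state.
2015-12-23 15:50:00 EventID=7036 Source=Service Control Manager Message=The Print Spooler service entered the stopped state.
"""

# Services whose unexpected stop or disablement should raise an alert.
WATCHED_SERVICES = {"sec_service"}

# Event 7036 message: "The <svc> service entered the <state> state."
STATE_RE = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>\w+) state")
# Event 7040 message: "The start type of the <svc> service was changed from <old> to <new>."
START_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>[\w ]+) to (?P<new>[\w ]+)\."
)


def flag_service_tampering(log_text, watched=WATCHED_SERVICES):
    """Return (timestamp, service, finding) tuples for watched services that
    were stopped (event 7036) or had their start type set to disabled (7040)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp = line[:19]  # "YYYY-MM-DD HH:MM:SS" prefix of the constructed format
        m = STATE_RE.search(line)
        if m and m.group("svc") in watched and m.group("state") == "stopped":
            findings.append((timestamp, m.group("svc"), "service stopped"))
            continue
        m = START_RE.search(line)
        if m and m.group("svc") in watched and m.group("new") == "disabled":
            findings.append((timestamp, m.group("svc"), "start type set to disabled"))
    return findings


if __name__ == "__main__":
    for ts, svc, finding in flag_service_tampering(SAMPLE_LOG):
        print(f"{ts}  {svc}: {finding}")
```

Two alerts are raised for sec_service in the sample, while the routine stop of an unwatched service is ignored; in production the watched set would also cover the site's other SCADA-related services.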

According to Brian Honan of Europol and Michael Assante (former CSO of NERC), BlackEnergy itself cannot be completely responsible for the Ukrainian power outages. A data wiper could be used to extend an outage, but a hacker would also need to interact with a human-machine interface (HMI) system in order to manipulate breakers at a power station.

These cyber attacks on the Ukrainian energy sector are also related to the Sandworm APT. A spear-phishing campaign was used to infect Ukrainian power authorities with BlackEnergy via Microsoft Office documents using macros and a JAR file.

Sandworm has been active since 2009. The Russian group has targeted the Polish energy sector, Western European government agencies, and French telecommunications. Investigations began in late 2013 when the NATO alliance was targeted using several exploit kits.