BlackEnergy – The Trojan We Should be Talking About

Just before Christmas, half of the residents of the Ukrainian Ivano-Frankivsk region were left without electricity for hours. 

According to the Ukrainian news media outlet TSN, the cause of the blackout was a “hacker attack” utilizing a “virus” to compromise email security across the network. Cybersecurity researchers at ESET believe it to be the first-known instance of power stations being disabled by hackers.

It later emerged that attackers used the BlackEnergy malware with a modification to include an SSH backdoor to plant the destructive KillDisk component onto the targeted computers to make them unbootable.

This attack has not been widely reported but has had some coverage from media sites like the International Business Times. Credit to welivesecurity who covered it more than once.

The attack was delivered by spear phishing: a business-style email carrying a weaponized attachment whose VBA macro downloads a malicious payload to the victim’s computer. The Ukrainian security company CyS Centrum has published screenshots of the spear-phishing emails used in BlackEnergy campaigns, in which the attackers spoofed the sender address to appear to belong to Rada (the Ukrainian parliament). The document itself contains social-engineering text that tries to convince the victim to run the macro. This is an example of a malware-less attack that relies on social engineering to trick users into compromising themselves, rather than on a spear-phishing URL or a classic malicious email attachment. When victims are tricked into opening the attachment and enabling macros, they end up infected with the BlackEnergy Lite trojan.
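The delivery pattern described above (a spoofed sender address plus an Office attachment that carries a VBA macro) can be caught at the mail gateway before a user ever sees the "enable macros" prompt. The following is an added example, not code from the original post or from any of the vendors it mentions: it checks whether the From domain disagrees with the envelope sender and whether an attached Office Open XML file contains a VBA project part. The domains, file names and document contents are constructed for the demonstration; the detection relies only on the Python standard library.

```python
"""Mail-gateway triage for macro-carrying attachments with a spoofed sender.
Added example; all sample addresses and file contents are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Office Open XML documents are zip containers. A macro-enabled file carries
# a vbaProject.bin part under the application's folder.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_project(blob: bytes) -> bool:
    """Return True if the attachment is an OOXML container holding a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML (legacy OLE2 .doc files need a separate check)
    return any(part in names for part in VBA_PARTS)


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message: 'quarantine' when a sender-domain
    mismatch coincides with a macro-enabled attachment, 'review' when only
    the attachment is present, otherwise 'deliver'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    mismatch = bool(from_domain and envelope_domain and from_domain != envelope_domain)

    macro_files = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and has_vba_project(payload):
            macro_files.append(part.get_filename() or "<unnamed>")

    if macro_files and mismatch:
        verdict = "quarantine"
    elif macro_files:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "sender_mismatch": mismatch,
            "macro_attachments": macro_files}


def build_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container (a constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed VBA project blob")
    return buf.getvalue()


def build_sample(from_addr: str, return_path: str, with_macro: bool) -> bytes:
    """Construct a sample message; every address uses a reserved example domain."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "operator@utility.example"
    msg["Subject"] = "Invoice for review"
    msg["Return-Path"] = f"<{return_path}>"
    msg.set_content("Please open the attached document and enable editing.")
    msg.add_attachment(build_docm(with_macro), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    return bytes(msg)


# Constructed lure: a lookalike "parliament" display domain, a different
# envelope sender, and a macro-carrying attachment.
PHISH = build_sample("press@parliament.example", "bounce@mailer.example.net", True)
# Constructed internal mail with a macro-free document.
CLEAN = build_sample("finance@utility.example", "finance@utility.example", False)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, triage(raw))
```

The sender comparison deliberately uses the Return-Path rather than SPF or DKIM results, so it only catches the crude spoofing the post describes; a production gateway would combine this with authentication results, and would add an OLE2 check for legacy `.doc` attachments, which are not zip containers and slip past `has_vba_project` as written.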

Destructive malware is not new – the BlackEnergy Trojan was developed in 2007. However, cyber criminals can take a piece of destructive code, easily introduce it into BlackEnergy and mutate it. The new malicious code could then be tailored to theoretically control pipelines, water purification systems, power generators and other Internet-connected critical infrastructure. In short, it could be catastrophic for utilities and organizations that own a significant, so-called Internet of Things estate of devices.

The risk to public sector services due to ‘normal’ or maliciously-induced downtime is something I highlighted in this blog last year.

I firmly believe this attack will be remembered as a seminal event in the world of cyber security – it’s a publicly recognized and successful attack on a critical public infrastructure service. We’re sure to see more of this type of attack in the future. The Achilles heel for organizations affected by these hacks seems to be email and weaponized email attachments each time. It’s time for both the private and public sector to recognize the threat of these weaponized attachments appearing in both small and large file emails and take necessary steps to protect companies and critical public services before the lights go out or the tap runs dry (again).

If you’d like more information about how you can protect your organization, you can read more on our site here.
