
Is BlackEnergy malware a threat to U.S. utility companies?

BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and if U.S. companies are at risk.

According to reports, threat actors used the BlackEnergy malware to assist with an attack on Ukrainian utility and media companies, though some question these reports. How big of a role did BlackEnergy play in this attack and what was it used for specifically? Is this a threat U.S. utility companies should be concerned about?

It is difficult to know whether, or to what extent, BlackEnergy malware played a role in the attacks on Ukrainian utility and media companies. Attribution is very difficult, and a skilled attacker can easily plant clues that lead the investigator of a specific incident to misattribute the attack to a particular party or piece of malware. Knowing that Ukrainian utility and media companies were targeted can still help similar companies in other countries identify the types of attacks they may be at risk from, and participating in a sector-specific Information Sharing and Analysis Center (ISAC) or Computer Emergency Readiness Team (CERT) can help identify more specific attacks.

In these attacks, BlackEnergy served as the framework for the attack malware: its plug-in architecture carried a KillDisk component for wiping data and an SSH server with a backdoor. The BlackEnergy dropper, malware configuration and command-and-control functionality were all used in the attack. ESET did not say specifically how the utility or media companies were initially compromised so that BlackEnergy could be installed, but it had previously reported that BlackEnergy campaigns used phishing and social engineering for initial access to the network.

Other than serving as an example of a possible attack, BlackEnergy malware is probably not something U.S. utility companies need to single out, provided they are already addressing phishing, social engineering, incident response, supervisory control and data acquisition (SCADA) and industrial control system (ICS) security, and other best practices. BlackEnergy might be used in an attack targeting U.S. organizations, but monitoring for indicators of compromise (IoCs) published by an ISAC or CERT could be very useful in detecting or stopping the initial infection.
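As an added illustration (not part of Nick Lewis's answer), here is how the IoC monitoring mentioned above can be implemented in practice: a small Python matcher that checks file hashes, IP addresses, domains and filenames from a feed against proxy, endpoint and firewall log lines. The feed values and log lines are constructed for this example and are not real BlackEnergy indicators; the log format is hypothetical.

```python
"""Match a small IoC feed against log lines and rank the hits.

Added example. All indicators and log lines below are constructed for
illustration and are NOT real BlackEnergy indicators.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed IoC feed in the shape an ISAC/CERT bulletin might carry
# (hypothetical values only).
IOC_FEED: Dict[str, Set[str]] = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "domains": {"update-service.example.net"},
    "ips": {"203.0.113.45"},
    "filenames": {"kill_disk.dll"},
}

# Constructed sample log lines (proxy, endpoint, firewall); hypothetical format.
SAMPLE_LOGS = [
    "2016-01-12T08:14:03Z proxy01 CONNECT cdn.update-service.example.net:443 user=jdoe",
    "2016-01-12T08:14:05Z host07 PROCESS_CREATE "
    "path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\kill_disk.dll "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2016-01-12T08:14:09Z fw01 DENY src=10.0.5.21 dst=203.0.113.45 dport=443",
    "2016-01-12T08:15:00Z proxy01 GET www.example.com/index.html user=jdoe",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)
PATH_RE = re.compile(r"path=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str
    confidence: str  # "high" for hash/IP/domain, "low" for a bare filename


def domain_matches(host: str, feed_domains: Set[str]) -> Optional[str]:
    """Return the feed domain that `host` equals or is a subdomain of.

    Suffix matching is done on label boundaries so that
    'notupdate-service.example.net' does not match 'update-service.example.net'.
    """
    host = host.lower().rstrip(".")
    for d in feed_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_logs(lines: List[str], feed: Dict[str, Set[str]] = IOC_FEED) -> List[Hit]:
    """Extract candidate observables from each line and compare them to the feed."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        for h in SHA256_RE.findall(line):
            if h.lower() in feed["sha256"]:
                hits.append(Hit(n, "sha256", h.lower(), "high"))
        for ip in IP_RE.findall(line):
            if ip in feed["ips"]:
                hits.append(Hit(n, "ip", ip, "high"))
        for host in HOST_RE.findall(line):
            d = domain_matches(host, feed["domains"])
            if d:
                hits.append(Hit(n, "domain", d, "high"))
        for path in PATH_RE.findall(line):
            # Filenames are easily renamed, so they only count as a weak signal.
            name = re.split(r"[\\/]", path)[-1].lower()
            if name in feed["filenames"]:
                hits.append(Hit(n, "filename", name, "low"))
    return hits


def high_confidence_lines(hits: List[Hit]) -> List[int]:
    """Line numbers that carry at least one high-confidence indicator."""
    return sorted({h.line_no for h in hits if h.confidence == "high"})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.kind}={hit.indicator} ({hit.confidence})")
    print("escalate lines:", high_confidence_lines(found))
```

The matcher deliberately treats a bare filename as low confidence, since an attacker can rename a component without changing its behaviour, while hashes, C&C IPs and domains (including subdomains of a listed domain) are strong enough to escalate on their own. In a real deployment the feed would be refreshed from the ISAC or CERT and the scan run over the SIEM or log pipeline rather than over an in-memory list.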

Next Steps

Learn about a technique used to attribute malware attacks

Find out how a malicious C&C server can remain undetected

Read about the ongoing trend of long-duration APT attacks

This was last published in June 2016


Join the conversation

2 comments


How is your company addressing the BlackEnergy malware risk?

Segmentation is the key. Limit access to critical sub-systems through firewalls and authentication.

Will
