Russian actors accused of attacking Ukraine with BlackEnergy malware

Russia-based threat actors were accused of attacking media outlets and electric companies in Ukraine using BlackEnergy malware.

BlackEnergy malware has been used in attacks against news media outlets and electric companies in Ukraine, according to researchers. And those attacked are blaming Russian agents.

A trojan from the BlackEnergy family of malware was used as a backdoor to deliver new KillDisk components to the Ukrainian enterprises, which could destroy data and make systems unbootable, according to a blog post by Anton Cherepanov, malware researcher for security company ESET, based in Bratislava, Slovakia.

BlackEnergy malware can be used to search the file system, steal passwords, take screenshots, keylog and steal certificates, but the aim of the attacks is unclear. Cherepanov noted that the KillDisk component was a new plug-in added to BlackEnergy in 2015, though the version in the Ukraine attacks had additional functionality to allow attackers to set when data would be destroyed.

ESET malware researcher Robert Lipovsky said this component was likely used either for sabotage or to cover up tracks after an attack.

"Destruction of data is not a motive in and of itself," Lipovsky told SearchSecurity. "Whatever their intent was, the SSHBearDoor backdoor allows remote access to the infected system, thus allowing the attackers to carry out their attack."

Last week, the Security Service of Ukraine released a report claiming it had found malicious software on the networks of regional power companies, and accused Russia-based agents in the attacks.

Cherepanov confirmed that those reported attacks were connected to the BlackEnergy malware attacks in the ESET report. Cherepanov also found a clue linking the malware to Russia, with code possibly referencing the Russian acronym meaning "mass media."

Wes Widner, director of threat intelligence at Norse, said standard cybersecurity practices should be enough to mitigate risks of attack by BlackEnergy malware.

"This threat used a zero day when it first debuted, but it appears to be fairly well-known by [antivirus] products now," Widner said. "For enterprises, the mitigation path is to keep systems updated, specifically third-party software like the industrial control system (ICS) control software."

Lipovsky said enterprises with industrial control systems should take extra precautions.

"Common cybersecurity rules should be applied -- up-to-date security software operating at multiple tiers, proper patch management, backups, regular user education and so on," Lipovsky said. "With regards to ICS and SCADA systems, specifically, there are recommended defense strategies, which include additional steps, such as air-gapping critical systems."

Next Steps

Learn more about developing an ICS security framework.

Learn more about the security challenges surrounding ICS.
