BlackEnergy malware has been used in attacks against news media outlets and electric companies in Ukraine, according...
to researchers. And those attacked are blaming Russian agents.
A trojan from the BlackEnergy family of malware was used as a backdoor to deliver new KillDisk components to the Ukrainian enterprises, which could destroy data and make systems unbootable, according to a blog post by Anton Cherepanov, malware researcher for security company ESET, based in Bratislava, Slovakia.
BlackEnergy malware can be used to search the file system, steal passwords, take screenshots, keylog and steal certificates, but the aim of the attacks is unclear. Cherepanov noted that the KillDisk component was a new plug-in added to BlackEnergy in 2015, though the version in the Ukraine attacks had additional functionality to allow attackers to set when data would be destroyed.
ESET malware researcher Robert Lipovsky said this component was likely used either for sabotage or to cover up tracks after an attack.
"Destruction of data is not a motive in and of itself," Lipovsky told SearchSecurity. "Whatever their intent was, the SSHBearDoor backdoor allows remote access to the infected system, thus allowing the attackers to carry out their attack."
Last week, the Security Service of Ukraine released a report claiming it had found malicious software on the networks of regional power companies, and accused Russia-based agents in the attacks.
Cherepanov confirmed that those reported attacks were connected to the BlackEnergy malware attacks in the ESET report. Cherepanov also found a clue linking the malware to Russia, with code possibly referencing the Russian acronym meaning "mass media."
Wes Widner, director of threat intelligence at Norse, said standard cybersecurity practices should be enough to mitigate risks of attack by BlackEnergy malware.
"This threat used a zero day when it first debuted, but it appears to be fairly well-known by [antivirus] products now," Widner said. "For enterprises, the mitigation path is to keep systems updated, specifically third-party software like the industrial control system (ICS) control software."
Lipovsky said enterprises with industrial control systems should take extra precautions.
"Common cybersecurity rules should be applied -- an up-to-date security software operating at multiple tiers, proper patch management, backups, regular user education and so on," Lipovsky said. "With regards to ICS and SCADA systems, specifically, there are recommended defense strategies, which include additional steps, such as air-gapping critical systems."
Learn more about developing an ICS security framework.
Learn more about the security challenges surrounding ICS.