Frequently Asked Questions: BlackEnergy

In December 2015, around half the homes in the Ivano-Frankivsk region in Ukraine were left with no electricity for a few hours. According to reports, the cause of the 6-hour power outage was a cyber-attack that utilized malware. Interestingly, the reported case was not an isolated incident, as other electric firms in Ukraine were found to have also been targeted.

Subsequent investigations have led to the discovery of a malware sample that was said to have caused the blackout. Based on the SANS report, “the malware is a 32-bit Windows executable and is modular in nature, indicating that the module is of a more complex piece of malware.” As it turns out, the malware, dubbed as “BlackEnergy” appears to have infected the plant’s systems after a successful spear phishing attack.

Here's what we know about BlackEnergy:

What is BlackEnergy?

Identified several years ago, BlackEnergy is a Trojan malware designed to launch distributed denial-of-service (DDoS) attacks, download custom spam, and banking information-stealer plugins.

What does it do?

BlackEnergy malware was known to have been used to deliver KillDisk, a feature that could render systems unusable and could obliterate critical components on an infected system.  It was reported to have possessed remarkable functions that could place Industrial Control Systems (ICS) at risk. An attack scenario involves a target receiving an email that contains a malicious attachment. The attacker spoofs the sender address in order to appear to be coming from Rada (the Ukrainian parliament). Once the target opens the attachment, the victim is asked to run the macro in the document.

Who are its targets?

The BlackEnergy malware appears to have targeted a Ukrainian power facility Prykarpattya Oblenergo and other electricity distribution companies in Ukraine. BlackEnergy malware may have also been used to target other utilities. 

[More: KillDisk and BlackEnergy Are Not Just Energy Sector Threats]

Who is behind the BlackEnergy attacks?

The Ukraine attack has been attributed to Sandworm, a Russian cyber espionage group known to have been harassing Ukrainian officials and their allies as early as 2007. The group is also known to have used malware to target SCADA-centric systems in October, 2014.

As of late, a special commission has already been established and ongoing investigations are expected to determine the origin and motives of those behind the BlackEnergy attacks.

Visit the Threat Intelligence Center for more on ICS and SCADA systems and industrial cyber security.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Cyber Attacks, Malware