The tail-end of 2015 took an interesting turn when hundreds of thousands of homes, which amounts to half the number of residences in the region of Ivano-Frankivsk in Ukraine, were left in the dark—literally. The incident was far from the previously reported outage, caused by explosives set off by alleged Ukrainian nationalists in the Crimean peninsula last November. This incident, researchers said, was caused by malware in the utility's systems, resulting in a 6-hour power disruption on December 23rd.
According to malware researcher Robert Lipovsky, while Western Ukrainian power authority Prykarpattyaoblenergo was the only company that divulged details of an outage, two other electric firms were also affected by similar malware found in their networks.
Following Ukraine’s security service pointing fingers at Russia for the power outage—what with the two nations’ ongoing military and political feud—investigations have led to the discovery of a malware sample that was said to have caused the blackout. Cyber security expert Robert M. Lee noted in his entry, “The malware is a 32 bit Windows executable and is modular in nature indicating that this is a module of a more complex piece of malware.”
Shortly after, Lee coordinated with Trend Micro Forward-looking Threats Researcher Kyle Wilhoit on the sample and confirmed that the malware has a wiping routine that can impact the infected system. Soon after Lee’s initial investigation, several analysts and researchers confirmed that the electric firms were indeed affected by a cyber attack, making this incident the first power outage to be caused by malware.
Consistent with insights given by other analysts and researchers, Wilhoit shared, “This event is concerning and interesting at the same time. On one hand, we have the first publicly made information regarding malware taking out SCADA devices. This is clearly bad and concerning in its own right. What could come next, for instance? However, on the other hand, we're dealing with something incredibly interesting, and never before seen publicly—so that adds to its mystique.”
“What we do know is that power was affected at Prykarpattyaoblenergo, with malware contributing to that outage. We also know that this malware was targeting not only Prykarpattyaoblenergo, but also at least one Ukrainian broadcasting company. The victims, at the current stage, all seem to be in Ukraine, and not outside,” Wilhoit added.
Security experts note that the electric firms were, in fact, infected by malware belonging to BlackEnergy, a package that was first seen in 2007 and updated several years ago to add more capabilities. KillDisk, an added feature, could render infected systems unusable and could obliterate vital components of an infected system. Notably, it was reported to possess functions that could place Industrial Control Systems (ICS) at risk.
“KillDisk was part of a new BlackEnergy campaign and was very likely delivered to its intended victim via phishing email with a macro enabled Microsoft Excel document attached. This document, once executed, initiates stage two, which downloads the appropriate packages for persistence on the infected machine,” Wilhoit noted.
This isn’t the first time that the BlackEnergy malware has been linked to an attack in Ukraine. In 2014, its KillDisk module caused permanent damage to media organizations, in particular destroying video and other content, as reported by Ukraine's Computer Emergency Response Team. The same year, the Sandworm team behind BlackEnergy targeted members of the North Atlantic Treaty Organization (NATO), the governments of Ukraine and Poland, and numerous industries in Europe. Further investigations by the Trend Micro threat research team revealed that the group has been targeting SCADA-centric victims.
Given the evidence gathered over the past week, researchers are careful not to jump to the conclusion that the attack that caused the Ukrainian blackout is in fact connected to Sandworm. To date, a special commission has already been established, and ongoing analyses and investigations have yet to give a definite answer on what brought about this kind of incident—one that has long been the subject of warnings from security experts.
Wilhoit added, “Do we know if this malware is solely responsible? No. Do we know if there are any additional malware samples that could be attributed to this incident? Not yet. Do we know if the attackers are Sandworm? No. However, my guess is that this won't be the last time we see malware contributing to the Prykarpattyaoblenergo incident. I think we will see some more samples in the coming days surrounding this incident, likely including additional BlackEnergy modules or stage two tools.”
Wilhoit, who released a study that detailed the insecurity of SCADA devices, added, “Until basic security protocols are implemented within SCADA environments, I'm afraid these types of things will become more prevalent.”