
BlackEnergy Trojan ‘Used In Ukraine Power Grid Attack’

The BlackEnergy trojan horse was used in an attack that disabled parts of Ukraine’s power grid last month, according to security researchers, in an incident security services in the country have blamed on Russia.

The December 23 attack left parts of western Ukraine, including regional capital Ivano-Frankivsk, without power, power company Prykarpattyaoblenergo said at the time.

Investigation

Ukraine’s security service SBU said Russia was behind the attack, and the energy ministry in Kiev said last week it has set up a commission to investigate the incident. Russia has yet to comment on the matter, but relations between the two countries have declined since Russia annexed Crimea in 2014.

SBU said other power companies had been targeted at the same time and that security services had prevented a much longer blackout in the region.

If Ukraine confirms the power outage resulted from a cyber-attack, it could encourage further use of hacking for sabotage, industry observers have said.

Eset, a security firm based in Slovakia, said on Monday it believes BlackEnergy, a sophisticated trojan usually delivered via malicious email attachments, was used in both the attack on Ukraine’s power grid and in an earlier incident that targeted Ukrainian news media during local elections in November.

In both cases the trojan was used to deliver a component called KillDisk, which aims to erase specific files and executables, Eset said.

The November attack resulted in the destruction of video materials and other documents, according to a report by CERT-UA, Ukraine’s computer emergency response team, which documented the use of BlackEnergy and the KillDisk component in that incident.

Social engineering

“The main purpose of this component is to do damage to data stored on the computer,” Eset said in an advisory. “It overwrites documents with random data and makes the OS unbootable.”

The version of KillDisk used in the energy grid attack includes a time delay allowing the attackers to specify when the payload should activate, Eset said.

It targets fewer file types than the version used to attack the media companies, but also deletes Windows Event Logs and terminates specific executable files that appear to be used in industrial control systems.

“In case the process is found, the malware does not just terminate it, but also overwrites the executable file with random data,” Eset said.

BlackEnergy attackers typically send the trojan in a malicious attachment, such as a Word document that contains a macro which, when run, infects the user’s system, according to Eset.

Specific users are targeted and are encouraged to activate the attachment via social engineering techniques, such as making the message appear to originate from the Ukrainian parliament, Eset said.

Eset previously documented the use of BlackEnergy for espionage in Ukraine and Poland in the first half of 2014.

Security experts reported in 2014 that a number of energy companies in the US, Spain, France, Italy, Germany, Turkey and Poland had been compromised by a group called Dragonfly, thought to be based in Russia.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
