
Questions Remain On How Cyberattack Caused Ukraine Blackout

Could a BlackEnergy backdoor with KillDisk really cause a power outage? Some experts think a piece of the puzzle is missing.

The BlackEnergy malware family might have been involved in the Dec. 23 blackout in Ukraine, according to researchers at ESET, but whether it was or wasn't, questions remain on how the attack occurred. In particular, while ESET contends that this backdoor malware previously used for data theft was repurposed to cause a widespread power outage, not all experts are convinced.

The blackout

The blackout across western Ukraine, including its regional capital, was attributed to a cyberattack on Ukrainian electricity distributor Prykarpattya Oblenergo. Ukraine's SBU state security service officially blamed Russian hackers for the incident, and told Reuters that "the region would have faced a much longer blackout if the malware had executed as the attackers had intended."

"To my knowledge this is the first time an electricity provider has openly claimed to be the victim of a cyber attack that intentionally caused an outage," says Sean McBride, critical infrastructure lead analyst for iSIGHT. "We do have evidence that general malware was implicated in outages previously, but that case does not qualify as intentionally caused. The up-front and relatively immediate claim by the Ukrainian victims, the plausibility of the situation, and the details produced to date make this something new."

On Sunday, researchers at ESET published analysis stating that they believed the BlackEnergy malware family was involved in the attack at Prykarpattya Oblenergo; Monday, they wrote that this attack was not an isolated incident, and that the malware was discovered at other electricity companies earlier in 2015. The infection vector used in those attacks appeared to be Microsoft Word macros, delivered via spearphishing messages, some of which purported to be from the Ukrainian parliament. 

BlackEnergy has been used against the energy sector before; Sandworm Team, a Russian hacking group, has used it heavily in the past in attacks on the energy sector in Europe and in the United States since as far back as 2011. However, the primary purpose of the malware at that time, according to Cyber X researchers in a May report, was data theft -- not power outages.

Since that time, however, a new KillDisk component has been added to BlackEnergy, according to ESET. "The main purpose of this component," researchers wrote, "is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable."

This combo of BlackEnergy with a KillDisk component was first spotted in November, by Ukraine's national CERT, being used against Ukrainian media companies. The sample discovered by ESET in the energy companies, though, "was slightly different."

The newer samples, according to ESET, accept a command line argument to set a time delay, delete Windows Event Logs, and are "less focused on deleting documents" than the version found in media companies. They also "appear to contain some additional functionality specifically intended to sabotage industrial systems," terminating two non-standard processes called komut.exe and sec_service.exe.
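The behaviours ESET describes above (clearing Windows Event Logs and terminating komut.exe and sec_service.exe) are exactly the kind of host telemetry a defender can alert on. The following is an added illustration, not code from ESET or from the article: it reads constructed, normalised event records (a hypothetical JSON-lines schema with time, host, channel, event_id and image fields; the host names, paths and times are made up), flags Security 1102 / System 104 log-cleared events and Sysmon event 5 process terminations of the two named processes, and raises an alert when both occur on the same host within a short window.

```python
import json
from datetime import datetime, timedelta

# Process names the article says the newer KillDisk variant terminates.
TARGET_PROCESSES = {"komut.exe", "sec_service.exe"}

# Windows events that record a log being cleared: Security 1102 ("The audit
# log was cleared") and System 104 ("The log file was cleared").
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Sysmon channel and its "process terminated" event id.
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
SYSMON_PROCESS_TERMINATED = 5

# Constructed sample telemetry (JSON lines). Hosts, paths and times are made
# up; the field names are a hypothetical normalised schema, not raw EVTX.
SAMPLE_EVENTS = r"""
{"time": "2015-12-23T15:20:00", "host": "hmi-01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 5, "image": "C:\\Vendor\\komut.exe"}
{"time": "2015-12-23T15:20:02", "host": "hmi-01", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 5, "image": "C:\\Vendor\\sec_service.exe"}
{"time": "2015-12-23T15:23:10", "host": "hmi-01", "channel": "Security", "event_id": 1102}
{"time": "2015-12-23T09:00:00", "host": "ws-07", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 5, "image": "C:\\Windows\\System32\\notepad.exe"}
{"time": "2015-12-23T09:05:00", "host": "ws-07", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 5, "image": "C:\\Vendor\\sec_service.exe"}
{"time": "2015-12-23T12:00:00", "host": "ws-07", "channel": "System", "event_id": 104}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a real datetime in 'time'."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def find_indicators(events):
    """Return one finding per event that matches a KillDisk-like behaviour."""
    findings = []
    for e in events:
        if (e["channel"], e["event_id"]) in LOG_CLEARED_EVENTS:
            findings.append({"time": e["time"], "host": e["host"],
                             "kind": "log_cleared", "detail": e["channel"]})
        elif e["channel"] == SYSMON_CHANNEL and e["event_id"] == SYSMON_PROCESS_TERMINATED:
            # Compare on the image file name only, case-insensitively.
            image = e.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in TARGET_PROCESSES:
                findings.append({"time": e["time"], "host": e["host"],
                                 "kind": "target_process_terminated", "detail": image})
    return findings


def correlate(findings, window=timedelta(minutes=10)):
    """Alert when a target process termination and a log clear happen on the
    same host within `window`; returns (host, process, cleared_channel) tuples."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)

    alerts = []
    for host, fs in by_host.items():
        terminations = [f for f in fs if f["kind"] == "target_process_terminated"]
        clears = [f for f in fs if f["kind"] == "log_cleared"]
        for t in terminations:
            for c in clears:
                if abs(c["time"] - t["time"]) <= window:
                    alerts.append((host, t["detail"], c["detail"]))
    return alerts


if __name__ == "__main__":
    found = find_indicators(parse_events(SAMPLE_EVENTS))
    for alert in correlate(found):
        print("ALERT: host=%s process_terminated=%s log_cleared=%s" % alert)
```

On the constructed sample, only hmi-01 produces alerts: both named processes are terminated about three minutes before the Security log is cleared. ws-07 has a termination of sec_service.exe and a later log clear, but three hours apart, so the correlation does not fire and only the individual findings are kept for analyst review.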

Monday, ESET researchers wrote that "Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems." In other words, BlackEnergy and KillDisk could cause a blackout.

Researchers at iSIGHT say they believe that -- regardless of whether the BlackEnergy sample was used in this particular attack -- the attackers behind the Ukrainian blackout are Sandworm Team.

Are BlackEnergy and KillDisk Enough?

Robert M. Lee, an instructor and course author for SANS, isn't entirely convinced.

Lee says that while he does believe that the BlackEnergy malware and the Sandworm Team threat group were involved in the attack, he does not believe there is enough evidence to prove either of those things yet.

He also does not believe that BlackEnergy, even with the KillDisk component, could cause the outage on its own. As a backdoor, BlackEnergy could give attackers access to key systems, but the destructive capabilities in KillDisk, he says, are mainly for anti-forensics purposes. There is a possibility that they were used for other things, but cleanup is the predominant theory right now, he says.

Attackers could have used BlackEnergy with KillDisk "to get on and clean up," says Lee, but to cause a blackout they would have needed additional steps. He does not, however, think the attackers needed operational expertise with the ins-and-outs of power plants to carry it out (as some cyber-physical attackers do). It "would likely have been a script or a direct interaction that might open or close breakers," says Lee. "We don't know. We may never know."

ESET acknowledged in its post Monday that a scenario like this could be possible -- BlackEnergy or the SSH backdoor providing access for a secondary attack, with KillDisk providing cleanup -- but maintained that "we can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage" in western Ukraine Dec. 23.

The cost of a major cyberattack on the U.S. electric grid has been estimated at $1 trillion in economic impact and $71.1 billion in insurance claims. In their study published in July, the University of Cambridge Centre for Risk Studies and London-based insurance provider Lloyd's defined the attack as a malware infection of 50 generators in the Northeastern U.S. that made them overload and caused a blackout in 15 states and Washington D.C.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
