
Questions Remain On How Cyberattack Caused Ukraine Blackout

Could the BlackEnergy backdoor with its KillDisk component really cause a power outage? Some experts think a piece of the puzzle is missing.

The BlackEnergy malware family might have been involved in the Dec. 23 blackout in Ukraine, according to researchers at ESET, but either way, questions remain about how the attack was actually carried out. In particular, while ESET contends that this backdoor, previously used for data theft, was repurposed to cause a widespread power outage, not all experts are convinced.

The blackout

The blackout across western Ukraine, including its regional capital, was attributed to a cyberattack on Ukrainian electricity distributor Prykarpattya Oblenergo. Ukraine's SBU state security service officially blamed Russian hackers for the incident, and told Reuters that "the region would have faced a much longer blackout if the malware had executed as the attackers had intended."

"To my knowledge this is the first time an electricity provider has openly claimed to be the victim of a cyber attack that intentionally caused an outage," says Sean McBride, critical infrastructure lead analyst for iSIGHT. "We do have evidence that general malware was implicated in outages previously, but that case does not qualify as intentionally caused. The up-front and relatively immediate claim by the Ukrainian victims, the plausibility of the situation, and the details produced to date make this something new."


On Sunday, researchers at ESET published an analysis stating that they believed the BlackEnergy malware family was involved in the attack at Prykarpattya Oblenergo; on Monday, they wrote that this attack was not an isolated incident, and that the malware had been discovered at other electricity companies earlier in 2015. The infection vector in those attacks appeared to be Microsoft Word macros, delivered via spearphishing messages, some of which purported to be from the Ukrainian parliament.
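The macro-laden attachment is the one step of this chain a defender can check at the mail gateway. The following is an added example, not code from the article or from ESET: it inspects an Office attachment by content rather than by file extension and reports whether the OOXML container carries a VBA project (the `vbaProject.bin` part that macro-enabled Word, Excel and PowerPoint files contain). The sample containers it builds are constructed stand-ins, not real documents, and legacy OLE (.doc/.xls) files are only recognised, not parsed; those need an OLE-aware tool.

```python
"""Content-based triage for macro-bearing Office attachments (added example)."""
import io
import zipfile

# OOXML part names that hold the VBA project in macro-enabled documents.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Magic bytes of the legacy OLE2 compound file format (.doc, .xls, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_blob(data: bytes) -> str:
    """Classify raw attachment bytes, ignoring whatever extension they arrived with.

    Returns one of: 'ooxml-macro', 'ooxml-clean', 'ole-legacy', 'unknown'.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: VBA lives in OLE streams, which this check does not parse.
        return "ole-legacy"
    if data[:2] != b"PK":
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    # A renamed .docm still carries the VBA part; the name check is what matters.
    if any(part in names for part in VBA_PARTS):
        return "ooxml-macro"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word-style OOXML container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(label, "->", classify_office_blob(blob))
```

The check deliberately never trusts the filename: a `.docx` that contains `word/vbaProject.bin` is still a macro document as far as a gateway policy should be concerned, and an `ole-legacy` result should route the file to a parser that can enumerate VBA streams rather than be passed through.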

BlackEnergy has been used against the energy sector before; Sandworm Team, a Russian hacking group, has used it in attacks on the energy sector in Europe and the United States since at least 2011. However, the primary purpose of the malware at that time, according to Cyber X researchers in a May report, was data theft -- not power outages.

Since that time, however, a new KillDisk component has been added to BlackEnergy, according to ESET. "The main purpose of this component," researchers wrote, "is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable."

This combo of BlackEnergy with a KillDisk component was first spotted in November, by Ukraine's national CERT, being used against Ukrainian media companies. The sample discovered by ESET in the energy companies, though, "was slightly different."

The newer sample, according to ESET, accepts a command-line argument that sets a time delay, deletes Windows Event Logs, "is less focused on deleting documents" than the version found at the media companies, and "also appears to contain some additional functionality specifically intended to sabotage industrial systems": it terminates two non-standard processes named komut.exe and sec_service.exe.
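Two of the behaviours ESET attributes to this KillDisk variant, clearing the Windows Event Logs and killing the komut.exe and sec_service.exe processes, are observable on a host before the wiper finishes. The block below is an added example, not from the article or ESET, showing the detection logic a practitioner would run over forwarded host telemetry. It assumes Sysmon-style process-termination records (Sysmon Event ID 5) and the standard Windows log-cleared events (Security 1102, System 104); the event records themselves are constructed for the example.

```python
"""Detection sketch for the KillDisk behaviours described above (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Processes ESET reported the energy-sector KillDisk variant terminates.
TARGET_PROCESSES = {"komut.exe", "sec_service.exe"}

# (channel, event ID) pairs Windows writes when a log is cleared through the API:
# Security 1102 "The audit log was cleared", System 104 "The System log file was cleared".
LOG_CLEARED = {("Security", 1102), ("System", 104)}

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
SYSMON_PROCESS_TERMINATE = 5


@dataclass
class Event:
    """Minimal normalised event; field names are this example's, not a vendor schema."""
    host: str
    channel: str
    event_id: int
    image: str = ""  # full image path for Sysmon process events
    extra: dict = field(default_factory=dict)


def _basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_killdisk_indicators(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (host, reason) for every event matching a KillDisk behaviour."""
    alerts = []
    for ev in events:
        if (ev.channel, ev.event_id) in LOG_CLEARED:
            alerts.append((ev.host, f"event log cleared: {ev.channel} {ev.event_id}"))
        elif ev.channel == SYSMON_CHANNEL and ev.event_id == SYSMON_PROCESS_TERMINATE:
            name = _basename(ev.image)
            if name in TARGET_PROCESSES:
                alerts.append((ev.host, f"ICS-related process terminated: {name}"))
    return alerts


def hosts_with_both_behaviours(alerts: List[Tuple[str, str]]) -> List[str]:
    """Hosts where a target process died AND a log was cleared: the strongest signal."""
    seen = {}
    for host, reason in alerts:
        seen.setdefault(host, set()).add(reason.split(":")[0])
    return sorted(h for h, kinds in seen.items() if len(kinds) == 2)


# Constructed sample telemetry: one host shows both behaviours, one is benign noise.
SAMPLE_EVENTS = [
    Event("HMI-01", SYSMON_CHANNEL, 5, image=r"C:\Program Files\Eltima\komut.exe"),
    Event("HMI-01", SYSMON_CHANNEL, 5, image=r"C:\ICS\sec_service.exe"),
    Event("HMI-01", "Security", 1102),
    Event("HMI-01", "System", 104),
    Event("WS-17", SYSMON_CHANNEL, 5, image=r"C:\Windows\notepad.exe"),
    Event("WS-17", "Security", 4624),  # ordinary logon, not an indicator
]

if __name__ == "__main__":
    found = detect_killdisk_indicators(SAMPLE_EVENTS)
    for host, reason in found:
        print(host, reason)
    print("hosts with both behaviours:", hosts_with_both_behaviours(found))
```

The caveat a responder would add: the 1102/104 events exist only if the logs are cleared through the Windows API, and a wiper that then renders the machine unbootable destroys the local copy. The logic above is only useful when events are forwarded off the host in near real time, which is exactly the collection gap a KillDisk-style clean-up is designed to exploit.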

On Monday, ESET researchers wrote that "Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems." In other words, ESET's position is that BlackEnergy plus KillDisk could, on their own, have caused the blackout.

Researchers at iSIGHT say they believe that -- regardless of whether the BlackEnergy sample was used in this particular attack -- the attackers behind the Ukrainian blackout are Sandworm Team.

Are BlackEnergy and KillDisk Enough?

Robert M. Lee, an instructor and course author for SANS, isn't entirely convinced.

Lee says that while he does believe that the BlackEnergy malware and the Sandworm Team threat group were involved in the attack, he does not believe there is enough evidence to prove either of those things yet.

He also does not believe that BlackEnergy, even with the KillDisk component, could cause the outage on its own. As a backdoor, BlackEnergy could give attackers access to key systems, but the destructive capabilities in KillDisk, he says, are mainly for anti-forensics purposes; there's a possibility that they were used for other things but the cleanup is the most predominant theory right now, he says.

Attackers could have used BlackEnergy with KillDisk "to get on and clean up," says Lee, but to cause a blackout they would have needed additional steps. He does not, however, think the attackers needed operational expertise with the ins-and-outs of power plants to carry it out (as some cyber-physical attackers do). It "would likely have been a script or a direct interaction that might open or close breakers,” says Lee. "We don't know. We may never know."

ESET acknowledged in its post Monday that a scenario like this is possible -- BlackEnergy or the backdoored SSH server ESET also found at a victim providing access for a secondary attack, with KillDisk providing clean-up -- but maintained that "we can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage" in western Ukraine Dec. 23.

The cost of a major cyberattack on the U.S. electric grid has been estimated at up to $1 trillion in economic impact and up to $71.1 billion in insurance claims. In their study published in July, the University of Cambridge Centre for Risk Studies and London-based insurance market Lloyd's modeled the attack as a malware infection of 50 generators in the Northeastern U.S. that made them overload, causing a blackout across 15 states and Washington D.C.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
