Attacks/Breaches
1/5/2016
02:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Questions Remain On How Cyberattack Caused Ukraine Blackout

Could BlackEnergy backdoor with KillDisk really cause a power outage? Some experts think piece of puzzle is missing.

The BlackEnergy malware family might have been involved in the Dec. 23 blackout in Ukraine, according to researchers at ESET, but whether it was or wasn't, questions remain on how the attack occurred. In particular, while ESET contends that this backdoor malware previously used for data theft was repurposed to cause a widespread power outage, not all experts are convinced.

The blackout

The blackout across western Ukraine, including its regional capital, was attributed to a cyberattack on Ukrainian electricity distributor Prykarpattya Oblenergo. Ukraine's SBU state security service officially blamed Russian hackers for the incident, and told Reuters that "the region would have faced a much longer blackout if the malware had executed as the attackers had intended."

“To my knowledge this is the first time an electricity provider has openly claimed to be the victim of a cyber attack that intentionally caused an outage," says Sean McBride, critical infrastructure lead analyst for iSIGHT. "We do have evidence that general malware was implicated in outages previously, but that case does not qualify as intentionally caused. The up-front and relatively immediate claim by the Ukrainian victims, the plausibility of the situation, and the details produced to date make this something new."

BlackEnergy

On Sunday, researchers at ESET published analysis stating that they believed the BlackEnergy malware family was involved in the attack at Prykarpattya Oblenergo; Monday, they wrote that this attack was not an isolated incident, and that the malware was discovered at other electricity companies earlier in 2015. The infection vector used in those attacks appeared to be Microsoft Word macros, delivered via spearphishing messages, some of which purported to be from the Ukrainian parliament. 

BlackEnergy has been used against the energy sector before; Sandworm Team, a Russian hacking group, has used it heavily in the past in attacks on the energy sector in Europe and in the United States since as far back as 2011. However, the primary purpose of the malware at that time, according to Cyber X researchers in a May report, was data theft -- not power outages.

Since that time, however, a new KillDisk component has been added to BlackEnergy, according to ESET. "The main purpose of this component," researchers wrote, "is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable."

This combo of BlackEnergy with a KillDisk component was first spotted in November, by Ukraine's national CERT, being used against Ukrainian media companies. The sample discovered by ESET in the energy companies, though, "was slightly different."

The newer samples, according to ESET, accept a command line argument to set a time delay, delete Windows Event Logs, "is less focused on deleting documents" than the version that was found in media companies, and "also appears to contain some additional functionality specifically intended to sabotage industrial systems," terminating two non-standard processes called komut.exe and sec_service.exe.

Monday, ESET researchers wrote that "Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems." In other words, Black Energy and KillDisk could cause a blackout.

Researchers at iSIGHT say they believe that -- regardless of whether the BlackEnergy sample was used in this particular attack -- that the attackers behind the Ukrainian blackout are Sandworm Team.

Are Black Energy and Kill Disk Enough?

Robert M. Lee, an instructor and course author for SANS, isn't entirely convinced.

Lee says that while he does believe that the BlackEnergy malware and the Sandworm Team threat group were involved in the attack, he does not believe there is enough evidence to prove either of those things yet.

He also does not believe that BlackEnergy, even with the KillDisk component, could cause the outage on its own. As a backdoor, BlackEnergy could give attackers access to key systems, but the destructive capabilities in KillDisk, he says, are mainly for anti-forensics purposes; there's a possibility that they were used for other things but the cleanup is the most predominant theory right now, he says.

Attackers could have used BlackEnergy with KillDisk "to get on and clean up," says Lee, but to cause a blackout they would have needed additional steps. He does not, however, think the attackers needed operational expertise with the ins-and-outs of power plants to carry it out (as some cyber-physical attackers do). It "would likely have been a script or a direct interaction that might open or close breakers,” says Lee. "We don't know. We may never know."

ESET acknowledged in its post Monday that a scenario like this could be possible -- BlackEnergy or the SSH backdoor providing access for a secondary attack, with KillDisk providing clean up -- but persisted that "we can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage" in western Ukraine Dec. 23.

The cost of a major cyberattack on the U.S. electric grid has been estimated at $1 trillion in economic impact and $71.1 billion in insurance claims. In their study published in July, the University of Cambridge Centre for Risk Studies and London-based insurance provider Lloyd's defined the attack as a malware infection of 50 generators in the Northeastern U.S. that made them overload and caused a blackout in 15 states and Washington D.C.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.