Partner Perspectives
2/5/2016 09:55 AM
Christiaan Beek

A Case Of Mistaken Identity?

The role of BlackEnergy in Ukrainian power grid disruption.

Co-authored by Raj Samani, Chief Technology Officer of Intel Security's Europe, Middle East, and Africa division

Recent reports of electricity outages across the Ukraine have led to significant speculation regarding the specific malware that was used to disrupt supply. Intel Security’s approach to understanding this particular event included making contact with the impacted organization to offer our support and, where possible, retrieving data in order to analyze the true nature of the threat. In this case the impacted organization allowed us to publicly share our findings in order to benefit the entire industry.

Researchers from the Advanced Programs Group within Intel Security were able to analyze multiple samples that were used in an attack, raising questions regarding the role of BlackEnergy malware in disrupting the supply of electricity. We would also like to acknowledge the support we were provided in the technical investigation from our partner BAKOTECH Group.

This post builds upon our initial blog posting that detailed the historical evolution of BlackEnergy.

It Begins With A Phish

Our malware zoo within McAfee Labs contains a wealth of data that can be used to identify the reuse of tools in a particular attack. In this instance, we cross-referenced the initial dropper and collected samples that were used by infected systems. Indeed, this was absolutely necessary because the criminal infrastructure used to host the second malware instance was offline when our initial analysis began. As we began our analysis, we identified a number of similarities with previous campaigns that targeted the energy sector.

In March 2015, an email appearing to be from the Supreme Council of Ukraine (Verkhovna Rada of Ukraine) was sent to multiple state institutions in the Ukraine. One of the targets of this campaign was a power company situated in the western part of the country. The spear-phishing email contained an XLS attachment with a macro in it (see below).

Once the document was opened, a macro was executed, the BlackEnergy dropper was created, and the dropper started to download the final BlackEnergy 2/3 version.

One of the interesting email artifacts was a part of the SMTP header that pointed to an IP address and name of the mail server used to spread the spear-phishing emails.

We received information that, once the attackers were in the network, they compromised a Web server and used it as a beachhead for entering a segment of the company’s network. The attackers were using tools that are freely available on the Internet for download, including Web shells, tunneling tools, and SSH server tools.

If we compare a previous attack to the BlackEnergy attack on the grid reported in December, we can recognize a number of similarities. First, the attack vector is exactly the same, namely a spear-phishing campaign. Below is an example of the content of the email.

The attachment was a weaponized Excel sheet containing a dropper. Once launched, the payload was downloaded from a site hosted in the Ukraine.

We investigated the SMTP headers in this case and found that the attack in December leveraged a mail server with the same IP address and name as a server used in the previously described campaign in March. The energy sector was one of the targets in both campaigns.
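The correlation described above (same relay name and IP in the headers of the March and December mails, an "info" sender address, and a weaponized Office attachment in both) can be reproduced with the standard library. The block below is an added example, not code from the original post or from Intel Security; the two messages are constructed samples with placeholder host names on the reserved .test domain and IP addresses from documentation ranges, and the header layout is assumed to follow the common `from host (rdns [ip]) by ...` form.

```python
"""Correlate two phishing e-mails on their SMTP relay and lure attachment."""
import re
from email import message_from_string

# Constructed sample messages (not the actual campaign e-mails). Host names use
# the reserved .test TLD and the IP addresses come from documentation ranges.
MARCH_MAIL = """\
Received: from mail.relay-example.test (mail.relay-example.test [203.0.113.10])
\tby mx.utility-a.test with ESMTP id 3F2A1; Tue, 3 Mar 2015 09:14:03 +0200
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby mail.relay-example.test with ESMTPA id 77B1; Tue, 3 Mar 2015 09:13:58 +0200
From: info@rada-lookalike.test
To: dispatch@utility-a.test
Subject: Instruction
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached document.
--b1
Content-Type: application/vnd.ms-excel; name="instruction.xls"
Content-Disposition: attachment; filename="instruction.xls"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

DECEMBER_MAIL = """\
Received: from mail.relay-example.test (mail.relay-example.test [203.0.113.10])
\tby mx.utility-b.test with ESMTP id 9C44E; Wed, 23 Dec 2015 11:02:41 +0200
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.relay-example.test with ESMTPA id 1A0F; Wed, 23 Dec 2015 11:02:37 +0200
From: info@regional-office.test
To: operator@utility-b.test
Subject: Report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached is the report.
--b2
Content-Type: application/vnd.ms-excel; name="report.xls"
Content-Disposition: attachment; filename="report.xls"
Content-Transfer-Encoding: base64

QUJD
--b2--
"""

# "from <helo> (<reverse-dns> [<ip>])" as written by most MTAs (assumed layout).
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)", re.I)

# Attachment types the post associates with these lures (Excel, later Word).
OFFICE_LURE_EXT = (".xls", ".xlsm", ".doc", ".docm")


def relay_hops(raw):
    """Return (reverse-DNS name, IP) for each Received: hop, newest first."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(" ".join(header.split()))  # unfold the header
        if m:
            hops.append((m["rdns"].lower(), m["ip"]))
    return hops


def sender_localpart(raw):
    """Local part of the From: address, lower-cased ('info' in both lures)."""
    return message_from_string(raw).get("From", "").split("@", 1)[0].strip().lower()


def lure_attachments(raw):
    """File names of Office attachments in the message."""
    return [part.get_filename() for part in message_from_string(raw).walk()
            if part.get_filename()
            and part.get_filename().lower().endswith(OFFICE_LURE_EXT)]


def correlate(raw_a, raw_b):
    """Summarise what two messages share: relay hops, sender pattern, lure type."""
    shared = sorted(set(relay_hops(raw_a)) & set(relay_hops(raw_b)))
    return {
        "shared_relays": shared,
        "info_sender_both": sender_localpart(raw_a) == "info" == sender_localpart(raw_b),
        "lures": (lure_attachments(raw_a), lure_attachments(raw_b)),
    }


if __name__ == "__main__":
    for key, value in correlate(MARCH_MAIL, DECEMBER_MAIL).items():
        print(f"{key}: {value}")
```

Only the hop that both messages have in common (the relay) survives the set intersection; the originating client addresses differ between campaigns, which is exactly the distinction the post draws between the shared mail server and the rest of the infrastructure.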

Besides these files, we also received a package of suspicious files for analysis. These files were part of a Web template system called Synio. The Synio template is part of the LiveStreet content management system. LiveStreet is a Russian site that allows for the free download of engines for blogging and social networking. It is not known to us whether these files were related to the spear-phishing campaign or part of lateral movement. However, we noticed references to the Synio template being used on the server that hosted the payload for the dropper: “8080/templates/compiled/synio/...” One of the files in the templates was definitely not part of normal content management.

After analysis of this PHP file, we determined that it was a PHP Web shell of the WSO family (see below).

These WSO Web shells are often used after compromising a server to keep access. They usually support multiple modules with a variety of features. In this case, the shell included the following modules:

  • Console
  • SQL manager
  • Support for Windows and Linux OS
  • Server information
  • File manager
  • Editing, modifying files
  • SQL console
  • PHP console
  • Network analysis tools

Access to the Web shell was secured with an easy-to-crack MD5 password hash.

One interesting feature was the “search for hash option,” where discovered hashes could be sent to certain sites that might have cracked the value for these hashes (see below).
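A file that "was definitely not part of normal content management" inside a template directory is something a defender can look for systematically. The block below is an added example, not code from the original post, from Intel Security, or from the LiveStreet project: it scores PHP files on traits typical of shells of the kind described above (dynamic code evaluation, OS command execution, decoder chains, a hard-coded 32-hex-digit password constant such as the MD5 value mentioned, and a SQL console). The indicator weights and the threshold are arbitrary choices for this example, the two sample files are constructed, and the directory layout only borrows the `templates/compiled/synio/` path the post quotes.

```python
"""Heuristic scan of a template tree for PHP files with Web-shell traits."""
import re
import tempfile
from pathlib import Path

# Traits to look for and an arbitrary weight for each (chosen for this example).
INDICATORS = {
    "dynamic_eval":   (re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I), 3),
    "os_command":     (re.compile(r"\b(?:shell_exec|passthru|proc_open|popen|system|exec)\s*\(", re.I), 3),
    "decoder_chain":  (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    # A variable named like a credential holding a bare 32-hex constant, i.e. an
    # unsalted MD5 hash used as the access password (assumed WSO-style layout).
    "md5_auth_const": (re.compile(r"\$\w*(?:auth|pass)\w*\s*=\s*['\"][0-9a-f]{32}['\"]", re.I), 2),
    "sql_console":    (re.compile(r"\b(?:mysql_query|mysqli_query)\s*\(", re.I), 1),
}

# Constructed stand-in for a shell dropped into a compiled-template directory.
SAMPLE_SHELL = r"""<?php
$auth_pass = "0123456789abcdef0123456789abcdef";  // placeholder, not a real hash
if (md5($_POST['pass']) !== $auth_pass) die();
echo shell_exec($_POST['c']);
eval(base64_decode($_POST['p']));
mysql_query($_POST['q']);
"""

# Constructed stand-in for a legitimate compiled template that only renders data.
SAMPLE_TEMPLATE = r"""<?php
echo '<h1>' . htmlspecialchars($this->tpl_vars['title']->value) . '</h1>';
foreach ($this->tpl_vars['posts']->value as $post) {
    echo '<p>' . htmlspecialchars($post['body']) . '</p>';
}
"""


def score_php_source(src):
    """Return (score, [indicator names]) for the contents of one PHP file."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(src)]
    return sum(INDICATORS[name][1] for name in hits), hits


def scan_directory(root, threshold=5):
    """Walk root for *.php files and report those scoring at or above threshold."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        score, hits = score_php_source(path.read_text(errors="replace"))
        if score >= threshold:
            findings.append((path.relative_to(root).as_posix(), score, hits))
    return findings


def demo():
    """Write the constructed samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        template_dir = Path(tmp) / "templates" / "compiled" / "synio"
        template_dir.mkdir(parents=True)
        (template_dir / "post.tpl.php").write_text(SAMPLE_TEMPLATE)
        (template_dir / "cache.php").write_text(SAMPLE_SHELL)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel_path, score, hits in demo():
        print(f"{rel_path}: score={score} hits={','.join(hits)}")
```

Run against a real template directory, the scorer is a triage aid rather than a verdict: compiled templates from a CMS legitimately contain `echo` and string handling but not `eval`, `shell_exec` or a bare password hash, so a file that trips several indicators at once is the one to pull for manual review, and the `md5_auth_const` hit on its own is worth a look because it marks exactly the weak, unsalted credential the post describes.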

For both the March and December attacks, there are some similarities:

  • Spear-phishing using weaponized Office documents
  • Email sender using a valid “info” address in the Ukraine
  • Same mail provider and server used
  • Usage of common backdoor tools
  • Low sophistication of attacks

The use of BlackEnergy for espionage is not new, but prior to the December attack there had been no evidence that campaigns used BlackEnergy for more than stealing confidential information from a victim organization. While the latest attack included a wiper component, we did not find any evidence that this malware specifically targeted SCADA systems. Therefore, it appears unlikely that the BlackEnergy malware was the direct cause of the outage. It is unclear if a single actor both controlled BlackEnergy and also issued a coordinated shutdown of the electrical system.

Meanwhile, the spear-phishing campaigns in Ukraine appear to have continued into January, using Word documents instead of Excel. While available information does not yet point to a clear root cause, additional details are emerging and analysis is ongoing. There is greater confidence that the follow-up phishes came from the same group than that this group was responsible for the availability disruption. Not only do these follow-ups use the same modus operandi, but they are more in line with the level of technical sophistication we have seen with BlackEnergy. We are continuing analysis as more samples are received and will provide more details in due course.

Christiaan Beek manages threat intelligence research within Intel Security's Office of the CTO. He leads research in advanced attacks and assists in cyberattack take-down operations. In previous roles, Beek was director of threat intelligence in McAfee Labs and director of ...