Threat Intelligence

2/12/2016
05:00 PM

Ukraine Railway, Mining Company Attacked With BlackEnergy

Weeks after the malware played a role in a massive power outage in the Ukraine, BlackEnergy and its cohort KillDisk were used in other attacks as well, Trend Micro says.

Even as questions continue to swirl around the role of the BlackEnergy malware family in the widespread power outage in Ukraine on December 23, there are signs the same toolkit is being used in attacks against industrial control systems in other sectors as well.

Security vendor Trend Micro says new intelligence shows that whoever was behind the power grid attacks also may have attempted similar attacks against a large railway operator and a mining company in the Ukraine. An inspection of telemetry data obtained from the open source intelligence community shows that BlackEnergy and its integrated KillDisk component for erasing hard disks were used in both attacks.

The BlackEnergy and KillDisk infrastructure used in the attacks on the mining and rail transportation firms was the same as the one used to launch the December attacks on Ukraine power distributor Prykarpattya Oblenergo that resulted in 30 substations getting knocked off the grid, according to Trend's findings. More than 100 cities suffered a total blackout while dozens of others experienced a partial power disruption as a result of that attack.

“Based on our research, we can say we believe that the same actors are likely involved in some regard to these two victims and to those behind the Ukrainian power utility attack,” Trend Micro senior security researcher Kyle Wilhoit said in a blog post. The remarkable overlap between the malware used in the attacks, the naming conventions, the infrastructure, and the timing of the attacks hints strongly at a connection between the three campaigns, he concluded.

The attacks suggest that the attackers are either seeking to use cyberattacks to cause massive and persistent disruption to Ukraine power, transportation, and mining infrastructure, or deploying the malware on different critical infrastructure targets in Ukraine to try to figure out the most vulnerable ones, he said.

The hacking of industrial control systems at the railway and mining companies in Ukraine, if true, represents a troubling expansion of the BlackEnergy campaign, says Dean Weber, chief cyber architect at Mission Secure Inc., which specializes in control systems security.

The attack on Ukraine’s power grid represents the first time since Stuxnet degraded Iran’s uranium processing capability in 2010 that a cyberattack has been used to cause a physical outcome, he says.

To pull it off, the attackers appear to have compromised a human-machine interface (HMI) system at Prykarpattya Oblenergo and used the access to instruct the underlying industrial control system to open a series of circuit breakers, causing power to be shut down in multiple areas, Weber says. Some have attributed the attack to a Russian hacking group dubbed the Sandworm team, which has been associated with BlackEnergy-related attacks on energy companies in the US and Europe for years, he notes.

Though an inspection of the compromised system at the Ukraine power distributor revealed the presence of BlackEnergy 3 and KillDisk, security researchers are not entirely sure what role the malware played in actually leading to the switches being thrown open. 

['KillDisk' and BlackEnergy were not the culprits behind the power outage -- there's still a missing link in the chain of attack. Read More Signs Point To Cyberattack Behind Ukraine Power Outage.]

BlackEnergy has been floating around since 2011 and was originally used to collect information from industrial control systems. The US ICS-CERT -- which yesterday issued a new YARA signature for detecting BlackEnergy -- recently confirmed that several US organizations have reported infections on Windows-based human-machine interface systems (HMI) that are used to interact with back-end industrial control systems.

ICS-CERT has not identified instances where BlackEnergy has been used to damage or modify control processes on a victim system, and has not determined whether the malware operators used it to expand their access beyond the compromised HMI. The CERT also has noted in its analysis of the attack on the Ukraine power grids that a version of BlackEnergy 3 with the KillDisk utility was indeed present on the system that was compromised.

“Everybody should be up at night about this,” MSi's Weber says. “Everything that relies on an industrial control system, whether it be an oil and gas facility, a pipeline, a ship or a power generator, are run by HMIs,” and such an attack shows how they could be compromised.

 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
