Questions Remain On How Cyberattack Caused Ukraine Blackout

Could the BlackEnergy backdoor with its KillDisk component really cause a power outage? Some experts think a piece of the puzzle is missing.

The BlackEnergy malware family might have been involved in the Dec. 23 blackout in Ukraine, according to researchers at ESET, but whether it was or wasn't, questions remain on how the attack occurred. In particular, while ESET contends that this backdoor malware previously used for data theft was repurposed to cause a widespread power outage, not all experts are convinced.

The blackout

The blackout across western Ukraine, including its regional capital, was attributed to a cyberattack on Ukrainian electricity distributor Prykarpattya Oblenergo. Ukraine's SBU state security service officially blamed Russian hackers for the incident, and told Reuters that "the region would have faced a much longer blackout if the malware had executed as the attackers had intended."

"To my knowledge this is the first time an electricity provider has openly claimed to be the victim of a cyber attack that intentionally caused an outage," says Sean McBride, critical infrastructure lead analyst for iSIGHT. "We do have evidence that general malware was implicated in outages previously, but that case does not qualify as intentionally caused. The up-front and relatively immediate claim by the Ukrainian victims, the plausibility of the situation, and the details produced to date make this something new."


On Sunday, researchers at ESET published analysis stating that they believed the BlackEnergy malware family was involved in the attack at Prykarpattya Oblenergo; Monday, they wrote that this attack was not an isolated incident, and that the malware was discovered at other electricity companies earlier in 2015. The infection vector used in those attacks appeared to be Microsoft Word macros, delivered via spearphishing messages, some of which purported to be from the Ukrainian parliament. 

BlackEnergy has been used against the energy sector before: Sandworm Team, a Russian hacking group, has used it heavily in attacks on energy companies in Europe and the United States as far back as 2011. However, the primary purpose of the malware at that time, according to CyberX researchers in a May report, was data theft, not power outages.

Since that time, however, a new KillDisk component has been added to BlackEnergy, according to ESET. "The main purpose of this component," researchers wrote, "is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable."

This combo of BlackEnergy with a KillDisk component was first spotted in November, by Ukraine's national CERT, being used against Ukrainian media companies. The sample discovered by ESET in the energy companies, though, "was slightly different."

The newer sample, according to ESET, accepts a command-line argument to set a time delay, deletes Windows Event Logs, "is less focused on deleting documents" than the version found in media companies, and "also appears to contain some additional functionality specifically intended to sabotage industrial systems": it terminates two non-standard processes, komut.exe and sec_service.exe.
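The two host-level behaviours ESET attributes to the energy-sector sample, termination of komut.exe and sec_service.exe and clearing of Windows Event Logs, are exactly the kind of thing a defender can hunt for in forwarded endpoint logs. The following Python hunt is an added example, not code from the article or from ESET. The JSON Lines log format, hostnames, timestamps and the mapping of the behaviours to Sysmon event 5 (process terminated) and Windows event IDs 1102 and 104 (audit log / event log cleared) are assumptions about the log source; the sample records are constructed.

```python
"""Hunt for KillDisk-style behaviour (target process kills followed by event
log clearing) in endpoint logs. Added example; log format is an assumption."""
import json
from datetime import datetime, timedelta

# Process names ESET reported the energy-sector KillDisk sample terminates.
TARGET_PROCESSES = {"komut.exe", "sec_service.exe"}

# Assumed log-source mapping (not from the article): Windows event 1102 =
# Security log cleared, 104 = System/Application log cleared, Sysmon 5 =
# process terminated.
LOG_CLEARED_IDS = {1102, 104}
SYSMON_PROCESS_TERMINATED = 5

# Constructed sample records, one JSON object per line, as a log forwarder
# might emit them. Hostnames, paths and times are made up.
SAMPLE_LOG = """\
{"ts":"2015-12-23T15:20:01Z","host":"hmi-01","source":"Sysmon","event_id":1,"image":"C:\\\\Windows\\\\explorer.exe"}
{"ts":"2015-12-23T15:31:10Z","host":"hmi-01","source":"Sysmon","event_id":5,"image":"C:\\\\scada\\\\komut.exe"}
{"ts":"2015-12-23T15:31:11Z","host":"hmi-01","source":"Sysmon","event_id":5,"image":"C:\\\\scada\\\\sec_service.exe"}
{"ts":"2015-12-23T15:31:40Z","host":"hmi-01","source":"Security","event_id":1102}
{"ts":"2015-12-23T15:31:41Z","host":"hmi-01","source":"System","event_id":104}
{"ts":"2015-12-23T15:35:00Z","host":"ws-07","source":"Sysmon","event_id":5,"image":"C:\\\\Windows\\\\notepad.exe"}
{"ts":"2015-12-23T16:02:00Z","host":"ws-07","source":"Security","event_id":1102}
"""


def parse_events(text):
    """Parse JSON Lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tag_event(rec):
    """Label one event as an indicator, or return None if it is benign."""
    if rec.get("source") == "Sysmon" and rec.get("event_id") == SYSMON_PROCESS_TERMINATED:
        if basename(rec.get("image", "")) in TARGET_PROCESSES:
            return "target_process_terminated"
    if rec.get("source") != "Sysmon" and rec.get("event_id") in LOG_CLEARED_IDS:
        return "event_log_cleared"
    return None


def hunt(text, window=timedelta(minutes=10)):
    """Per host: collect indicators and flag the host when a target-process
    termination and an event-log clear occur within `window` of each other.
    Single indicators are still reported so an analyst can triage them."""
    per_host = {}
    for rec in parse_events(text):
        label = tag_event(rec)
        if label:
            per_host.setdefault(rec["host"], []).append((rec["ts"], label, rec))

    results = {}
    for host, hits in per_host.items():
        term = [ts for ts, label, _ in hits if label == "target_process_terminated"]
        cleared = [ts for ts, label, _ in hits if label == "event_log_cleared"]
        results[host] = {
            "indicators": sorted({label for _, label, _ in hits}),
            "processes": sorted({basename(r.get("image", ""))
                                 for _, label, r in hits
                                 if label == "target_process_terminated"}),
            "flagged": any(abs(c - t) <= window for t in term for c in cleared),
        }
    return results


if __name__ == "__main__":
    for host, summary in hunt(SAMPLE_LOG).items():
        print(host, summary)
```

On the constructed input, hmi-01 is flagged (both target processes killed, then the Security and System logs cleared within about thirty seconds) while ws-07 shows only an isolated log-clear and is reported but not flagged. The time delay ESET describes is not observable in logs, which is why the correlation window is kept generous rather than tied to a fixed offset.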

Monday, ESET researchers wrote that "Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems." In other words, ESET's position is that BlackEnergy and KillDisk could have caused a blackout.

Researchers at iSIGHT say they believe that, regardless of whether the BlackEnergy sample was used in this particular attack, the attackers behind the Ukrainian blackout are Sandworm Team.

Are BlackEnergy and KillDisk Enough?

Robert M. Lee, an instructor and course author for SANS, isn't entirely convinced.

Lee says that while he does believe that the BlackEnergy malware and the Sandworm Team threat group were involved in the attack, he does not believe there is enough evidence to prove either of those things yet.

He also does not believe that BlackEnergy, even with the KillDisk component, could cause the outage on its own. As a backdoor, BlackEnergy could give attackers access to key systems, but the destructive capabilities in KillDisk, he says, are mainly for anti-forensics purposes; there is a possibility that they were used for other things, but cleanup is the predominant theory right now, he says.

Attackers could have used BlackEnergy with KillDisk "to get on and clean up," says Lee, but to cause a blackout they would have needed additional steps. He does not, however, think the attackers needed operational expertise with the ins and outs of power plants to carry it out (as some cyber-physical attackers do). It "would likely have been a script or a direct interaction that might open or close breakers," says Lee. "We don't know. We may never know."

ESET acknowledged in its post Monday that a scenario like this is possible, with BlackEnergy or the SSH backdoor providing access for a secondary attack and KillDisk providing cleanup, but maintained that "we can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage" in western Ukraine Dec. 23.

The cost of a major cyberattack on the U.S. electric grid has been estimated at $1 trillion in economic impact and $71.1 billion in insurance claims. In their study published in July, the University of Cambridge Centre for Risk Studies and London-based insurance provider Lloyd's defined the attack as a malware infection of 50 generators in the Northeastern U.S. that made them overload and caused a blackout in 15 states and Washington D.C.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
