Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/12/2016
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ukraine Railway, Mining Company Attacked With BlackEnergy

Weeks after the malware played a role in a massive power outage in the Ukraine, BlackEnergy and its cohort KillDisk were used in other attacks as well, Trend Micro says.

Even as questions continue to swirl around the role of the BlackEnergy malware family in the widespread power outage in Ukraine on December 23, there are signs the same toolkit is being used in attacks against industrial control systems in other sectors as well.

Security vendor Trend Micro says new intelligence shows that whoever was behind the power grid attacks also may have attempted similar attacks against a large railway operator and a mining company in the Ukraine. An inspection of telemetry data obtained from the open source intelligence community shows that BlackEnergy and its integrated KillDisk component for erasing hard disks were used in both attacks.

The BlackEnergy and KillDisk infrastructure used in the attacks on the mining and rail transportation firms was the same as the one used to launch the December attacks on Ukraine power distributor Prykarpattya Oblenergo that resulted in 30 substations getting knocked off the grid, according to Trend's findings. More than 100 cities suffered a total blackout while dozens of others experienced a partial power disruption as a result of that attack.

“Based on our research, we can say we believe that the same actors are likely involved in some regard to these two victims and to those behind the Ukrainian power utility attack," Trend Micro senior security researcher Kyle Wilhoit said in a blog post. The remarkable overlap between the malware used in the attacks, the naming conventions, the infrastructure, and the timing of the attacks hint strongly at a connection between the three campaigns, he concluded.

The attacks suggest that the attackers are either seeking to use cyberattacks to cause massive and persistent disruption to Ukraine power, transportation, and mining infrastructure. Or the attackers could be deploying the malware on different critical infrastructure targets in Ukraine to try and figure out the most vulnerable ones, he said.

The hacking of industrial control systems at the railway and mining companies in Ukraine, if true, represent a troubling expansion of the BlackEnergy campaign, says Dean Weber, chief cyber architect at Mission Secure Inc., which specializes in control systems security.

The attack on Ukraine’s power grid represents the first time since Stuxnet degraded Iran’s uranium processing capability in 2010 that a cyberattack has been used to cause a physical outcome, he says.

To pull it off, the attackers basically appear to have compromised a human-machine interface (HMI) system at Prykarpattya Oblenergo and used the access to instruct the underlying industrial control system to open a series of circuit breakers causing power to be shut down in multiple areas, Weber says. Some have attributed the attack to a Russian hacking group dubbed the Sandworm team, which has been associated with BlackEnergy related attacks on energy companies in the US and Europe for years, he notes.

Though an inspection of the compromised system at the Ukraine power distributor revealed the presence of BlackEnergy 3 and KillDisk, security researchers are not entirely sure what role the malware played in actually leading to the switches being thrown open. 

['KillDisk' and BlackEnergy were not the culprits behind the power outage -- there's still a missing link in the chain of attack. Read More Signs Point To Cyberattack Behind Ukraine Power Outage.]

BlackEnergy has been floating around since 2011 and was originally used to collect information from industrial control systems. The US ICS-CERT -- which yesterday issued a new YARA signature for detecting BlackEnergy -- recently confirmed that several US organizations have reported infections on Windows-based human-machine interface systems (HMI) that are used to interact with back-end industrial control systems.

ICS-CERT has not identified instances where BlackEnergy has been used to damage or modify control processes on a victim system, or if the malware operators used it to expand their access beyond the compromised HMI. The CERT also has noted in its analysis of the attack on the Ukraine power grids that a version of BlackEnergy 3 with the KillDisk utility was indeed present on the system that was compromised. 

“Everybody should be up at night about this,” MSi's Weber says. “Everything that relies on an industrial control system, whether it be an oil and gas facility, a pipeline, a ship or a power generator, are run by HMIs,” and such an attack shows how they could be compromised.

 

Interop 2016 Las VegasFind out more about the latest security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13611
PUBLISHED: 2019-07-16
An issue was discovered in python-engineio through 3.8.2. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to a server by using a victim's credentials, because the Origin header is not restricted.
CVE-2019-0234
PUBLISHED: 2019-07-15
A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of ...
CVE-2018-7838
PUBLISHED: 2019-07-15
A CWE-119 Buffer Errors vulnerability exists in Modicon M580 CPU - BMEP582040, all versions before V2.90, and Modicon Ethernet Module BMENOC0301, all versions before V2.16, which could cause denial of service on the FTP service of the controller or the Ethernet BMENOC module when it receives a FTP C...
CVE-2019-6822
PUBLISHED: 2019-07-15
A Use After Free: CWE-416 vulnerability exists in Zelio Soft 2, V5.2 and earlier, which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
CVE-2019-6823
PUBLISHED: 2019-07-15
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.