Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/12/2016
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ukraine Railway, Mining Company Attacked With BlackEnergy

Weeks after the malware played a role in a massive power outage in the Ukraine, BlackEnergy and its cohort KillDisk were used in other attacks as well, Trend Micro says.

Even as questions continue to swirl around the role of the BlackEnergy malware family in the widespread power outage in Ukraine on December 23, there are signs the same toolkit is being used in attacks against industrial control systems in other sectors as well.

Security vendor Trend Micro says new intelligence shows that whoever was behind the power grid attacks also may have attempted similar attacks against a large railway operator and a mining company in the Ukraine. An inspection of telemetry data obtained from the open source intelligence community shows that BlackEnergy and its integrated KillDisk component for erasing hard disks were used in both attacks.

The BlackEnergy and KillDisk infrastructure used in the attacks on the mining and rail transportation firms was the same as the one used to launch the December attacks on Ukraine power distributor Prykarpattya Oblenergo that resulted in 30 substations getting knocked off the grid, according to Trend's findings. More than 100 cities suffered a total blackout while dozens of others experienced a partial power disruption as a result of that attack.

“Based on our research, we can say we believe that the same actors are likely involved in some regard to these two victims and to those behind the Ukrainian power utility attack," Trend Micro senior security researcher Kyle Wilhoit said in a blog post. The remarkable overlap between the malware used in the attacks, the naming conventions, the infrastructure, and the timing of the attacks hint strongly at a connection between the three campaigns, he concluded.

The attacks suggest that the attackers are either seeking to use cyberattacks to cause massive and persistent disruption to Ukraine power, transportation, and mining infrastructure. Or the attackers could be deploying the malware on different critical infrastructure targets in Ukraine to try and figure out the most vulnerable ones, he said.

The hacking of industrial control systems at the railway and mining companies in Ukraine, if true, represent a troubling expansion of the BlackEnergy campaign, says Dean Weber, chief cyber architect at Mission Secure Inc., which specializes in control systems security.

The attack on Ukraine’s power grid represents the first time since Stuxnet degraded Iran’s uranium processing capability in 2010 that a cyberattack has been used to cause a physical outcome, he says.

To pull it off, the attackers basically appear to have compromised a human-machine interface (HMI) system at Prykarpattya Oblenergo and used the access to instruct the underlying industrial control system to open a series of circuit breakers causing power to be shut down in multiple areas, Weber says. Some have attributed the attack to a Russian hacking group dubbed the Sandworm team, which has been associated with BlackEnergy related attacks on energy companies in the US and Europe for years, he notes.

Though an inspection of the compromised system at the Ukraine power distributor revealed the presence of BlackEnergy 3 and KillDisk, security researchers are not entirely sure what role the malware played in actually leading to the switches being thrown open. 

['KillDisk' and BlackEnergy were not the culprits behind the power outage -- there's still a missing link in the chain of attack. Read More Signs Point To Cyberattack Behind Ukraine Power Outage.]

BlackEnergy has been floating around since 2011 and was originally used to collect information from industrial control systems. The US ICS-CERT -- which yesterday issued a new YARA signature for detecting BlackEnergy -- recently confirmed that several US organizations have reported infections on Windows-based human-machine interface systems (HMI) that are used to interact with back-end industrial control systems.

ICS-CERT has not identified instances where BlackEnergy has been used to damage or modify control processes on a victim system, or if the malware operators used it to expand their access beyond the compromised HMI. The CERT also has noted in its analysis of the attack on the Ukraine power grids that a version of BlackEnergy 3 with the KillDisk utility was indeed present on the system that was compromised. 

“Everybody should be up at night about this,” MSi's Weber says. “Everything that relies on an industrial control system, whether it be an oil and gas facility, a pipeline, a ship or a power generator, are run by HMIs,” and such an attack shows how they could be compromised.

 

Interop 2016 Las VegasFind out more about the latest security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.