Malware Campaign Reportedly Prompts Large-Scale Blackout in Ukraine

Malware has apparently been used for the first time to prompt a large-scale power blackout.

An attack was tied to a Dec. 23 blackout affecting about 1.4 million Ukrainians living in the Ivano-Frankivsk region, reported Ukrainian news media outlet TSN.

However, Slovakian information security firm ESET later confirmed that the reported case “was not an isolated incident,” and that other energy companies in Ukraine were targeted by cybercriminals at the same time.

ESET said the attackers have been using the BlackEnergy malware family. “Specifically, the BlackEnergy backdoor has been used to plant a KillDisk component onto the targeted computers that would render them unbootable,” it explained.

BlackEnergy is a sophisticated malware campaign whose variants have compromised several industrial control systems (ICS) since at least 2011, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported in 2014. ESET experts said in a September 2015 paper that the malware is a trojan that has evolved from a simple DDoS trojan since it was first analyzed by Arbor Networks in 2007.

ESET said that while BlackEnergy malware operators have used spreading mechanisms to infect victims primarily for espionage, “the discovery of BlackEnergy trojan-droppers capable of infecting SCADA Industrial Control Systems hinted that the gang might be up to something more dramatic.”

BlackEnergy and KillDisk are suspected to have been used to wipe out video materials and other documents at news media companies during the 2015 Ukrainian local elections.

During the Dec. 23 incident, several electricity distribution companies in Ukraine were targeted. “We can confirm that the BlackEnergy backdoor was used against some of them and that the destructive KillDisk component was also used in more recent cases observed during the week of Christmas Eve, 2015,” said ESET. “Additionally, BlackEnergy was also detected at electricity companies earlier in 2015; while we have no indication of KillDisk being used at that time, it is possible that the cybercriminals were then at the preparatory stage of the attack.”

The attack scenario begins with a spear-phishing email carrying a malicious document as an attachment (see the screenshot from Ukrainian security firm CyS Centrum, in Russian). ESET warns that the document contains text designed to convince the victim to enable the macro it contains. “This is an example where social engineering is used instead of exploiting software vulnerabilities. If victims are successfully tricked, they end up infected with BlackEnergy Lite.”

What’s different about the KillDisk variant detected in electricity distribution companies is that it “appears to contain some additional functionality specifically intended to sabotage industrial systems,” the firm said.

“Firstly, it was possible to set a specific time delay after which the destructive payload was activated. Then, apart from the regular KillDisk functionality, it would try to terminate two non-standard processes: komut.exe and sec_service.exe. The second process, sec_service.exe, may belong to software called ELTIMA Serial to Ethernet Connector or to ASEM Ubiquity, a platform commonly used in [ICS]. If this process is found on the target system, the trojan will not only terminate it but will also overwrite its corresponding executable file on the hard drive with random data in order to make restoration of the system more difficult.”
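As an added example, not from the article or from ESET, the following check turns the two KillDisk behaviours described above (terminating komut.exe or sec_service.exe, then overwriting the executable with random data) into defender-side detection logic. The process names come from the page; the endpoint event format, file paths, and the entropy threshold are assumptions, and the sample events and file contents are constructed.

```python
import math
from collections import Counter, defaultdict

# Process names ESET reports the ICS-targeting KillDisk variant looks for.
ICS_PROCESSES = {"komut.exe", "sec_service.exe"}

# Constructed sample endpoint events (host, event kind, detail); the event
# schema is an assumption, not a real telemetry format.
SAMPLE_EVENTS = [
    ("hmi-01", "proc_terminate", "sec_service.exe"),
    ("hmi-01", "file_write", r"C:\Program Files\Eltima\sec_service.exe"),
    ("eng-02", "proc_terminate", "notepad.exe"),
    ("eng-02", "file_write", r"C:\Users\ops\notes.txt"),
    ("hmi-03", "proc_terminate", "komut.exe"),  # terminated, but no overwrite seen
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_wiped(data: bytes) -> bool:
    """An executable overwritten with random data loses its 'MZ' (PE) header
    and shows near-maximal entropy. The 7.0 threshold is an assumption."""
    return not data.startswith(b"MZ") and shannon_entropy(data) > 7.0


def find_ics_sabotage(events):
    """Per host, flag a termination of a target ICS process that is followed by
    a write to an executable of the same name: the KillDisk pattern ESET describes."""
    terminated = defaultdict(set)
    hits = []
    for host, kind, detail in events:
        name = detail.rsplit("\\", 1)[-1].lower()
        if kind == "proc_terminate" and name in ICS_PROCESSES:
            terminated[host].add(name)
        elif kind == "file_write" and name in terminated[host]:
            hits.append((host, detail))
    return hits


if __name__ == "__main__":
    for host, path in find_ics_sabotage(SAMPLE_EVENTS):
        print(f"{host}: ICS process terminated then executable rewritten: {path}")
```

Pairing the event correlation with `looks_wiped()` on the flagged file gives a stronger signal than either check alone, since a legitimate software update also terminates a service and rewrites its binary, but leaves a valid PE header behind.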

Security experts have warned that the dearth of data makes it impossible to determine who deployed the attack. Ukraine’s state security service has blamed Russia for the attacks, however, and the country’s energy ministry has set up a special commission to investigate. Relations between Russia and Ukraine have waned since Russia annexed Crimea in 2014.

The dispute has resulted in several critical breaches of electricity supply. In November, Ukrainian nationalists and anti-Russian activists allegedly knocked down electricity pylons in the Kherson region and prevented crews from restoring service, leaving more than 1.8 million people on the Black Sea in a blackout. Mainland Russia began supplying electricity to Crimea in December. However, a similar blackout caused by sabotage turned out the lights for hundreds more people on Dec. 31.

Kiev and Moscow, meanwhile, are embroiled in a bitter dispute about gas supplies. Ukraine’s state gas company Naftogaz has not officially resumed purchasing gas from Russian energy giant Gazprom. Gazprom halted supply in November because Ukraine had not paid them for a future delivery, and Ukraine’s cabinet retaliated by banning imports of gas from Russia. While Kiev is now looking to receive gas from European Union states, it has also announced a “radical” increase in fees for the transit of Russia’s gas through pipelines traversing Ukraine.

Sonal Patel, associate editor (@POWERmagazine, @sonalcpatel)