“Russian” BlackEnergy malware strikes at Ukrainian media and energy firms

Cyber-criminals behind the BlackEnergy trojan made a comeback in 2015, launching attacks against media and energy companies in the Ukraine, according to infosec researchers.

The malware is suspected of being Russian in origin with it being used against politically sensitive targets and industrial control systems.

According to Eset, BlackEnergy went dormant in December 2014 but resurfaced late last year. The malware now uses a new component called KillDisk in attacks against Ukrainian news media companies and against the electrical power industry.

The KillDisk component enables the malware to rewrite files on the infected system with random data and render the OS unbootable.

“The first known case where the KillDisk component of BlackEnergy was used was documented by CERT-UA in November 2015,” said Anton Cherepanov of Eset in a blog post. “In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents were destroyed as a result of the attack.”

The malware has been primed to overwrite more than 4,000 separate file extension types.

In a separate attack on energy companies, the malware destroyed just 35 file types but also deleted Window event logs such as Application, Security, Setup, System.

“As well as being able to delete system files to make the system unbootable—functionality typical for such destructive trojans—the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems,” said Cherepanov.

The malware was also found to contain an SSH backdoor used to infect systems. The malware was first discovered in 2007 and since then has undergone updates to build up its capabilities.

Tim Erlin, director of security and product management at Tripwire, told that the best way to defend against malware like BlackEnergy is to avoid getting infected in the first place.

“Every piece of malware requires an infection vector. Keeping systems hardened and patched, and training employees to defend against phishing, are the best anti-malware defences,” he said.

“The BlackEnergy malware includes features that make it useful in targeted attacks. We've seen it used against the energy industry in the past, and now expanding to media.”

Tom Williams, lead investigative consultant at Context Information Security, told SC there have been few cases of wiper malware to date.

“This is because, in the majority of cases, cyber threat actors, aside from Hacktivists or individuals with grievances, want to remain undetected on victim networks and steal data for espionage or criminal purposes, rather than destroy it.

“Malware behaving in this way and destroying data, is extremely ‘loud'. Therefore, it will inevitably result in the attacker's behaviour being detected quickly. However, if the attackers' motives are to sabotage systems for political reasons or to follow-up on a threat made in an extortion attempt, wiper malware is a simple but effective tool of choice,” he said.

Leo Taddeo, chief security officer at Cryptzone, told SC that while it's impossible to determine the motive with certainty, the nature of the targets point to a nation state with political or military objectives.  

“Sophisticated criminal groups would not expend the time or resources to target media outlets or critical energy infrastructure. Those targets don't offer payoff that criminal groups look for. On the other hand, a nation state, most likely Russia or one of its proxy hacking group, is behind the attacks.  The tactics and targets fit into Russia's past use of cyber weapons in support of its military and political objectives.  In particular, media and critical infrastructure networks were targeted by Russian actors during periods of heightened tensions and conflict with Estonia (2007), Georgia (2008), and Ukraine (2014-2015),” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.