BlackEnergy cyberespionage group adds disk wiper and SSH backdoor to its arsenal

The group recently attacked Ukrainian energy distribution and media companies causing power and data loss

A cyberespionage group focused on companies and organizations in the energy sector has recently updated its arsenal with a destructive data-wiping component and a backdoored SSH server.

The group is known in the security community as Sandworm or BlackEnergy, after its primary malware tool, and has been active for several years. It has primarily targeted companies that operate industrial control systems, especially in the energy sector, but has also gone after high-level government organizations, municipal offices, federal emergency services, national standards bodies, banks, academic research institutions and property companies.

Over the past few months, the group has targeted organizations from the media and energy industries in Ukraine, according to security researchers from antivirus vendor ESET. These new operations have brought to light some changes in the group's techniques.

In November, the Computer Emergency Response Team of Ukraine (CERT-UA) reported that during the country's local elections in October, multiple media organizations were attacked with BlackEnergy malware leading to the loss of video content and other data.

According to ESET researchers, the culprit was a new BlackEnergy component dubbed KillDisk that can be configured to delete specific types of files and render affected systems unbootable.

The KillDisk variant in the attack against media organizations was configured to delete over 4,000 file types, many of which were for video and documents.

The same component was also used recently in attacks against energy companies in Ukraine, but with a different configuration. It only targeted 35 file extensions and had a timed attack option.

"As well as being able to delete system files to make the system unbootable -- functionality typical for such destructive trojans -- the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems," the ESET researchers said in a blog post.

On the eve of Dec. 23, a large area in the Ivano-Frankivsk district in Ukraine suffered a power outage. Ukrainian news service TSN reported that the outage was caused by a virus that disconnected electrical substations.

Researchers from ESET believe that this attack was performed with the BlackEnergy malware and that it wasn't the only one.

"Looking at ESET’s own telemetry, we have discovered that the reported case was not an isolated incident and that other energy companies in Ukraine were targeted by cybercriminals at the same time," they said in a report.

The KillDisk component was used in some of those attacks. In addition to wiping various file types, it had been configured to stop two particular processes, one of them possibly associated with ELTIMA Serial to Ethernet Connectors or to ASEM Ubiquity, a remote management platform for industrial control systems (ICS).

This is not the first time that BlackEnergy has been used to attack industrial control systems. In 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, warned that multiple companies running HMI (human-machine interface) products from General Electric, Siemens and BroadWin/Advantech had their systems infected with BlackEnergy.

HMIs are software applications that provide a graphical user interface for monitoring and interacting with industrial control systems.

Another recent addition to the group's arsenal is a backdoored version of a SSH server called Dropbear. The ESET researchers have seen the BlackEnergy attackers deploying a variant of this software on compromised machines that had been pre-configured to accept a hard-coded password and key for SSH authentication.

Join the CSO newsletter!

Error: Please check your email address.

More about Computer Emergency Response TeamGeneral ElectricSiemensSSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place