CERT reported that the threat was used to destroy documents and video files.

Although BE3 did not have a direct role in cutting off the power, it was used in the lead-up to the attack to collect information about the ICS environment and was likely used to compromise user credentials of network operators. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base. Whichever is the case, attacks against Industrial Control Systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions. The malware operators have used numerous spreading mechanisms to infect their victims, including the infamous PowerPoint 0-day CVE-2014-4114. In December 2015, around half the homes in the Ivano-Frankivsk region in Ukraine were left with no electricity for a few hours. They struck the “Prykarpattyaoblenergo” power distribution center and switched off 30 substations: seven 110kV substations and 23 35kV substations; hackers also attacked two other power grid companies, leaving more than 230,000 residents in the dark for one to six hours. Attackers initiated the attacks with a spear-phishing campaign in the spring of 2015 targeting the IT staff and system administrators of several electricity distribution companies in Ukraine. Initial reports from Ukrainian news outlets reported the cause was a ‘virus’ spread by ‘hackers’; the truth is far more sinister. Subsequent investigations have led to the discovery of a malware sample that was said to have caused the blackout. It is considered to be the first known successful cyberattack on a power grid. One sample, amdide.sys (SHA1: 2D805BCA41AA0EB1FC7EC3BD944EFD7DBA686AE1), appears to have been used in November 2015 to infect its target. Copyright © 2020 Trend Micro Incorporated.
Both samples seen in the Ukrainian power incident were possibly also used against this large Ukrainian mining organization. Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system. We quickly realized that Prykarpattya Oblenergo and Kyivoblenergo were not the only targets revolving around the newest BlackEnergy campaign. Based on telemetry data from open-source intelligence (OSINT) and Trend Micro Smart Protection Network, we saw that there were samples of BlackEnergy and KillDisk that may have been used against a large Ukrainian mining company and a large Ukrainian rail company. It was reported to have possessed remarkable functions that could place Industrial Control Systems (ICS) at risk. This sample, which is flagged as BlackEnergy, has exactly the same functionality as those samples witnessed in the Ukrainian power utility attack. BlackEnergy malware may have also been used to target other utilities. ICS, energy, government and media in Ukraine; ICS/SCADA companies worldwide; energy companies worldwide. The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014. ]7:443/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php which is also one of the same C2s used in the Ukrainian power incident. The power grid companies segregated the SCADA networks with a firewall. Supervisory Control and Data Acquisition (SCADA) is a computer system responsible for gathering and analyzing real-time data, as well as discrete monitoring and controlling processes in industries; in this case, the SCADA is in charge of controlling the grid.
Based on the SANS Identified several years ago, BlackEnergy is a Trojan malware designed to launch distributed denial-of-service (DDoS) attacks, download custom spam, and banking information-stealer plugins. BlackEnergy malware was known to have been used to deliver KillDisk, a feature that could render systems unusable and could obliterate critical components on an infected system. Most recently, BlackEnergy3 (BE3) was involved in the 2015 cyberattacks in Ukraine that resulted in power outages. The attacker spoofs the sender address in order to appear to be coming from Rada (the Ukrainian parliament). It also overwrites the master boot record, causing the infected computers to fail to reboot. BlackEnergy is a Trojan that is used to conduct DDoS attacks, cyber espionage and information destruction attacks. Who is behind the BlackEnergy attacks?

These pathways allowed hackers to collect information from the environment and enable access. The second version also had a msiexec.exe installer to bypass user account control on Windows.

KillDisk and BlackEnergy Go Beyond Energy Sector

While Russia is concerned about Ukraine turning to the West, it is also concerned with Ukraine’s moves to end its dependence on Russian energy sources. As Ukraine has discovered natural gas sources in its own territory, Russia has faced the loss of a major policy lever in Ukraine. In 2014 (approximately) a specific user group of BlackEnergy attackers began deploying SCADA-related plugins to victims in the ICS (Industrial Control Systems) and energy markets around the world.


