BlackEnergy (BE) malware first appeared as a DDoS tool in 2007. BlackEnergy 2 (BE2) was first observed as early as 2010, was used by the advanced persistent threat (APT) group dubbed "Sandworm", and was tailored to target industrial control system (ICS) components, specifically the human machine interfaces (HMIs) used in industrial environments. Once the perpetrators gained access to an HMI, they could use that foothold to conduct reconnaissance on the network.
The third iteration of BlackEnergy (BE3) emerged in 2014 with additional functionality such as support for proxy servers, espionage modules, and support for a range of operating systems and devices. In addition, it contained a KillDisk component specifically designed to erase files and corrupt a system's master boot record (MBR), effectively rendering the system unbootable.
BlackEnergy received significant media coverage in early 2016 following a December 23, 2015 attack against Ukrainian energy providers that resulted in power outages impacting 225,000 customers. While BlackEnergy was confirmed to be present on the networks of the targeted utilities, US investigators from the Department of Homeland Security (DHS) and FBI did not identify a direct link to the actual attack that resulted in the power outages. Instead, BlackEnergy is likely to have played a role in the reconnaissance and compromise of account credentials used to prepare for the attack.
BlackEnergy is primarily delivered via spear-phishing emails, most recently using malicious Microsoft Office attachments. The malware is highly modular: it consists of many components that serve different functions, and not every component is delivered to every victim, so the indicators observed on one compromised host may not appear on another.
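The delivery vector above (a malicious Office attachment carried by a spear-phishing email) suggests a cheap triage check that a mail gateway or incident responder can apply before any malware-specific signature is consulted: does the attachment embed a VBA project, or is it a legacy binary Office container that can carry one? The following is an added example written for this page; it is not code from the original page, from DHS or from any BlackEnergy analysis, and it does not identify BlackEnergy itself. The sample attachments it scans are constructed in memory and contain no real document or malware content.

```python
"""Triage check for macro-bearing Microsoft Office attachments.

Added example (not from the original page or DHS). It flags Office
attachments that embed a VBA project or use the legacy OLE2 container,
which is a content-based check independent of the file extension.
Pair it with the DHS YARA signatures; it is not a BlackEnergy detector.
"""
import io
import zipfile

# Magic bytes of the two Office container formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc / .xls / .ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx / .xlsm / ...)


def classify_office_blob(data: bytes) -> str:
    """Classify raw attachment bytes.

    Returns 'ooxml-macro', 'ooxml-clean', 'ole2-binary' or 'not-office'.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "not-office"
        # Every OOXML package carries a content-types part at its root.
        if "[Content_Types].xml" not in names:
            return "not-office"
        # A VBA project is stored as vbaProject.bin under word/, xl/ or ppt/.
        # Matching on the part name, not the extension, catches a .docm
        # that was renamed to look like a harmless .docx.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE2_MAGIC):
        # The legacy binary format stores macros inside the compound file;
        # parsing that needs an OLE parser (e.g. oletools), so flag it for
        # deeper inspection rather than assume it is clean.
        return "ole2-binary"
    return "not-office"


def triage_attachments(attachments):
    """Return (name, verdict) for attachments that warrant blocking or sandboxing."""
    flagged = []
    for name, data in attachments:
        verdict = classify_office_blob(data)
        if verdict in ("ooxml-macro", "ole2-binary"):
            flagged.append((name, verdict))
    return flagged


def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-like zip from {part_name: content}.

    Constructed test fixture only; it is not a valid Word document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_attachments():
    """Constructed sample mailbox: one clean document, one renamed macro
    document, one legacy binary file and one non-Office file."""
    clean = build_ooxml({"[Content_Types].xml": "<Types/>",
                         "word/document.xml": "<w:document/>"})
    macro = build_ooxml({"[Content_Types].xml": "<Types/>",
                         "word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"\x00" * 16})
    legacy = OLE2_MAGIC + b"\x00" * 64
    return [("report.docx", clean),
            ("invoice.docx", macro),      # macro project hidden behind a .docx name
            ("schedule.xls", legacy),
            ("notes.txt", b"plain text")]


if __name__ == "__main__":
    for name, verdict in triage_attachments(sample_attachments()):
        print(f"flag {name}: {verdict}")
```

The check is deliberately content-based: the macro-bearing sample is named `.docx`, and it is still flagged because the `vbaProject.bin` part is present inside the package. Legacy OLE2 files are flagged wholesale because deciding whether they contain macros requires parsing the compound file, which this example leaves to a dedicated tool.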
- A practical way to detect the presence of BlackEnergy on a host is to scan with the YARA signatures published by DHS alongside its alerts. Because the malware is modular, a match on one component does not mean every component on the host has been found, and the absence of a match does not rule out a module the signatures do not yet cover; combine YARA scanning with network monitoring and a review of credential use.
- For more information on YARA, please read our blog post titled "YARA: Effective Tool to Detect Malware" or visit the YARA website.
- April 2014: F-Secure released an in-depth threat intelligence product titled "BlackEnergy & Quedagh: The Convergence of Crimeware and APT Attacks," detailing the emergence of BlackEnergy 2 and its use among APT actors.
- May 2015: "Data Theft The Goal Of BlackEnergy Attacks On Industrial Control Systems, Researchers Say." (DarkReading)
- February 2016: DHS published its findings on the December 2015 cyberattack against Ukrainian regional electricity distribution companies, which caused a power outage affecting about 225,000 customers for up to six hours; BlackEnergy 3 was found on the networks of the affected utilities. (DHS Alert: Cyber-Attack Against Ukrainian Critical Infrastructure)
- March 2016: DHS updated its alert to include latest information on BlackEnergy 3, following the investigation into the attack on Ukrainian energy utilities in December 2015. (DHS Alert: Ongoing Sophisticated Malware Campaign Compromising ICS)
- A McAfee blog post provides technical details on BlackEnergy 3.