BlackEnergy malware first appeared in 2007 as a DDoS tool and was traded among cybercriminals until, in 2010, a Russian hacking group known as the Sandworm Team – widely reported to have links to the Russian intelligence services – began using BlackEnergy2 (BE2) to conduct espionage against industrial control system (ICS) networks. The malware is highly modular: it consists of many separate components that serve different functions, and not every component is delivered to every victim.

Most recently, BlackEnergy3 (BE3) was involved in the 2015 cyberattacks in Ukraine that resulted in power outages. Although BE3 did not have a direct role in cutting off the power, it was used in the lead-up to the attack to collect information about the ICS environment and was likely used to compromise the user credentials of network operators. Unlike previous incidents involving variants of BlackEnergy, BE3 was delivered to the Ukrainian energy companies via spear-phishing emails carrying weaponized Microsoft Word documents.

Prior to the involvement of BE3 in the attacks in Ukraine, BE2 made the news in 2014 when it was found to have infected numerous critical infrastructure sites in the United States. Unlike BE3, BE2 gained access to networks by exploiting vulnerabilities in internet-connected ICS devices, specifically Human Machine Interface (HMI) products from various vendors, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens SIMATIC WinCC. Compromising internet-connected HMI devices provided the malicious actors with a foothold on the network that allowed them to maintain command and control, and collect information on the ICS environment and its processes. According to numerous media and government reports, BE2 infections in the United States began as early as 2011 and affected the water, energy, real estate, and telecommunications sectors. However, to date, there are no public reports of BE2 or BE3 damaging, modifying, or otherwise disrupting victimized ICS networks in the United States.

Indicators of Compromise (IOCs)

The most effective method to detect the presence of BlackEnergy is the set of YARA signatures provided by DHS ICS-CERT, available here.