BlackEnergy

BlackEnergy malware first appeared in 2007 as a DDoS tool and was traded among cybercriminals until, in 2010, a Russian hacking group known as the Sandworm Team – widely  reported to have links to Russian Intelligence Service – began utilizing BlackEnergy2 (BE2) to conduct espionage against industrial control system networks. The malware is highly modular, meaning it consists of many different components which serve different functions and not all functionality is delivered to all victims. 

Most recently, BlackEnergy3 (BE3) was involved in the 2015 cyberattacks in Ukraine that results in power outages. Although BE3 did not have a direct role in cutting off the power, it was used in the lead-up to the attack to collect information about the ICS environment and was likely used to compromise user credentials of network operators. Unlike previous incidents involving variants of BlackEnergy, BE3 was delivered to the Ukrainian energy companies via spear-phishing emails and weaponized Microsoft Word documents.

Prior to the involvement of BE3 in the attacks in Ukraine, BE2 made the news in 2014 when it was found to have infected numerous critical infrastructure sites in the United States. Unlike BE3, BE2 gained access to networks by exploiting vulnerabilities in internet-connected ICS devices, specifically Human Machine Interface (HMI) products from various vendors, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens SIMATIC WinCC. Compromising internet-connected HMI devices provided the malicious actors with a foothold on the network that allowed them to maintain command and control, and collect information on the ICS environment and its processes. According to numerous media and government reports, BE2 infections in the United States began as early as 2011 and affected the water, energy, real estate, and telecommunications sectors. However, to date, there are no public reports of BE2 or BE3 damaging, modifying, or otherwise disrupting victimized ICS networks in the United States.

Indicators of Compromise (IOCs)

The most effective method to detect the presence of BlackEnergy are the YARA signatures provided by DHS ICS-CERT, available here.

Reporting

• June 2017: TeleBots Are Back: Supply-Chain Attacks Against Ukraine (ESET)
• December 2016: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) (ICS-CERT)
• March 2016: Analysis of the Cyber Attack on the Ukrainian Power Grid (SANS)
• January 2016: Everything We Know About Ukraine's Power Plant Hack (Wired)
• January 2016: The Malware That Led to the Ukrainian Blackout (Motherboard)
• January 2016: Updated BlackEnergy Trojan Grows More Powerful (McAfee)
• January 2016: BlackEnergy by the SSHBearDoor: Attacks Against Ukrainian News Media and Electric Industry (ESET)
• May 2015: BlackEnergy 3 – Exfiltration of Data in ICS Networks (CyberX)
• May 2015: Data Theft the Goal of BlackEnergy Attacks on Industrial Control Systems, Researchers Say (DarkReading)
• November 2014: An Analysis of BlackEnergy3 Malware Using Carbon Black (Carbon Black)
• October 2014: Suspected Russian “Sandworm” Cyber Spies Targeted NATO, Ukraine (ArsTechnica)
• October 2014: Sandworm to Blacken: The SCADA Connection (TrendMicro)
• September 2014: Blackenergy & Quedagh: The Convergence of Crimeware and APT Attacks (F-Secure)
• September 2014: Back in BlackEnergy *: 2014 Targeted Attacks in Ukraine and Poland (ESET)
• March 2010: New BlackEnergy Trojan Targeting Russian, Ukrainian Banks (DarkReading)
• March 2010: BlackEnergy Version 2 Threat Analysis (Dell SecureWorks)