BlackEnergy (BE) malware first appeared as a DDoS tool in 2007. BlackEnergy 2 (BE2) was first observed as early as 2010, featuring a rootkit technique and the ability to enable plugins, allowing BE2 to be used by an advanced persistent threat (APT) group to steal banking information and function as a click-fraud tool.

The third iteration of BlackEnergy (BE3) emerged in 2014 featuring additional functionality such as support for proxy servers, espionage modules, and support for a range of operating systems and devices. In addition, it contained a KillDisk component specifically designed to erase files and corrupt a system's master boor record, effectively rendering the system inoperable. 

BlackEnergy received significant media coverage in early 2016 following a December 23, 2015 attack against Ukrainian energy providers that resulted in power outages impacting 225,000 customers. While BlackEnergy was confirmed to be present on the networks of the targeted utilities, US investigators from the Department of Homeland Security (DHS) and FBI did not identify a direct link to the actual attack that resulted in the power outages. Instead, BlackEnergy is likely to have played a role in the reconnaissance and compromise of account credentials used to prepare for the attack.   

BlackEnergy is primarily delivered via spear-phishing emails, most recently using malicious Microsoft Office attachments. The malware is highly modular, meaning it consists of many different components which serve different functions and not all functionality is delivered to all victims. 



  • April 2014: F-Secure released an in-depth threat intelligence product titled "BlackEnergy & Quedach: The Convergence of Crimeware and APT Attacks," detailing the emergence of BlackEnergy 2 and use among APT actors.
  • May 2015: "Data Theft The Goal Of BlackEnergy Attacks On Industrial Control Systems, Researchers Say." (DarkReading
  • February 2016: DHS Alert Cyber-Attack Against Ukrainian Critical Infrastructure. (IR-ALERT-H-16-056-01)
  • March 2016: DHS updated its alert to include latest information on BlackEnergy 3, following the investigation into the attack on Ukrainian energy utilities in December 2015. Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). (ICS-ALERT-14-281-01E)

Technical Details

  • McAfee blog provides technical details on BlackEnergy 3, available here

Image Source: The Register