BlackEnergy (BE) malware first appeared as a DDoS tool in 2007. BlackEnergy 2 (BE2) was first observed as early as 2010, used by advanced persistent threat (APT) group dubbed "Sandworm" and was tailored to target industrial control systems (ICS) components - specifically human machine interfaces (HMIs) used in the industrial environment. Once the perpetrators gained access to the HMI they can conduct reconnaissance on the network.

The third iteration of BlackEnergy (BE3) emerged in 2014 featuring additional functionality such as support for proxy servers, espionage modules, and support for a range of operating systems and devices. In addition, it contained a KillDisk component specifically designed to erase files and corrupt a system's master boor record, effectively rendering the system inoperable. 

BlackEnergy received significant media coverage in early 2016 following a December 23, 2015 attack against Ukrainian energy providers that resulted in power outages impacting 225,000 customers. While BlackEnergy was confirmed to be present on the networks of the targeted utilities, US investigators from the Department of Homeland Security (DHS) and FBI did not identify a direct link to the actual attack that resulted in the power outages. Instead, BlackEnergy is likely to have played a role in the reconnaissance and compromise of account credentials used to prepare for the attack.   

BlackEnergy is primarily delivered via spear-phishing emails, most recently using malicious Microsoft Office attachments. The malware is highly modular, meaning it consists of many different components which serve different functions and not all functionality is delivered to all victims. 



Technical Details

  • McAfee blog provides technical details on BlackEnergy 3, available here

Image Source: The Register