Hackers cause power outage with the BlackEnergy malware in Ukraine. Is it an Information warfare act?

Cyber security of ICS e SCADA systems in the critical infrastructure is essential, these components are a privileged target of cyber criminals and state sponsor hackers.

The most popular SCADA attack in the history is the one conducted against control systems in the Iranian nuclear plant in Natanz with the Stuxnet malware.

Stuxnet is considered the first cyber weapon used by the US/Israeli Government to the Iranian nuclear programme.

Other malware were later designed to target systems managed by the company in the energy industry, HavexShamoon and BlackEnergy are some examples of this malware.

A few days ago I have written about the discovery of a new variant of the BlackEnergy malware made by experts at ESET, which provided details of the new campaign that targeted Ukrainian news media and electric industry in 2015.

Now experts at ESET discovered a new component in the BlackEnergy trojan, the KillDisk component, which is capable of destroying some 4000 different file types and rendering machines unbootable.

“ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. ” states the blog post published by ESET.

p1

The hackers used the highly destructive malware to compromise the systems at three regional power authorities in Ukraine. The attacks caused blackouts across the Ivano-Frankivsk region of Ukraine on 23rd December.

According to a Ukrainian media TSN, the power outage was caused by a destructive malware that disconnected electrical substations.

The Ukraine energy ministry confirmed blackouts and revealed that the Government is investigating on the causes. It seems that a cyber attack disrupted local energy provider Prykarpattyaoblenergo, causing the major power outage that left half population in the region without electricity.

Experts speculate that the hackers run a spear phishing campaign across the Ukrainian power authorities to spread the destructive variant to the BlackEnergy leveraging on Microsoft Office documents.

The attribution of the attack is not simple, we are only aware that the BlackEnergy malware has a Russian origin and that Russian has a political dispute with the Ukraine that had repercussion also on the cyberspace.

I fear we will assist to other similar attacks in the future, and this is very disturbing.

Pierluigi Paganini