BlackEnergy and the Ukrainian power outage: What we really know

A lot of speculation, and some misinterpretation, has arisen surrounding the recent discovery of malware in Ukrainian energy distribution companies. ESET researchers have published a detailed analysis of the malware and its dangerous functionalities, which probably relate to the recent, massive power outage experienced by hundreds of thousands Ukrainian citizens.

“Analyzing the malware, we’ve shed some light on an operation against the Ukrainian energy sector but what we know is only a small piece of the puzzle,”explains Robert Lipovsky, a senior malware researcher at ESET. “Many questions have been left unanswered.”

In this interview, he separates fact from fiction and offers expert insight into this fascinating story.

Some media outlets have reported on this case as if it were a matter of fact that malware alone was responsible for the power outage. Do you agree?

“Power is an achilles heel for any organization. A serious blackout is every enemy’s dream.”

Unfortunately, things are not clear enough to reach such simple conclusions. But it is true that the BlackEnergy trojan, together with an SSH backdoor and the destructive KillDisk component, which were all detected in several electricity distribution companies in Ukraine, are a dangerous set of malicious tools theoretically capable of giving attackers remote access to a company’s network, shutting down critical systems and, by wiping their data, making it harder to get them up and running again.

But another important aspect of this case is that the attack on the Ukrainian power sector may indicate how future complex attacks could look. Power is an achilles heel for any organization. A serious blackout is every enemy’s dream.

And maybe we witnessed someone trying to make their dream come true.

Look, our focus is primarily on internet security, while for a blackout to be triggered, the attacker must take control over an industrial system.

On one hand, these are different worlds. On the other hand, it’s common that dedicated software used to program and control industrial hardware will run on PCs with operating systems like Windows or Linux. These can then be targeted using similar – or even the same – malware that regular internet users face. And, of course, all the regular vectors of attack can be used, including human error and social engineering.

It sounds like it is dangerous to connect industrial systems to the internet. Why do they do it?

Yes, this interconnection introduces serious risks. The first reasons that come to mind for doing this are practicality and cost savings.

Without getting into the details, this interconnection exposes the industrial control system to the very same threats that common PCs face – but with much fewer options for defense. Take patching as an example: proper software patching is much more problematic with industrial systems. They tend to be heavily customized and they are often always on.

To get back to the Ukrainian case, what was found inside the energy companies’ IT environment – the BlackEnergy trojan – is a backdoor. And what’s more, we discovered that it was enhanced by another component, a backdoored SSH server. This is the answer to the most common question we face in this regard: what exactly were the motives behind planting the BlackEnergy malware inside the energy companies’ networks?

We all know that attribution in cybercrime is a very difficult thing. What’s your take on it?

This is very complicated.

In September 2014, we broke the news about BlackEnergy being used in attacks against a number of high-value targets in Ukraine and other countries. A few weeks later, these attacks and the suspected group behind them started to be referred to as ‘Sandworm’ by other security companies.

While the BlackEnergy malware may have Russian origins and is commonly associated with a (supposedly) Russian malware group, there is actually no definitive proof for this. This malware family has undergone a significant evolution throughout its lifetime – the source code of the very old first version has even leaked online and there are a number of versions of it being used in the wild. There is no definite way of telling whether the BlackEnergy malware is currently operated by a single group or several.

Let’s go back to the motives …

Having a live, functional backdoor inside an IT system that is interconnected with a power company’s industrial control system … I don’t think it’s necessary to describe what it means.

Maybe some examples would help readers to imagine the possible consequences …

In the past, there were a number of serious cyberattacks against industrial systems. There isn’t proof in every case, as the victims tend not to disclose details. However, two cases are widely believed to have been proven: the destruction of uranium enrichment centrifuges in an Iranian nuclear facility, and a damaged blast furnace in a German steel mill. Malware is also blamed for – among others – the opening of all of the doors at a maximum security section of a US prison, allowing gang members to attack their rivals.

What can organizations do in order to prevent themselves from cyberattacks on their operational technology?

Firstly, critical industrial systems should be air-gapped from IT systems. But the sad reality is that you can sometimes find industrial control systems connected to the internet with a simple Google. It is important to follow defensive strategies recommended by institutions like US CERT or the SANS Institute.

“Critical industrial systems should be air-gapped from IT systems.”

Then, for the ‘regular’ PCs at an industrial facility – all the more, when they’re not air-gapped, for whatever reason – common cybersecurity rules should be applied, i.e. up-to-date security software operating at multiple tiers, proper patch management, back-ups, regular user education, and so on.

But it seems to me that companies often underestimate the cyber risks to their operational technologies.

Unfortunately, you are right. But another incentive for lowering companies’ tolerance to cybersecurity risks has emerged: the Moody’s rating agency has issued a warning that they will also take cyber risks into account when setting their ratings. Let’s hope that this unfortunate case in Ukraine will also serve as warning for other organizations worldwide to harden their IT security.

Author , ESET

  • rt

    One other well documented intentional ICS attack is the maroochy wastewater attack in Austrialia. Another well documented case of a random worm causing the shutdown of of a safety control system was the Davis-Besse nuclear plant. I think the lack of worms since the days of slammer/codered/nimda played a bigger role than improved security in keeping these publicly admitted case numbers down.

    Most other cases people have heard about may very well be urban legends.

  • Coyote

    The first thing I think of is the old WANK worm from the late 1980s.

    One remark otherwise:

    ‘They tend to be heavily customized and they are often always on.’

    Maybe the specific hardware doesn’t have the capability (but in which case: why not ?) but I don’t get this ‘always on’: it’s not like patching requires you to be powered off. Sure, some updates require (perhaps with some exceptional set ups) you to reboot and I could see that being a problem for some things, but most types of updating doesn’t need to be that complicated. Maybe it is very different for machines like Siemens but then you can also say it shouldn’t be connected to the Internet (it obviously shouldn’t be connected at all) … and they do that too. It comes down to neglect, laziness, ineptitude or lack of awareness – and it shouldn’t be accepted yet unfortunately it often is.

Follow us

Copyright © 2018 ESET, All Rights Reserved.