Malware Campaign Reportedly Prompts Large-Scale Blackout in Ukraine
Power Engineering ^ | 01/06/2016 | Sonal Patel

Posted on 01/07/2016 6:41:44 AM PST by thackney

Malware has apparently been used for the first time to prompt a large-scale power blackout.

An attack was tied to a Dec. 23 blackout affecting about 1.4 million Ukrainians living in the Ivano-Frankivsk region, reported Ukrainian news media outlet TSN.

However, Slovakian information security firm ESET later confirmed that the reported case "was not an isolated incident," and that other energy companies in Ukraine were targeted by cybercriminals at the same time.

ESET said the attackers have been using the BlackEnergy malware family. "Specifically, the BlackEnergy backdoor has been used to plant a KillDisk component onto the targeted computers that would render them unbootable," it explained.

BlackEnergy is a sophisticated malware campaign that has compromised several industrial control systems (ICS) using variants since at least 2011, the U.S. Department of Homeland Security's ICS-Cyber Emergency Response Team (CERT) reported in 2014. ESET experts said in a September 2015 paper that the malware is a trojan that has evolved from a simple DDoS trojan since it was first analyzed by Arbor Networks in 2007.

ESET said that while BlackEnergy malware operators have used spreading mechanisms to infect victims primarily for espionage, "the discovery of BlackEnergy trojan-droppers capable of infecting SCADA Industrial Control Systems hinted that the gang might be up to something more dramatic."

BlackEnergy and KillDisk are suspected to have been used to wipe out video materials and other documents at news media companies during the 2015 Ukrainian local elections.

During the Dec. 23 incident, several electricity distribution companies in Ukraine were targeted. "We can confirm that the BlackEnergy backdoor was used against some of them and that the destructive KillDisk component was also used in more recent cases observed during the week of Christmas Eve, 2015," said ESET. "Additionally, BlackEnergy was also detected at electricity companies earlier in 2015; while we have no indication of KillDisk being used at that time, it is possible that the cybercriminals were then at the preparatory stage of the attack."

The attack scenario begins with a spear-phishing email carrying a malicious document as an attachment (see the screenshot from Ukrainian security firm CyS Centrum, in Russian). ESET warns that the document contains text designed to convince the victim to enable the macro it carries. "This is an example where social engineering is used instead of exploiting software vulnerabilities. If victims are successfully tricked, they end up infected with BlackEnergy Lite."

What's different about the KillDisk variant detected in electricity distribution companies is that it "appears to contain some additional functionality specifically intended to sabotage industrial systems," the firm said.

"Firstly, it was possible to set a specific time delay after which the destructive payload was activated. Then, apart from the regular KillDisk functionality, it would try to terminate two non-standard processes: komut.exe and sec_service.exe. The second process, sec_service.exe, may belong to software called ELTIMA Serial to Ethernet Connector or to ASEM Ubiquity, a platform commonly used in [ICS]. If this process is found on the target system, the trojan will not only terminate it but will also overwrite its corresponding executable file on the hard drive with random data in order to make restoration of the system more difficult."

Security experts have warned that the scarcity of data makes it impossible to determine who deployed the attack. Ukraine's state security service has nonetheless blamed Russia, and the country's energy ministry has set up a special commission to investigate. Relations between Russia and Ukraine have deteriorated since Russia annexed Crimea in 2014.

The dispute has already produced several serious disruptions of electricity supply. In November, Ukrainian nationalists and anti-Russian activists allegedly knocked down electricity pylons in the Kherson region and prevented crews from restoring service, leaving more than 1.8 million people on the Black Sea peninsula without power. Mainland Russia began supplying electricity to Crimea in December. However, a similar sabotage-induced blackout cut power to hundreds more people on Dec. 31.

Kiev and Moscow, meanwhile, are embroiled in a bitter dispute about gas supplies. Ukraine's state gas company Naftogaz has not officially resumed purchasing gas from Russian energy giant Gazprom. Gazprom halted supply in November because Ukraine had not paid them for a future delivery, and Ukraine's cabinet retaliated by banning imports of gas from Russia. While Kiev is now looking to receive gas from European Union states, it has also announced a "radical" increase in fees for the transit of Russia's gas through pipelines traversing Ukraine.


TOPICS: News/Current Events
KEYWORDS: cyberattack; electricity; energy; malware

1 posted on 01/07/2016 6:41:44 AM PST by thackney
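The article describes two ICS-specific KillDisk behaviours: terminating komut.exe and sec_service.exe, then overwriting the terminated process's executable on disk. The following detection sketch, added here and not from the article, ESET or any vendor, turns that description into a check over endpoint telemetry. The Event record and the sample events are constructed for illustration and do not follow any real product's log format; the correlation window is an assumed value.

```python
from dataclasses import dataclass

# Process names the article says the ICS-specific KillDisk variant tries to terminate.
KILLDISK_TARGET_PROCESSES = {"komut.exe", "sec_service.exe"}


@dataclass(frozen=True)
class Event:
    """Constructed, vendor-neutral telemetry record (not a real log format)."""
    ts: int      # seconds since an arbitrary epoch
    kind: str    # "proc_terminate" or "file_write"
    host: str
    image: str   # process name, or full path of the file written


def image_name(path: str) -> str:
    """Normalise a Windows path or bare process name to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_killdisk_ics(events, window_s: int = 300):
    """Return sorted (severity, host, name) alerts.

    'suspicious': a target process was terminated on the host.
    'high': that termination was followed within window_s (assumed 5 minutes)
    by a write to a file of the same name, i.e. the on-disk executable
    overwrite the article describes.
    """
    alerts = {}
    last_kill = {}  # (host, name) -> timestamp of the most recent termination
    for ev in sorted(events, key=lambda e: e.ts):
        name = image_name(ev.image)
        if name not in KILLDISK_TARGET_PROCESSES:
            continue
        key = (ev.host, name)
        if ev.kind == "proc_terminate":
            last_kill[key] = ev.ts
            alerts.setdefault(key, "suspicious")
        elif ev.kind == "file_write" and key in last_kill:
            if 0 <= ev.ts - last_kill[key] <= window_s:
                alerts[key] = "high"
    return sorted((sev, host, name) for (host, name), sev in alerts.items())


SAMPLE_EVENTS = [  # constructed sample telemetry
    Event(100, "proc_terminate", "ws1", "sec_service.exe"),
    Event(130, "file_write", "ws1", r"C:\Program Files\Vendor\sec_service.exe"),
    Event(200, "proc_terminate", "ws2", "komut.exe"),
    Event(210, "proc_terminate", "ws3", "notepad.exe"),   # not a target, ignored
    Event(900, "file_write", "ws2", r"C:\Temp\komut.exe"),  # outside the window
]

if __name__ == "__main__":
    for alert in detect_killdisk_ics(SAMPLE_EVENTS):
        print(alert)
```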

To: thackney

Imagine that happening here.

And it will.

Now imagine EBT cards and McDonald’s restaurants not working for a few days.

In winter.


2 posted on 01/07/2016 6:46:48 AM PST by 2banana (My common ground with terrorists - they want to die for islam and we want to kill them)

To: thackney

Meanwhile, Crimean citizens now in the dark voted to reject a contract to get electricity from Ukraine because it required them to identify as part of Ukraine, Crimeans preferring to wait out extra months of darkness and cold until alternate electrical supplies can be constructed from Russia.


3 posted on 01/07/2016 6:52:26 AM PST by silverleaf (Age takes a toll: Please have exact change)

To: thackney

This threat seems a little overblown. From the description the target is PCs running SCADA software and specifically ASEM Ubiquity. Which they call “a platform commonly used in [ICS]” - yet this is a small (125 employees) Italian company that is dwarfed by the real industrial control players, including Siemens, ABB, Emerson, etc. Stuxnet worked because it had been very specifically crafted to install rogue code on Siemens PLCs which are widely used, but while Ukraine may be dependent on ASEM software, the rest of the world is not.


4 posted on 01/07/2016 6:54:30 AM PST by bigbob ("Victorious warriors win first and then go to war" Sun Tzu.)

To: silverleaf

I’d think this kind of stuff would strengthen the resolve of Crimeans to stay as far from association with Kiev as possible. And to retaliate in kind.


5 posted on 01/07/2016 6:56:47 AM PST by grania

To: bigbob

I agree this does not represent any real threat of a widespread power blackout in the US.


6 posted on 01/07/2016 6:59:01 AM PST by thackney (life is fragile, handle with prayer)

To: thackney

Yep, but not to underestimate the threat in general, just this specific instance. I remember someone years ago saying that when you have the unlimited resources of a nation-state behind you, there is really not much that can’t be done.

The whitepaper on this F-Secure site is interesting reading for anyone interested in the “under the hood” stuff: https://www.f-secure.com/en/web/labs_global/whitepapers

Summary:

“In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukrainian government organizations for information harvesting. These samples were identified as being the work of one group, referred to in this document as Quedagh, which has a history of targeting political organizations.

The Quedagh-related customizations to the BlackEnergy malware include support for proxy servers and use of techniques to bypass User Account Control and driver signing features in 64-bit Windows systems. While monitoring BlackEnergy samples, we also uncovered a new variant used by this group. We named this new variant BlackEnergy 3.

The use of BlackEnergy for a politically-oriented attack is an intriguing convergence of criminal activity and espionage. As the kit is being used by multiple groups, it provides a greater measure of plausible deniability than is afforded by a custom-made piece of code.”


7 posted on 01/07/2016 7:06:22 AM PST by bigbob ("Victorious warriors win first and then go to war" Sun Tzu.)

To: Travis McGee

Ping!


8 posted on 01/07/2016 7:28:49 AM PST by Joe Brower (The "American People" are no longer capable of self-governance.)