BlackEnergy Trojan Attacks Again - Strikes Electric Power Industry in Ukraine

The group of BlackEnergy APT (Advanced Persistent Threat) was exceedingly active in 2014 and came back in 2015, specially targeting electrical power stations and news outlets in Ukraine and victims are blaming Russian agents.

BlackEnergy might have been responsible for the so-called "malware attacks" on the Ukrainian electrical power grid just after Christmas when major power supply was not available at western region of Ukraine. ComputerWeelyon posted on 4th January, 2016, stating that CERT-UA first reported the link between KillDisk component and BlackEnergy when many companies of news media were attacked at the time of local elections at Ukraine in November 2015.

The BlackEnergy Trojan is prefabricated and employs different downloadable components to complete particular jobs. Win32/KillDisk malware was detected on the infected system during the latest attack in Ukraine. Researchers of security company ESET discovered that the KillDisk component was used in attacks against energy companies in Ukraine was somewhat different. Looking at telemetry of ESET, the reported case was not the only incident in Ukraine which was targeted by cybercriminals.

Cherepanov (malware researcher of Security Company ESET based at Bratislava, Slovakia) confirmed that those reported attacks were associated with the BlackEnergy malware attacks in the ESET report. Cherepanov also discovered a clue connecting the malware to Russia with code possibly with reference to the Russian acronym which means "mass media".

Cherepanov posted stating that New KillDisk components to the Ukrainian enterprises abolish data and make systems unbootable. A vicious KillDisk Trojan was downloaded and executed on systems which were infected before with the BlackEnergy Trojan.

The KillDisk component used against news outlets targeted an extensive range of files (4,000 file extensions) whereas the one against the Ukrainian electrical grid only targeted 35 types of file, aiming to stop access to ICS/SCADA components. It also deleted Windows Event Logs and removed only 35 types of file extension as compared to 4,000 types of file extension in the attacks against media companies in Ukraine.

The report reveals that a huge number of video materials and different documents were damaged by the attacks. The researchers of ESET said that they will continue to monitor the BlackEnergy malware operations for the developments in future.

» SPAMfighter News - 1/7/2016