Ukraine Attack Proved That Malware Real Danger to Grid
By Irena Damsky and Ofir Ashman, ThreatSTOP
Black Energy, a notorious malware that we have researched lately, has once again become the subject of talk in the cyberworld. Its celebrity status is due mainly to its involvement in the recent cyberattack on Ukraine’s power industry, which left around 80,000 electricity customers without power for several hours, two days before Christmas.
Arbor Networks discovered the original Black Energy-a relatively simple HTTP Distributed Denial of Service (DDoS) Trojan-in mid-2007. During its initial research, Arbor Networks analyzed 27 botnets infected by Black Energy, with an estimated couple hundred bots in each network. Most of the botnets were in Russia and Malaysia, yet most of the top targets for the DDoS attacks were also in Russia, making the correlation between the attacked networks and the attacked sites unclear. Since its first sighting, Black Energy has taken many forms and has evolved into a sophisticated malware that can be used for fraud, spam, espionage and targeted attacks.
The first major attack in which Black Energy was used was in 2008, when Russian hackers successfully hacked 54 communications, finance and government websites in Georgia just 3 weeks before the Russo-Georgian war. This attack is said to be the first case in history of a coordinated cyberspace domain attack synchronized with major combat actions in the other war domains (land, air, sea and space).
Later, in 2010 came the first time Black Energy was used in a massive cyber-fraud attack, this time with a newer version of the malware. Black Energy version 2 (v2) was better for the mission than its former counterpart, using a plug-in to carry out its various malicious capabilities. For example, in an event researched by SecureWorks, Black Energy v2 took advantage of a plug-in for a banking authentication system, which was used by only Ukranian and Russian banks, to steal authentication credentials. These credentials, as hypothesized by SecureWorks researchers, would be used to transfer money, and adjacently to launch DDoS attacks against the bank to distract them from noticing the fraudulent transfers.
In September 2014, the U.S. Department of Homeland Security announced that the software responsible for running most of the nation’s critical infrastructure had been attacked with Black Energy and had been infected since 2011. The compromised software was used to control oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines and even nuclear plants. Had it gone undiscovered, this Black Energy invasion could have seriously damaged U.S. security and the country’s economy.
Not only was 2014 a year of discovery for prior Black Energy attacks that had gone unexposed, it was a year that brought many new samples to researchers’ attention. F-Secure labs went as far as stating that “The universe is full of Black Energy and so is cyberspace.”
In June, two Black Energy samples-one from Ukraine and the other from Belgium-were uploaded and researched by F-Secure Labs. A political party website in Ukraine had been a main target in the first attack, and Belgium is the home of the NATO headquarters. These facts, in sight of the Ukranian political and national crisis peaking in 2014, raised speculation as to the motives of the attackers, and strengthened the notion that Black Energy was being used mostly for political sabotage attacks. A few months later, ESET, a major supplier of Windows antivirus and security software, stated that they had been researching over 100 individual victims of Black Energy attacks that year, half in Ukraine and half in Poland, which included a number of state organization and various businesses.
During 2015, Black Energy was used against several electrical distribution companies in Ukraine, peaking on December 23, 2015, with the massive DDoS attack against the electrical power industry, leaving most of the Ivano-Frankivisk Oblast without power for six hours.
The sophistication that this bot has reached over the years has given it a big name in the cyberworld.
Black Energy’s Evolution
Black Energy v1
The first Black Energy samples researched by Arbor Networks in 2007 were of a Web-distributed DDoS bot, used to target Russian sites while using Malaysian and Russian IP addresses.
Unlike most bots at the time, Black Energy v1 did not communicate with the botnet master using Internet Relay Chat (IRC), nor did it perform exploit activities. Because of the lack of an exploit code, external tools and methods were necessary in order to load the bot.
The first version of Black Energy had three distinct capabilities: DDoS attack commands, a download functionality using a “get” command to download from its servers, and commands to stop the bot from acting, such as “stop” (cease DDoS attacks), “wait” (act as a placeholder) and “die.” The bot’s way of evading detection was by hiding its processes and files in a system driver called “syssrv.sys”.
Russian underground hackers were said to be the owner of the bot, and although it was not widely available on the Web, it was sold in Russian forums for computer hackers and in the Russian underground.
Black Energy v2
After the big success of Black Energy v1, its second and more superior version was publicly announced in 2010. The malware went through a complete code rewrite and emerged with a modular architecture, making it easy to modify and suitable for spam, fraud and targeted attacks as well as its original DDoS functionality.
The malware’s flexible infrastructure uses plug-ins with various capabilities that can be downloaded and updated from the bot’s command and control (C&C) servers. These plug-ins are saved in an encrypted format as drivers on the infected computer’s hard drive. Malicious plug-ins include the Trojan plug-in, which can destroy an infected computer’s entire filesystem when given a “kill” command, the DDoS plugin, as well as plug-ins used to gather user credentials, send spam and more. In addition, the bot can download and execute remote files, execute local files, update itself from the C&C servers, and die on command.
The attackers’ capability to easily update the bot on demand also makes the bot much more evasive-if the bot is discovered by an antivirus program, the programmers can simply write an update that overtakes the discovered part of the malware. The update is then sent to their bots for immediate action. This feature makes the bot’s survival time on an infected computer much, much higher.
Black Energy v3
The latest full version of Black Energy emerged in 2014. The changes made to this version were smaller, mainly simplifying the malware. For instance, the v3 installer does not use a driver component in the installation process, as did the previous versions, but rather the installer drops the main dynamic link library (DLL) component directly to the local application data folder. Another modification made to v3 is that it communicates with its plugins using a different protocol than its predecessors.
Black Energy Lite
Also called “Black Energy Mini,” this version runs its plug-in capabilities differently and with less support than its “big” counterparts and leaves a lighter footprint. Black Energy Lite’s configuration files are stored as a x.509 certificate (responsible for public key verification), instead of as an xml file like the malware’s other versions.
Researchers studying Black Energy have come across many samples of the malware, and show that it has been distributed in various ways. The most common distribution method is as an email attachment. In a simple attachment-based infection, attackers attach an executable file (.exe) with the Word-document icon, which tricks victims into thinking it is a legitimate file. Other methods took advantage of exploits in common programs. In one infection case, the attackers used a PowerPoint attachment, using vulnerability in the application that loads remote files in the background. With this method, the attackers were able to “silently” drop the malware dropper while showing a decoy document to the victim. Word (the well-known CVE-2014-1761 zero-day vulnerability), Java and TeamViewer and Juniper were also exploited for the use of infecting victims with Black Energy.
The Main Actor: Sandworm
The most prominent use of Black Energy for targeted attacks is by a cybergang who is attributed to Russia. The group, which was named Sandworm because of the references to the science-fiction series “Dune” embedded in their malware, was researched mainly from late 2013 and throughout 2014, and it seems that the team’s activity traces back to 2009. The group’s preferred infection tactic is spear-phishing, and they use Black Energy v3 as their signature malware.
The Sandworm team is known to have a particular interest in political targets, and is said to be responsible for the 2014 attacks against Ukranian government organizations. Other organizations the gang has targeted include NATO, Western European government organizations, energy sector firms, European telecommunications firms and American academic organization. In addition, it is suspected that Sandworm was involved in the 2008 attack on Georgia. Many tie Sandworm to the Russian government, though there is no proof of this type of connection.
Most mainstream media outlets have quoted the security firm iSight, who claims that Sandworm is responsible for the recent Ukranian power outage. This is probably largely due to the fact that Black Energy v3 was found in the samples uploaded from the attack, as well as the political motive of the group. Others say this is a loose assumption and is not close to enough evidence to tie the cybergang to the attack.
Black Energy has been, and will probably continue to be, an extremely powerful and intriguing malware researched by the biggest security companies today. ThreatSTOP has been actively analyzing indicators for this malware, and is currently protecting its customers from the malware by blocking any potential traffic from their network to Black Energy’s C&C servers.
Editor’s Note: This story also ran in IT Briefcase.
Irena Damsky is a security and intelligence researcher and developer based in Israel. As senior director of security research for ThreatSTOP, she is responsible for establishing and managing a team of researchers and analysts to find, understand and publish information about active threats. This information is then used to protect ThreatSTOP customers and is shared with the InfoSec community at large. Prior to joining ThreatSTOP, Irena served as the threat intelligence team leader for Check Point Software. Irena currently holds the rank of Captain in Reserve with the Israeli Intelligence Forces where she served for more than six years as a security researcher, developer and team leader.
Ofir Ashman is a security analyst at ThreatSTOP. Based in Israel, Ashman is responsible for investigating new threats for inclusion in the ThreatSTOP Shield platform, and publishing research on trends in cybersecurity. Prior to joining ThreatSTOP, Ashman served three years in the Israeli Intelligence Forces as an intelligence researcher, analyst and commander for training courses. Ashman is fluent in English and Hebrew.