Cyberattacks
against energy companies in Ukraine in December 2015 are connected to attacks
on media and targeted cyber-espionage against Ukrainian government agencies.
Analyzing the KillDisk malware used in the attacks, ESET researchers found out that
the new variant of this malware contained some additional functionality for
sabotaging industrial systems.
On December 23 2015, around 700
thousand people in the Ivano-Frankivsk region in Ukraine, half of the homes
there, were left without electricity for several hours. ESET researchers
discovered that the power outage – the Ukrainian media outlet TSN was first to report
it - was not an isolated incident. Other power distribution companies in
Ukraine were targeted by cybercriminals at the same time.
According to ESET researchers, the
attackers have been using the BlackEnergy backdoor to plant a KillDisk
component onto the targeted computers that would render them unbootable.
The BlackEnergy backdoor trojan is
modular and employs various downloadable components to carry out specific
tasks. In 2014 it was used in a series of cyber-espionage attacks against
high-profile, government-related targets in Ukraine. In the recent attacks
against electricity distribution companies, a destructive KillDisk trojan was
downloaded and executed on systems previously infected with the BlackEnergy
trojan.
The first known link between
BlackEnergy and KillDisk was reported by the Ukrainian cybersecurity agency,
CERT-UA, in November 2015. In that instance, a number of news media companies were
attacked at the time of the 2015 Ukrainian local elections. The report claims
that a large number of video materials and various documents have been
destroyed as a result of the attack.
The KillDisk variant used in the recent
attacks against Ukrainian power distribution companies also contained some
additional functionality. In addition to being able to delete system files to
make the system unbootable – functionality typical for such destructive trojans
– this particular variant contained code specifically intended to sabotage
industrial systems.
“Apart
from the regular KillDisk functionality, it would also try to terminate
processes that may belong to a platform commonly used in Industrial Control Systems,” explains Anton Cherepanov, Malware
researcher at ESET. If
these processes are found on the target system, the trojan will not only
terminate them but also overwrite their corresponding executable file on the
hard drive with random data in order to make restoration of the system more
difficult. “Our analysis of the destructive KillDisk
malware detected in several electricity distribution companies in Ukraine
indicates that the same toolset that was successfully used in attacks against
the Ukrainian media in November 2015 is also theoretically capable of shutting
down critical systems,” concludes Cherepanov.
more about the attack on Ukrainian power distribution companies and the
BlackEnergy/KillDisk malware at ESET’s WeLiveSecurity blog.