ESET®, a global pioneer in IT security for more than two decades, has uncovered a new wave of attacks against electricity distribution companies in Ukraine. Previously, the attackers had managed to cause massive power outages in several regions of Ukraine in late December 2015.
Interestingly, the malware used this time is not the infamous BlackEnergy. The attack scenario itself hasn’t changed much from previous campaigns. The attackers sent spear-phishing emails to potential victims. The emails contained an attachment with a malicious XLS file, and also HTML content with a link to a .PNG file located on a remote server, so that the attackers would get a notification that the email had been delivered and opened by the target.
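As an added illustration (not code from ESET or from the original post), the following Python triage script flags the two indicators described above in a constructed sample message: a remote image reference in the HTML body, which is the delivery/open beacon pattern, and a spreadsheet attachment. All addresses and hostnames are placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the campaign): an XLS attachment plus an
# HTML body loading a remote .PNG. Hosts use the reserved .invalid TLD.
SAMPLE_EML = b"""\
From: sender@example.invalid
Subject: Invoice
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached file.</p>
<img src="http://tracker.example.invalid/open.png" width="1" height="1">
</body></html>
--B1
Content-Type: application/vnd.ms-excel; name="invoice.xls"
Content-Disposition: attachment; filename="invoice.xls"
Content-Transfer-Encoding: base64

AAAA
--B1--
"""

class _ImgCollector(HTMLParser):
    """Collect src values of <img> tags that fetch from a remote host."""
    def __init__(self):
        super().__init__()
        self.remote = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if urlparse(src).scheme in ("http", "https"):
                self.remote.append(src)

def triage(raw_eml):
    """Return (remote image URLs, attachment filenames) found in one message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    remote, attachments = [], []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _ImgCollector()
            collector.feed(part.get_content())   # decoded HTML body text
            remote.extend(collector.remote)
        elif part.get_filename():                # any part carrying a file name
            attachments.append(part.get_filename())
    return remote, attachments
```

A mail gateway or SOC script can run `triage` over inbound messages and alert when a remote image appears alongside an Office attachment.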
“We expected to see the BlackEnergy malware as the final payload, but a different malware was used this time. The attackers used modified versions of an open-source backdoor,” explains Robert Lipovsky, Malware Researcher at ESET.
This backdoor is able to download executables and execute shell commands. Other backdoor functionality of the malware, such as taking screenshots, keylogging, or uploading files, was removed from the source code. The backdoor is controlled by the attackers through a Gmail account, which makes such traffic difficult to distinguish from legitimate traffic on the network.
The malware attacks on the Ukrainian energy sector have gained a lot of publicity, as they caused or enabled (the exact role of the malware remains to be determined in detail) a massive power outage, probably the world’s first as the result of such an attack.
“We currently have no evidence that would indicate who is behind these attacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not. The current discovery does not bring us any closer to uncovering the origins of the attacks in Ukraine. On the contrary, it reminds us to avoid jumping to rash conclusions,” concludes Robert Lipovsky, Malware Researcher at ESET.
Read more at ESET’s WeLiveSecurity blog about this recent non-BlackEnergy attack and about the malware attack that left hundreds of thousands of people in Ukraine without electricity: here is a technical blogpost and here is an interview with ESET’s Robert Lipovsky putting the event in context.