25.1.16

New Wave of Cyber Attacks Hits Ukrainian Power Industry





ESET®, a global pioneer in IT security for more than two decades, has uncovered a new wave of attacks against electricity distribution companies in Ukraine. Previously, the attackers have managed to cause massive power outages in several regions in Ukraine in late December 2015. Interestingly, the malware that was used this time is not the infamous BlackEnergy.

The attack scenario itself hasn’t changed much from previous campaigns. The attackers sent spear-phishing emails to potential victims. The emails contained an attachment with a malicious XLS file, and also HTML content with a link to a .PNG file located on a remote server, so that the attackers would get a notification that the email had been delivered and opened by the target.

“We expected to see the BlackEnergy malware as the final payload, but a different malware was used this time. The attackers used modified versions of an open-source backdoor,” explains Robert Lipovsky, Malware Researcher at ESET.
This backdoor is able to download executables and execute shell-commands. Other backdoor functionality of the malware used - such as making screenshots, keylogging, or uploading files - was removed from the source code. The backdoor is controlled by attackers using a Gmail account, which makes it difficult to detect such traffic in the network.

The malware attacks on the Ukrainian energy sector have gained a lot of publicity as they caused or enabled (the role of the malware remains to be figured out in detail) a massive power outage, probably the world’s first as the result of such an attack.
“We currently have no evidence that would indicate who is behind these attacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not. The current discovery does not bring us any closer to uncovering the origins of the attacks in Ukraine. On the contrary, it reminds us to avoid jumping to rash conclusions,” concludes Robert Lipovsky, Malware Researcher at ESET.

Read more at ESET’s WeLiveSecurity blog about this recent non-BlackEnergy attack and about the malware attack that left hundreds of thousand people in Ukraine without electricity: here is a technical blogpost and here is an interview with ESET’s Robert Lipovsky putting the event in context.