Our new intelligence on BlackEnergy expands previous findings on the first wide-scale coordinated attack against industrial networks. Based on our research that we will further outline below, attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.
This proves that BlackEnergy has evolved from being just an energy sector problem; now it is a threat that organizations in all sectors—public and private—should be aware of and be prepared to defend themselves from. While the motivation for the said attacks has been the subject of heavy speculation, these appear to be aimed at crippling Ukrainian public and critical infrastructure in what could only be a politically motivated strike.
We came upon these findings by pivoting off of the original indicators of compromise, which included BlackEnergy reconnaissance and lateral movement tools and KillDisk, a disk-wiping malware, among others. A fellow senior threat researcher at Trend Micro and I began hunting for additional infections or malware samples related to the incident. We quickly realized that Prykarpattya Oblenergo and Kyivoblenergo were not the only targets of the newest BlackEnergy campaign.
Based on telemetry data from open-source intelligence (OSINT) and Trend Micro Smart Protection Network, we saw that there were samples of BlackEnergy and KillDisk that may have been used against a large Ukrainian mining company and a large Ukrainian rail company. In addition, the possible infections in the mining and railway organizations appear to use some of the same BlackEnergy and KillDisk infrastructure that was seen in the two power facilities attacks.
Related Malware in a Large Ukrainian Mining Company
During the course of our investigation, we saw an overlap between the BlackEnergy samples used in the Ukrainian power incident and those apparently used against the Ukrainian mining company. One sample, amdide.sys (SHA1: 2D805BCA41AA0EB1FC7EC3BD944EFD7DBA686AE1), appears to have been used in November 2015 to infect its target. Additional samples leveraged in the Ukrainian power utilities attack and the Ukrainian mining company are:
- aliide.sys: C7E919622D6D8EA2491ED392A0F8457E4483EAE9
- acpipmi.sys: 0B4BE96ADA3B54453BD37130087618EA90168D72
We also came across another sample named aliide.sys (SHA1: C7E919622D6D8EA2491ED392A0F8457EA240) that appears to have hit the same company. The naming of the BlackEnergy samples appears to mirror one of the samples that was actively used in the campaign against the Ukrainian power utilities. This sample, which is flagged as BlackEnergy, has the same exact functionality as those samples witnessed in the Ukrainian power utility attack. In addition, this sample utilizes the same infrastructure. In this case, the URL communicated with is 88[.]198[.]25[.]92:443/fHKfvEhleQ/maincraft/derstatus.php.
Additional samples that are caught as BlackEnergy and appear related are:
- adpu320.sys : 2D805BCA41AA0EB1FC7EC3BD944EFD7D
- acpipmi.sys: 0B4BE96ADA3B54453BD37130087618EA
Both of the aforementioned samples communicate to 146[.]0[.]74[.]7:443/l7vogLG/BVZ99/rt170v/solocVI/eegL7p.php, which is also one of the same C2s used in the Ukrainian power incident. All of the BlackEnergy samples mentioned appear to have been used in the November–December 2015 timeframe.
Unfortunately, this same mining organization was also hit with multiple variants of KillDisk. While none of the exact samples in the prior utility attacks appear to have been used against the mining organization, the specific samples witnessed perform the same exact functionality as those witnessed at the Ukrainian power utilities, with very little difference.
We did see KillDisk bleed over from the Ukrainian power incident that occurred as well. Two samples drew our attention, svchost.exe (SHA1: 8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569) and crab.exe (SHA1: 16f44fac7e8bc94eccd7ad9692e6665ef540eec4). Both samples seen in the Ukrainian power incident were possibly also used against this large Ukrainian mining organization.
Similar Malware in a Large Ukrainian Train/Railway Operator
Like the attacks against the Ukrainian mining company, we also witnessed KillDisk possibly being used against a large Ukrainian railway company that is part of the national Ukrainian railway system. The file tsk.exe (SHA1: f3e41eb94c4d72a98cd743bbb02d248f510ad925) was flagged as KillDisk and used in the electric utility attack as well as against the rail company. This appears to be the only spillover from the Ukrainian power utility infection. Although we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network.
Based on our research, we believe that the same actors are likely involved, in some regard, in the attacks on these two victims and in the Ukrainian power utility attack. There is remarkable overlap in the malware used, the infrastructure, the naming conventions, and, to some degree, the timing of use of this malware, leading us to believe the same actors are not only attacking power utilities, but also large mining and railway organizations throughout Ukraine.
Figure 1. Overlap between sectors, campaigns, malware, and C&C servers used
There are many possibilities about the big picture, but three in particular stand out. One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities. Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrest control of. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.
Whichever is the case, attacks against Industrial Control Systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions. In addition—and this bears repeating—this attack shows that any organization, regardless of the nature or size of their business, can be a target. Given that the BlackEnergy campaign has a destructive payload (KillDisk), companies with a false sense of security that they are not critical, public-facing, or important enough to be targeted may just find their operations, or their ability to conduct their business, grind to a halt.
The comprehensive list of indicators we’ve been tracking for BlackEnergy 2015 campaigns can be found in this appendix.
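The following added example (not Trend Micro's code) shows one way to sweep a file tree for the SHA1 values quoted in this article. The function names are hypothetical. It assumes that any value that is not a full 40-character SHA1 should be set aside rather than matched, and that a file-name-only match is a lead to triage, not a verdict, because these names also belong to stock Windows files.

```python
import hashlib
import os
import re

# Name: SHA1 pairs exactly as printed in the article above.
PAGE_IOCS = """
amdide.sys: 2D805BCA41AA0EB1FC7EC3BD944EFD7DBA686AE1
aliide.sys: C7E919622D6D8EA2491ED392A0F8457E4483EAE9
acpipmi.sys: 0B4BE96ADA3B54453BD37130087618EA90168D72
aliide.sys: C7E919622D6D8EA2491ED392A0F8457EA240
svchost.exe: 8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569
crab.exe: 16f44fac7e8bc94eccd7ad9692e6665ef540eec4
tsk.exe: f3e41eb94c4d72a98cd743bbb02d248f510ad925
"""
SHA1_RE = re.compile(r"[0-9a-f]{40}")

def parse_iocs(text):
    """Return ({sha1: name}, [rejected lines]); only full 40-hex values are usable."""
    good, rejected = {}, []
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        value = value.strip().lower()
        if SHA1_RE.fullmatch(value):
            good[value] = name.strip().lower()
        else:
            rejected.append(line.strip())  # wrong length: cannot match a SHA1 digest
    return good, rejected

def sha1_of(path, chunk=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, iocs):
    """Return ('hash', path, ioc_name) for digest hits, ('name', path, name) for name-only hits."""
    names, findings = set(iocs.values()), []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha1_of(path)
            except OSError:
                continue  # unreadable or locked file: skip it, keep sweeping
            if digest in iocs:
                findings.append(("hash", path, iocs[digest]))  # renamed copies still match
            elif fn.lower() in names:
                findings.append(("name", path, fn.lower()))    # lead only, triage by hand
    return findings
```

Call `parse_iocs(PAGE_IOCS)` first and pass the returned dictionary to `sweep()`; review the rejected list before relying on the sweep, since those entries are never matched.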