ESET Connects Power Outages with Cyber-Espionage

Cyber-attacks against electricity utilities in Ukraine in December 2015 are linked to attacks on the media and to targeted cyber-espionage against Ukrainian government agencies. Analyzing KillDisk, the malware used in these attacks, ESET researchers found that the new variant includes additional functionality aimed at sabotaging industrial systems.

On December 23, 2015, half a of the Ivano-Frankivsk region in Ukraine, were left without power for several hours, affecting about 700 thousand. ESET researchers discovered that the blackout, first reported by Ukrainian media outlet TSN, was not an isolated incident, as other electricity providers in Ukraine had also been targeted by cybercriminals at the same time.

According to ESET researchers, the attackers used the BlackEnergy backdoor to plant a KillDisk component on the targeted computers, leaving them unable to reboot.

The BlackEnergy backdoor trojan has a modular structure and includes various components, each built to perform a specific task. In 2014, it was used in a series of cyber-espionage attacks against high-profile government-linked targets in Ukraine. In the recent attacks against power companies, a destructive KillDisk trojan was downloaded and executed on systems already infected with the BlackEnergy trojan.

The first known link between BlackEnergy and KillDisk was reported by the Ukrainian cybersecurity agency, CERT-UA, in November 2015. In that case, a number of media companies had been attacked during the 2015 Ukrainian local elections. The report claims that, as a result of the attack, a large number of videos and various documents were destroyed.

The KillDisk variant used in the recent attacks on Ukrainian power companies also contained some additional functionality. In addition to being able to delete system files to prevent a system reboot - a typical function of such destructive trojans - this variant contained code specifically designed to sabotage industrial systems.

"In addition to its routine operation, KillDisk will also try to terminate processes that traditionally belong to a platform commonly used in industrial control systems," explains Anton Cherepanov, malware researcher at ESET.

If these processes are found on the system, the trojan will not only terminate them, but will also overwrite their executable file on the hard disk with random data, making it even more difficult to restore the system.

"According to the analysis we have carried out of the destructive malware KillDisk that has been detected in several electricity companies in Ukraine, the same set of tools successfully used in the attacks against the Ukrainian media in November 2015 is theoretically capable of stopping the operation of critical systems," concludes Cherepanov.

For more information on the attack on Ukrainian power providers and on the BlackEnergy / KillDisk malware, please visit ESET's WeLiveSecurity blog.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
