Three regional Ukraine power authorities suffered a malware attack that caused hundreds of thousands of homes to lose power last week, according to ArsTechnica. Nearly half the homes in Ukraine’s Ivano-Frankivsk region lost power, according to the Ukrainian news service TSN on Dec. 23, one day following the failure. The malware disconnected electrical substations.
iSIGHT Partners, a global cyber threat intelligence company, found malicious code samples that affected at least three regional operators. The destruction could mark the first known instance of malware causing a power outage.
John Hultquist, head of iSIGHT’s cyber espionage intelligence, said destructive events have struck energy targets in the past, such as oil companies, but have not caused a blackout. He said the power outage signifies a scenario that has long concerned people.
‘BlackEnergy’ Infection Expands
ESET, an antivirus provider, confirmed multiple power authorities suffered the “BlackEnergy” infection, discovered in 2007 and updated two years ago to include new functions like being able to leave infected computers unbootable.
ESET recently discovered the malware was updated to include “KillDisk,” a component that destroys computer hard drive parts. KillDisk also displays functions that sabotage industrial control systems. The latest BlackEnergy also has a “backdoored” secure shell (SSH) utility that provides attackers permanent access to affected computers.
BlackEnery previously carried out espionage on power companies, news organizations and other industrial groups. ESET did not say the infections that hit the power companies caused last week’s outage, but the company indicated one or more BlackEnergy components possessed the capability.
ESET researchers on Monday blogged that the malware can disable critical systems. Another explanation is that the BlackEnergy backdoor, along with a newly-found SSH backdoor, provided attackers access to affected systems. After infiltrating a system with either “Trojan,” an attacker would be able to disable it. The planted Trojan would make recovery harder.
Destructive Capabilities Increase
BlackEnergy has strengthened its capabilities in the last year. An advisory from Ukraine’s computer emergency response team noted late last year the KillDisk module hit Ukraine media organizations, destroying video and other content. The one that infiltrated the power companies carried similar functions but deleted a narrower data set, according to ESET.
KillDisk was also updated to undermine two computer processes, one being a remote management platform connected to the EL TIMA Serial to Ethernet Connectors that industrial control systems used.
The group behind BlackEnergy, dubbed by iSIGHT as the Sandworm gang, in 2014 attacked Ukrainian, Polish and North Atlantic Treaty Organization agencies as well as some European industries. The gang is connected to Russia, but iSIGHT researchers caution readers about crediting governments or specific groups with hacking attacks.
Booby-trapped macro functions embedded in Microsoft Office documents infected the Ukrainian power authorities, according to ESET. Such an attack would mean a simple social engineering ploy can infect industrial control systems needed to supply power to millions.
In addition, malware is being used to cause power failures that portend life-and-death consequences to many people.
Police Suspect Hacking On Power Grid
Reuters last week reported Ukrainian police are examining a suspected hacking on its power grid.
There is no confirmation that a malware attack that infected Saudi Arabia’s largest gas producer in 2012 affected production. The iSIGHT report indicates there is an escalation in malware-controlled conflict with consequences for industrial nations.
Image from Shutterstock.