BlackEnergy Gang Likely Targeted Ukraine Railroad, Mining Interests

The BlackEnergy cyber-attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.

Fresh intelligence from Trend Micro shows that BlackEnergy has evolved from being just an energy-sector problem; rather, the attacks are aimed at crippling Ukrainian public and critical infrastructure in what could only be a politically motivated strike.

“We came upon these findings by pivoting off of the original indicators of compromise, which included BlackEnergy reconnaissance and lateral movement tools and KillDisk, a disk-wiping malware, among others,” the firm explained in an extensive forensics breakdown. “A fellow senior threat researcher at Trend Micro and I began hunting for additional infections or malware samples related to the incident. We quickly realized that Prykarpattya Oblenergo and Kyivoblenergo were not the only targets revolving around the newest BlackEnergy campaign.”

Based on telemetry data, it emerged that there were possible infections in mining and railway organizations that overlapped with the BlackEnergy and KillDisk samples used in the Ukrainian power incident.

“There is remarkable overlap between the malware used, infrastructure, naming conventions and to some degree, the timing of use for this malware, therefore leading us to believe the same actors are not only attacking power utilities, but also large mining and railway organizations throughout Ukraine,” the researchers concluded.
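The overlap reasoning the researchers describe (shared samples, shared command-and-control infrastructure, a common naming convention and close timing) as a worked pivot over constructed telemetry. This is an added illustration, not Trend Micro's tooling; every hash, host and filename is a placeholder, and the `*_Tx.xls` dropper naming convention is an assumption made for the example.

```python
"""Pivot from a seed incident's indicators across sector telemetry and score overlap."""
import re
from datetime import date

# Constructed telemetry: one record per detection. All values are placeholders.
TELEMETRY = [
    {"sector": "power",   "sha256": "HASH_BE_A",  "c2": "c2-alpha.example", "dropper": "Energy_Tx.xls", "seen": date(2015, 12, 21)},
    {"sector": "power",   "sha256": "HASH_KD_1",  "c2": "c2-alpha.example", "dropper": "killdisk.exe",  "seen": date(2015, 12, 23)},
    {"sector": "mining",  "sha256": "HASH_BE_A",  "c2": "c2-beta.example",  "dropper": "Mine_Tx.xls",   "seen": date(2015, 12, 18)},
    {"sector": "mining",  "sha256": "HASH_KD_1",  "c2": "c2-beta.example",  "dropper": "killdisk.exe",  "seen": date(2015, 12, 22)},
    {"sector": "railway", "sha256": "HASH_BE_B",  "c2": "c2-alpha.example", "dropper": "Rail_Tx.xls",   "seen": date(2015, 12, 20)},
    {"sector": "banking", "sha256": "HASH_OTHER", "c2": "c2-gamma.example", "dropper": "invoice.doc",   "seen": date(2015, 11, 2)},
]

def naming_key(filename):
    """Collapse the sector-specific prefix (assumed convention) so 'Energy_Tx.xls'
    and 'Mine_Tx.xls' map to the same key '*_tx.xls'."""
    return re.sub(r"^[A-Za-z]+_", "*_", filename.lower())

def indicators(rec):
    """Pivotable attributes of one detection: sample hash, C2 host, naming convention."""
    return {("sha256", rec["sha256"]), ("c2", rec["c2"]), ("naming", naming_key(rec["dropper"]))}

def overlap_by_sector(telemetry, seed_sector, window_days=30):
    """For every other sector, collect indicators shared with the seed incident and
    whether any shared hit fell within `window_days` of the seed's first sighting."""
    seed = [r for r in telemetry if r["sector"] == seed_sector]
    seed_iocs = set().union(*(indicators(r) for r in seed))
    seed_start = min(r["seen"] for r in seed)
    report = {}
    for r in telemetry:
        if r["sector"] == seed_sector:
            continue
        shared = indicators(r) & seed_iocs
        within = abs((r["seen"] - seed_start).days) <= window_days
        entry = report.setdefault(r["sector"], {"shared": set(), "in_window": False})
        entry["shared"] |= shared
        entry["in_window"] = entry["in_window"] or (within and bool(shared))
    return report

def linked_sectors(telemetry, seed_sector, min_kinds=2):
    """Sectors sharing at least `min_kinds` distinct indicator kinds (hash, C2,
    naming) with the seed inside the time window; a single shared hash is not enough."""
    rep = overlap_by_sector(telemetry, seed_sector)
    return sorted(s for s, e in rep.items()
                  if e["in_window"] and len({kind for kind, _ in e["shared"]}) >= min_kinds)

if __name__ == "__main__":
    for sector, entry in overlap_by_sector(TELEMETRY, "power").items():
        print(sector, sorted(entry["shared"]), "in_window" if entry["in_window"] else "")
    print("linked:", linked_sectors(TELEMETRY, "power"))
```

With the constructed data, mining and railway each share two indicator kinds with the power incident inside the window, while the banking record shares nothing and is excluded.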

Motivations could be myriad: the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining and transportation facilities; they may have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrest control of; or the infections in the mining and train companies may simply have been preliminary infections, with the attackers testing the code base.

“Whichever is the case, attacks against industrial control systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions,” Trend Micro noted.
