BlackEnergy Malware: How Hackers May Tackle our Infrastructure

Written by

On December 23 2015, 230,000 people in Ukraine were left in the dark for six hours after hackers compromised several power distribution centres which provide electricity to residents in Ukraine. The attackers used spear phishing emails and variants of the BlackEnergy 3 malware to gain a foothold into the IT networks of the electricity companies and knock real-world systems offline. 

This incident was the first recorded successful cyber-attack on an electric grid - and if a power outage at the beginning of winter doesn’t sound too bad, just consider the impact if such a breach were to affect the country’s hospitals.

Energy hacks: 2018 model
Attackers are becoming smarter and more apt, illustrating a degree of learning which is concerning to the security community. In 2018, we’ll likely see threat actors increase their focus on critical infrastructure.

It’s often said that the great battles of the 21st Century will take place online, and with the example of the Ukrainian attack it’s not hard to see why. Imagine if a hostile actor hacked into the rail signaling network and crashed speeding trains into one another; or if the power in Parliament was cut for days. As we connect more of our critical infrastructure to the internet, the scope for attacks with real-world consequences is constantly increasing.

The energy sector needs to be acutely aware of the potential danger posed by cyber-attacks like this. Energy companies need to be able to defend themselves effectively, and intelligence analysis is a key component of achieving that goal. Here we explore how energy companies can collect and organize intelligence to inform their cybersecurity efforts.  

Understanding your adversary
When facing a threat like that posed by BlackEnergy, it’s essential that potential targets understand as much as they can about the threats they face. The more you know, the better you’ll be able to respond to a new threat. Basic details including where the malware comes from, what it does, and how it was targeted in the past can help form the basis of an intelligence-led defense. 

A good place to begin is open source intelligence collection, collating indicators from openly available sources. Many security companies publish blogs and reports that include indicators of compromise (IOCs) such as hashes and network indicators like hostnames and IP addresses. This information can be used as the basis of a threat profile that includes important details like malware capabilities and targeting focuses, data which can aid a company in determining whether the activity poses a threat to its organization.
 
In the case of BlackEnergy, for example, ThreatConnect analysts started with a 2014 Kaspersky report, which detailed BlackEnergy use and contained MD5 hashes, network indicators, and target information associated with BlackEnergy 2 and BlackEnergy 3.

Growing your intelligence
After collecting intelligence from publicly available reporting, researchers can pivot on network information by looking for additional domains on dedicated IP addresses and identifying hosts registered with the same registration information as those associated with a given threat.

Companies can also use techniques like YARA hunting to identify additional, related malware samples. YARA rules can be used to look for strings in malware samples uploaded to public malware scanning sites. If a sample matching a given YARA rule is found, the researcher is notified. 

Once a sample is identified, researchers can use automated malware analysis (AMA) services to analyze the malware. Many AMA services have a feature that associates similar files to the sample being analyzed. This feature can be used to find related samples without waiting for a file to match on a deployed YARA rule. 
 
Using what you know
Intelligence doesn't exist for its own sake: it exists to inform decisions. There are automated platforms that make it easy to take action on information pulled together in this way, further simplifying the process and allowing staff to send indicators to be blocked or assigned to an analyst for further investigation. 

For example, an automated platform can enable security analysts to pull out trends based on information from multiple intelligence sources that manual research would take months to uncover, if it uncovered them at all. Security teams can then use those trends to inform policy, ensuring that vulnerabilities are patched and likely targets are pre-prepared against attack.

Automation can take much of the load of back-end administration off the shoulders of the analysts, leaving them to apply their expertise to the decision-making process once all relevant information has been combined and parsed. That adds up to a more effective defense and a more economical spread of resources.

Forewarned is forearmed
The Ukrainian BlackEnergy attack ended within hours and affected just a small proportion of the population. In 2018, after three years of technological advancement, attacks could conceivably last longer and be more widespread. In the case of an advanced attack, energy providers and governments must be prepared to defend their systems.

An ongoing program of threat analysis, where indicators related to common threats are aggregated and mined for patterns and tactics, can play a large part in building an effective defense.

What’s hot on Infosecurity Magazine?