Russian-linked APT sports new offensive hacking tools

Jan 4, 2016 08:23 GMT
BlackEnergy APT linked to attacks against the Ukrainian electrical power grid

The BlackEnergy APT (Advanced Persistent Threat) group made a comeback in 2015, after being extremely active in 2014, and this time around, it specifically targeted electrical power stations and news outlets in Ukraine.

BlackEnergy, suspected to be of Russian origin, is a cyber-threat actor that has been active against a range of politically significant targets, the kind typically chosen in cyber-espionage campaigns.

The group, named after the BlackEnergy trojan often used in their attacks, has a knack for attacking industrial control systems (ICS).

ESET researchers confirm that BlackEnergy, thought to have gone dormant in December 2014, was in fact active in 2015, using new tools that researchers had not previously seen.

A new KillDisk component to destroy data on infected systems

One of these components is a new addition to the BlackEnergy trojan, a KillDisk component, which allowed the APT to overwrite files on the infected system with random data, destroying stored information and in some cases even preventing the OS from booting.

Two major attacks were observed where this component was used, both in Ukraine. The first was against a series of news outlets, just before the 2015 Ukrainian local elections. The second was against electrical power stations.

Different versions of the KillDisk component were used in each attack, indicating a highly targeted campaign of the kind seen in cyber-espionage (here, cyber-sabotage).

The KillDisk component used against news outlets targeted a wide range of files (4,000 file extensions) while the one against the Ukrainian electrical grid only targeted 35 file types, focusing on destroying access to ICS/SCADA components.
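The behaviour described above, one process overwriting many files of many types in a short time, is something endpoint telemetry can score. The following is an added example, not code from the article or from ESET: a heuristic run over constructed file-write events, in which the process name `wiper.exe`, the paths and the timestamps are all placeholders rather than indicators from the report.

```python
"""Added example (not from the article or from ESET): a behavioural heuristic
for a KillDisk-style wiper, run over constructed file-write telemetry.

The article describes KillDisk overwriting files with random data, either
across thousands of extensions or across a narrow ICS/SCADA-related set.
What telemetry can see is one process writing to many distinct files and
extensions inside a short window; that is what this scores.  Process
names, paths and timestamps below are constructed sample data."""
import os
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse 'ISO-timestamp process ACTION path' (a constructed log format)."""
    ts, proc, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, action, path


def build_sample_events():
    """Constructed sample: a normal editor saving a few documents, plus a
    hypothetical wiper ('wiper.exe' is a placeholder, not an indicator from
    the report) overwriting 80 files of 10 types in about 20 seconds."""
    base = datetime(2015, 12, 23, 10, 0, 0)
    lines = [
        f"{(base + timedelta(seconds=i)).isoformat()} winword.exe WRITE "
        f"C:\\Users\\ops\\report{i}.docx"
        for i in range(3)
    ]
    exts = ["docx", "xlsx", "pdf", "jpg", "exe", "dll", "ini", "log", "bak", "cfg"]
    for i in range(80):
        ts = (base + timedelta(seconds=5 + i // 4)).isoformat()
        lines.append(f"{ts} wiper.exe WRITE C:\\Data\\file{i}.{exts[i % len(exts)]}")
    return [parse_line(line) for line in lines]


def score_processes(events, window=timedelta(seconds=60), min_files=50, min_exts=5):
    """Return {process: (distinct_files, distinct_extensions)} for every
    process that, within some span of length `window`, wrote to at least
    `min_files` distinct files spanning at least `min_exts` extensions.
    The reported tuple is the largest such window seen for that process."""
    writes_by_proc = defaultdict(list)
    for ts, proc, action, path in events:
        if action == "WRITE":
            writes_by_proc[proc].append((ts, path))

    flagged = {}
    for proc, writes in writes_by_proc.items():
        writes.sort()
        best = None
        start = 0
        for end in range(len(writes)):
            # Slide the window start forward until the span fits inside `window`.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            paths = {p for _, p in writes[start:end + 1]}
            exts = {os.path.splitext(p)[1].lower() for p in paths}
            if len(paths) >= min_files and len(exts) >= min_exts:
                candidate = (len(paths), len(exts))
                if best is None or candidate > best:
                    best = candidate
        if best is not None:
            flagged[proc] = best
    return flagged


if __name__ == "__main__":
    for proc, (files, exts) in score_processes(build_sample_events()).items():
        print(f"{proc}: {files} files across {exts} extensions in one window")
```

The thresholds are the tunable part: the news-outlet variant, hitting thousands of extensions, would trip almost any `min_exts`, while a narrow ICS-focused variant like the one the article describes would need a low `min_exts` or an explicit watch list of the extensions that matter on a given host.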

BlackEnergy may well have been behind the so-called "malware attacks" on the Ukrainian electrical power grid this past Christmas, when major power outages hit Ukraine's western regions.

Before 2015, the BlackEnergy group used another type of data-destroying component, a custom tool they named dstr.

Hidden backdoor and SSH server

On top of the KillDisk component, on some targets, the BlackEnergy APT would also drop the Dropbear SSH component.

This component is an SSH server that would be installed and configured to automatically start on infected systems, providing attackers with remote access to infected computers.

To ensure they retained access to the device, the Dropbear SSH server also contained a backdoor that accepted a default password (passDs5Bu9Te7) or a hard-coded key pair.
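An SSH server appearing on a host where none is sanctioned is the simplest thing a defender can look for here. The following is an added example, not code from the article or from ESET: it audits a constructed inventory of SSH identification strings (the RFC 4253 `SSH-protoversion-softwareversion` format) against a baseline of hosts allowed to run SSH, and additionally flags a host key shared across several hosts, which is our own assumption about how a dropped server tends to behave rather than something the article states. Host names, banners and fingerprints are all constructed.

```python
"""Added example (not from the article or from ESET): auditing an inventory
of SSH listeners for servers that should not be there.

The article describes a Dropbear SSH server dropped on victims and set to
start automatically, with a backdoored default password and key pair.  An
SSH server on a host where none is sanctioned is the observable; this
script flags it from the server's identification string (RFC 4253 format
'SSH-<protoversion>-<softwareversion>').  It also flags one host key
shared by several hosts, on the assumption (ours, not the article's) that a
dropped server tends to ship with a fixed host key.  Hosts, banners and
fingerprints below are constructed sample data."""
import re
from collections import defaultdict

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")

# Constructed inventory: (host, identification string, host-key fingerprint).
# An empty banner means the port did not answer as SSH.
SAMPLE_INVENTORY = [
    ("jump01",   "SSH-2.0-OpenSSH_6.7p1 Debian-5", "SHA256:ZGVtby1qdW1wMDE"),
    ("hmi-ws03", "SSH-2.0-dropbear_2014.66",       "SHA256:c2hhcmVkLWtleQ"),
    ("hmi-ws07", "SSH-2.0-dropbear_2014.66",       "SHA256:c2hhcmVkLWtleQ"),
    ("eng-ws02", "",                               None),
]
# Hosts where an SSH service is sanctioned (constructed baseline).
EXPECTED_SSH_HOSTS = {"jump01"}


def parse_banner(banner):
    """Return (protoversion, softwareversion) or None if not an SSH banner."""
    m = BANNER_RE.match(banner)
    return (m.group("proto"), m.group("software")) if m else None


def audit(inventory, expected_hosts):
    """Return a sorted list of (host, finding) pairs."""
    findings = []
    hosts_by_fingerprint = defaultdict(list)
    for host, banner, fingerprint in inventory:
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # no SSH listener on this host
        proto, software = parsed
        if host not in expected_hosts:
            findings.append((host, f"unexpected SSH server {software} (protocol {proto})"))
        if fingerprint:
            hosts_by_fingerprint[fingerprint].append(host)
    # A host key seen on more than one machine suggests a bundled, dropped server.
    for fingerprint, hosts in hosts_by_fingerprint.items():
        if len(hosts) > 1:
            for host in hosts:
                others = ", ".join(h for h in hosts if h != host)
                findings.append((host, f"host key {fingerprint} also seen on {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY, EXPECTED_SSH_HOSTS):
        print(f"{host}: {finding}")
```

Feeding it real data means collecting the banner and host-key fingerprint from each listener on port 22 (and any other port an asset inventory shows as SSH); the baseline of expected hosts is what turns a list of listeners into findings, so it needs to be maintained as deliberately as the scan itself.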