New clues reveal a state-wide attack on Ukrainian companies

Feb 12, 2016 16:30 GMT

Cyber-security researchers investigating the widely reported attacks on the Ukrainian power grid have found evidence that the same malware variant was also used against a local railway operator and a mining company.

The original attacks happened before Christmas and were carried out against the IT systems of the Prykarpattiaoblenergo and Kyivoblenergo energy suppliers, resulting in energy blackouts for multiple regions in Western Ukraine.

After the incident made headlines around the world, the security companies investigating it uncovered clues linking the attacks to the BlackEnergy APT, a cyber-espionage group with loosely documented Russian ties.

This group employed its own malware variant, also called BlackEnergy, which included a special module named KillDisk, capable of infecting industrial SCADA systems.

The same malware was discovered in all three targets

Security researchers from Trend Micro say that, before the Christmas attacks on the two power grid companies, samples of the main BlackEnergy malware and its KillDisk component had also been detected at other companies.

The first of these attacks targeted a Ukrainian mining company in November, where the group used a BlackEnergy sample with the same functionality as the one later deployed against the power grid companies.

Moreover, the group used the same C&C server infrastructure employed in the Christmas attacks, and the KillDisk component was again identical.

Trend Micro's investigation also turned up a railway operator where a KillDisk sample identical to the one from the power grid attacks was detected, but without its parent BlackEnergy malware.

Attackers were probing companies in search of weak points

"There is remarkable overlap between the malware used, infrastructure, naming conventions, and to some degree, the timing of use for this malware, therefore leading us to believe the same actors are not only attacking power utilities, but also large mining and railway organizations throughout Ukraine," noted Kyle Wilhoit, Senior Threat Researcher for Trend Micro.

Most likely, the BlackEnergy APT was either testing its malware ahead of the real attack (on Christmas) or blindly probing various Ukrainian companies to see where it could gain a foothold and cause more damage.