Eset reveals malware behind electricity outage in Ukraine

CYBERATTACKS against energy companies in Ukraine in December 2015 are connected to attacks on media and targeted cyber-espionage against Ukrainian government agencies.

Illustrative stock photo(Source: Sme)

Analysing the KillDisk malware used in the attacks, researchers of Slovak software company Eset found out that the new variant of this malware contained some additional functionality for sabotaging industrial systems.

About half of the 1.5 million inhabitants of the Ivano-Frankivsk region in Ukraine, some 200 kilometres from the Slovak border, were left without electricity for several hours on December 23. The Ukrainian media outlet TSN was the first to report that the outage was caused by the malware, but Eset researchers discovered during their analysis that this was not the only case.  Moreover, other power distribution companies in Ukraine were targeted by cybercriminals at the same time, Eset wrote in the press release.

The attackers have been using the BlackEnergy backdoor to plant a KillDisk component onto the targeted computers that would render them unbootable, according to ESET researchers.

The BlackEnergy backdoor Trojan is modular and employs various downloadable components to carry out specific tasks. In 2014 it was used in a series of cyber-espionage attacks against high-profile, government-related targets in Ukraine. In the recent attacks against electricity distribution companies, a destructive KillDisk Trojan was downloaded and executed on systems previously infected with the BlackEnergy Trojan. It was also used in the attack on participants of the GLOBSEC security conference held in Bratislava in 2014, Eset wrote.

The first known link between BlackEnergy and KillDisk was reported by the Ukrainian cybersecurity agency, CERT-UA, in November 2015. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents have been destroyed as a result of the attack.

The KillDisk variant used in the recent attacks against Ukrainian power distribution companies also contained some additional functionality. In addition to being able to delete system files to make the system unbootable – functionality typical for such destructive Trojans – this particular variant contained code specifically intended to sabotage industrial systems.

“Apart from the regular KillDisk functionality, it would also try to terminate processes that may belong to a platform commonly used in Industrial Control Systems,” said Anton Cherepanov, malware researcher at Eset, as quoted in the press release.

If these processes are found on the target system, the Trojan will not only terminate them but also overwrite their corresponding executable file on the hard drive with random data in order to make restoration of the system more difficult.

“Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that the same toolset that was successfully used in attacks against the Ukrainian media in November 2015 is also theoretically capable of shutting down critical systems,” Cherepanov added.

The processing of personal data is subject to our Privacy Policy and the Cookie Policy. Before submitting your e-mail address, please make sure to acquaint yourself with these documents.

Top stories

Coalition demands the right of reply for politicians

Politicians ponder new provisions for the Press Code, Speaker of Parliament Danko wants to defend himself against op-eds too.

The ruling coalition (L-R: SNS-Andrej Danko, Smer-Robert Fico. Most-Híd-Béla Bugár).

Maya expert: The world we live in is not the only one possible

Leading Slovak expert contributes to rewriting Maya history.

Milan Kováč

Slovakia’s Pohoda wins two prestigious European festival awards

The festival organiser praised the awards and says they want to continue and improve the quality of the summer festival.

"They united us." - tribute to Ján Kuciak and Martina Kušnírová at Pohoda 2018.

Theresa May at least has the courage to try

May keeps her job because nobody else is capable, or willing, to take on the impossible task of Brexit.

Theresa May