Hackers have caused what appears to be the first ever malware-induced power outage, knocking out power to hundreds of thousands of homes last week with highly “destructive malware,” researchers in the Ukraine reported last week.
On December 23, half the homes in the Ivano-Frankivsk region of the Ukraine suddenly lost their electricity, Ukrainian news service TSN first reported. The report went on to disclose that the outage was the direct result of malware that disconnected electrical substations. On Monday, researchers from security firm iSIGHT Partners said that they had obtained samples of the malicious code that infected at least three of the regional operators. According to iSIGHT, the malware led to “destructive events” that in turn caused the outage.
If confirmed, this would be the first known instance of a hacker group or individual using malware to cause a full-fledged power outage.
Researchers from antivirus firm ESET have confirmed that multiple Ukrainian power stations were infected by “BlackEnergy,” a piece of malware first uncovered in 2007 and last seen updated two years ago, when it gained new functions able to render infected computers useless. Most recently ESET said it found the malware updated once again with a host of new functions, the most notable being a component dubbed KillDisk, a tool that destroys critical components found within hard drives and contains a deadly function that could “sabotage industrial control systems.” The BlackEnergy malware also contains a backdoored SSH utility that lets attackers gain direct access to the infected machine.
A closer look at the BlackEnergy malware
Up to this point, BlackEnergy has mainly been found conducting espionage on targets affiliated with news organizations, power companies and other industrial groups. While iSIGHT has yet to confirm that the malware was the culprit, ESET likewise did not tie the malware directly to the most recent blackout, but did state that the new BlackEnergy features had more than the necessary capability.
“Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems,” said Robert Lipovsky and Anton Cherepanov, both malware researchers for ESET, in a blog post published Monday. “However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.”
The group behind BlackEnergy has steadily been ramping up the tool’s destructive capabilities over just the past year. According to an advisory published by Ukraine’s Computer Emergency Response Team (CERT), the KillDisk module packed in BlackEnergy infected a media organization’s servers, which led to the permanent deletion of an unknown amount of video among other irrecoverable content. The KillDisk module is what is believed to have plagued the Ukrainian power operators; however, ESET believes the malware was specifically modified to delete only particular sets of data. BlackEnergy’s KillDisk module also scans for active executables running on the system, more specifically services commonly used in industrial control systems. If a targeted service executable is found on the system, KillDisk not only tries to terminate the service but also overwrites the executable file on the hard drive with its own version, making the system substantially harder to restore.
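As an added defender-side example (not code from the original article or from any of the vendors it names), the Python below shows how the overwrite-and-terminate behaviour described above would surface in two routine checks: a hash baseline over protected service binaries and a scan of service-stop events in Windows System log lines. The binary paths, their contents, the service names and the log lines are all constructed placeholders.

```python
import hashlib
import re

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed known-good copies of the service binaries a plant would protect.
# Paths and contents are hypothetical placeholders, not real ICS products.
GOOD_BINARIES = {
    r"C:\ICS\hmi_server.exe": b"MZ\x90\x00 good hmi build 1.4",
    r"C:\ICS\data_historian.exe": b"MZ\x90\x00 good historian build 2.1",
}
# Baseline of hashes recorded while the system was known to be clean.
BASELINE = {path: sha256(data) for path, data in GOOD_BINARIES.items()}

def find_tampered(baseline: dict, on_disk: dict) -> list:
    """Compare the binaries on disk now against the clean baseline.
    Returns (path, reason) for every protected binary that is missing or whose
    hash changed, which is the footprint of a KillDisk-style overwrite."""
    findings = []
    for path, expected in baseline.items():
        data = on_disk.get(path)
        if data is None:
            findings.append((path, "missing"))
        elif sha256(data) != expected:
            findings.append((path, "hash mismatch"))
    return findings

# The Windows Service Control Manager logs Event ID 7036 when a service stops.
STOP_RE = re.compile(r"EventID=7036 .*The (?P<svc>.+?) service entered the stopped state")

def unexpected_stops(log_lines: list, protected_services: set) -> list:
    """Return the names of protected services seen stopping in the log lines."""
    stopped = []
    for line in log_lines:
        m = STOP_RE.search(line)
        if m and m.group("svc") in protected_services:
            stopped.append(m.group("svc"))
    return stopped

# Constructed scenario: the HMI binary was overwritten and its service stopped.
CURRENT_DISK = dict(GOOD_BINARIES)
CURRENT_DISK[r"C:\ICS\hmi_server.exe"] = b"MZ\x90\x00 attacker replacement"
SAMPLE_LOG = [
    "2015-12-23T15:30:01 EventID=7036 The HMI Server service entered the stopped state.",
    "2015-12-23T15:30:02 EventID=7036 The Print Spooler service entered the stopped state.",
]

if __name__ == "__main__":
    print(find_tampered(BASELINE, CURRENT_DISK))
    print(unexpected_stops(SAMPLE_LOG, {"HMI Server", "Data Historian"}))
```

Both checks only catch what the baseline and the watched-service list cover, so each list needs to be maintained alongside the plant's software inventory.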
According to ESET, the Ukrainian power organization was infected by attackers sending malicious macros embedded in Microsoft Office documents. If true, this means that industrial control systems, along with dozens of other highly sensitive organizations, can be compromised using simple social-engineering tactics. It also shows that malware can now have catastrophic consequences, such as causing power blackouts spanning cities.
Ukrainian authorities have begun investigating a suspected cyber attack on the country’s power grid. iSIGHT Partners attributes the BlackEnergy malware to a group it calls the Sandworm team, a hacker gang believed to have ties to Russia, though neither claim has been proven.
The attacks headed for Internet-connected industries in 2016 are going to be critical, with the first massive attack already causing power blackouts for hundreds of thousands of unsuspecting residents. Malware and its expanding capabilities are only going to become more deadly in 2016.