7 Jan 2016

BlackEnergy APT is back, deleting files and killing computer systems

The BlackEnergy APT - or SandWorm group, as some researchers call it - has been active since 2007 (at least).

Its past exploits include cyber-espionage campaigns targeting NATO, the European Union, Ukrainian and Polish government organizations, the White House, and a variety of US ICS operators.

In the last few months, they have turned their sights on Ukrainian targets.

According to ESET researchers, the group has hit Ukrainian news media companies in November 2015 (during the 2015 Ukrainian local elections), and Ukrainian energy companies in December 2015.

In both attacks, the attackers have leveraged a new component of the BlackEnergy Trojan. Called KillDisk, it apparently supersedes the dstr plugin used in previous variants, and is capable of wiping documents and various file types (over 4000 file extensions!), as well as deleting Windows Event Logs and system files in order to make the system unbootable.
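The three behaviours ESET attributes to KillDisk (mass deletion across a very large set of file types, clearing of Windows Event Logs, and deletion of system files) each leave a footprint that host telemetry can flag. The following is an added illustration, not code from the article or from ESET: it runs a few simple heuristics over a constructed stream of host events. The event format, the thresholds and the function names are assumptions chosen for the example; the only facts taken as given are the behaviours described above and the well-known Windows event IDs written when a log is cleared (Security 1102, System 104).

```python
"""Heuristic detection of wiper-style activity over constructed host telemetry.

Added example (not from the article or from ESET). The telemetry format,
thresholds and helper names are assumptions for illustration only.
"""
from datetime import datetime, timedelta

# Windows event IDs written when a log is cleared. A wiper that erases the
# logs usually leaves at least one of these behind in the log that survives.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Assumed thresholds for a deletion "burst": at least this many deletions
# inside the window, spread over at least this many distinct extensions.
BURST_WINDOW = timedelta(seconds=60)
BURST_MIN_FILES = 20
BURST_MIN_EXTENSIONS = 5

SYSTEM_DIR = "c:\\windows\\"   # deletions under here threaten bootability


def _ext(path):
    """Lower-cased extension of a Windows path, '' if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_wiper_activity(events):
    """Return alert strings for a list of constructed host events.

    Each event is a dict with 'ts' (ISO-8601 timestamp) and 'kind':
      kind='file_delete'  also carries 'path'
      kind='eventlog'     also carries 'log' and 'event_id'
    """
    alerts = []
    deletions = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "eventlog":
            if (ev["log"], int(ev["event_id"])) in LOG_CLEARED_IDS:
                alerts.append(f"{ev['ts']} event log cleared: {ev['log']} id {ev['event_id']}")
        elif ev["kind"] == "file_delete":
            path = ev["path"]
            deletions.append((ts, path))
            if path.lower().startswith(SYSTEM_DIR):
                alerts.append(f"{ev['ts']} system file deleted: {path}")

    # Sliding time window over deletions: many files of many types in a short
    # span is the signature of a wiper rather than of normal user activity.
    deletions.sort()
    start, reported = 0, False
    for end in range(len(deletions)):
        while deletions[end][0] - deletions[start][0] > BURST_WINDOW:
            start += 1
        window = deletions[start:end + 1]
        exts = {_ext(p) for _, p in window}
        if (not reported and len(window) >= BURST_MIN_FILES
                and len(exts) >= BURST_MIN_EXTENSIONS):
            alerts.append(f"{window[0][0].isoformat()} mass deletion burst: "
                          f"{len(window)} files, {len(exts)} extensions")
            reported = True
    return alerts


def sample_events():
    """Constructed telemetry resembling a wiper run (no real paths or IoCs)."""
    base = datetime(2015, 12, 23, 10, 0, 0)
    exts = ["doc", "xls", "pdf", "jpg", "avi", "txt"]
    events = [{"ts": (base + timedelta(seconds=i)).isoformat(), "kind": "file_delete",
               "path": f"C:\\Users\\op\\Documents\\file{i}.{exts[i % len(exts)]}"}
              for i in range(25)]
    events.append({"ts": (base + timedelta(seconds=30)).isoformat(), "kind": "file_delete",
                   "path": "C:\\Windows\\System32\\drivers\\example.sys"})
    events.append({"ts": (base + timedelta(seconds=31)).isoformat(), "kind": "eventlog",
                   "log": "Security", "event_id": 1102})
    return events


def benign_events():
    """Constructed telemetry for ordinary activity: a few temp files and a service start."""
    base = datetime(2015, 12, 23, 9, 0, 0)
    events = [{"ts": (base + timedelta(minutes=i)).isoformat(), "kind": "file_delete",
               "path": f"C:\\Users\\op\\AppData\\Local\\Temp\\scratch{i}.tmp"}
              for i in range(3)]
    events.append({"ts": base.isoformat(), "kind": "eventlog", "log": "System", "event_id": 6005})
    return events


if __name__ == "__main__":
    for line in detect_wiper_activity(sample_events()):
        print(line)
```

The burst heuristic is deliberately coarse; in practice the thresholds would be tuned per host role, and the event-log check should be paired with a watch on the Windows Event Log service itself, since a wiper can stop the service before clearing the logs.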

While in the attacks against media companies the Trojan's main aim was to delete documents, video files and the like, in the attacks against power companies the attackers were more interested in deleting files and killing processes in a way that could sabotage working industrial systems.

Although ESET researchers don't actually say it, the latter attacks are likely the ones flagged by Ukraine's Security Service (SBU).

Apparently, the agents have found malware in the networks of individual regional power companies, and the attack was accompanied by a telephone "flood" aimed at the companies' tech support department.

The Ukrainian government blames Russians for the attacks, as all the targets are situated in the areas under control of the official government.

Aside from the past targets, all of which were institutions and individuals considered to work against Russian interests, there are other indicators pointing to Russian nationals being the attackers. Still, it's impossible to say for sure whether they are or not, and whether they work for the Russian government.

http://www.net-security.org/malware_news.php?id=3185