Over the last 10 years, the BlackEnergy malware family has grown to include three variants that has been used to target the energy and industrial sectors.
On December 23 2015, 230,000 people in Ukraine were left in the dark for six hours after hackers compromised the country’s energy sector. This attack highlighted the wide range of capabilities in modern hackers arsenals – in this instance, spearphishing emails delivering BlackEnergy 3 malware which was used to hook into the networks of energy companies and bring down essential systems.
This incident is the first recorded successful cyberattack on an electric grid, and BlackEnergy 3 was a key enabler. With a few lines of code, the hackers had a major impact on ordinary people’s lives – and if a power outage at the beginning of winter doesn’t sound too bad, just consider the impact if such a compromise were to affect emergency services.
The energy sector needs to be acutely aware of the danger posed by cyber attacks like this one. Here we explore how energy companies can collect and organise intelligence to inform their cybersecurity efforts.
All energy companies need to be able to defend themselves effectively. Intelligence analysis is a key component of achieving that goal.
BlackEnergy – where did it all begin?
Since its discovery in 2007, BlackEnergy malware has developed and morphed to now include three variants.
The first variant of BlackEnergy is a Trojan designed to conduct distributed denial of service (DDOS) attacks against major servers. The second iteration, BlackEnergy 2, marked a complete overhaul of its original form. The creators added 64 bit drivers and implemented UAC Bypass Installers to provide the malware with elevated code execution privileges on Windows. Finally, BlackEnergy 3, the variant used in the attack against Ukraine, includes a wider variety of plugins and anti-analysis technology enabling it to evade detection.
When facing a threat like that posed by BlackEnergy it is important to understand where the malware comes from, what it does, and who it has targeted in the past. A good place to begin is open source intelligence collection, collating indicators from openly available sources.
Many security companies publish blogs and reports that include indicators of compromise (IOCs) like file indicators such as hashes and network indicators like hostnames and IP addresses. This information can be used as the basis of a threat profile that includes important details like malware capabilities and targeting focuses, data which can aid a company in determining whether the activity poses a threat to its organization.
In the case of BlackEnergy, for example, ThreatConnect analysts started with a 2014 Kaspersky report, which detailed BlackEnergy use and contained MD5 hashes, network indicators, and target information associated with BlackEnergy 2 and BlackEnergy 3.
Building out intelligence
After collecting intelligence from publicly available reporting, researchers can pivot on network information by looking for additional domains on dedicated IP addresses and identifying hosts registered with the same registration information as those associated with a given threat. Companies can also use techniques like YARA hunting to identify additional, related malware samples. YARA rules can be used to look for strings in malware samples uploaded to public malware scanning sites. If a sample matching a given YARA rule is found, the researcher is notified.
Once a sample is identified, researchers can use automated malware analysis (AMA) services to analyze the malware. Many AMA services have a feature that associates similar files to the sample being analyzed. This feature can be used to find related samples without waiting for a file to match on a deployed YARA rule.
Organising your intelligence
After collecting indicators associated with the threat being researched, analysts can then begin to group them logically.
In the case of BlackEnergy, ThreatConnect researchers used the ThreatConnect platform to group related activity into incidents based on each of the three BlackEnergy variants, and linked the groups together using a larger BlackEnergy malware threat.
Making it actionable
Once information has been identified and pulled together, what happens next? As we like to say, intelligence doesn’t exist for its own sake: it exists to inform decisions. The information gathered can be used to make informed decisions about the threat posed by the activity.
There are automated platforms out there that make it easy to take action on information pulled together in this way, further simplifying the process and allowing staff to quickly send indicators to be blocked or assigned to an analyst for further analysis.
Cyber attacks are increasingly common and increasingly effective. The Ukrainian BlackEnergy attack was just an example of the impact a cyber attack can have – it ended within hours and only affected a small proportion of the population. Future attacks could conceivably last much longer and be more widespread. With lives and national security on the line in the case of an advanced attack, energy providers and governments must be prepared to defend their systems.
An ongoing programme of threat analysis, where indicators related to common threats are aggregated and mined for patterns and tactics, can play a large part in building an effective defence. Forewarned is forearmed – energy providers must take the initiative, equip themselves with analytical tools and get to know their enemy – before it’s too late.