The Department of Homeland Security’s (DHS’s) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has identified a piece of malicious code known as ‘BlackEnergy’ in the networks of a power company in western Ukraine.
The code came to light when the United States intelligence community investigated the cyber attack on the Ukrainian power grid that took place in December of last year.
BlackEnergy is a sophisticated malware campaign that has been active since at least 2011. It targets industrial control systems and has previously been identified on Internet-connected human-machine interfaces (HMIs) in the United States.
The investigation shows that the power outages were caused by a series of coordinated network attacks against multiple utilities, which disrupted their supervisory control and data acquisition (SCADA) systems as well as their phone systems.
ICS-CERT and US-CERT, together with the Ukrainian CERT, are still analyzing the malware, which was likely used to prevent system operators from detecting the attack while a remote attacker opened breakers.
The malware component itself is not especially sophisticated and may have been used mainly to cover the perpetrators’ tracks.
On December 23, a power cut affected around 80,000 customers for up to six hours. The attacks disconnected at least seven 110 kilovolt (kV) and twenty-three 35 kV substations.
Ukraine’s security service blamed the Russian government for the incident. It was later noted that BlackEnergy, which has been linked to the Russian hacking group known as ‘Sandworm’, was involved in the attack. In October 2014, Sandworm was reported to have compromised industrial control systems in the US over a period of up to three years.
The malware has also been found in attacks on utilities and media organizations, where it deployed its disk-wiping KillDisk component.
Former NSA and CIA director, retired Gen. Michael Hayden, warned about the growing threat of physical damage caused by malware infections.