On December 23rd, 2015 a coordinated and synchronized remote cyber attack on Ukrainian regional electricity distribution companies (Oblenergos) caused extended unscheduled power outages for over 225,000 customers across multiple central and regional facilities. In addition to the temporary operational impact, the attack left several systems permanently unusable.
The strikes against the separate companies were coordinated to within 30 minutes of each other, with BlackEnergy malware serving as the initial delivery and command-and-control platform. During the attack, breakers were operated maliciously by remotely controlling operator workstations at the OS level. There is evidence that legitimate credentials were used, having been captured during a surveillance period between the initial infection and the strike.
In addition, three companies indicated that at the end of the cyber attack KillDisk malware was used to corrupt master boot records, rendering systems inoperable. Target systems included:
- Windows-based workstations running ICS client software
- Serial-to-Ethernet devices at substations
- Windows-based human-machine interface (HMI) machines
- Uninterruptible power supplies (UPS)
BlackEnergy can sit undetected for long periods, evading traditional signature-based anti-virus and anti-malware, while gathering critical information such as network maps, software inventories, and credentials, and it communicates with its operators over encrypted channels. For these reasons BlackEnergy poses a substantial threat to organizations in the US, both now and in the future.
RAVENii has partnered with Cylance, a leader in non-signature-based malware detection and prevention, to develop a quick and effective program to assess whether or not BlackEnergy has infiltrated an organization. In addition to this "Indicator of Compromise" assessment, an attack surface report card based on the recent ICS-CERT recommendations "Seven Steps to Effectively Defend Industrial Control Systems" is provided, to assess an organization's capability to repel and detect BlackEnergy.
The program can assess tens of thousands of systems within a thirty-day window, giving organizations the ability to quickly answer two questions: "Do we have BlackEnergy in our systems?" and "Are we vulnerable to BlackEnergy?"
Confidential inquiries about the BlackEnergy IOC Assessment should be directed to: