Black Energy Security Report

Featured article by Irena Damsky, Senior Director, Security Research at ThreatSTOP, Inc.

Black Energy, a notorious malware that we have been researching lately, has once again become the subject of talk in the cyber world. This celebrity status is mainly due to its involvement in the recent cyberattack on Ukraine’s power industry, which left around 80,000 customers of the electricity company without power for several hours, two days before Christmas.

Arbor Networks discovered the original Black Energy – a relatively simple HTTP DDoS Trojan – in mid-2007. During their initial research, Arbor Networks analyzed twenty-seven botnets infected by Black Energy, with an estimated couple hundred bots in each network. Most of the botnets were in Russia and Malaysia, yet the most of the top targets for the DDOS attacks were also in Russia, making the correlation between the attacked networks and the attacked sites unclear. Since its first sighting, Black Energy has taken many forms and has evolved into a sophisticated malware that can be used for fraud, spam, espionage, and targeted attacks.

The first major attack in which Black Energy was utilized was in 2008, when Russian hackers successfully hacked 54 communications, finance, and government websites in Georgia – just 3 weeks before the Russo-Georgian war. This attack is said to be the first case in history of a coordinated cyberspace domain attack synchronized with major combat actions in the other war domains (consisting of land, air, sea, and space).

Later, in 2010 came the first time Black Energy was used in a massive cyber-fraud attack, this time with a newer version of the malware. Black Energy version 2 was better for the mission than its former counterpart, using a plug-ins to carry out its various malicious capabilities. For example, in an event researched by SecureWorks, Black Energy v2 took advantage of a plug-in for a banking authentication system – used only by Ukranian and Russian banks – to steal authentication credentials. These credentials, as hypothesized by SecureWorks researchers, would be used to transfer money, and adjacently to launch DDOS attacks against the bank to distract them from noticing the fraudulent transfers.

In September 2014, the US Department of Homeland security announced that the software responsible for running most of the nation’s critical infrastructure had been attacked with Black Energy, and had been infected since 2011. The compromised software was used to control oil and gas pipelines, power transmission grids, water distribution and filtration systems, wind turbines, and even nuclear plants. Had it gone undiscovered, this Black Energy invasion could have seriously damaged US security and the country’s economy.

Not only was 2014 a year of discovery for prior Black Energy attacks that had gone unexposed, it was a year that brought many new samples to researchers’ attention. F-Secure labs went as far as stating that “The universe is full of Black Energy and so is cyberspace”. In June, two Black Energy samples were uploaded and researched by F-Secure Labs – one from Ukraine and the other from Belgium. A political party website in Ukraine had been a main target in first attack, and Belgium is the home of the NATO headquarters. These facts, in sight of the Ukranian political and national crisis peaking in 2014, raised speculation as to the motives of the attackers, and strengthened the notion that Black Energy was being used mostly for political sabotage attacks. A few months later, ESET stated that they had been researching over one hundred individual victims of Black Energy attacks that year, half in Ukraine and half in Poland, which included a number of state organization and various businesses.

During 2015, Black Energy was used against several electrical distribution companies in Ukraine, peaking on December 23rd with the massive DDOS attack against the electrical power industry, leaving most of the Ivano-Frankivisk Oblast without power for 6 hours.

The sophistication that this bot has come to over the years has given it a big name in the cyber world.

The Evolution of Black Energy

Black Energy v1

The first Black Energy samples researched by Arbor Networks in 2007 were of a web-distributed DDoS bot, used to target Russian sites while using Malaysian and Russian IP addresses.

Unlike most bots at the time, Black Energy v1 did not communicate with the botnet master using IRC, nor did it perform exploit activities. Because of the lack of an exploit code, external tools and methods were necessary in order to load the bot.

The first version of Black Energy had three distinct capabilities: DDoS attack commands, a download functionality using a “get” command to download from its servers, and commands to stop the bot from acting, such as “stop” (cease DDoS attacks), “wait” (act as a placeholder), and “die”. The bot’s way of evading detection was by hiding the bot’s processes and files in a system driver called “syssrv.sys”.

Russian underground hackers were said to be the owner of the bot, and although it was not widely available on the web, it was sold in Russian forums for computer hackers and in the Russian underground.

Black Energy v2

After the big success of Black Energy v1 came its second and more superior version, which was publicly announced in 2010. The malware went through a complete code rewrite, and emerged with a modular architecture, making it easy to modify and suitable for spam, fraud and targeted attacks as well as its original DDoS functionality.

The malware’s flexible infrastructure utilizes plug-ins with various capabilities that can be downloaded and updated from the bot’s C&C servers. These plugins are saved in an encrypted format as drivers on the infected computer’s hard drive. Malicious plug-ins include the Trojan plug-in, which can destroy an infected computer’s entire filesystem when given a “kill” command, the DDoS plugin, as well as plug-ins used to gather user credentials, send spam, and more. In addition, the bot can download and execute remote files, execute local files, update itself from the C&C servers, and die on command.

The attackers’ capability to easily update the bot on demand also makes the bot much more evasive – if the bot is discovered by an antivirus program, the programmers can simply write an update that overtakes the discovered part of the malware. The update is then sent to their bots for immediate action. This feature makes the bot’s survival time on an infected computer much, much higher.

Black Energy v3

The latest full version of Black Energy emerged in 2014. The changes made to this version were smaller, mainly simplifying the malware. For instance, the v3 installer does not use a driver component in the installation process, as did the previous versions, but rather the installer drops the main DLL component directly to the local application data folder. Another modification made to v3 is that it communicates with its plugins using a different protocol than its predecessors.

Black Energy LITE

Also called “Black Energy Mini”, this version runs its plug-in capabilities differently and with less support than its “big” counterparts and leaves a lighter footprint. Black Energy Lite’s configuration files are stored as a x.509 certificate (responsible for public key verification), instead of as an xml file like the other versions of the malware.

Infection Vectors

Researchers studying Black Energy have come across many samples of the malware, and show that it has been distributed in various ways. The most common distribution method is as an email attachment. In a simple attachment-based infection, attackers attach an executable file (.exe) with the word-document icon, which tricks victims into thinking it is a legitimate file. Other methods took advantage of exploits in common programs. In one infection case, the attackers used a PowerPoint attachment, utilizing a vulnerability in the application that loads remote files in the background. This way, the attackers were able to “silently” drop the malware dropper while showing a decoy document to the victim. Word (the well-known CVE-2014-1761 zero-day vulnerability), Java, and TeamViewer and Juniper were also exploited for the use of infecting victims with Black Energy.

The Main Actor: Sandworm

The most prominent use of Black Energy for targeted attacks is by a cyber gang who is attributed to Russia. The group, who was named Sandworm because of the references to the science-fiction series “Dune” embedded in their malware, was researched mainly from late 2013 and throughout 2014, and it seems that the team’s activity traces back to 2009. The group’s preferred infection tactic is spear-phishing, and they use Black Energy version 3 as their signature malware.

The Sandworm team is known to have a particular interest in political targets, and is said to be responsible for the 2014 attacks against Ukranian government organizations. Other organizations the gang has targeted include NATO, Western European government organizations, Energy Sector firms, European telecommunications firms, and American academic organization. In addition, it is suspected that Sandworm was involved in the 2008 attack on Georgia. Many tie Sandworm to the Russian government, though there is no proof of this type of connection.

Most mainstream media outlets have quoted the security firm iSight, who claims that Sandworm is responsible for the recent Ukranian power outage. This is probably largely due to the fact that Black Energy v3 was found in the samples uploaded from the attack, as well as the political motive of the group. Others say this is a loose assumption and is not close to enough evidence to tie the cyber gang to the attack.

Black Energy has been, and will probably continue to be, an extremely powerful and intriguing malware researched by the biggest security companies today. ThreatSTOP has been actively analyzing indicators for this malware, and is currently protecting its customers from the malware by blocking any potential traffic from their network to Black Energy’s C&C servers.

Author: Irena Damsky – Senior Director, Security Research at ThreatSTOP, Inc.

Irena Damsky is a security and intelligence researcher and developer based in Israel. As Senior Director, Security Research for ThreatSTOP, she is responsible for establishing and managing a team of researchers and analysts to find, understand and publish information about active threats that is then used to protect ThreatSTOP customers and shared with the infosec community at large. Prior to joining ThreatSTOP, Irena served as the Threat Intelligence Team Leader for Check Point Software. Irena currently holds the rank of Captain in Reserve with the Israeli Intelligence Forces where she served for more than six years as a security researcher, developer and team leader. She is a frequent speaker at security events such as M3AAWG and Shmoocon. Irena holds a BSc in Computer Science from Tel Aviv University (TAU) and an MSc in Computer Science from The Interdisciplinary Center Herzliya (IDC). She is fluent in English, Russian and Hebrew.