November 11, 2014

BlackEnergy 2: a good set or bad deeds


A new article had been released on Securelist, dedicated to the already notorious BlackEnergy crimeware toolkit, which has been used most recently by Sandworm APT group, also known as BE2 APT.




While the majority of the research is mostly technical, there are a number of details which may require attention from business people. We’ll try to cover them in this post.

So, what is BlackEnergy? Initially a DDoS crimeware, it turned into a huge collection of various tools currently used in various APT-type activities, including what Kurt Baumgartner and Maria Garnaeva called “significant geopolitical operations”.

The most interesting point here is that BlackEnergy is a modular tool that comprises a lot of various plugins with capabilities to attack a multitude of platforms, including ARM and MIPS; there are also scripts for Cisco network devices, certificate stealers, and destructive plugins.

Yes, destructive: Some are clearly purposed to kill hard drives by overwriting all of the information on them with random data mash.

Kaspersky Lab’s experts don’t know the total number of plugins associated with BlackEnergy (or, to be more specific, BlackEnergy 2 and BlackEnergy 3 – the currently known APT tools), nor do they know how many hacking groups have BE at their disposal. The Sandworm APT team has drawn a lot of attention to itself due to its high-profile attacks on high-profile targets, but it doesn’t mean there aren’t any other groups that may be using the same tools right now, fortunate enough to remain undiscovered.

The Sandworm/BE2 APT group had been hitting the larger entities and clearly displayed an expansive interest in ICS. Among their victims are:

  • power generation site owners
  • power facilities construction
  • power generation operators
  • large suppliers and manufacturers of heavy power related materials
  • investors

However, researchers also noticed that the target list includes government, property holding, and technology organizations as well.

It is also possible there are subtler operations in the works by other groups, with lower-profile targets; BlackEnergy hasn’t been created specifically for narrowly targeted attacks. Judging by its architecture, BlackEnergy is a versatile and advanced toolset.

The attackers behind BE2 were aware they are being watched. Baumgartner and Garnaeva mentioned in their report that over the course of the investigation, attackers left behind a “punchy” farewell message:


Trolling of this kind shows that the attackers are already rattled by the extensive attention they’ve drawn to themselves. Still, so far, they are rather successful in covering their tracks. As said above, the whole range of tools, plugins, and other components of BlackEnergy is still undefined.

The most important thing in situations like this is an attack vector. Of four victims profiled in the research, two had been hit with successful spearphishing. Moreover, attackers delivered an exploit for which there were no (and still is no) current CVE, while a metsaploit module had been available.

This email message contained a ZIP archive with an .EXE file inside that did not appear to be executable. This crafted zip archive exploited a WinRAR flaw that makes files in zip archives appear to have a different name and file extension.

The second victim had been hacked via the first victim’s stolen VPN credentials; some data was destroyed on their machines and Cisco routers were hacked.

And while the third victim had been hit the same way as the first, it is the fourth case (or, rather, a set of cases, for there was more than one company affected) that seems especially troubling. Victims discovered that Siemens SCADA software in their ICS environment was responsible for downloading and executing BlackEnergy-associated malware.

All in all, researchers say that the malware’s breadth presents new technical challenges “in unusual environments, including SCADA networks”. These challenges, Baumgartner and Garnaeva say, “may take an organization’s defenders far beyond their standard routine and out of their comfort zone.”

While system administrators should clearly pay close attention to the full version of the research, here are some basic recommendations for businesses regarding this threat:

– Assume that you are a potential target even if your business doesn’t belong to the aforementioned sectors and/or their supply chains. BE tools may be in the possession of more than one hacking gang.

– Deploy antiphishing tools and educate employees on phishing, spearphishing, and how they can be countered.

– Diminish the possible attack surface by setting the most vulnerable software exploited by BE in the “presumption of guilt” mode. Automatic exploit prevention tools are most helpful here.

– And, of course, keep software (including security solutions) up to date.