Headline news yesterday (20th Dec 2016) reported that Ukraine suffered a power outage. It was the second power disruption this year; as far as I remember, the first incident occurred in Jan 2016. This news prompts information security experts to re-think the BlackEnergy DDoS tool. BlackEnergy, found in 2007, is a notoriously powerful distributed denial of service tool; its cyber attacks suspended the communication facilities of the Georgian Soviet Socialist Republic. Summing up the cyber attacks on nuclear power facilities, people get the feeling that those incidents look like political fights. It sounds like a naughty boy intending to turn off the neighbor's main water tap to create trouble.
Analysis of attacks on nuclear power facilities
Hardcore type malware: Stuxnet, Duqu, and Flame are categorized as hardcore type malware. Hardcore type malware usually achieves the following actions.
Incident historical records:
- June 2010 – Stuxnet malware used to sabotage Iran’s nuclear program.
- May 2012 – Flame malware targeted cyber espionage in Middle Eastern countries.
- Dec 2014 – South Korean nuclear operator hacked amid cyber-attack fears.
- Mar 2015 – South Korea claims North hacked nuclear data.
- Apr 2016 – Malware infected systems at the Gundremmingen nuclear plant in Germany.
- Oct 2016 – Headline News: Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command.
Weaponized types of malware: contain sabotage, interference, traffic monitoring and remote control functions.
The original design goal of BlackEnergy is to provide a powerful distributed denial of service function. To meet attackers' functional requirements, BlackEnergy began supporting plugins in 2007; this is the second generation of BlackEnergy. The plugin feature makes use of mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host (see the diagram below for reference). To evade virus and malware detection, the malware avoids using a hardcoded name for its mutex.
The third generation of BlackEnergy takes advantage of an OLE object vulnerability (CVE-2014-6352). Malicious code embedded in an MS Office document (xls format) gains remote code execution. Since the BlackEnergy hashes were exposed to the world (see the details below for reference), more than 90% of the above antivirus programs can detect it. It looks like the severity level of the risk has dropped.
Target windows component: Win32 DLL
Attack scenario: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Malware implant target destination:
- Win32 Executable MS Visual C++ (generic) (67.4%)
- Win32 Dynamic Link Library (generic) (14.2%)
- Win32 Executable (generic) (9.7%)
- Generic Win/DOS Executable (4.3%)
- DOS Executable Generic (4.3%)
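As an added example (not code from the original post), here is a small Python triage script covering the two points the notes above rely on: it parses a PE header to produce a description in the same shape as the "PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit" line, and it checks the file's SHA-256 against a blocklist, which is how the exposed BlackEnergy hashes let antivirus engines match samples. The PE input and the blocklist are constructed for the demonstration (the post reproduces no hash, so the blocklist is seeded with the constructed sample's own digest), and the one-byte variant shows why hash-only matching is brittle: the file type is unchanged, but the exact-hash check no longer fires.

```python
import hashlib
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x010B
PE32PLUS_MAGIC = 0x020B
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "Intel 80386 32-bit",
                 IMAGE_FILE_MACHINE_AMD64: "x86-64"}


def build_sample_pe(machine=IMAGE_FILE_MACHINE_I386, is_dll=True, subsystem=2):
    """Construct a minimal, non-runnable PE header (constructed test input, not a
    real binary): DOS header, PE signature, COFF header and just enough of the
    optional header to carry Magic (offset 0) and Subsystem (offset 68)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    magic = PE32PLUS_MAGIC if machine == IMAGE_FILE_MACHINE_AMD64 else PE32_MAGIC
    optional = (struct.pack("<H", magic) + b"\x00" * 66
                + struct.pack("<H", subsystem) + b"\x00" * 26)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(optional), characteristics)
    return dos + b"PE\x00\x00" + coff + optional


def classify_pe(data):
    """Return a TrID-style description of a PE image, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        return None
    machine, _nsec, _ts, _symptr, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or len(data) < opt + 70:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic)
    if fmt is None:
        return None
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    sub = SUBSYSTEM_NAMES.get(subsystem, "subsystem %d" % subsystem)
    arch = MACHINE_NAMES.get(machine, "machine 0x%04x" % machine)
    return "%s executable for MS Windows (%s) (%s) %s" % (fmt, kind, sub, arch)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_match(data, known_bad):
    """Classic indicator matching: is this file's SHA-256 on the blocklist?"""
    return sha256_hex(data) in known_bad


def triage(data, known_bad):
    """Combine structural classification with hash matching for one file."""
    return {"type": classify_pe(data),
            "sha256": sha256_hex(data),
            "known_bad": hash_match(data, known_bad)}


SAMPLE = build_sample_pe()
# Placeholder blocklist seeded with the constructed sample's own digest; a real
# feed would carry the published hashes instead.
KNOWN_BAD = {sha256_hex(SAMPLE)}
# Same header with one byte of the zero-filled DOS stub changed: a repacked or
# trivially modified build keeps its file type but evades exact-hash matching.
VARIANT = SAMPLE[:0x20] + b"\x01" + SAMPLE[0x21:]

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("variant", VARIANT)):
        print(name, triage(blob, KNOWN_BAD))
```

The structural classification is what the "Malware implant target destination" percentages describe at scale; pairing it with hash matching shows the gap the post alludes to, since a hash-based verdict covers only the exact builds whose digests were published, while the file type and characteristics survive trivial changes.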
Status update on 21st Dec 2016
Ukraine Suffers Power Outage Possibly Due to Energy Plant Hack on 17th Dec 2016 (Saturday). What do you think? Do you think a new shape of BlackEnergy was born? My speculation is that cyber attacks on nuclear power facilities are going to increase in the coming months.