Ukraine’s electric power grid is once again under cyberattack, one month after a similar incident brought down portions of the system and left hundreds of thousands of customers in the dark.
Worse, researchers studying the attacks say the malware believed responsible, a new version of the BlackEnergy family, has likely already spread to other European power grids and is positioned to infect more.
The attacks and spreading malware have left cybersecurity analysts scrambling to determine not only which systems are at greatest risk, but who might be responsible.
“We need to assume it’s already being deployed around Europe,” says Udi Shamir, co-founder and chief security officer for the cybersecurity firm SentinelOne. “This is cyber-warfare; we need to wake up and see that this is war.”
Shamir and his team recently completed a full reverse engineering of the new BlackEnergy3 malware, a standard technique analysts use to learn how a sample works and, sometimes, who wrote it.
What they found is that BlackEnergy3 spreads through the same Microsoft Office vulnerability used by its earlier, less sophisticated versions, BE1 and BE2. Shamir says that is unusual, because Microsoft patched that hole in 2014. (Public analyses of the Ukraine samples also documented delivery through macro-enabled Office documents, which need no unpatched vulnerability, only a recipient who enables macros, so patch status alone does not settle how a given network was infected.)
“There are a few possible explanations,” Shamir told VOA. “First, these just might be old systems that haven’t been updated. Second, someone on the inside might be intentionally spreading this. And third, it’s possible these bugs have been sleeping in systems for months on end, and they’re only now waking up.”
Attribution is notoriously difficult with malware, so conclusively proving who is behind these attacks is unlikely; however, researchers at the cybersecurity firm iSight previously found similarities between earlier versions of BlackEnergy and the tooling of the Russian-linked Sandworm team that targeted NATO infrastructure in 2014.
Shamir found the same similarities in BlackEnergy3, providing his team with “suggestions” of Russian involvement. “The code-style, the clustering, yeah it looks like Russia,” Shamir said. “I’m pretty confident that the origin is from Russia, but I don’t have any bulletproof evidence.”
More troubling, Shamir says this latest version of BlackEnergy is “modular”: a core component loads and swaps capability plugins, which makes it much easier for the operators to change how the malware behaves and significantly harder for security analysts to find and root it out.
“You can update it, you can replace it, you can change it, you can even change its entire functionality,” said Shamir. “So if you have a sleeper in one industrial network, it can get a totally new command module and infect other systems,” he said.
It is that ever-changing nature of the malware that makes it so hard to determine exactly how it works, and which systems within the power grids it is infecting and disabling.
Most worrisome, says Shamir, is that the majority of BlackEnergy3’s code does not deal with infecting or interfering with the industrial control systems that run power grids and other heavy industry. Rather, it appears designed for extensive monitoring and recording of network traffic and data, a tactic known as “sniffing.”
“It can detect and record network traffic, steal user credentials and documents if they’re working in a non-encrypted fashion, and exfiltrate all that data,” said Shamir. “That could allow (the hackers) to adjust BlackEnergy3 on the fly. It’s clearly more geared to espionage, and that’s what worries us, because we don’t know where it is now.”
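As an added illustration of the “sniffing” Shamir describes (example code written for this page, not code from the article or from SentinelOne’s analysis), the block below runs a passive parser over a few constructed client-to-server TCP streams and shows what a sniffer on an industrial LAN recovers when operators use unencrypted protocols. The hosts, usernames and passwords are hypothetical; the FTP and HTTP Basic sessions give up credentials in full, while the TLS session on port 443 yields nothing parseable.

```python
"""Passive credential recovery from cleartext protocols (added example).
Sample traffic below is constructed, not captured from any real network."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # reassembled client-to-server TCP stream


# Constructed sample traffic with hypothetical hosts and credentials.
SAMPLE_FLOWS = [
    # Engineer pulling PLC configs over plain FTP.
    Flow("10.10.5.21", "10.10.5.2", 21,
         b"USER scada_eng\r\nPASS Winter2015!\r\nCWD /configs\r\n"),
    # Operator logging in to an HMI web page over plain HTTP with Basic auth.
    Flow("10.10.5.21", "10.10.5.50", 80,
         b"GET /hmi/login HTTP/1.1\r\nHost: hmi-01\r\n"
         b"Authorization: Basic " + base64.b64encode(b"operator:plc-admin")
         + b"\r\n\r\n"),
    # Same HMI reached over TLS: the sniffer sees only a ClientHello and ciphertext.
    Flow("10.10.5.21", "10.10.5.50", 443,
         bytes.fromhex("16030100a5010000a10303") + b"\x00" * 40),
]

FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (\S+)\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)


def extract_cleartext_credentials(flows):
    """Return (protocol, src, dst, user, secret) for every credential
    that is readable directly from the wire."""
    found = []
    for f in flows:
        if f.dport == 21:
            user = FTP_USER.search(f.payload)
            pw = FTP_PASS.search(f.payload)
            if user and pw:
                found.append(("ftp", f.src, f.dst,
                              user.group(1).decode(), pw.group(1).decode()))
        elif f.dport == 80:
            for m in HTTP_BASIC.finditer(f.payload):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    continue  # malformed header, nothing usable
                user, _, secret = decoded.partition(":")
                found.append(("http-basic", f.src, f.dst, user, secret))
        # Encrypted flows (TLS on 443, SSH, ...) are not parsed: there is
        # nothing for a passive sniffer to read without the session keys.
    return found


def cleartext_protocol_ports_in_use(flows):
    """Ports on which credential-bearing cleartext protocols were observed;
    a quick inventory a defender can run before an attacker's sniffer does."""
    return {f.dport for f in flows if f.dport in (21, 23, 80)}


if __name__ == "__main__":
    for hit in extract_cleartext_credentials(SAMPLE_FLOWS):
        print(hit)
    print("cleartext credential protocols seen on ports:",
          sorted(cleartext_protocol_ports_in_use(SAMPLE_FLOWS)))
```

The defensive takeaway matches Shamir’s caveat “if they’re working in a non-encrypted fashion”: the same parser recovers nothing from the TLS flow, so moving engineering and HMI access off FTP, Telnet and plain HTTP removes most of what a sniffer implant can harvest, even if the implant itself is never found.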
Utilities and governments are traditionally reluctant to publicly confirm that their critical infrastructure is vulnerable to cyberattack, which makes it that much harder for researchers to track BlackEnergy3’s spread and activity.
Shamir and many other cybersecurity analysts, however, say they are sure the malware will continue to spread, and that this will lead to more blackouts and “mysterious” malfunctions in national power grids, transportation and other industrial infrastructure.