BlackEnergy - What We Really Know About the Notorious Cyber Attacks

Presented at VB2016, Oct. 7, 2016, 2:30 p.m. (30 minutes).

In the past two years, BlackEnergy has become one of the malware families of greatest interest to system administrators responsible for protecting the networks of potential targets, to security researchers who have the family in their sights, and to the media, both technical and mainstream. BlackEnergy recently made the headlines again after we discovered that it had been used in cyber attacks against electricity distribution companies that resulted in widespread power outages in Ukraine in December 2015. But cyber attacks using the BlackEnergy malware are nothing new. We first discussed the malware and the perpetrators behind it (later nicknamed Sandworm Team) in our talk at the *Virus Bulletin* conference in 2014, describing how it had transformed from ordinary crimeware for DDoS attacks and online banking fraud into a complex toolkit for espionage and industrial sabotage. We are now publishing the most comprehensive paper to date on these operations, based on our three years of research.

One of the main reasons the BlackEnergy attacks have attracted so much attention is that they were, and still are, carried out in the midst of a tense geopolitical situation in Ukraine. In addition to electricity distribution companies, the targets in that country have included state institutions, news media organizations, airports, and railway companies. Ukrainian officials were quick to point an accusing finger at Russia, and many others, including security companies, followed with similar allegations. The power grid compromise has become widely known as the first confirmed cyber attack to cause a power outage affecting civilians.

In our paper we share insights from these discoveries and from our subsequent research, including previously unpublished details. We attempt to separate fact from speculation and reality from hype, and to state clearly what we know and what we do not know, both with regard to attribution and to other disputed details of the attacks.

Presenters:

  • Robert Lipovsky - ESET
    Robert Lipovsky is Senior Malware Researcher in ESET's Security Research Laboratory, having worked for ESET since 2007. He is responsible for malware intelligence and research and leads the Malware Research team in Bratislava. He is a regular speaker at security conferences, including Virus Bulletin, EICAR, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater, and at Comenius University. When not bound to a keyboard, he enjoys sports, playing the guitar and flying an airplane.
  • Anton Cherepanov - ESET
    Anton Cherepanov graduated from the South Ural State University in 2009. Currently working at ESET as a malware researcher, his responsibilities include the analysis of complex threats. His research has been presented at numerous conferences, including Virus Bulletin, the CARO Workshop, PHDays, and ZeroNights. His interests focus on IT security, reverse engineering and malware analysis automation.
