Running head: GROUP 2: BLACKENERGY
Group 2: BlackEnergy
ISOL 632 – Business Continuity Planning and Disaster Recovery Planning
University of the Cumberlands - Summer 2018
Professor: Dr. Mary R. Lind, Ph.D.
Group 2 Members:
Mirza Mohammed Omer Baig
Jaipal Reddy Goli
Swetha Kancharla
Pradeep Kumar Kasibhotla
Viran Kumar Kepa
Yousaf Khalid
Vijender Reddy Surukanti
Dheeraj Reddy Thatipally
Sasi Dhar Reddy Tippireddygari
Attack Summary:
BlackEnergy was used to sabotage the Ukrainian power industry just before Christmas 2015. BlackEnergy is a Trojan: once it infects a computer it gives the attacker remote control and loads plugins that disrupt the system in different ways. In this incident it was used to disrupt regional power distribution and caused an electricity outage in western Ukraine (Robert & Anton, 2016). The attackers also used BlackEnergy to deploy the disk-wiping malware KillDisk.
Before starting this paper, our understanding of BlackEnergy was that it is malware that spreads between computer systems and is used for DDoS attacks, that it undermines the security features of the infected machine, and that it opens a back channel for malicious connections that let the attacker take control of the device.
Like any other attack, the attacker first chooses a target system and tries to infect it with malware. Any infrastructure is only as strong as its weakest component, and cyber-attacks illustrate this well: attackers identify and target the weakest component of the environment. After a successful intrusion the malware is installed (Thomas, 2016). To get it in, attackers disguise the malware inside documents or applications that look harmless. BlackEnergy used Microsoft Office documents as the carrier, delivered by spear phishing: in the Ukrainian power-grid attack, employees received e-mails with malicious attachments (Khan, Maynard, McLaughlin, Laverty, & Sezer, 2016). When an employee opens the document, it asks the user to enable macros. Enabling the macros runs the embedded code, which installs the malware and undermines the computer's security controls; the attacker later uses this foothold to gain unauthorized access. The attacker then makes the changes needed for the attack and prepares the system. At this point the malicious software impersonates legitimate software, conceals itself from anti-virus products and tries to spread within the network (Kurt & Maria, 2014). Once the groundwork is done, the attacker chooses a time to destroy the system's functionality and disrupt its services. In the Ukrainian power-grid attack the attackers chose to disrupt service two days before Christmas, which made it the most significant attack carried out with BlackEnergy (Richard, 2015).
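The delivery step described above, as an added example that is not part of this paper or of any source it cites: a small Python triage script of the kind a mail gateway would run. It parses a spear-phishing message, looks inside each Office attachment for a VBA project and flags auto-executing macro entry points and the calls a dropper macro needs to write and launch a payload. The message, both attachments and the macro source are constructed inline for the example, and the sender, recipient, file names and payload name are hypothetical. In a real .docm the vbaProject.bin part is an OLE container whose module streams are compressed, so a production check would decompress it first (for instance with oletools' olevba) before applying the string scan shown here; the presence check for the VBA part works on real files as-is.

```python
"""Triage a spear-phishing mail for macro-enabled Office attachments.

Added example for the BlackEnergy delivery chain; not code from the paper.
The sample mail and documents are constructed below, and the 'vbaProject.bin'
part holds plain-text VBA so the scan is readable. A real vbaProject.bin is an
OLE container with MS-OVBA-compressed streams and must be decompressed first.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Procedures Office runs on its own once the user has enabled macros.
AUTO_EXEC = re.compile(rb"\b(Auto_?Open|Document_Open|Workbook_Open|Auto_?Exec)\b", re.I)
# Calls a dropper macro needs to write a payload to disk and launch it.
DROPPER_API = re.compile(rb"\b(Shell|WScript\.Shell|CreateObject|URLDownloadToFile|ADODB\.Stream)\b", re.I)
MACRO_ENABLED_EXT = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")


def make_ooxml(with_vba: bool, vba_source: bytes = b"") -> bytes:
    """Build a minimal OOXML zip (constructed sample); with_vba adds word/vbaProject.bin."""
    buf = io.BytesIO()
    ctype = (b'<Override PartName="/word/vbaProject.bin" '
             b'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else b"")
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types>" + ctype + b"</Types>")
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", vba_source)
    return buf.getvalue()


def inspect_document(data: bytes) -> dict:
    """Look inside an Office document for a VBA project and auto-executing macros."""
    finding = {"has_vba": False, "auto_exec": [], "dropper_api": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return finding  # legacy OLE2 .doc/.xls would need a different parser
    for name in zf.namelist():
        if name.lower().endswith("vbaproject.bin"):
            finding["has_vba"] = True
            blob = zf.read(name)
            finding["auto_exec"] += sorted({m.decode() for m in AUTO_EXEC.findall(blob)})
            finding["dropper_api"] += sorted({m.decode() for m in DROPPER_API.findall(blob)})
    return finding


def triage_message(raw: bytes) -> list:
    """Return (filename, risk) per attachment: 'block' for VBA with an auto-exec
    entry point or dropper API, 'review' for any VBA or macro-enabled extension,
    otherwise 'allow'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        info = inspect_document(part.get_payload(decode=True))
        if info["has_vba"] and (info["auto_exec"] or info["dropper_api"]):
            risk = "block"
        elif info["has_vba"] or fname.lower().endswith(MACRO_ENABLED_EXT):
            risk = "review"
        else:
            risk = "allow"
        verdicts.append((fname, risk))
    return verdicts


def sample_message() -> bytes:
    """Constructed spear-phishing mail: a benign .docx plus a .docm whose AutoOpen
    macro launches a (hypothetical) payload through WScript.Shell."""
    macro = (b"Sub AutoOpen()\n"
             b'  Set sh = CreateObject("WScript.Shell")\n'
             b'  sh.Run "cmd.exe /c payload.exe"\n'  # hypothetical payload name
             b"End Sub\n")
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "operator@example.com"
    msg["Subject"] = "Updated staff list"
    msg.set_content("Please open the attached list and enable editing.")
    msg.add_attachment(make_ooxml(False), maintype="application",
                       subtype="octet-stream", filename="notice.docx")
    msg.add_attachment(make_ooxml(True, macro), maintype="application",
                       subtype="octet-stream", filename="staff_list.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, risk in triage_message(sample_message()):
        print(f"{fname}: {risk}")
```

The two checks that need no decompression, the presence of a vbaProject.bin part and the macro-enabled content type, are the cheap gate a gateway can apply to every attachment; the entry-point scan shows exactly which step of the chain a macro-blocking policy removes, since without an auto-executing procedure the "enable content" click gives the attacker nothing.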
The attack compromised Industrial Control Systems (ICS): the attackers were able to override them and cause a service outage. BlackEnergy was first spotted in 2007 as an HTTP-based botnet toolkit used for DDoS attacks, able to attack multiple destination IP addresses at once (Kyle, Deana, Jonathan, & Edward, 2016). An improved version, BlackEnergy 2, followed in 2010 and was used in online-banking fraud, disrupting the banks' systems so that customers would not notice unauthorized transactions. BlackEnergy 3 was used in the attack on Ukraine's power grid in December 2015 (Anton & Robert, 2016). The attackers gained access to control systems such as the Human Machine Interfaces (HMIs) of the distribution companies and used them to cause the power outage.
Figure: BlackEnergy features and capabilities. Source: Khan, R., Maynard, P., McLaughlin, K., Laverty, D., & Sezer, S. (2016). Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart Grid, p. 4. https://pure.qub.ac.uk/portal/files/86558342/Threat_Analysis_of_BlackEnergy_Malware_for_Synchrophasor_based_Real_time_Control_and_Monitoring_in_Smart_Grid.pdf
Russia, the United States and Ukraine are among the countries with the most BlackEnergy victims. The toolkit was used in the attacks on Georgia during the 2008 Russia-Georgia war, in which 54 websites were hit. Beginning in 2011, BlackEnergy was reportedly used to gain access to systems at nuclear plants, water treatment facilities and oil and gas pipelines in the United States. The most prominent incident, which came to light in January 2016, was the power outage of 23 December 2015 in Ukraine, which left more than 225,000 customers without electricity for up to six hours (Daniel & Dennis, 2016).
Attacks like these significantly disrupt the delivery of services and inconvenience the public. Compromised infrastructure security, theft of confidential data, identity theft, privacy violations, financial instability and the loss of valuable data are among their consequences.
Visual Representation:
Figure: timeline of attacks using BlackEnergy. Source: Flom, Z. (2016, April 25). Shedding Light on BlackEnergy With Open Source Intelligence. https://www.recordedfuture.com/blackenergy-malware-analysis/
The attack can be divided into three phases:
Planning: The attackers first studied the target infrastructure so that the malware they introduced would stay hidden from sight.
Execution: BlackEnergy 3 was first delivered to employees through macro-enabled documents; with the access this gave them, the attackers harvested employee credentials and introduced the KillDisk malware into the environment. BlackEnergy 2 was later introduced into the environment, and the remaining data exfiltration was carried out through it.
Effect: Once the malware was in place, the attackers were able to do a variety of damage to the power grid.
Table: BlackEnergy versions and impact

Version | Year | Impact
1 | 2007 | HTTP-based botnet for DDoS attacks; detected in Russia and Malaysia
1 | 2008 | Cyber-attack on Georgia during the Russia-Georgia war; 54 government and finance websites were hacked
2 | 2010 | Modular design with plugins; used for cyber-fraud attacks
2 | 2014 | Critical-infrastructure operators in the US were targeted; a political party's website was targeted in Ukraine
3 | 2015 | Ukrainian power industry attacked; about 225,000 customers lost electricity for up to six hours, and a telephone denial-of-service attack was carried out at the same time
Lite | 2014 | Stripped-down variant of BlackEnergy with a lighter footprint; its configuration is stored in X.509 certificate format
Table: the Ukrainian power-grid attack

Who: Ukrainian power grid (three regional electricity distribution companies)
When: 23 December 2015
What: BlackEnergy 2 and 3, with the KillDisk wiper
Version: BlackEnergy family 1, 2, 3 and Lite
How:
- Coordinated cyber-attacks on three companies, executed within 30 minutes of each other; the attack affected 225,000 customers.
- Tools used by the attackers included malware and exploit kits.
- Socially engineered malware succeeds only if the owner of the device opens the attachment, clicks the link or visits the compromised site.
- When a computer is attacked, its anti-virus program, the anti-malware program and the firewall of the computer
- The BlackEnergy Trojan let the attackers install malware on devices of Ukrainian news media companies and of the electrical power industry.
- The attack damaged computer software across the affected companies and caused a blackout in parts of western Ukraine.
- The KillDisk component deployed with BlackEnergy deleted documents and other files on infected devices and overwrote system files so that the machines could not boot.
- Tools included spear-phishing e-mails and variants of the BlackEnergy 3 malware.
Impact:
- Initially 80,000 customers; after three distribution companies were hit, the impact rose to 225,000 customers
- Business network breached
- Credential theft
- VPNs breached
- Important logs deleted
- Telephone denial-of-service attack on the customer care centre
Fixes (multiple):
- Manual shutdown and operation of equipment
- Disabling remote management
- Disconnecting the building-control infrastructure from the ICS network
After going through past cases of cyber-attack, we found that a lack of awareness of the dangers, of their causes and of how to avoid them was the main reason the attacks affected so many people. Educating people and raising awareness of the ways they can protect their devices is a better way to fight the rising number of cyber-attacks. All users should be warned about dangerous links, websites and documents that can be used to plant the KillDisk component on their devices. Data suspected of carrying such malware should be deleted immediately so that the device is not infected. We also noted that users should be taught what to do if they suspect their computer has been hacked. In our view, one should raise the alarm on suspecting a cyber-attack on one's account or device. The next step should be to change the passwords on the device and then run security checks to determine whether an attack occurred.
We also need to change how we think about detecting and dealing with attacks. Even if our systems do not hold valuable information, they may be used as the source of an attack. Sometimes it is not the data on our systems that the hackers want but the access we have to other resources. Another important point is that the hackers' first goal is to gain trust so that they can retrieve as much data as possible. Our group is now aware that cyber-security tools and efforts can handle these attacks, but we are not completely safe from them.
References:
1. Robert, L., & Anton, C. (2016). BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry. Retrieved from https://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/
2. Thomas, F. B. (2016). Ukraine claims hackers caused Christmas power outage. Retrieved from https://cyber-peace.org/wp-content/uploads/2016/01/Ukraine-Claims-Hackers-Caused-Christmas-Power-Outage-Forbes.pdf
3. Khan, R., Maynard, P., McLaughlin, K., Laverty, D., & Sezer, S. (2016). Threat analysis of BlackEnergy malware for synchrophasor based real-time control and monitoring in smart grid. Retrieved from https://pure.qub.ac.uk/portal/files/86558342/Threat_Analysis_of_BlackEnergy_Malware_for_Synchrophasor_based_Real_time_Control_and_Monitoring_in_Smart_Grid.pdf
4. Richard, J. C. (2015). Cybersecurity issues for the bulk power system. Retrieved from http://www.vnf.com/webfiles/cybersecurityissuesforthebulkpowersystem.pdf
5. Kyle, O., Deana, S., Jonathan, S., & Edward, S. (2016). Malware capability development patterns respond to defenses: Two case studies. Retrieved from https://resources.sei.cmu.edu/asset_files/WhitePaper/2016_019_001_453290.pdf
6. Anton, C., & Robert, L. (2016). BlackEnergy – what we really know about the notorious cyber attacks. Retrieved from https://virusbtn.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf
7. Kurt, B., & Maria, G. (2014). BE2 custom plugins, router abuse, and target profiles. Retrieved from https://cyber-peace.org/wp-content/uploads/2016/01/BE2-Custom-Plugins-Router-Abuse-and-Target-Profiles-Securelist.pdf
8. Daniel, T., & Dennis, M. (2016). Lights out! Who's next? Retrieved from https://tranzilla.ru/media/uploads/profile/1437/6281/a5c9/d62d/a8c8/3bfa/7a10/c7cb/b3fe/3758/939f/f494/c56b/2ef6/9b12/e978/whitepaperukraineen.pdf
9. Flom, Z. (2016, April 25). Shedding light on BlackEnergy with open source intelligence. Retrieved from https://www.recordedfuture.com/blackenergy-malware-analysis/
Figure: attack phases. Planning: infrastructure study. Execution: BlackEnergy 3 spear-phishing e-mails, malware deployment, credential theft, VPN access, workstation access, BlackEnergy 2, data exfiltration, KillDisk malware installation. Effect: three regional electricity distribution companies affected.