BlackEnergy APT Attacks in Ukraine
Virus Type: Spyware, Advanced Persistent Threat (APT), Trojan
What is BlackEnergy?
BlackEnergy is a Trojan that is used to conduct DDoS attacks, cyber espionage and information destruction attacks. In 2014 (approximately) a specific user group of BlackEnergy attackers began deploying SCADA-related plugins to victims in the ICS (Industrial Control Systems) and energy markets around the world. This indicated a unique skillset, well above the average DDoS botnet master.
Since mid-2015, the BlackEnergy APT group has been actively using spear-phishing emails carrying malicious Excel documents with macros to infect computers in a targeted network. However, in January this year, Kaspersky Lab researchers discovered a new malicious document, which infects the system with a BlackEnergy Trojan. Unlike the Excel documents used in previous attacks, this was a Microsoft Word document.
Upon opening the document, the user is presented with a dialog recommending that macros should be enabled in order to view the content. Enabling the macros triggers the BlackEnergy malware infection.
Who are the victims of its attacks?
The BlackEnergy APT group is active in the following sectors:
- ICS, energy, government and media in Ukraine
- ICS/SCADA companies worldwide
- Energy companies worldwide
Am I at risk?
The group is active against Ukrainian entities, especially those in the energy sector, government and media. It also attacks ICS/SCADA and energy companies worldwide. You could be at risk if you work for, own, or cooperate with organizations of this kind.
How do I know if I’m infected?
Kaspersky Lab products detect the various Trojans used by BlackEnergy as:
Indicators of compromise can be found in a blogpost on Securelist.
How can I protect myself?
A standard anti-malware solution is not enough. To prevent a BlackEnergy malware attack Kaspersky Lab recommends using a multi-layered approach that combines:
- Administrative OS and network-based measures
- Security controls and vulnerability assessment/patch management systems
- Application control
- Whitelisting-based controls
- Email-based protection against spear-phishing
- Cybersecurity awareness training (educating your staff)
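The infection vector described above (a Word or Excel attachment that asks the user to enable macros) and the recommended email-based protection both come down to one question a mail gateway or endpoint can answer before the user ever sees the "enable content" dialog: does this attachment carry a VBA project? The following is an added example, not Kaspersky's code or part of the original page. It inspects the Office Open XML zip container for the VBA project part and the macro-enabled content types, so the verdict does not depend on the file extension, and it flags legacy OLE2 (.doc/.xls) files for separate review rather than guessing. The sample documents are constructed in memory and are not real BlackEnergy samples.

```python
"""Flag Office Open XML attachments that carry VBA macros.

Added example (not Kaspersky's code or part of the original page). It
looks inside the zip container of a .docx/.docm/.xlsx/.xlsm file for the
VBA project part and the macro-enabled content types, so the decision
does not rely on the file name. The sample documents below are
constructed in memory; they are not real BlackEnergy samples.
"""
import io
import re
import zipfile

# The VBA project is stored as <folder>/vbaProject.bin inside the package.
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
# Content-type markers that only appear in macro-enabled packages.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "macroEnabled.main+xml",
)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_file(data: bytes) -> dict:
    """Return a verdict for one attachment given as raw bytes."""
    verdict = {"container": None, "has_macros": False, "reasons": []}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .doc/.xls: macros live in an OLE storage and need an
        # OLE parser (e.g. olefile); report it as unchecked instead of clean.
        verdict["container"] = "ole2"
        verdict["reasons"].append("legacy OLE2 file, macro check not performed")
        return verdict
    if not data.startswith(b"PK"):
        verdict["container"] = "unknown"
        return verdict
    verdict["container"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if VBA_PART_RE.search(name):
                    verdict["reasons"].append(f"VBA project part: {name}")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                for marker in MACRO_CONTENT_TYPES:
                    if marker in ctypes:
                        verdict["reasons"].append(f"content type: {marker}")
    except zipfile.BadZipFile:
        verdict["container"] = "corrupt-zip"
        return verdict
    verdict["has_macros"] = bool(verdict["reasons"])
    return verdict


def _build_sample(main_part: str, main_ctype: str, with_vba: bool) -> bytes:
    """Construct a minimal OOXML package (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = [f'<Override PartName="/{main_part}" ContentType="{main_ctype}"/>']
        if with_vba:
            folder = main_part.split("/")[0]
            zf.writestr(f"{folder}/vbaProject.bin", b"\x00constructed-placeholder")
            overrides.append(
                f'<Override PartName="/{folder}/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(overrides) + "</Types>",
        )
        zf.writestr(main_part, "<w:document/>")
    return buf.getvalue()


# Constructed samples: a plain .docx, a macro-enabled .docm, a macro-enabled
# .xlsm, and the header of a legacy binary .doc.
CLEAN_DOCX = _build_sample(
    "word/document.xml",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    False,
)
MACRO_DOCM = _build_sample(
    "word/document.xml", "application/vnd.ms-word.document.macroEnabled.main+xml", True
)
MACRO_XLSM = _build_sample(
    "xl/workbook.xml", "application/vnd.ms-excel.sheet.macroEnabled.main+xml", True
)
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in (("clean.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                        ("report.xlsm", MACRO_XLSM), ("old.doc", LEGACY_DOC)):
        print(label, inspect_office_file(blob))
```

Because the check reads the package contents rather than trusting the extension, a macro-enabled file that has been renamed to `.docx` is still flagged. Run as a mail-gateway or endpoint pre-filter, a positive verdict is a reason to quarantine the attachment or strip it for review; it complements, rather than replaces, a policy that blocks macros from untrusted sources.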