More Phishing Attacks Target Ukraine Energy Sector

Anti-Malware , Cybersecurity , Fraud

New Warnings Over Spear-Phishing Campaign, Airport Malware Outbreak More Phishing Attacks Target Ukraine Energy Sector

The Ukrainian energy sector continues to be targeted by spear-phishing emails, security experts warn. But it's not clear if the latest phishing campaign ties to last month's power blackout in parts of the Ukraine, which officials have blamed on a "hacker attack" (see Ukrainian Power Grid: Hacked).

See Also: Stop Fraud, Not Customers: Focus On Good User Experience

To recap: On Dec. 23, 2015, at least three energy providers in the country's western Ivano-Frankivsk region lost power for up to six hours, affecting hundreds of thousands - if not millions - of customers. The Ukrainian Computer Emergency Response Team, CERT-UA, says that it's recovered an espionage Trojan called BlackEnergy from systems inside at least two of the compromised utilities, and suspects that spear-phishing emails carrying Excel documents with a malicious macro were involved (see How to Block Ukraine-Style Hacker Attacks).

Cybersecurity experts say it's the first time that a power outage has been directly tied to a hack attack. And the incident occurred at a period of heightened tensions between Ukraine and Russia, over the separatist conflict in eastern Ukraine that has lasted for nearly two years.

But investigators have yet to release any evidence relating to who launched the malware, or which could confirm whether it directly caused the power outage. Michael Assante, who heads SANS Institute's industrial control system and supervisory control and data acquisition security efforts, has described the hack attack as "malware-enabled but not likely malware-caused," meaning malicious code may have given attackers access to the energy providers' IT environments, as well as helped them to prolong the outage.

New Energy Sector Phishing Attack

On Jan. 18, Ukraine's CERT-UA issued a new alert, warning of additional waves of attacks against Ukrainian organizations, which it suspected were employing BlackEnergy malware. CERT-UA also published indicators of compromise in the form of IP addresses for known C&C servers. "We recommend checking the log files and network traffic for the presence [or] absence of these indicators," it said. The agency also directed potential victims to a BlackEnergy overview from Moscow-based Kaspersky Lab for additional information.

But Robert Lipovsky, a senior malware researcher at Slovakian security firm ESET, says this new wave of phishing attacks does not appear to be using BlackEnergy. "The malware is based on a freely available, open-source backdoor - something no one would expect from an alleged state-sponsored malware operator," he says in a Jan. 19 blog post.

As with many previous 2015 phishing attempts against Ukraine targets, these spear-phishing emails include an attached Excel file with a malicious macro. "It tries, by social engineering, to trick the recipient into ignoring the built-in Microsoft Office security warning, thereby inadvertently executing the macro," Lipovsky says. "Executing the macro leads to the launch of a malicious Trojan downloader that attempts to download and execute the final payload from a remote server."

If the payload successfully executes, it allows the attacker to push further modules to the victim's system as well as execute shell commands. "The backdoor is controlled by attackers using a Gmail account, which makes it difficult to detect such traffic in the network," Lipovsky says.

Spear-Phishing Attack Wields Malicious Office Macros

image
A malicious Excel file attached to a spear-phishing email - sent to Ukrainian electric power industry targets on Jan. 19, 2016 - warns recipients: "Attention! This document was created in a newer version of Microsoft Office. Macros are needed to display the contents of the document." (Source: ESET)

Threat intelligence firm iSight Partners reports in a Jan. 22 research note that the malware used in the attacks is GCat, a fully featured backdoor that uses Gmail as a C&C server, and which is freely available from code-sharing site GitHub (see Why FireEye Snapped Up iSight Partners).

However, the related attack infrastructure is now offline: ESET says it alerted CERT-UA as well as Ukraine's financial services computer emergency response team, CYS-CERT, to the attack campaign, and they've taken offline the related command-and-control server.

Malware Infection Hit Airport

Also this week, Ukraine officials warned that the IT infrastructure at Kiev's main airport was infected by malware that tied to a command-and-control server based in Russia, Reuters reports, noting that authorities do not yet know if the malware was BlackEnergy.

"The control center of the server, where the attacks originate, is in Russia," military spokesman Andriy Lysenko tells Reuters, noting that the malware had been found and eliminated before it caused any damage. But the C&C server's location is no smoking gun; anyone can rent hosting space in Russia (see Hacker Havens: The Rise of Bulletproof Hosting Environments).

Until more evidence comes to light, SCADA expert Robert M. Lee, CEO of industrial control system security tool vendor Dragos Security, cautions against jumping to any conclusions.

I've seen the reports on the cyber attack on the Ukrainian airport but there's no data/evidence presented so I'll hold judgement until then

Don't Rush Attribution

Indeed, what remains unclear is the identify of the culprit - or culprits - behind any of the aforementioned incidents in Ukraine. And the motive of the hacker or hackers also remains unknown. Even if BlackEnergy malware is tied to more incidents, just because that Trojan has previously been used by an advanced persistent threat group called the Sandworm group - which appears to have a pro-Russian-government agenda - that doesn't mean the same group is at work.

"There's an important distinction between intrusion, compromise, espionage, etc. and an attack," Lee says via Twitter.

With regards to the Ukrainian power outage please be aware what many call "attacks" ongoing are intrusions. Only 1 attack has occurred.

Russia is the obvious suspect, and Ukraine's SBU state security service has in fact blamed its eastern neighbor for many of the recent incidents (see Russians Suspected in Ukraine Hack). But Ukraine's energy ministry says it's withholding attribution for the December attack until it completes a full digital forensic investigation. The U.S. Department of Homeland Security says it's assisting with that probe.

"Great care should be taken before accusing a specific actor, especially a nation state," ESET's Lipovsky says. "We currently have no evidence that would indicate who is behind these cyberattacks and to attempt attribution by simple deduction - based on the current political situation - might bring us to the correct answer, or it might not."

In fact, he says, the operations might be designed as a "false flag" to try and cast blame on a nation state that wasn't actually responsible.