On December 23rd, a large swathe of Ukraine suffered a massive power outage. This week, it’s come to the light that it could have been the result of destructive malware.
In a blog post, a team from security researchers iSIGHT explains that the attack seems to have used a piece of malware called BlackEnergy which can be used to “plant a KillDisk component onto the targeted computers that would render them unbootable.” It seems such attacks were levelled at three regional power authorities in Ukraine, leaving half of homes in the Ivano-Frankivsk region of Ukraine without electricity.
The malware appears to be spread using Microsoft Office files that contain malicious macros. Hackers simply send out emails with such files contained as attachments, in this case using email addresses spoofed to appear as being sent from the national parliament. The text in the message encourages the recipient to run the macros in the file, in turn installing a version of BlackEnergy on the computer.
From there, the system can install KillDisk malware or make use of a SSH backdoor to provide attackers with remote access. “After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down,” write the researchers. “ We can assume with a fairly high amount of certainty that the described toolset was used to cause the power outage in the Ivano-Frankivsk region.”
If these claims are true, it’s fairly worrying that it’s possible to bring about power outages using malicious Microsoft Office files.
Image by Nick Page under Creative Commons license