BlackEnergy trojan also hit Ukrainian mining firm and railway operator

Security researchers have linked attacks against Ukrainian power utilities in Dec 2015, which used the BlackEnergy trojan, to similar attacks against a mining company and a large railway operator in Ukraine.

The new research, by Kyle Wilhoit of Trend Micro, casts fresh light on what’s arguably the most significant malware-based hack attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010.

Wilhoit and his team identified the new victims after looking for traces of original indicators of compromise associated with BlackEnergy, including reconnaissance and lateral movement tools and KillDisk, a disk-wiping malware payload, among others.

The Ukrainian mining company and a large Ukrainian train company were identified as victims based on a combination of telemetry data from open-source intelligence and data from Trend Micro’s Smart Protection Network.

The two unnamed organisations were affected by some BlackEnergy and KillDisk infrastructure that were seen in attacks against energy firms Prykarpattya, Oblenergo and Kyivoblenergo.

Trend Micro reckons that the same group of hackers who hit the mining company and train firm with malware are also behind the Ukrainian power utility attack. The general consensus is that infections at the power firms resulted in local power outages, although this is disputed by some. If confirmed, it would be the first incident of hackers taking down a power grid, a feat regularly accomplished by animals (particularly squirrels).

Trend Micro explores the possible motivations of the hackers – which range from an attempt to disable Ukraine economically to a test of the power of their malware against real life targets – as well as new details of the campaign in a blog post here. ®