National Critical Infrastructures: Ubiquitous, Connected, and Vulnerable

Recently, a dangerous type of malicious code, or malware, called “GreyEnergy,” has been detected in Ukraine and Poland. At least three energy and transport companies have been affected over a period of at least three years, according to the Slovakia-based cybersecurity company ESET, which in the past helped to investigate the 2015 Ukrainian energy grid hack.

In fact, GreyEnergy is just a new name for a well-known hacker program called “BlackEnergy” that has targeted Ukraine in the past. This malware family is designed to collect, manipulate, and/or destroy data specific to national critical infrastructures.

ESET attributed these attacks to a hacker group that the US and the UK have associated with Russian military intelligence.

Our Task Force will keep an eye on this evolving threat because successful cyberattacks on critical infrastructure have the potential to cause economic and societal disruption—which in turn could negatively impact the upcoming 2019 presidential election.

Modern Information Technology (IT) is uniquely powerful—and uniquely vulnerable. Cyberattacks, which exploit gaps in the security of IT, are often compared to a Swiss Army knife: in a complicated and interconnected world, they can be used to accomplish just about anything. For example, on a military battlefield, computer hacking might be used to disrupt communications or destroy the functionality of a weapon system; during an election, digital information operations in social media can be used to sway the opinion of voters.

GreyEnergy can be used to target modern critical infrastructures, as well as the nations and citizens they serve, which are dependent on the proper functioning of IT—and are vulnerable to human, network, and computer hacking. Anytime critical infrastructures fail, there can be unpredictable, cascading effects within the affected economy and society.

The malware family called BlackEnergy was first seen on the Internet over a decade ago, in 2007. Originally, BlackEnergy attempted to compromise as many Internet-connected computers as possible, in order to enlist them into a botnet army that was often used for denial-of-service attacks, likely for crimes such as extortion. The malware’s primary propagation method involved sending potential victims a Microsoft Word, Excel, or PowerPoint file laced with malicious code.

Successful malware families evolve over time, often adding new functionality and improving ease-of-use. Even in version 1.0, BlackEnergy was sophisticated code; for example, it used encryption to evade detection by security software. However, in 2010 BlackEnergy 2 (BE2) appeared, and it was a significant upgrade. BE2 had a powerful “dropper” for installation and a “rootkit” for system access and evasion. But above all, BE2 now came with a modular, customizable architecture that could be used for tailored operations against a greater number and variety of targets.

In 2014, BE3 (BlackEnergy 3) was released, along with a host of new features such as keystroke logging, password theft, screenshots, remote software updates, network scanning, and a helpful feature called “Destroy System”. Again, not all of this functionality needs to be installed on every infected computer — only what the hacker requires for a given operation.

In the past, BlackEnergy has been detected on computer networks in both the United States and Ukraine. In the U.S., computer networks managing water, energy, real estate, and telecommunications infrastructure were targeted, as early as 2011. It is unknown whether the U.S. networks suffered data manipulation or destruction; however, it is possible that these compromises could be strategic in nature, intended as a latent tool for coercion during some future diplomatic or military crisis. Four years later in Ukraine, BE3 was found to have been used as a reconnaissance tool prior to the infamous power outages of Christmas 2015, which affected approximately 225,000 people.

In both cases, it is unknown whether BlackEnergy played a direct role in infrastructure manipulation, but we know that it was used as a way to collect information about the target network and industrial control system (ICS) environment, and perhaps to compromise user credentials on the network. Employees at Ukrainian ICS, energy, government and media companies were sent BE3 via spear-phishing emails and weaponized Microsoft Word documents. For the actual data destruction, another hacker tool called “KillDisk” was used.