Recent targeted attacks on the information and telecommunication systems of Ukraine linked to the newer variant of Industroyer
- The SBU blamed the targeted attacks on the Russian-linked APT group that used the BlackEnergy malware kit and NotPetya ransomware during 2015-2017.
- The SBU determined that the malware involved in the attack was an updated version of the Industroyer backdoor.
The Security Service of Ukraine (SBU), the country's main security agency responsible for counterintelligence and combating terrorism, has reported new targeted attacks on IT and communication systems. The SBU also blamed the attacks on the Russian-linked APT group that used the BlackEnergy malware kit and NotPetya ransomware during 2015-2017.
According to a recent press release by the SBU, “The Security Service of Ukraine has received more evidence of the aggressive actions of Russian intelligence services against Ukraine in cyberspace using a controlled hacker group responsible for carrying out cyber attacks on Ukraine’s critical infrastructure facilities during 2015-2017, known as BlackEnergy and NotPetya.”
The BlackEnergy malware kit made headlines on December 23rd, 2015, when the BlackEnergy backdoor was used to plant a KillDisk component on the targeted computers, rendering them unbootable. This resulted in a massive power outage that left the Ivano-Frankivsk region of Ukraine without electricity for a few hours. Since then, the hacker group has continued to enhance the features of the notorious malware kit to target SCADA systems.
A newer sample of Industroyer backdoor
However, recent attacks suggest that the hacker group is using newer variants of the BlackEnergy malware kit.
According to the SBU, the BlackEnergy hackers used new malware samples in a recent series of attacks. The new malicious code can also act as surveillance software, and the group appears to have added further remote-control features to manage these newly added surveillance capabilities.
The SBU determined that the malware involved in the attack was an updated version of the Industroyer backdoor.
Industroyer covers greater lengths
Researchers suspected that the Industroyer malware was the tool the attackers used to cause the December 2016 power outage in Ukraine. However, the infection vector still remains unknown.
Compared with the toolset the threat actors used in 2015 (BlackEnergy, KillDisk and other supporting components), the group behind Industroyer went further, directly controlling switches and circuit breakers in the attack.
According to a report on the ukrinform.net website, the malware used in the recent attacks shares a number of characteristics with the earlier malware, such as code snippets and the computing capabilities of the infected systems.
The investigation also helped the SBU link the attack to previous targeted attacks conducted by the same hacker group. The agency also urged the necessary mitigations to protect the IT infrastructure of government agencies.