The Malware That Led to the Ukrainian Blackout

In late December, at least two Ukrainian power companies were hacked, dropping tens of thousands of people into darkness. Experts generally agree that although malware didn't cause the blackout itself, a cyberattack did play an important role.

The malware found in affected networks was a variant of BlackEnergy, a Russian-linked program with much humbler cybercrime roots than is suggested by its apparent use in the sabotage of critical infrastructure.

In 2007, "it was available as a crimeware tool" for sale in the digital underground, Artturi Lehtiö, a researcher from cybersecurity company F-Secure, told Motherboard in a phone interview. Because of the malware's simplicity, graphical user interface, and accompanying help file, pretty much any budding hacker could deploy it with only a minimal set of skills. One screenshot of the software's point-and-click panel says BlackEnergy was made by a hacker, or group of hackers, called "Crash."

Nine years ago, BlackEnergy was a relatively basic piece of technology designed to infect computers and add them to a botnet, creating a zombie army of machines ripe for firing distributed-denial-of-service (DDoS) attacks. Researchers found that BlackEnergy went for as little as $40, or even free, and the malware was used to launch attacks on Russian websites.

It wasn't until around 2010 that BlackEnergy got its first major update, and became something of a digital Swiss Army knife.

"BlackEnergy2 is a modular malware, so it supports the use of various plugins or modules that can be loaded later during the course of the attack," Lehtiö said. (There is slight disagreement between researchers as to what warrants a new numerical iteration of BlackEnergy. Russian firm Kaspersky, for instance, said that BlackEnergy2 instead came out in 2008 when modifications were made to the software, and other firms have their own dates.)

Those plugins included an add-on for sending mountains of spam emails, and another for stealing banking credentials. Indeed, the tool was used to rip finances from Russian banks, and then DDoS the same banks, perhaps so the institutions were distracted from the theft going on under their noses.

"This malicious tool has high potential, which naturally makes it quite a threat," Dmitry Tarakanov, a researcher from Kaspersky, wrote in 2010.

At this point, BlackEnergy2 was still being used by criminal gangs to pinch finances, but it became clear that another sort of hacker had taken interest in it. A group, likely Russian, used BlackEnergy2 to target high level government bodies, academics, federal emergency services, and industrial control systems, and developed its own custom modules for the malware.

The go-to name for this group is Sandworm—the name researchers from iSight gave it after discovering references to the science-fiction novel Dune within the group's modifications to BlackEnergy variants. But because the group has not officially identified itself, other security firms refer to it by different names: Kaspersky called the group BE2, after its heavy use of BlackEnergy2, and wrote that the group is likely made up of a "small team of plugin and multiplatform developers." F-Secure, meanwhile, named the group Quedagh, referring to a ship that was captured by infamous privateer Captain William Kidd, because of the apparent mobilization of a criminal tool for more government-driven purposes.

"This group has quite a slack operational tempo," Lehtiö said, meaning that it hasn't hit a large number of targets frequently. Instead, it has spread those attacks out, over months and years. While the politically-focused group with an interest in harvesting information has largely relied on the criminal-turned-espionage BlackEnergy tool, Sandworm eventually made use of a Microsoft Windows zero-day vulnerability to gain access to systems of NATO, the European Union, and energy sectors.

In May 2014, according to F-Secure's timeline, BlackEnergy3 entered the scene. "It's a sort of stripped-down version," Lehtiö said, "where they streamline it, and cut it down to only the core, important functionality."

Although Sandworm at the time was using BlackEnergy to infect targets in various countries, the number of attacks carried out by the group against Ukrainian systems shot up around summer 2014.

"Though it may be unrelated, it is interesting to note that this change conveniently coincides with the ongoing crisis in that country," F-Secure wrote in a 2014 white paper, referring to the escalation of political tensions as Russia campaigned for the annexation of Crimea.

Come December 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) from the US Department of Homeland Security posted an alert about an ongoing, sophisticated campaign targeting industrial systems with BlackEnergy malware.

The following Christmas, the power was pulled in areas of Ukraine, and researchers reported that variants of BlackEnergy had been found in affected networks. iSight attributed the attack to Sandworm.

Although BlackEnergy likely did not cause the blackout itself, there is a consensus among experts and researchers that the malware played some role, perhaps by giving an attacker remote access in order to tamper with the power companies' breakers used for regulating the flow of electricity.

It's unclear whether the creators of the original BlackEnergy had any idea their malware would grow from a basic DDoSing tool, but it's safe to assume they probably didn't think it would lead to one of the more significant hacks in recent history.