BlackEnergy Cyber-Attackers Strike Ukrainian Railway and Mining Company
The BlackEnergy cyber-attackers who struck two power facilities in Ukraine in December have now also attacked Ukraine's largest railway operator and a mining company.
According to fresh intelligence from Trend Micro, BlackEnergy is no longer only an energy-sector problem: the same campaign is targeting Ukrainian critical and public infrastructure more broadly, and the firm suggests the motive may also be political.
In a forensic breakdown, the firm explained:
“When pivoting off the original indicators of compromise, we came upon these findings. Original indicators of compromise include lateral movement tools, KillDisk (disk-wiping malware) and BlackEnergy reconnaissance, among others.”
“When my fellow senior threat researcher at Trend Micro and I began hunting for malware samples and additional infections related to the incident, we quickly realized that Prykarpattya Oblenergo and Kyivoblenergo were not the only targets revolving around the newest BlackEnergy campaign.”
Telemetry data revealed possible infections at mining and railway organizations that overlapped with the BlackEnergy and KillDisk samples used in the Ukrainian power incident.
The researchers concluded:
“There is remarkable overlap between the malware used, infrastructure, naming conventions and, to some degree, the timing of use for this malware, therefore leading us to believe the same actors are not only attacking power utilities, but also large mining and railway organizations throughout Ukraine.”
The attackers' motives could include the following:
Destabilizing Ukraine through disruption (which may include mining, power and transportation).
Deploying malware to different critical infrastructure systems.
Testing the code base: the infections at the mining and railway companies may simply have been the attackers trying out their tools.
“Whichever is the case, attacks against industrial control systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions,” Trend Micro noted.