Please note! This essay has been submitted by a student.
Introduction: BlackEnergy is a family of malware that has been in use since 2007 and, in its later versions, was used in intrusions against government bodies, media organisations, railways, mining companies and, most notably, the electricity distribution sector in Ukraine. It began as a distributed denial-of-service (DDoS) toolkit and grew into a modular backdoor to which the operators add plugins for credential theft, remote access and disk wiping. The attackers first choose a user in the target organisation whose workstation is likely to be exploitable and send a spear-phishing email that looks like an official notice, pop-up or update and carries a Microsoft Office document. If the recipient opens the document and enables its content, the code the attacker planted in it runs, installs the malware on the workstation and gives the attackers a foothold from which they harvest credentials and move deeper into the network. (Lee, 2016)
The initial foothold is usually an ordinary end-user workstation whose software is outdated or has not been patched by the administrator; a missing vendor patch is exactly the hole the attack needs, so patches must be applied, not ignored. (Trivellato, 2016) It may not be possible to keep every such workstation from being compromised, but an organisation can detect the intrusion from the attackers' early actions. Two signals help most. The first is the communication between infected machines and the outside world: a compromised host contacts its command-and-control server and uploads the information it has gathered, which a network traffic capture capability can reveal. The second is the attackers' remote operation of the control system itself, in this case the commands sent to open substation breakers and cause the outage, which look nothing like the normal traffic between the operators' HMI and the field devices.
One tool used for this kind of detection is SilentDefense, a network monitoring platform used by critical-infrastructure operators worldwide to watch over their ICS/SCADA networks. Trivellato (2016) describes several ways the Ukrainian BlackEnergy attacks could have been detected with it: built-in detection modules, communication blueprints, protocol blueprints and a network intelligence framework. The common idea is to analyse real-time network traffic and compare it with a communication blueprint validated earlier: any conversation between hosts, or any protocol command, that does not appear in the blueprint is raised as an alert. (Trivellato, 2016)
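The blueprint idea, as an added example that is not part of the original essay and not SilentDefense's own code: a Python sketch that learns the normal (source, destination, protocol, port) conversations from known-clean flow records and then flags, in live records, a conversation the baseline has never seen, a control-protocol command from a host that is not an operator HMI, and any traffic from the HMI or control segments to the Internet (the command-and-control beaconing mentioned above). All addresses, segments, port assignments and flow records are constructed for the example.

```python
"""Added example: baseline ("communication blueprint") detection for an
ICS network. Learns the normal (source, destination, protocol, port)
conversations from known-clean flow records, then flags three things in
live records: a conversation the baseline has never seen, a control-protocol
command sent from a host that is not an operator HMI, and any traffic from
the HMI or control segments to the Internet (beaconing to a C2 server).
All addresses, segments, ports and flow records below are constructed for
the example; they are not from a real plant.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed network layout for the example.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
HMI_SEGMENT = ipaddress.ip_network("10.1.1.0/24")   # operator workstations
OT_SEGMENT = ipaddress.ip_network("10.2.0.0/16")    # RTUs and field devices
CONTROL_HOSTS = {"10.1.1.10"}                       # HMIs allowed to issue commands
CONTROL_PORTS = {20000, 502}                        # DNP3 and Modbus/TCP

# Constructed known-good records: HMI polling two RTUs, historian reading the HMI.
BASELINE_FLOWS = [
    Flow("10.1.1.10", "10.2.5.1", "tcp", 20000),
    Flow("10.1.1.10", "10.2.5.2", "tcp", 20000),
    Flow("10.1.1.20", "10.1.1.10", "tcp", 1433),
]

# Constructed live records: one normal poll, one beacon to an external host,
# one DNP3 command from an engineering laptop, one normal historian read.
LIVE_FLOWS = [
    Flow("10.1.1.10", "10.2.5.1", "tcp", 20000),
    Flow("10.1.1.10", "203.0.113.5", "tcp", 443),
    Flow("10.1.1.55", "10.2.5.2", "tcp", 20000),
    Flow("10.1.1.20", "10.1.1.10", "tcp", 1433),
]


def build_baseline(flows):
    """The blueprint: the set of conversations seen during a clean period."""
    return {(f.src, f.dst, f.proto, f.dport) for f in flows}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def classify(flow, baseline):
    """Return the list of alert labels raised by one flow record."""
    alerts = []
    if (flow.src, flow.dst, flow.proto, flow.dport) not in baseline:
        alerts.append("unknown-conversation")
    if flow.dport in CONTROL_PORTS and flow.src not in CONTROL_HOSTS:
        alerts.append("control-from-unexpected-host")
    src = ipaddress.ip_address(flow.src)
    if (src in HMI_SEGMENT or src in OT_SEGMENT) and not is_internal(flow.dst):
        alerts.append("egress-from-ot")
    return alerts


def detect(flows, baseline):
    """Return [(flow, alerts)] for every record that raised at least one alert."""
    findings = []
    for flow in flows:
        alerts = classify(flow, baseline)
        if alerts:
            findings.append((flow, alerts))
    return findings


if __name__ == "__main__":
    for flow, alerts in detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {', '.join(alerts)}")
```

The baseline must be recorded under change control: a legitimate change such as a new RTU updates the blueprint, so the alert list stays short enough for an operator to read. The port-based check is deliberately coarse; a production monitor parses the DNP3 or Modbus payload so it can tell a routine read poll from an operate command to a breaker.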
Working of the attack: The December 2015 attack had three main elements: the malware component, a denial of service against the utilities' call centres, and the opening of substation breakers. The malware gave the attackers access to the utilities' networks. The denial of service flooded the customer call centres so that customers could not report the outage. In the last step the attackers opened the breakers remotely, which caused the power outage. (Nazario, 2007)

DDoS: The original 2007 BlackEnergy was a toolkit for distributed denial of service: a trojan installed on many compromised machines turned them into bots that a central controller could order to flood a target with traffic, making its services unavailable to anyone. (Nazario, 2007) Later versions kept the bot architecture but added a plugin system for information theft, remote access and destructive payloads. Early detection of a DDoS bot is difficult because the infected machine keeps working normally for its user, and the flood traffic only appears when the controller issues a command. In the 2015 Ukraine operation the denial of service was a telephone one: the utilities' customer-service numbers were flooded with bogus calls, which delayed the operators' picture of how widespread the outage was. The malware does not attack "all OSI layers" or the BIOS; what made infected machines unusable was its disk-wiping component (KillDisk), which overwrote files and the master boot record of Windows hosts so that they would no longer boot. (Nazario, 2007)
Phishing: Phishing is an attack in which the target receives an email or text message that appears to be genuine. The message looks as if it comes from a known service or from the organisation itself, often sent from a domain that differs from the real one by a character or two. In the BlackEnergy campaigns the messages were spear-phishing: addressed to specific employees and carrying a Microsoft Office attachment, sometimes with images and hyperlinks to make it look authentic. Opening the attachment and enabling its macros (or, in some campaigns, simply opening a document that exploited an unpatched Office vulnerability) ran the dropper, which installed the BlackEnergy DLL on the workstation; from there the attackers collected passwords and other confidential information and sent it to their own server. The attack relies on a vulnerability or a user decision in the end client software, not on the network layer. (Ciampa, 2014)

Software used to design the malware: BlackEnergy does not rely on SQL queries or SQL injection; it is a compiled Windows backdoor. What the attackers crafted was the delivery document and its lure, for example a message that an update or macros are required to display the content correctly, and the user's decision to enable them is what lets the code run.
When the user enables the content, the dropper writes the malware to the system and loads it, after which the attackers can use it to gain further access: network access through the victim's VPN, Windows account access, and a password stealer that harvests credentials from the system and the network. (Rhodes-Ousley, 2013)

Tools used to transmit the malware: Microsoft Word/Excel: The attacker sends the target an Office document, sometimes inside a zip archive together with the executable, under the pretext of an update or an official notice. When the user opens the document and enables macros, the macro extracts and runs the payload, which then acts as a messenger to the attacker, sending out passwords, confidential information and details of network usage. (Stallings, 2005)
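An added example, not part of the original essay and not BlackEnergy code or a vendor product: a Python triage check an email gateway could apply to the two warning signs just described, a sender domain that is a near-copy of the organisation's own and an Office attachment carrying a VBA project or an embedded OLE package. It also illustrates the email-filter measure listed under prevention later in the essay. The organisation domain, the allow-list and the two sample documents are constructed assumptions.

```python
"""Added example: an email-gateway triage check for the two warning signs
above, a sender domain that is a near-copy of the organisation's own and an
Office attachment carrying a VBA project or an embedded OLE package. The
organisation domain, the allow-list and the sample documents are constructed
assumptions for the example; this is not BlackEnergy code or a vendor product.
"""
import io
import re
import zipfile

ORG_DOMAIN = "example-energy.ua"                  # assumed organisation domain
TRUSTED_DOMAINS = {ORG_DOMAIN, "vendor.example"}  # assumed allow-list

# Parts inside an OOXML package (.docx/.xlsx/.pptx are zip files) that carry
# VBA macros or embedded OLE objects.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OLE_EMBED = re.compile(r"^(word|xl|ppt)/embeddings/.+\.bin$")
RISKY = {"macro-enabled-extension", "vba-project", "embedded-ole-object"}


def levenshtein(a, b):
    """Edit distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_verdict(address):
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if levenshtein(domain, ORG_DOMAIN) <= 2:
        return "lookalike"
    return "external"


def attachment_findings(name, data):
    """Inspect one attachment; returns a list of finding labels (empty = clean)."""
    findings = []
    if name.lower().endswith((".docm", ".xlsm", ".pptm")):
        findings.append("macro-enabled-extension")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            parts = pkg.namelist()
    except zipfile.BadZipFile:
        # Legacy .doc/.xls (OLE2) or not an Office file at all: needs an OLE
        # parser such as oletools, which this example does not include.
        return findings + ["legacy-or-non-ooxml"]
    if MACRO_PARTS & set(parts):
        findings.append("vba-project")
    if any(OLE_EMBED.match(p) for p in parts):
        findings.append("embedded-ole-object")
    return findings


def triage(sender, attachments):
    """attachments: list of (filename, bytes). Returns (action, report)."""
    report = {"sender": sender_domain_verdict(sender), "attachments": {}}
    block = report["sender"] == "lookalike"
    for name, data in attachments:
        findings = attachment_findings(name, data)
        report["attachments"][name] = findings
        block = block or bool(RISKY & set(findings))
    return ("quarantine" if block else "deliver"), report


def build_package(parts):
    """Construct a minimal OOXML-shaped zip in memory (fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for path, content in parts.items():
            pkg.writestr(path, content)
    return buf.getvalue()


# Constructed sample attachments: a workbook with a VBA project, a clean document.
MACRO_XLSX = build_package({"[Content_Types].xml": b"<Types/>",
                            "xl/workbook.xml": b"<workbook/>",
                            "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake vba"})
CLEAN_DOCX = build_package({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<document/>"})

if __name__ == "__main__":
    print(triage("admin@example-enrgy.ua", [("invoice.xlsx", MACRO_XLSX)]))
    print(triage("it@example-energy.ua", [("memo.docx", CLEAN_DOCX)]))
```

The check looks at the package structure rather than the extension because a file named .xlsx can still contain a vbaProject.bin part; the extension test only adds a label for the macro-enabled types. Legacy binary .doc/.xls files are not zip packages and are handed off as unscanned, which a real gateway would route to an OLE parser rather than deliver.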
SQL injection: Structured Query Language is the language used to retrieve data from one or more database tables, and SQL injection is an attack in which untrusted input is placed into a query so that the database executes the attacker's own statements, for example to read password hashes or to make the database unavailable to other users in the organisation. (Ciampa, 2014) It is a web-application attack and was not part of the BlackEnergy intrusions, whose entry point was the phishing document described above.

Shell scripting and kernel access: The operating-system kernel is the heart of the system and controls every process and network interface on it. BlackEnergy 2 included a kernel-mode driver (a rootkit) that hid the malware from the operating system, and any code running at that level can disable defences and reach the networks connected to the host, so nothing on a machine compromised in this way can be trusted. (Ciampa, 2014)

Organisations and users impacted: The prime target of the BlackEnergy attacks was Ukraine. The malware itself was first seen in 2007, when it was used for criminal DDoS attacks; since then it has been used not only for cybercrime but to cause an actual outage. Victims have also been reported in the USA, Austria and Germany. The attacks did not take place only once but recurred several times over the years.
The attacks in May 2014 used spear-phishing emails with a zip archive containing the BlackEnergy executable, whereas the one in August 2014 used a PowerPoint presentation attached to the spear-phishing emails. In February 2015 the attackers again started sending spear-phishing emails, and the major attack took place on 23 December of the same year. The attack was directed at three regional energy distribution companies in Ukraine. Kyivoblenergo, one of the three, reported that its customers were without power for about three hours, and across the three companies roughly 225,000 customers lost power in various regions of the country. Ukraine has remained the main target of the BlackEnergy operators, but the same malware has been found at industrial control system (ICS) and energy companies worldwide.
In October 2014 the US Department of Homeland Security's ICS-CERT issued an alert about BlackEnergy. (Wueest, 2014) It stated that the attackers had been compromising Internet-facing human-machine interface (HMI) products used in industrial control systems. The operators mainly targeted electricity companies in different parts of the world, and media and railway organisations were also attacked. (Wueest, 2014)

How to prevent the attacks: Preventive measures from the user side: Users should install only software published by the official vendor and apply the vendor's patches promptly. They should never share passwords or other confidential information with anyone, including colleagues. Keeping anti-virus software up to date is another responsibility the user must take care of.
Whenever a message asks them to install or update software, users should check with the administrators that the request is legitimate before acting on it; this alone blocks the entry point the intruders used. Preventive measures at the organisational level are just as important:

Firewall: Keeping firewalls current and properly configured reduces malicious traffic crossing the network boundary and, in particular, limits which hosts can reach the control network, so that a compromised office workstation cannot talk directly to the substations. (Ciampa, 2014)

Authentication: Access to the control systems should be granted only to the people who need it, and remote access should require two-factor authentication so that a stolen password alone is not enough. There should be regular backups and well-maintained logs, so that if someone tampers with the data it can be restored from the server and the actions reconstructed. (Lee, 2016)

Email filter: An email filter should be in place, and mail from suspicious or lookalike domains should be blocked.
This keeps the organisation's mail domain trustworthy and reduces the attack surface. (Rhodes-Ousley, 2013)

Monitoring VPN: Virtual private network access should be monitored continuously and kept up to date, because the VPN is the remote door the attackers used: in the 2015 attack they logged in with credentials stolen from the utilities' staff. (Rhodes-Ousley, 2013)

System protection: Protect systems with up-to-date procedures and policies so that neither software nor hardware can be exploited. Many bots contact newly registered domains precisely because such domains are not yet on any blocklist, so filtering should take domain age into account. (Stallings, 2005)

Interesting facts: There were several reasons the attacks became well known. They took place while Ukraine was already in a tense geopolitical situation. Whereas most cyber-attacks result in data breaches, the main effect of the BlackEnergy attack was a power outage; it was the first publicly confirmed cyber-attack to cause one. The attackers were not engaged in cybercrime for profit but in causing an outage. The files used to spread the malware were Microsoft Office documents. The attackers compromised whole networks rather than a single IP address. The documents looked convincing, and a user could not tell that they carried malware. The main target was the energy sector, whereas most other attacks go after sites holding large amounts of customer data. For different categories of recipients the attackers sent different document templates. (Lee, 2016)