In what is apparently the first major cyber attack to successfully strike public utilities, hundreds of thousands of homes in Ukraine were left without electricity last week. It is reported that at least three substations in Ivano-Frankivsk were disconnected due to a malware infection. Unsurprisingly, given the geopolitics of the region, attribution is being inferred to point toward Russia, though this is by no means certain.
Researchers have stated that these substations were not the only targets and other electricity companies were also targeted with the same malware, known as BlackEnergy. This family of malware has previously only been associated with acts of targeted espionage, so this departure to attack public utilities is a concerning one.
Even more concerning is how, according to the ESET team of analysts, the attack was carried out. A relatively simple spear-phishing email carried an attached Microsoft Office document embedded with malicious code; if the recipient clicked the encouraging ‘enable macros’ prompt, they ended up infected with malware. This goes to show, once again, how the most important technical systems can be compromised by poor end user knowledge and education.
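Since the initial foothold described above depends on a user enabling macros in an Office attachment, one practical defensive control is to check inbound attachments for an embedded VBA project before they reach a mailbox. The following is an added example written for this article, not code from the original post or from ESET; it uses only the Python standard library. It assumes the two common container formats: OOXML (.docm/.xlsm/.pptm, a ZIP archive whose macro payload is stored as `vbaProject.bin` and declared in `[Content_Types].xml`) and the legacy OLE compound file (.doc/.xls), where the presence of a `_VBA_PROJECT` stream name, stored as UTF-16LE in the directory, is used as a heuristic. The sample inputs are constructed in memory so the script runs offline; the OLE sample is a constructed byte blob with the right magic header rather than a real compound file.

```python
import io
import zipfile

# Magic numbers for the two Office container formats (assumption: only these two are handled).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# OLE directory entries store stream names as UTF-16LE; "_VBA_PROJECT" marks a VBA project.
VBA_PROJECT_UTF16 = "_VBA_PROJECT".encode("utf-16-le")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_office_blob(data: bytes) -> dict:
    """Return a triage verdict for an Office attachment held in memory.

    The result dict has the container type, whether a VBA project was found,
    and the evidence that led to that verdict so an analyst can review it.
    """
    verdict = {"container": "unknown", "has_macros": False, "evidence": []}

    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            verdict["evidence"].append("ZIP header present but archive is corrupt")
            return verdict
        with archive:
            names = archive.namelist()
            # Macro payload lives at word/, xl/ or ppt/ vbaProject.bin; match on the basename.
            for name in names:
                if name.rsplit("/", 1)[-1].lower() == "vbaproject.bin":
                    verdict["has_macros"] = True
                    verdict["evidence"].append(f"stream {name}")
            # The package manifest also declares the VBA part's content type.
            if "[Content_Types].xml" in names:
                if VBA_CONTENT_TYPE in archive.read("[Content_Types].xml"):
                    verdict["has_macros"] = True
                    verdict["evidence"].append("[Content_Types].xml declares vbaProject")

    elif data.startswith(OLE_MAGIC):
        verdict["container"] = "ole"
        # Heuristic: a directory entry named _VBA_PROJECT only exists when a VBA project is present.
        if VBA_PROJECT_UTF16 in data:
            verdict["has_macros"] = True
            verdict["evidence"].append("_VBA_PROJECT stream name found in OLE directory")

    return verdict


def build_ooxml_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
        content_types = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macros:
            archive.writestr("word/vbaProject.bin", b"\x00constructed-vba-bytes\x00")
            content_types += (
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        content_types += "</Types>"
        archive.writestr("[Content_Types].xml", content_types)
    return buf.getvalue()


def build_ole_sample(with_macros: bool) -> bytes:
    """Construct a byte blob that mimics an OLE header plus directory names (constructed, not a valid file)."""
    body = b"\x00" * 64 + "WordDocument".encode("utf-16-le") + b"\x00" * 64
    if with_macros:
        body += VBA_PROJECT_UTF16 + b"\x00" * 64
    return OLE_MAGIC + body


if __name__ == "__main__":
    samples = {
        "clean.docx": build_ooxml_sample(with_macros=False),
        "invoice.docm": build_ooxml_sample(with_macros=True),
        "clean.doc": build_ole_sample(with_macros=False),
        "report.doc": build_ole_sample(with_macros=True),
    }
    for filename, blob in samples.items():
        v = classify_office_blob(blob)
        flag = "QUARANTINE" if v["has_macros"] else "pass"
        print(f"{filename:14} {v['container']:7} {flag:10} {'; '.join(v['evidence'])}")
```

In a mail gateway this check would sit in front of the user rather than relying on them to refuse the ‘enable macros’ prompt; a positive result is a reason to quarantine or detonate the attachment, not proof of malice, since legitimate macro-enabled documents exist. The OLE branch is deliberately a byte-level heuristic; a production filter would parse the compound file directory properly (for example with a dedicated OLE library) rather than scanning the raw bytes.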
The technical details of the attack vector can be found on WeLiveSecurity here: BlackEnergy by the SSHBearDoor.