The BlackEnergy toolkit seems to have been deployed as early as 2007 when publicly analyzed by Arbor Networks. It was a DDoS attack using just HTTP and PHP. It evolved in 2008 into a rootkit, BlackEnergy2, which was, according to, whose paper gives a complete analysis, similar enough to the existing rootkit Rustock to sometimes be detected as such. BlackEnergy2 had a banking plugin designed to steal banking credentials from infected users. It could then corrupt the disk, making it non-bootable, and then shut down the system (presumably so that the owner could not check the compromised bank account.) The 2014 evolution, described by ESET and also by F-Secure, was used in various industries of the Ukraine and Poland.

BlackEnergy3 is another variant, used by actors identified as the Quedagh gang (possibly Russian government sponsored), which F-Secure reports as being used to target political organizations with crimeware.

BlackEnergy3 is similar to the BlackEnergy used to infect various industrial control systems. Infected programs include GE’s Cimplicity, Siemens’ WinCC, and Advantech/Broadwin’s WebAccess. There are also some similarities to the malware Sandworm, which was used in a 2013 Russian cyberattack against NATO, the European Union, overseas telecommunications, and energy sectors. These various links and similarities give rise to speculation of a larger, government sponsored, program.

This all bothered DHS enough to issue, on October 29, 2014, a threat alert. Sadly, this has been reported as business as usual for the nation’s two regulated (nuclear and power grid) industries. It is not clear to me that the threat alert was a good idea; it’s a little like crying “wolf” when there’s no wolf … yet….


Tags: , , , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: