Thanks to James Wyke and Anna Szalay of SophosLabs for doing the hard parts of this article.
You may have read news stories over the New Year’s break about hackers causing power outages in Ukraine, using malware as their primary toolkit for attack.
Ars Technica went as far as to lead with the headline: “First known hacker-caused power outage signals troubling escalation.”
(You may have to read that headline several times: you need to parse signals as a verb, not a noun; and troubling as an adjective, not a verb.)
The article was perhaps a little more circumspect, suggesting that “if confirmed it would be the first known instance of someone using malware to generate a power outage,” but the story is worth learning from nevertheless.
Whether the malware was the cause of an outage, or merely a symptom of a more general security problem, isn’t clear.
The story goes roughly like this:
- Company X receives an Excel file via mail. The file contains macros, which don’t run by default, but if the recipient clicks to allow them, the macros install malware from a family called BlackEnergy.
- BlackEnergy is what is known as a bot or zombie, which calls home to receive instructions from the remote attackers. (The malware name predates any connection with the energy industry.)
- The attackers can then install various additional malware items, such as a data-trashing Trojan called KillDisk, and a hacked copy of the DropBear SSH server that has backdoor “master passwords” programmed into it.
According to security firm ESET, this malware cocktail, or parts of it, appeared at various Ukraine energy companies in December 2015.
What actually happened can only be guessed at, of course, but if you were to end up with a raft of infected Windows computers inside your electricity distribution control centre, and those computers could be used to manage load and control power connections in your local area…
…then an attacker who could log in remotely (because he knew the secret password for a remote access Trojan you didn’t realise was installed), run commands of his choice, and then zap data on your computers to the point that they would crash and not reboot (because he could run a disk-killing Trojan from afar) would cause considerable disruption.
If he were to turn off power to a region, or a suburb, or even an individual property, that would cause an outage.
If you tried to turn the power connections back on but found you couldn’t do so until after IT had rushed around reimaging the broken computers in your control centre, that might make the outage last hours rather than minutes.
As it happens, the KillDisk Trojan that ESET says was found along with the BlackEnergy malware in Ukraine is well-equipped to leave your computer a digital mess.
KillDisk includes numerous different data-wiping components, presumably with the intention that if the more serious ones don’t work because your security settings are strict enough, you may nevertheless end up in trouble.
In increasing order of severity, KillDisk has code for each of these:
- Wipe out the Windows event log.
- Delete all Windows Shadow Copy backup files.
- Reinitialise logical volumes with the FORMAT command, as you might when reinstalling your operating system.
- Overwrite all physical sectors (including boot sector, operating system files, swap files, applications and data) on up to 10 hard disks.
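Each of the four stages above leaves a trace in ordinary process-creation telemetry before the damage is done, which is what a defender can watch for. The script below is an added example (not Sophos code, and not derived from the KillDisk sample itself): it maps the four stages to command-line patterns, runs them over a handful of constructed log lines in a simplified "timestamp host user image | command line" layout, and raises one alert per host when several stages cluster within a short window or the raw-disk stage appears at all. The log format, the host and user names, and the 15-minute window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four KillDisk stages from the article, in increasing order of severity,
# mapped to command-line patterns a defender can watch for in process-creation
# events (Windows Security 4688 and Sysmon event 1 both record the command line).
# The patterns are this example's own and are illustrative, not exhaustive.
RULES = [
    (1, "event-log-wipe",     re.compile(r"\bwevtutil(\.exe)?\s+cl\b|\bClear-EventLog\b", re.I)),
    (2, "shadow-copy-delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic\b.*\bshadowcopy\s+delete\b", re.I)),
    (3, "volume-format",      re.compile(r"\bformat(\.com)?\s+[a-z]:", re.I)),
    (4, "raw-disk-access",    re.compile(r"\\\\\.\\PhysicalDrive\d+", re.I)),
]

# Constructed log lines (not real telemetry) in a simplified layout:
# "<ISO timestamp> <host> <user> <image path> | <command line>"
SAMPLE_EVENTS = [
    "2015-12-23T17:02:11 scada-ws01 CORP\\operator C:\\Windows\\System32\\notepad.exe | notepad.exe shift_log.txt",
    "2015-12-23T17:04:55 scada-ws01 CORP\\operator C:\\Windows\\System32\\wevtutil.exe | wevtutil cl System",
    "2015-12-23T17:05:01 scada-ws01 CORP\\operator C:\\Windows\\System32\\vssadmin.exe | vssadmin delete shadows /all /quiet",
    "2015-12-23T17:05:30 scada-ws01 CORP\\operator C:\\Windows\\System32\\format.com | format D: /fs:ntfs /q /y",
    "2015-12-23T17:06:02 scada-ws01 CORP\\operator C:\\Users\\operator\\AppData\\Local\\Temp\\svchost.exe | svchost.exe \\\\.\\PhysicalDrive0",
    "2015-12-23T17:10:00 scada-ws01 CORP\\backupsvc C:\\Windows\\System32\\vssadmin.exe | vssadmin list shadows",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<image>.+?)\s+\|\s+(?P<cmd>.*)$"
)


def parse_event(line):
    """Split one sample line into its fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def classify(event):
    """Return the (severity, stage) pairs whose pattern matches this event."""
    text = event["image"] + " " + event["cmd"]
    return [(sev, stage) for sev, stage, rx in RULES if rx.search(text)]


def detect_wiper_activity(lines, window=timedelta(minutes=15)):
    """One alert per host whose matches cluster into >=2 distinct stages within the
    window, or include raw physical-disk access at all (the stage that lives up
    to the name KillDisk). Benign look-alikes such as 'vssadmin list shadows'
    never match a rule and so never contribute."""
    hits_by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for sev, stage in classify(ev):
            hits_by_host[ev["host"]].append((ev["ts"], sev, stage))

    alerts = []
    for host, hits in hits_by_host.items():
        hits.sort()
        start = hits[0][0]
        clustered = [h for h in hits if h[0] - start <= window]
        stages = sorted({(sev, stage) for _, sev, stage in clustered})
        top = stages[-1][0]
        if top >= 4 or len(stages) >= 2:
            alerts.append({"host": host, "top_severity": top,
                           "stages": [stage for _, stage in stages]})
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_activity(SAMPLE_EVENTS):
        print(f"{alert['host']}: severity {alert['top_severity']}, stages {alert['stages']}")
```

The point of clustering rather than alerting on each pattern alone is that individually, clearing a log or deleting shadow copies is something an administrator occasionally does on purpose; a run of them from one host in a few minutes, or any process opening a physical drive directly, is what warrants an immediate look.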
The last item really lives up to the name KillDisk, but any of the others are likely to cause significant trouble for you and your IT department, and would put a very serious dent in your day.
WHAT TO DO?
- Use email filtering to remove risky attachments as early as possible in the delivery chain.
- Treat unsolicited attachments with great caution.
- Don’t enable Excel or Word macros just because an emailed document tells you to. Doing so is equivalent to downloading and running a program, and clicking through all the warnings, just because an unknown person told you to.
- Consider using Microsoft’s dedicated Word and Excel viewer programs to look at email attachments. Most documents will display just fine, but embedded macros aren’t supported and thus cannot run.
- Use the most recent Windows version you can for added protection against tricks such as physical disk wiping.
- Use web filtering to limit the ability of unknown software to download and install new content, and to block “call home” requests that are likely to be associated with zombie malware.
- Make sure your anti-virus software is up-to-date and that its active protection is turned on (on-access or real-time scanning), so that you can not only detect the presence of malware, but also block it from running in the first place.
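The first three items above, and the macro-laden Excel file that opened the story, come down to the same question at the mail gateway: does this attachment carry a VBA project? The script below is an added example (not Sophos code) of a coarse attachment triage that answers it for both Office container formats: an OOXML document is a zip, so it looks for a vbaProject.bin member; a legacy binary .xls or .doc is an OLE2 compound file, so it scans the raw bytes for the UTF-16LE storage names Excel and Word use for their VBA projects. The samples are constructed in memory (the "legacy .xls" is just the OLE2 header, padding and a storage name, not a real document), and the verdicts, extension list and marker strings are this example's own assumptions, not a full Office parser.

```python
import io
import zipfile

# Magic numbers for the two Office container formats
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .xls/.doc (compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .xlsx/.xlsm/.docx/.docm (zip)

MACRO_EXTENSIONS = {"xlsm", "xltm", "xlam", "docm", "dotm", "pptm"}

# Inside a legacy Office file the VBA project lives in a named storage whose
# directory entry is UTF-16LE: "_VBA_PROJECT_CUR" for Excel, "Macros" for Word.
# Searching the raw bytes for these is a heuristic, not a compound-file parse.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT_CUR", "Macros")]


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'flag' or 'allow'."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "flag", "unreadable zip container"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "block", "OOXML container carries a VBA project (vbaProject.bin)"

    elif data.startswith(OLE2_MAGIC):
        if any(marker in data for marker in OLE_VBA_MARKERS):
            return "block", "legacy Office file carries a VBA project storage"

    if ext in MACRO_EXTENSIONS:
        # Macro-enabled name but no macro storage recognised: hold for a human look
        return "flag", "macro-enabled extension without a recognised VBA project"
    return "allow", "no macro container found"


def build_ooxml(member_names):
    """Constructed stand-in for an OOXML document: a zip with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"<stub/>")
    return buf.getvalue()


# Constructed samples, none of them real malware or real documents
SAMPLES = {
    "report.xlsx":  build_ooxml(["[Content_Types].xml", "xl/workbook.xml"]),
    "invoice.xlsm": build_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"]),
    "invoice.xls":  OLE2_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 32,
    "memo.docm":    build_ooxml(["[Content_Types].xml", "word/document.xml"]),
    "brochure.pdf": b"%PDF-1.4\n%stub\n",
}


def triage_samples(samples=SAMPLES):
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_attachment(name, data)
        print(f"{name:14s} {verdict:6s} {reason}")
```

Two design choices matter here. The verdict is driven by the content, not the file extension, because a renamed .xlsm still carries its vbaProject.bin and a legacy .xls has no separate macro-enabled extension at all. And a macro-enabled extension with no recognisable project is flagged rather than allowed, since the absence of a match from a heuristic like this one is not evidence that the file is clean.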
SOPHOS PRODUCTS DETECT AND BLOCK THIS MALWARE AS FOLLOWS
• Booby-trapped XLS document: Troj/DocDl-AQE
• BlackEnergy malware installers: Troj/BlackEn-C
• Various BlackEnergy components: Mal/BlackEn-(A,B,C)
• KillDisk and components: Mal/Defkill-A, Troj/Agent-(APPL,APUJ)
• DropBear-based SSH backdoor: Troj/DrpBear-A
(Note that BlackEnergy, KillDisk and the SSH backdoor are independent malware items that could be delivered separately or in combination with other malware, which is why we detect them separately.)