Ukrainian power distribution firms under cyber-attacks, again

Ukranian power distribution companies were targets, once again, of a cyber-attack. Security firm ESET was the first to report on the attack, saying it was similar, but still somewhat different from the attacks that occurred in December last year.

Unlike last year's attack, when BlackEnergy malware was used, this time the malware is based on a freely-available open-source backdoor.

This is important to notice as ESET pointed how the use of BlackEnergy could mean the attack was state-sponsored, concluding that Russia is most likely behind it.

This time, it says the use of a freely-available backdoor is "something no one would expect from an alleged state-sponsored malware operator”.

The attack itself works the same way – an email is sent to an employee, which contained an attachment with a malicious XLS file. It tries to trick the user into ignoring the built-in Microsoft Office Security Warning and execute the macro by saying: "Attention! This document was created in a newer version of Microsoft Office. Macros are needed to display the contents of the document.” (translated from Ukrainian).

If the macro is executed, a malicious Trojan downloader is launched, which will try to download and execute the final payload from a remote server.

ESET security solutions detect the threat as:

  • VBA/TrojanDropper.Agent.EY
  • Win32/TrojanDownloader.Agent.CBC
  • Python/Agent.N

ESET says that these attacks have gained widespread media attention for two reasons – this being the first time a cyber-attack led to a power outage, and that it was (probably) Russian, state-sponsored.

The security firm is very tentative in these statements, saying that whether the cyber-attack was to blame for the power outage, or it simply ‘enabled’ it was up for debate, as well as the idea that Russia was behind it.

“To sum it up, the current discovery does not bring us any closer to uncovering the origins of the attacks in Ukraine. On the contrary, it reminds us to avoid jumping to rash conclusions,” it says.