
BlackEnergy Malware: HMI Targeting

TL;DR

BlackEnergy3 is confirmed to have targeted Human Machine Interfaces (HMIs) in the Ukrainian power grid attacks. BlackEnergy2, while a precursor and used extensively, did not directly target HMIs. This guide explains how researchers determined this.

Understanding the Malware Families

Both BlackEnergy2 and BlackEnergy3 are sophisticated malware families used in targeted attacks, particularly against critical infrastructure. They share some similarities but have key differences that explain their differing capabilities and targets.

1. Identifying the Key Differences

  1. BlackEnergy2 (circa 2014-2015): Primarily a remote access trojan (RAT) used for espionage, data exfiltration, and initial compromise. It relied heavily on custom modules loaded after infection.
  2. BlackEnergy3 (circa 2015 onwards): Built upon BlackEnergy2 but included more advanced capabilities specifically designed to disrupt industrial control systems (ICS), including direct manipulation of HMIs.

2. Evidence from the Ukrainian Power Grid Attacks

The attacks on the Ukrainian power grid in December 2015 and subsequent incidents provided crucial evidence.

  1. Initial Compromise (Both): Both BlackEnergy2 and its successor were used to gain initial access to the networks of energy companies. This involved spear-phishing emails with malicious attachments.
  2. Credential Harvesting (Both): Once inside, both families harvested credentials to move laterally within the network.
  3. ICS Protocol Exploitation (BlackEnergy3): BlackEnergy3 uniquely exploited industrial control protocols like DNP3 and Modbus to directly interact with SCADA systems and HMIs. This allowed attackers to open breakers, shut down power substations, and cause outages.
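The DNP3 interaction described above is visible on the wire, and the same 0x05 0x64 start sequence that the later (simplified) BlackEnergy3 snippet checks for is what a defender keys on first. The following is an added Python example, written for this article and not code from the BlackEnergy samples or from any ICS vendor library: it parses DNP3 link-layer frames as laid out in IEEE 1815 (start bytes, length, control byte, 16-bit destination and source addresses, CRC-16/DNP over the header and over each 16-byte data block) and flags master-originated frames (DIR bit set) whose source address is not a known master. The frames, the addresses and the "known masters" set are all constructed for the example.

```python
"""Minimal DNP3 link-layer frame parser with CRC validation and a simple
"unexpected master" detection. Added example for this article; not
BlackEnergy code and not from any vendor library. Field layout follows
IEEE 1815 (DNP3); all frames and addresses below are constructed."""
from dataclasses import dataclass

DNP3_START = b"\x05\x64"
CRC16_DNP_POLY_REFLECTED = 0xA6BC   # reflected form of polynomial 0x3D65


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected, init 0, final XOR 0xFFFF (check value 0xEA82)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ CRC16_DNP_POLY_REFLECTED
            else:
                crc >>= 1
    return crc ^ 0xFFFF


@dataclass
class LinkFrame:
    length: int
    control: int
    dest: int
    src: int
    user_data: bytes

    @property
    def from_master(self) -> bool:
        return bool(self.control & 0x80)   # DIR bit: 1 = sent by a master

    @property
    def function_code(self) -> int:
        return self.control & 0x0F         # link-layer function code


def parse_link_frame(frame: bytes) -> LinkFrame:
    """Parse one DNP3 link frame; raise ValueError on malformed or CRC-failing input."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 link frame")
    header, hdr_crc = frame[:8], int.from_bytes(frame[8:10], "little")
    if crc16_dnp(header) != hdr_crc:
        raise ValueError("header CRC mismatch")
    length = header[2]                     # counts CTRL+DEST+SRC+user data, not CRCs
    if length < 5:
        raise ValueError("length field below minimum")
    user_len = length - 5
    user_data = bytearray()
    pos = 10
    while len(user_data) < user_len:       # user data travels in CRC-protected 16-byte blocks
        block_len = min(16, user_len - len(user_data))
        block = frame[pos:pos + block_len]
        block_crc = int.from_bytes(frame[pos + block_len:pos + block_len + 2], "little")
        if len(block) != block_len or crc16_dnp(block) != block_crc:
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos += block_len + 2
    if pos != len(frame):
        raise ValueError("trailing bytes after frame")
    return LinkFrame(length, header[3], int.from_bytes(header[4:6], "little"),
                     int.from_bytes(header[6:8], "little"), bytes(user_data))


def build_link_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a frame with correct CRCs; used here only to construct sample input."""
    header = (DNP3_START + bytes([5 + len(user_data), control])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    out = bytearray(header + crc16_dnp(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return bytes(out)


def flag_unexpected_masters(frames, known_masters):
    """Return (src, dest) for every master-originated frame from an unknown link address."""
    alerts = []
    for raw in frames:
        try:
            f = parse_link_frame(raw)
        except ValueError:
            continue                       # non-DNP3 or corrupt: out of scope for this check
        if f.from_master and f.src not in known_masters:
            alerts.append((f.src, f.dest))
    return alerts


# Constructed sample traffic: the legitimate master (address 1) polls outstation 10,
# the outstation answers (DIR=0), and an unknown host (address 200) also sends a
# master-style request. Control 0xC4 = DIR | PRM | function 4 (confirmed user data).
SAMPLE_FRAMES = [
    build_link_frame(0xC4, 10, 1, b"\xC0\xC1\x01\x3C\x02\x06"),   # master read poll
    build_link_frame(0x44, 1, 10, b"\xC0\xC1\x81\x00\x00"),       # outstation response
    build_link_frame(0xC4, 10, 200, b"\xC0\xC1\x01\x3C\x02\x06"), # unknown master
]

if __name__ == "__main__":
    for src, dest in flag_unexpected_masters(SAMPLE_FRAMES, known_masters={1}):
        print(f"ALERT: master-style DNP3 frame from unknown address {src} to {dest}")
```

The check is deliberately at the link layer: it needs only the header, so it works on captured frames before any application-layer decoding, and a frame that fails its CRC is dropped rather than interpreted. In practice the known-master set would come from the site's asset inventory, and the alert would be correlated with the TCP source address, since link addresses are trivially settable by whoever sends the frame.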

3. Analysing the Malware Samples

Researchers analysed malware samples recovered from infected systems.

  1. BlackEnergy2 Analysis: Disassembly of BlackEnergy2 samples revealed no native support for ICS protocols or HMI communication libraries. Its modules focused on network reconnaissance, file manipulation, and remote command execution.
  2. BlackEnergy3 Analysis: Samples of BlackEnergy3 contained code specifically designed to parse and manipulate DNP3 responses. This is demonstrated in the following (simplified) example:
    
    #include <stddef.h>
    #include <stdint.h>

    // Simplified DNP3 parsing snippet: the frame is treated as DNP3 only if it
    // carries the two-byte link-layer start sequence 0x05 0x64
    uint8_t buffer[292];                                   // largest possible DNP3 link frame
    size_t len = read_network_data(buffer, sizeof buffer); // assumed helper: returns bytes read
    if (len >= 2 && buffer[0] == 0x05 && buffer[1] == 0x64) {
      // Process DNP3 response...
    }
    
  3. HMI-Specific Modules: BlackEnergy3 included modules capable of directly reading and writing data to HMIs, allowing attackers to alter process values and control system operations.
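Before the disassembly work described in this section, analysts usually run a cheap first pass over each recovered module looking for the plaintext evidence of ICS protocol support that the BlackEnergy3 samples contained and the BlackEnergy2 samples did not. The following Python is an added example written for this article, not a tool from the original analysis: it scans a binary blob for protocol name strings, the DNP3 start bytes 0x05 0x64 and the Modbus/TCP port 502 in network byte order, weights the hits so that a two-byte constant (common by chance in any large binary) counts less than a protocol string, and reports a score with offsets. The two module blobs are constructed stand-ins, not real malware bytes.

```python
"""First-pass triage of a recovered module for ICS-protocol indicators.
Added example for this article (not code from the original analysis).
The indicator list and both sample blobs are constructed; a clean result
means "no plaintext indicators", not "no ICS code", because real samples
are commonly packed or decrypt their modules only at run time."""
import re
import struct
from typing import Dict, List, Tuple

# indicator name -> (regex over raw bytes, weight)
ICS_INDICATORS: Dict[str, Tuple[bytes, int]] = {
    "dnp3_start_bytes": (rb"\x05\x64", 1),               # DNP3 link-layer start sequence
    "dnp3_string":      (rb"(?i)dnp3", 3),
    "modbus_string":    (rb"(?i)modbus", 3),
    "modbus_port_502":  (struct.pack(">H", 502), 1),      # htons(502) as an immediate
    "iec104_string":    (rb"(?i)iec[ -]?60870|iec104", 3),
    "opc_string":       (rb"OPC", 2),
}


def scan_for_ics_indicators(blob: bytes) -> Dict[str, List[int]]:
    """Return {indicator: [byte offsets]} for every indicator present in the blob."""
    hits: Dict[str, List[int]] = {}
    for name, (pattern, _weight) in ICS_INDICATORS.items():
        offsets = [m.start() for m in re.finditer(pattern, blob)]
        if offsets:
            hits[name] = offsets
    return hits


def ics_score(hits: Dict[str, List[int]]) -> int:
    """Weighted score over distinct indicators: strings outweigh short constants,
    which occur by chance in almost any large binary."""
    return sum(ICS_INDICATORS[name][1] for name in hits)


def triage(blob: bytes) -> Tuple[int, Dict[str, List[int]]]:
    """Score a module and return the supporting hits for the analyst to inspect."""
    hits = scan_for_ics_indicators(blob)
    return ics_score(hits), hits


# Constructed blobs standing in for two extracted modules (not real malware bytes):
# one with only generic RAT functionality, one that references DNP3 and Modbus.
RAT_ONLY_MODULE = (b"\x4d\x5a" + b"\x00" * 32
                   + b"InternetOpenA\x00CreateProcessA\x00cmd.exe /c \x00")
ICS_AWARE_MODULE = (b"\x4d\x5a" + b"\x00" * 32 + b"dnp3_parse\x00" + b"\x05\x64\x0b\xc4"
                    + b"\x00" * 8 + struct.pack(">H", 502) + b"Modbus/TCP\x00")

if __name__ == "__main__":
    for label, blob in (("rat_only", RAT_ONLY_MODULE), ("ics_aware", ICS_AWARE_MODULE)):
        score, hits = triage(blob)
        print(f"{label}: score={score} hits={hits}")
```

A score of zero on every module, as the text reports for BlackEnergy2, is a reason to go to the disassembler rather than a conclusion on its own; the offsets returned for a positive hit are the addresses an analyst cross-references first to see whether the constant sits in real protocol-handling code or in unrelated data.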

4. Examining the Kill Chain

Mapping the attack kill chain revealed distinct differences.

  1. BlackEnergy2 Kill Chain: Compromise -> Reconnaissance -> Credential Theft -> Data Exfiltration. No direct interaction with ICS/HMIs.
  2. BlackEnergy3 Kill Chain: Compromise -> Reconnaissance -> Credential Theft -> ICS Protocol Exploitation -> HMI Manipulation -> Disruption of Operations.

5. Tools Used for Analysis
