Cyber attacks against the Ukraine power industry look set to continue after security firm ESET uncovered evidence of a fresh wave of malware strikes on the country's critical infrastructure.
However, unlike in the previous attacks that hit a power grid in December and a major airport last week, the BlackEnergy malware is not thought to be involved this time.
Instead, the new variant is reportedly based on a freely available open source backdoor written in the Python programming language. ESET explained that this is a technique not often used by state-sponsored hackers.
"We expected to see the BlackEnergy malware as the final payload, but a different malware was used this time," said ESET researcher Robert Lipovsky.
The malware has changed, but the attack remains similar. The hackers use spearphishing emails containing malicious XLS files, the same technique used by the Sandworm group in the past.
The XLS file attempts, with the help of social engineering tactics, to trick the recipient into ignoring the built-in Microsoft Office security warnings, according to Lipovsky. Text in the document reads: 'Attention! This document was created in a newer version of Microsoft Office. Macros are needed to display the contents of the document.'
The macro launches a trojan that attempts to execute a final payload from a remote server. "The server hosting the final payload is located in Ukraine and was taken offline after a notification from CERT-UA and CyS-CERT," said Lipovsky.
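The chain described above (Office document, macro-launched trojan, payload fetched from a remote server) leaves a recognisable trace in endpoint telemetry: an Office process spawning an executable from a user-writable path, which then opens a network connection. The following is an added example, not code from the article, ESET or CERT-UA; it runs that check over a few constructed Sysmon-style log lines (the image paths, PIDs and IP address are all made up).

```python
import re

# Added example (not from the article): flag the macro-to-remote-payload chain
# in process-creation (EID 1) and network-connection (EID 3) events.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Heuristic: a macro-dropped stager usually lands in a user-writable folder
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads)\\", re.IGNORECASE)
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample telemetry, loosely modelled on Sysmon key=value output.
SAMPLE_EVENTS = [
    "EID=1 Parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE "
    "Image=C:\\Users\\op\\AppData\\Local\\Temp\\vba_macro.exe PID=4412",
    "EID=3 PID=4412 DestIp=203.0.113.10 DestPort=80",
    "EID=1 Parent=C:\\Windows\\explorer.exe "
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE PID=2200",
    "EID=1 Parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE "
    "Image=C:\\Windows\\splwow64.exe PID=2300",   # benign print helper, not flagged
    "EID=3 PID=2300 DestIp=10.0.0.5 DestPort=9100",
]


def parse(line):
    """Turn one 'Key=value Key=value' line into a dict."""
    return dict(FIELD.findall(line))


def find_office_spawned_payloads(lines):
    """Return (pid, image, dest) for processes that an Office app spawned from a
    user-writable path and that subsequently made an outbound connection."""
    suspects = {}   # pid -> image of Office children worth watching
    hits = []
    for ev in map(parse, lines):
        if ev.get("EID") == "1":
            parent = ev.get("Parent", "").rsplit("\\", 1)[-1].lower()
            image = ev.get("Image", "")
            if parent in OFFICE_PARENTS and USER_WRITABLE.search(image):
                suspects[ev["PID"]] = image
        elif ev.get("EID") == "3" and ev.get("PID") in suspects:
            hits.append((ev["PID"], suspects[ev["PID"]],
                         f"{ev['DestIp']}:{ev['DestPort']}"))
    return hits


if __name__ == "__main__":
    for pid, image, dest in find_office_spawned_payloads(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} office child {image} connected to {dest}")
```

Only the Temp-resident child of EXCEL.EXE that reaches out to the network is reported; the legitimate EXCEL.EXE launch and its system-path helper are left alone.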
However, despite numerous fingers being pointed at Russia as the culprit, ESET said that it remains unclear who is actually responsible.
"We currently have no evidence that would indicate who is behind these attacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not. In any case, it is speculation at best," Lipovsky stressed.
"The current discovery suggests that the possibility of false flag operations should also be considered. We have stated before that great care should be taken before accusing a specific actor, especially a nation state."
The Ukrainian Computer Emergency Response Team warned of an increased risk of cyber attack last week after an airport was hit with an attempted infection.
"Attention to all system administrators. We recommend a check of log-files and information traffic," the organisation said on its website, via Google Translate.
The warning to IT teams across Ukraine comes after a suspected malware attack on Kiev's main airport, Boryspil. The malware is thought to be a similar strain to that used against Ukrainian power firms in late December.
Military spokesman Andriy Lysenko told Reuters: "The control centre of the server, where the attacks originate, is in Russia." He added that the malware variant detected by the airport's computer system was stopped before any damage could be done.
Ukrainian investigators are now probing whether the malware is connected to the BlackEnergy strain suspected to have been used in the previous attacks on national critical infrastructure.
A 'coordinated attack'
Meanwhile, detailed analysis by cyber experts at SANS Industrial Control Systems (ICS) confirmed that the previous outage at a Ukraine power grid was a "coordinated intentional attack".
"After analysing the information that has been made available by affected power companies, researchers and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine," said Michael Assante, director of SANS ICS.
"We assess with high confidence based on company statements, media reports and first-hand analysis that the incident was due to a coordinated intentional attack."
The SANS ICS research team, which works alongside firms that manage critical infrastructure to strengthen cyber security, has been analysing fragments of malware from the suspected Russian attack since the incident took place.
SANS said that the attackers, who remain unknown at this time, demonstrated "planning, coordination and the ability to use malware and possible direct remote access" to cause the power grid blackout and hinder the emergency response at Prykarpattyaoblenergo, a power company in western Ukraine.
"This attack consisted of at least three components: the malware; a denial-of-service [DoS] to the phone systems; and the missing piece of evidence of the final cause of the impact," reported Assante.
"Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts."
The "coordinated" DoS assault on the power firm's phone lines was designed to limit the ability of first responders and customers to report the power cut.
Additionally, the security researchers assess "with high confidence" that there were other attacks against regional power companies.
Security firms including ESET and iSight Partners produced evidence that the blackout may have been the work of the Sandworm hacker group using a malware tool known as BlackEnergy with a new component called KillDisk.
But these assertions have been disputed by the SANS research. "Malware likely enabled the attack. There was an intentional attack, but the KillDisk component itself did not cause the outage," said Assante.
"We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information."
The SANS director commended the response of the Ukrainian power plant operators for being able to fix the systems in such a short time.
"Field staff at the affected power companies manned the required substations, transferring from automatic to manual mode, and manually re-closed breakers to energise the system," he said.
"Restoration varied but all services were restored in three to six hours. In many ways, the Ukrainian operators should be commended for their diligence and restoration efforts."
Finding the culprit
Previously, the cyber attack was linked to the Russian hacking group Sandworm Team by US security firm iSight Partners.
"We have linked Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that has become their calling card," John Hultquist, director of cyber espionage analysis at iSight Partners, said in a blog post.
"We have analysed the forensic evidence we have been able to obtain from the region, contextualising it within our knowledge of cyber espionage actors. Many details of the event remain unknown and, given the nature of the incident, especially the use of destructive malware, we do not anticipate every detail will be exposed."
iSight has been tracking the Sandworm group for over a year, disclosing in October 2014 that it had used a zero-day exploit to target Ukrainian government officials, and members of the EU and NATO. Shortly after these findings, security experts at Trend Micro reported the group was also targeting SCADA systems that control and monitor industrial automation.
Attack could happen anywhere
Meanwhile, it has been said that the malware suspected to have been used in the cyber attack "could be directed anywhere", posing a threat to all nations, according to a former FBI cyber expert.
Leo Taddeo, who is currently chief security officer at US firm Cryptzone, warned that the type of malware used to target energy companies in Ukraine is not confined to the region.
"Geography is no barrier to attack in our connected world. This attack appears to be focused on the Ukrainian media and energy sectors, but that's likely due to the attacker's desire to disrupt those specific targets, rather than any technical limitation of the malware," he said.
Ukraine has blamed Russia for the attack. This is difficult to prove, but Taddeo explained that the evidence points towards the involvement of a nation state.
"Sophisticated criminal groups would not expend the time or resources to target media outlets or critical energy infrastructure. Those targets don't offer payoffs that criminal groups look for," he said.
"On the other hand, a nation state, most likely Russia or one of its proxy hacking groups, is behind the attacks. The tactics and targets fit into Russia's past use of cyber weapons in support of its military and political objectives."
Jens Monrad, threat intelligence liaison manager EMEA at FireEye, agreed that attacks on critical infrastructure "can happen everywhere" but stopped short of suggesting who might be responsible for the power grid incident.
"While there is attention on attacks on industrial control system [ICS] environments, the reality is that there is little data gathered and therefore the insight into potential attacks, malicious payloads and potential breaches is limited," he told V3.
However, Monrad said that attacks on key sectors such as energy are likely to increase as reliance on the internet grows. "These environments are becoming more connected and operated via network connected environments, some even directly operated via the internet," he said.
"Companies need to ensure they have a plan and the right maturity to detect threats, respond to them and contain the breach, so they can continue operating while they are under attack."
Robert M. Lee, a former US intelligence expert and current CEO of Dragos Security, managed to acquire a sample of the original malware used in the attack and has published some initial analysis on his website.
"The malware is a 32-bit Windows executable and is modular in nature indicating that this is a module of a more complex piece of malware," he said.
Lee speculated that the wiping function of the malware is "likely to be for the purposes of cleanup after the attack" and does not appear to be capable of causing the outage.
He added: "Security personnel in ICS organisations should be actively looking for threats. The Ukrainian incident should not be seen as an incident that only affects one site in a foreign country, although no panic or alarm should be taken, only due diligence towards defence."
Multiple teams are now analysing the malware, according to Lee. "I passed the malware sample to Kyle Wilhoit, a senior threat researcher at Trend Micro, who has done great work in the ICS community before, who confirmed through static analysis that the malware has a wiping routine that would impact infected systems," he said.
"The idea of a cyber attack on infrastructure that leads to an impact to operations is very serious in nature and must be handled with care, especially when there is geopolitical tension in an area such as Ukraine."
Following the news that Ukraine is investigating the power grid failure, security firm ESET revealed evidence that the malware may be a variant of BlackEnergy, which has been in circulation in various forms since 2007. This, however, is now in dispute by the latest SANS research conclusions.
A report on Reuters initially claimed a large section of the grid was taken offline by "interference" on 23 December, and that the blame had been pinned on Russia. The SBU, a Ukrainian security service, said that, if undetected, it would have left the region facing a major power blackout.
The Energy Ministry in Kiev said in an update that the department will set up a special commission to investigate the incident, Reuters also revealed.
Russia and China are thought to have the most sophisticated cyber capabilities alongside the Five-Eyes cyber alliance of Australia, Canada, New Zealand, the UK and the US.