Malware used in the attacks against Ukraine’s energy sector targeted other organizations, researchers said.
The Russia-linked BlackEnergy malware, known to target SCADA systems in Europe and the United States, and KillDisk, a plugin designed to destroy files and make systems inoperable, were spotted last year in attacks aimed at Ukraine’s energy sector, said researchers at Trend Micro.
Ukrainian authorities accused Russia of being behind the attacks that resulted in significant power outages.
An analysis of the campaign revealed while BlackEnergy and KillDisk were on the targeted systems, the malware was likely not directly responsible for the outages.
Trend Micro researchers said they found BlackEnergy and KillDisk samples on the systems of a Ukrainian mining company and a major railway operator. Researchers said these assaults ended up conducted by the same attacker that targeted the country’s power companies.
In the case of the infections at the Ukrainian mining company, experts uncovered several samples where the names and functionality was similar to the samples spotted in the power utility attacks.
The malware, used in November and December, communicated with some of the same command and control (C&C) servers observed in the energy attacks.
Trend Micro noticed the systems of the same mining company were also infected with multiple variants of KillDisk. The samples don’t match the ones used in the energy attacks exactly, but they do exhibit the same functionality.
Trend Micro also spotted KillDisk infections on the systems of a Ukrainian railway company that is part of the country’s national railway system. The KillDisk sample found by researchers matched one used in the electric utility attacks.
“This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network,” Trend Micro senior threat researcher, Kyle Wilhoit, said in a blog post.
Based on the similarities between the samples, naming conventions, infrastructure overlaps, and the timing of the attacks, experts believe the same threat actor targeted all of these Ukrainian organizations, and they have several theories about the attacker’s goals.
“One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities,” Wilhoit said. “Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.”
The United States fear that attacks like the one aimed at Ukraine’s energy sector could end up launched against its own critical infrastructure.