Word up: BlackEnergy SCADA hackers change tactics
TV stations the latest targets
A new BlackEnergy spear-phishing campaign is targeting more Ukrainian firms, including a television channel.
A spear-phishing document found by Kaspersky Lab analysts mentions the far-right Ukrainian nationalist political party "Right Sector" and appears to have been used in an attack against a popular television channel in Ukraine. Ukrainian TV station "STB" was previously named as a victim of the BlackEnergy Wiper attacks in October 2015.
The Russian-speaking BlackEnergy APT group are notoriously blamed for malware-based attacks against utilities that led to short power outages in the days before Christmas.
The BlackEnergy APT group has been actively using spear-phishing emails carrying malicious Excel documents with macros to infect computers in a targeted network since the middle of last year. However, in January this year, Kaspersky Lab researchers discovered a new malicious document which infects the system with a BlackEnergy Trojan. Unlike the Excel documents used in previous attacks, this was a Microsoft Word document.
Upon opening the document, the prospective mark is presented with a dialog recommending that macros are enabled in order to view the content. Enabling the macros triggers the BlackEnergy malware infection. Depending on the version of Trojan used, the functions of such additional payload may vary, ranging from cyber-espionage to data wiping.
"In the past, we've seen the BlackEnergy group target entities in Ukraine using Excel and PowerPoint documents," said Costin Raiu, director of the global research & analysis team at Kaspersky Lab.
"The use of Word documents was also expected, so this confirms our suspicions. In general, we are seeing the use of Word documents with macros becoming more popular in APT attacks. For instance, recently we observed the Turla APT group using documents with macros to launch a similar type of attack. This leads us to believe that many of these attacks are successful and that this is why their popularity is increasing."
Endpoint security specialists SentinelOne has also spotted [PDF] the recent change-up in tactics to target specific individuals running Microsoft Office.
The BlackEnergy APT group captured Kaspersky Lab's attention back in 2014 when it began deploying supervisory control and data acquisition (SCADA)-related plugins against victims in the industrial control systems and energy sectors around the world.
Subsequent research by Kaspersky and others suggests that the group is particularly active in the following sectors: energy, government and media in Ukraine, ICS/SCADA companies worldwide, and energy companies worldwide. The BlackEnergy hacking crew started with DDoS attacks before progressing onto more destructive payloads, including Siemens equipment exploitation and router attack plugins. ®