SentinelOne claims BlackEnergy 3 is being spread by insiders at Ukrainian power station
SentinelOne claims BlackEnergy 3 is being spread by insiders at Ukrainian power station
Security vendor SentinelOne claims that the BlackEnergy 3 malware is an insider job. The malware has been identified as being involved in an attack on SCADA systems at a Ukrainian power station. It’s a bold claim that makes a number of assumptions such as IT properly patching systems and users being educated enough not to click documents containing infected macros.

SentinelOne is promising a more detailed analysis at a later date but for now it has put out a interim document that seeks to back up the insider claims. For those not aware of BlackEnergy, it is a malware family that has been around since 2007 when it was developed to support Distributed Denial of Service (DDoS) attacks.

Since then, like a lot of malware, it has evolved substantially. SentinelOne claims that this latest version is now far more than just crimeware. It openly alleges that this is a nation-sponsored campaign and that there is not just one or two individuals or organisations behind it but a significant number of different groups. Each of those groups has developed part of the rootkit which has then been assembled into its final form by another team.

To back up the claim of multiple individuals, SentinelOne points out that iSight Partners have already proven a link between BlackEnergy and the Sandworm Team. Since then, a number of other groups have joined the project as apparently evidenced by the different styles, approaches and signatures that can be found in the different components.

BlackEnergy 3 using MS Office

Like a lot of malware today, especially spear phishing malware, MS Office documents with infected macros are being used to help distribute BlackEnergy 3. The majority of the document types used are Microsoft Excel, presumably because it is easier to hide a macro inside a complicated spreadsheet than a Word document or PowerPoint presentation.

Microsoft has already issued a patch for CVE-2014-4144, the exploit that was being used by BlackEnergy 3. This has not stopped the spread of the malware leading SentinelOne to determine that the only way infection rates are continuing is through deliberate action on behalf of an employee. In the release it states:

“At this point it would be highly unlikely that organizations have not deployed the patch against CVE-2014-4114, thus the most likely conclusion is use of an internal actor. ”

This statement from SentinelOne offered up with no evidence that they have talked to affected organisations is strange. Yes there is a patch for the CVE but as we’ve seen with other attacks it can take a long time before patches are applied in some organisations. In addition, they seem to be dismissing the possibility that the writers are using another unknown exploit that negates the patch and assuming that the patch is a perfect fix. As we’ve seen before with other attacks, both of these are possibilities here.

All the signs point to Russia

This is the second time in a week that a security company has pointed the finger at Russia as the source of malware. In this case, SentinelOne has stepped up its game by not only pointing at Russia but alleging that this is nation-sponsored malware.

The evidence for this is provided early in the piece where it appears the malware authors left details of their debugging environment in the final code. The SentinelOne analysis is that it points to the toolkit/s used being authored for ‘black ops’ and in use by multiple groups. They highlight malware stealing banking credentials in Georgia during its conflict with Russia. In addition they link it to attacks that shutdown Estonian government websites and Internet in 2007.

Circumventing network controls

Hidden inside BlackEnergy 3 is its ability to take advantage of RAW sockets. What this means is that the malware can create its own network connections below the level of the existing network stack. As a result it is capable of using its own protocols and spoofing network addresses and MAC addresses.

The use of RAW sockets was in the original version of BlackEnergy and goes back to the origins of the malware as a DDoS tool. Since it first came out Microsoft has moved to limit the use of RAW sockets but the fact BlackEnergy 3 is still using them and using them effectively suggests more needs to be done.

This creates a problem for network security teams as the malware is able to pretend to be another machine on the network making it hard to track down. One solution is to use data analytics to identify traffic flow on the network rather than rely on IP and MAC addresses. This should help to reduce the locations where BlackEnergy 3 is located and make detection easier. Analytics would also help to identify which users were logged on when the malware was activated helping to identify the ‘insider’ responsible.


This is not the last time we will see reports of macros being used to drop malware and it shows just how effective spear phishing and infected Office documents can be. It highlights the ongoing dangers in Office documents making it as much of a problem for many companies as Adobe Flash. The problem is what can companies do to reduce the danger?

UK security company Glasswall would like to see white lists deployed but that requires a major process and culture change inside organisations. Microsoft is becoming more responsive to Office exploits but there will always be a drag between detection, solution and systems being patched. User education is another route but that requires companies to invest in their staff. Ultimately all of these may have a part to play.

There are questions over the SentinelOne claim of a malicious insider but it is as good an assumption as the failure of organisations to properly patch or another zero-day attack. It will be interesting therefore to see the final detailed report. In particular the evidence of nation-state sponsorship will be looked at carefully by others along with links to other malware and crimeware.


Please enter your comment!
Please enter your name here