Article by Mr. J. Tate, Chief Intelligence Officer, bits&digits, Peerlyst.com, published April 2016.
As a member of the InfraGard community, this initial cyber mitigation strategy may be of use to our associates within the Power/Utility industry in light of the recent Power Plant outage in Ukraine.
I read over the tactics, techniques, and protocols observed by leading security vendors and investigating threat intelligence notes on the Black Energy variant used in Ukraine. Afterwards, I developed an initial plan of action document for System Engineers to implement within their enterprises as a 2nd layer of defense (the first being the technologies and security policies the institutions should have in place).
Network Defense Action Wednesday, January 6, 2016
Subject: Information Security Information Alert – Immediate Signature Implementation and IP Trap list for Black Energy
Purpose: To provide the InfraGard / SCADA community with awareness of, and risk mitigations for, Black Energy Trojan infection.
Background: On December 23, 2015, around 700,000 people in the Ivano-Frankivsk region, Ukraine, were left without electricity for several hours. This is about half of the homes there. Disakil (Black Energy) is a multi-stage threat whose main characteristic is its appetite for destruction. According to ESET researchers, the attackers have been using the Black Energy backdoor to plant a KillDisk component onto the targeted computers to render them unbootable.
The Black Energy trojan described above does not by itself complete the three-part chain used to take down the Ukrainian Power Plant. Black Energy is the injector. C2 (command and control), along with the loading of auxiliary code, is handled by an SSH backdoor which installs an SSH server (DropBear) on the infected host to listen on port 6789. This port is not commonly used within a SCADA or Power / Utility enterprise, and its use should be monitored at all internal and external filtering devices.
Finally, the coup de grâce (touch of death), as demonstrated in the Ukrainian Power Plant incident, is the KillDisk malicious code element, known in ESET / McAfee and Symantec as the following:
- ESET: Mal/Defkill-A, Troj/Agent-(APPL,APUJ)
- Symantec: Backdoor.Lancafdo
1. Because this trojan's delivery mechanisms all seem to stem from an email containing Excel (.xls) files with executable macros, please consider the following:
- Ensure all Windows operating systems have the latest OS patch and security update available. Current analysis indicates Windows 7, Windows Vista, and Windows XP are primarily affected by this malicious code element.
- Enable “Attachment Filters” at all Mail Gateway technologies. “Capture, block, or trap” emails with (.xls) attachments. Such email filters can be implemented in properly configured Anti-virus Gateways, Web-Filters with SMTP Capable Services, and firewall / IDS technologies.
- If technologically feasible, implement Group Policy Objects to disable all macros by activating this feature within Trust Center > Macro Settings > Disable All Macros (with or without notification, depending on enterprise policy).
- Force Anti-Virus and Host Based Security System (Host Based IDS) policy updates to ensure all nodes are updated and policies are propagated to all end-points. Because the core code elements are 2 years old, Anti-Virus vendors have signatures to capture older variants of this Trojan.
- All firewalls, network devices, and Intrusion Detection Systems should monitor for traffic to or from port 6789. Identified hosts communicating on this port should be investigated for infection in a “sandbox” environment immediately. Proper VLAN and network segmentation should provide the mitigation controls needed to ensure propagation is minimized.
- Ensure NAT (network address translation) table logs are maintained for an adequate time period so that, when a perimeter network appliance (firewalls, IDS, JIDS, web proxies, etc.) detects an infection, reverse lookups to the internal host remain possible.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available. This is achievable within GPO configurations.
- Because password files are contained in older versions of this Trojan, it would behoove system engineers to ensure the passwords below are not currently in use within the organization's access control device landscape (Windows accounts, SCADA systems, Telnet, SSH, etc.).
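The port 6789 monitoring item and the NAT log retention item above can be combined into one check, shown here as an added example that is not part of the original alert. The CSV log layouts, the addresses and the function names are constructed assumptions, not any vendor's format.

```python
import csv
import io
from datetime import datetime

BACKDOOR_PORT = 6789  # port the DropBear SSH backdoor listens on, per the alert
PERIMETER_IP = "198.51.100.10"  # constructed: the site's public (post-NAT) address

# Constructed samples. Both CSV layouts are assumptions, not a vendor's format.
FIREWALL_LOG = """time,src_ip,src_port,dst_ip,dst_port,action
2016-01-06T09:14:02,203.0.113.7,51822,198.51.100.10,6789,allow
2016-01-06T09:14:40,198.51.100.10,40111,192.0.2.55,443,allow
2016-01-06T09:20:31,198.51.100.10,40250,203.0.113.9,6789,deny
2016-01-06T23:05:00,198.51.100.10,40999,203.0.113.9,6789,deny
"""
NAT_LOG = """start,end,inside_ip,inside_port,outside_port
2016-01-06T09:00:00,2016-01-06T10:00:00,10.20.1.15,6789,6789
2016-01-06T09:20:30,2016-01-06T09:21:30,10.20.3.44,49712,40250
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def inside_host(nat_rows, when, outside_port):
    """Return the internal IP that held outside_port at time `when`, else None."""
    for n in nat_rows:
        start = datetime.fromisoformat(n["start"])
        end = datetime.fromisoformat(n["end"])
        if n["outside_port"] == str(outside_port) and start <= when <= end:
            return n["inside_ip"]
    return None  # no NAT record kept: the retention gap the alert warns about

def find_suspects(fw_text=FIREWALL_LOG, nat_text=NAT_LOG):
    """Flag every flow touching BACKDOOR_PORT and resolve it to an internal host."""
    nat_rows, hits = _rows(nat_text), []
    for r in _rows(fw_text):
        if BACKDOOR_PORT not in (int(r["src_port"]), int(r["dst_port"])):
            continue
        # The perimeter side of the flow carries the NAT-translated port.
        inbound = r["dst_ip"] == PERIMETER_IP
        our_port = r["dst_port"] if inbound else r["src_port"]
        when = datetime.fromisoformat(r["time"])
        hits.append({"time": r["time"], "action": r["action"],
                     "direction": "inbound" if inbound else "outbound",
                     "remote": r["src_ip"] if inbound else r["dst_ip"],
                     "internal_host": inside_host(nat_rows, when, our_port)})
    return hits

if __name__ == "__main__":
    for hit in find_suspects():
        print(hit)
```

A hit whose `internal_host` is `None` is a flow that can no longer be traced to a machine because the NAT record was not retained.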
Should anyone have any questions or concerns regarding the material within this article, please feel free to ask. I hope this gets widespread dissemination. Furthermore, I will be working on more forensic research of this threat to deploy a more comprehensive mitigation strategy report to follow for Top Layer and Host Level integration. If anyone has feedback, it would be greatly appreciated.