What the BlackEnergy Attacks Can Teach UK Critical Infrastructure Firms

by Ross Dyer

Looking back at the past 12 months you could be forgiven for thinking that cyber security is about little more than stopping data breaches and ransomware. These two trends have certainly dominated the headlines of late. But there’s another strain of cyber threat, which is potentially far more serious than losing some data – however damaging that might be to a company or individual. I’m talking about attacks on critical national infrastructure (CNI) designed to cause physical damage and disruption.

We recently discovered that one of the most potent such campaign of late – involving the BlackEnergy/Kill Disk malware – is far more widespread than at first though. Its effect on public and critical infrastructure in the Ukraine should serve as a stark reminder to CNI firms in the UK.

From Stuxnet to BlackEnergy
We all know about Stuxnet – the sophisticated state-sponsored malware which disrupted nuclear facilities in Iran. But real world examples of similar attempts to use malicious code to effect physical damage in systems are hard to come by. That was until we discovered an attack campaign against energy companies in Ukraine late last year. A campaign using the infamous BlackEnergy malware – used for years to target industrial control systems (ICSs) – cut off power in Western Ukraine for tens of thousands just before Christmas.

Now Trend Micro has discovered that same campaign has likely been expanded to target at least one large train company and mining firm in the former USSR state. There’s a high probability that these attacks are the result of politically motivated destructive attack campaign designed to cripple Ukrainian public and critical infrastructure.

The UK story
In the UK we’d like to think our CNI is better protected. And in many cases it may be. But critical infrastructure is comprised of hundreds or even thousands of individual – mainly privately held companies – all with their own computer systems. There is no one-size-fits-all approach to security here, although the government, GCHQ and Centre for the Protection of National Infrastructure are actively improving information sharing and security standards here.

The problem with many of the IT systems in such organisations is that they were never meant to be connected to the internet, so they’re not designed to withstand the kind of remote attacks now flooding the web. Being used to run critical systems also makes them difficult to power down and patch – so many are left running without proper protections in place. Unfortunately, where once ‘security by obscurity’ worked well enough, that’s no longer the case.

As we’ve seen, CNI is becoming an increasingly popular target for nation states. But there are also risks from financially motivated cybercriminals who may be looking to extort money from victims in return for calling off an attack – or even hacktivists out to make a point.

There’s no silver bullet for 100% protection here, but a few best practice tips could help IT leaders in charge of ICSs to minimise their risk exposure:

  • Review the number of unsupported operating system versions and have a protection and migration plan
  • Where possible, take time to test and patch systems regularly
  • Manage any machines that don’t need to be internet facing, reducing your attack surface
  • Consider advanced intrusion prevention, anti-malware, file/system integrity monitoring and log inspection tools to help spot and stop targeted attacks
  • Don’t forget to manage third party risks outside of the firm which may introduce threats

Leave a Reply

Your email address will not be published. Required fields are marked *