Black Energy 3 Trojan and the Ukrainian Infrastructure attack.
It seems the infrastructure vulnerability alarm bells have sounded across the land. Honestly, I am surprised it has taken this long, and I suspect the situation will get worse as the Internet of Things mushrooms with all sorts of devices.
There was an event that went unnoticed by all but a few in the InfoSec threat intelligence sector. From December 26, 2015 through January 2, 2016 there was a massive worldwide surge in cyber attacks. I truly thought a global cyber war had kicked off… I am still suspicious this was a rehearsal for the big show.
Because as quickly as this massive cyber attack started, it ended, and now the InfoSec industry is sorting through the aftermath of it. I think it is safe to say the Ukrainian electric grid attack was the most prolific of this “rehearsal”. As details of the Black Energy 3 exploit emerge, it is clear to me this is a lab experiment and the exploit is evolving or has the potential to evolve. But may I make a suggestion to the experts working on Black Energy 3?
Focus on this…. the rest is smoke and mirror diversions.
BlackEnergy 3 plug-ins*:
- fs.dll — File system operations
- si.dll — System information, “BlackEnergy Lite”
- jn.dll — Parasitic infector
- ki.dll — Keylogger
- ps.dll — Password stealer
- ss.dll — Screenshots
- vs.dll — Network discovery, remote execution
- tv.dll — Team viewer
- rd.dll — Simple pseudo “remote desktop”
- up.dll — Update malware
- dc.dll — List Windows accounts
- bs.dll — Query system hardware, BIOS, and Windows info
HINT… REMOTE EXECUTION! But it is not the type of REMOTE EXECUTION you are seeking or thinking. I expect you will find the delivery system in a remote unexpected place. Perhaps along the lines of…
Raspberry Pi 2 unveiled — Windows 10
Perhaps extended Daisy Chains? It would certainly explain the Case of Mistaken Identity information being fed into the public arena.
(Dark Reading article co-authored by Raj Samani, Chief Technology Officer of Intel Security's Europe, Middle East, and Africa division: www.darkreading.com)
It may also explain the strange MD5 hashing sequences and other slippery binaries? Perhaps not?
Perhaps some remote air-gapping device(s) doing some emulation? Hotspots? Bluetooth? I am not familiar enough with the exact details of Ukrainian infrastructure or system design, but I have seen variations of these sorts of remotely modded RAT/botnet apparatus in the wild. No matter how it is bundled, you can bet it is there!
Also, it is highly unlikely you will find the source if it/they have gone to sleep; the only thing you can be certain of is that they are waiting to be woken up. In other words, probably disguised as some unknown or malfunctioning sensor(s) that no employee is 100% certain of what it does, but it has all the earmarks of being a critical part of the system: thou shalt not touch.
It is going to require some field work. Some GRID INSPECTION!
Even if you “patch” or isolate BLACK ENERGY 3, it has the potential to morph into whatever it needs to be while the RAT device(s) are still present on the grid. InfoSec is going to have to get their walking shoes on and do some very intensive inspection field work. That is all I am going to say about that… I do not want to be giving ideas to the wrong people with motives to do bad things.
Which brings us to our current project… Behind the Doors Garage of Doom. https://medium.com/@The_Goat_Tree/behind-the-doors-of-the-garage-of-doom-part-2-de054f42403c#.vwdhrao87
Is this project the solution? No, it is merely a starting point: a tool to start assisting in identifying and closing some of the gaps that plague 95% of the global critical infrastructure systems, not limited exclusively to the Ukrainian electric grid.
It is time to get serious about this very real problem… time is not on our side!