BlackEnergy Malware Raises Serious Concerns

The Evolution of Black Energy


BlackEnergy is a malicious piece of software spotted several years ago by Arbor Networks, originally built for DDoS (Distributed Denial of Service) attacks worldwide. BlackEnergy remained in its infancy until the malware authors began to implement custom plugins. This essentially hardened their platform and led to BlackEnergy's second generation.

BlackEnergy Version 2.0

BE2 integrated custom plugins to aid computer hackers in spreading spam and stealing financial credentials. Over the years it has mostly been utilized by criminal organizations, but its user base has recently shifted to a new demographic: governments.


BlackEnergy was originally intended for distributing spam and collecting bank credentials.

Government and Nation State Use

Trend Micro has recently released a report stating the intended and potential targets of this new campaign dubbed “Sandstorm”.

BlackEnergy2 victims are widely distributed geographically. We identified BlackEnergy2 targets and victims in the following countries starting in late 2013. There are likely more victims.

  • Russia
  • Ukraine
  • Poland
  • Lithuania
  • Belarus
  • Azerbaijan
  • Kyrgyzstan
  • Kazakhstan
  • Iran
  • Israel
  • Turkey
  • Libya
  • Kuwait
  • Taiwan
  • Vietnam
  • India
  • Croatia
  • Germany
  • Belgium
  • Sweden

Victim profiles point to an expansive interest in ICS:

  • power generation site owners
  • power facilities construction
  • power generation operators
  • large suppliers and manufacturers of heavy power related materials
  • Investors

However, we also noticed that the target list includes government, property holding, and technology organizations as well:

  • high level government
  • other ICS construction
  • federal land holding agencies
  • municipal offices
  • federal emergency services
  • space and earth measurement and assessment labs
  • national standards body
  • banks
  • high-tech transportation
  • academic research

This is obviously quite concerning, given how vulnerable our infrastructure is to online threats worldwide.

DHS Report Summary

On October 28, 2014, the Department of Homeland Security released a report that includes the following summary of the recent malware campaign.


BlackEnergy is affecting various types of industrial automation equipment.

This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01 Ongoing Sophisticated Malware Campaign Compromising ICS that was published October 28, 2014, on the ICS-CERT web site.

ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).

What Does this Mean?

Although all of this sounds like we are at great risk, there are still many details that have not yet been released.

The discovery of such malware brings home the reality of some of the dangers we face online and as a society.

There will be more updates to come.