New BlackEnergy victims discovered in Ukraine
Earlier, we wrote about a series of cyberattacks on industrial facilities in Ukraine that used the BlackEnergy Trojan. One of the best-known victims of the Trojan was the energy company Prikarpatyeoblenergo, which supplies electricity to the Ivano-Frankivsk region in western Ukraine. Another well-known victim of BlackEnergy was the computer network of Boryspil Airport, where the Trojan was detected on one of the computers. This was announced by Andriy Lysenko, spokesman of the Presidential Administration of Ukraine on ATO issues.
The department also indicated that Kyivoblenergo, Chernivtsioblenergo, Khmelnitskoblenergo and Kharkivoblenergo were subjected to cyberattacks. The Ukrainian security company CyS Centrum, which also investigated these attacks, in its study named Boryspil Airport among the victims, together with Ukraine International Airlines, on whose computers the BlackEnergy driver was detected.
Fig. An example of a phishing email that was used in a malicious campaign (CyS Centrum data).
Fig. Appearance of the bait document (CyS Centrum data).
CERT-UA, the Computer Incident Response Center of Ukraine, has published a list of indicators of compromise (IoCs) that can be used to identify BlackEnergy infections. It includes the following IP addresses.
146.0.74.7
148.251.82.21
188.40.8.72
31.210.111.154
41.77.136.250
5.9.32.230
88.198.25.92
41.77.136.250
The same publication also gives an example of checking log files for these indicators.
Fig. Example of a system check for BlackEnergy infection (CyS Centrum data).
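The log check shown in the figure above can be automated. The following script is an added example written for this article and is not CERT-UA's or CyS Centrum's own tooling: it takes the IP indicators listed above, extracts IPv4 addresses from each log line, and reports every line in which one of the published addresses appears. The firewall log format and the sample lines are constructed for the example; a real deployment would read the indicator list from a file and feed it the organisation's own proxy, firewall or DNS logs.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# IP indicators of compromise published by CERT-UA for BlackEnergy (as listed in the article).
BLACKENERGY_IOC_IPS = frozenset({
    "146.0.74.7",
    "148.251.82.21",
    "188.40.8.72",
    "31.210.111.154",
    "41.77.136.250",
    "5.9.32.230",
    "88.198.25.92",
})

# Loose dotted-quad pattern; candidates are validated with ipaddress afterwards.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(line: str) -> List[str]:
    """Return all syntactically valid IPv4 addresses found in one log line."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # e.g. "999.1.1.1" matches the regex but is not an address
        found.append(candidate)
    return found


def find_ioc_hits(log_lines: Iterable[str], iocs=BLACKENERGY_IOC_IPS) -> List[Dict]:
    """Scan log lines and return one record per occurrence of an indicator IP.

    Matching is on whole addresses, so a look-alike such as 141.77.136.250
    does not match the indicator 41.77.136.250.
    """
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append({"line": lineno, "ip": ip, "text": line.strip()})
    return hits


def count_by_ip(hits: List[Dict]) -> Dict[str, int]:
    """Summarise hits as indicator IP -> number of matching log lines."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample firewall log (hypothetical format: time action proto src -> dst).
SAMPLE_LOG = [
    "2016-01-14T09:12:03Z ALLOW TCP 10.0.0.15:49152 -> 146.0.74.7:443",
    "2016-01-14T09:12:07Z ALLOW TCP 10.0.0.15:49153 -> 192.0.2.10:80",
    "2016-01-14T09:13:41Z DENY TCP 10.0.0.22:51002 -> 999.1.1.1:25",
    "2016-01-14T09:15:00Z ALLOW UDP 10.0.0.31:53 -> 41.77.136.250:53",
    "2016-01-14T09:15:02Z ALLOW TCP 10.0.0.31:49201 -> 141.77.136.250:443",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} in: {hit['text']}")
    print(count_by_ip(find_ioc_hits(SAMPLE_LOG)))
```

A hit on one of these addresses is a lead for incident response, not proof of infection on its own: the indicators are tied to the period of the campaign, and hosting-provider addresses are reassigned over time, so a matching line should be followed up by checking the host in question for the BlackEnergy driver and the other indicators CERT-UA published.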