Press Center

On December 23 2015, around 700 thousand people in the Ivano-Frankivsk region in Ukraine, half of the homes there, were left without electricity for several hours. ESET researchers discovered that the power outage – the Ukrainian media outlet TSN was first to report it - was not an isolated incident. Other power distribution companies in Ukraine were targeted by cybercriminals at the same time.

According to ESET researchers, the attackers have been using the BlackEnergy backdoor to plant a KillDisk component onto the targeted computers that would render them unbootable.

The BlackEn ergy backdoor trojan is modular and employs various downloadable components to carry out specific tasks. In 2014 it was used in a series of cyber-espionage attacks against high-profile, government-related targets in Ukraine. In the recent attacks against electricity distribution companies, a destructive KillDisk trojan was downloaded and executed on systems previously infected with the BlackEnergy trojan.

The first known link between BlackEnergy and KillDisk was reported by the Ukrainian cybersecurity agency, CERT-UA, in November 2015. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents have been destroyed as a result of the attack.

The KillDisk variant used in the recent attacks against Ukrainian power distribution companies also contained some additional functionality. In addition to being able to delete system files to make the system unbootable – functionality typical for such destructive trojans – this particular variant contained code specifically intended to sabotage industrial systems.

“Apart from the regular KillDisk functionality, it would also try to terminate processes that may belong to a platform commonly used in Industrial Control Systems,” explains Anton Cherepanov, Malware researcher at ESET.

If these processes are found on the target system, the trojan will not only terminate them but also overwrite their corresponding executable file on the hard drive with random data in order to make restoration of the system more difficult.

“Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that the same toolset that was successfully used in attacks against the Ukrainian media in November 2015 is also theoretically capable of shutting down critical systems,” concludes Cherepanov.

Read more about the attack on Ukrainian power distribution companies and the BlackEnergy/KillDisk malware at ESET’s WeLiveSecurity blog.

About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit www.eset.sg or follow us on Facebook and Twitter.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Version 2 Singapore Pte Ltd is the local office of Version 2 Limited.
For more information, please visit www.version-2.com.sg or call (65) 6296-4268.