New email ‘attack’ in Ukraine: false flag or new predator?

The new wave of tainted e-mail messages to Ukraine power companies brings up new questions in the power hack investigation.

If you work at a power company in Ukraine, you might be on high alert. Just last month, someone hacked into power systems in three regions, leaving hundreds and thousands of people in the dark, and they may have used e-mail to get in, researchers say.

Now, a new round of malicious e-mails has appeared in power company in-boxes, according to ESET researchers and Ukrenergo, the country’s national power company.

“…We discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December,” wrote Robert Lipovsky with ESET in his analysis on WeLiveSecurity.

 “The Ukrainian power grid is dealing with ‘fire’ after ‘fire’ it seems,” said industrial control systems security expert Chris Sistrunk with Mandiant, a FireEye company.

Lipovsky told Archer News he is not sure how many companies were affected, but he knows how the attack took place.

How it went down

Ukrenergo issued a notice saying someone had sent out e-mails pretending to be from the organization, telling people there had been a change in date for some events.

The message looked like it came from “info@ukrenergo.energy.gov.ua,” according to Lipovsky. 

But it was not from Ukrenergo, and instead contained a malicious XLS file, he said. Attackers then received notification if the target received it and opened it.

The e-mail’s goal—to get you to open the macro, despite your security system in place.

“It tries, by social engineering, to trick the recipient into ignoring the built-in Microsoft Office Security Warning, thereby inadvertently executing the macro,” Lipovksy said.

“The text in the document, translated from Ukrainian reads: Attention! This document was created in a newer version of Microsoft Office. Macros are needed to display the contents of the document,” he explained.

“Executing the macro leads to the launch of a malicious trojan-downloader that attempts to download and execute the final payload from a remote server,” Lipovksy said.

Was it BlackEnergy?

This was not BlackEnergy malware, like the malware found on Ukraine power systems after the attack and outage on December 23, Lipovsky said.

Could this malware do the same kinds of things as BlackEnergy?

“No, this latest backdoor is much more limited in functionality in comparison with BlackEnergy,” Lipovsky told Archer News. “But it is able to download other malware to the system and to execute commands. Difficult to say what was its intended purpose.”

The server hosting that final payload is in Ukraine, according to ESET, and has been taken offline.

Was it the same attacker?

This is the question under debate. The malware is different, but the targets are similar.

Cybersecurity experts say attackers can use many strategies.

Lipovsky said analysts may want to examine the idea that the same attacker is deliberately using a new tactic to complicate the case.

“The current discovery suggests that the possibility of false flag operations should also be considered,” he wrote.

Others in the industry agree that is an option.

“This could be a ‘confuse the investigator’ campaign,” said Andrew Mazurek, a cybersecurity professional based in Toronto.

 “This, or someone is using now-public knowledge of their ‘security.’ Maybe common criminals trying to extort.”

“It could be copycat,” said Sistrunk. “I think it’s best to treat this as a separate incident until we can definitively tie the two together.”

A regular thing?

Some cybersecurity experts say power companies in the U.S. receive these kinds of phishing e-mails regularly.

“From a high-level view on the activity reported on, it’s unrelated to the December attack and looks like normal phishing activity that companies are used to seeing,” said Robert M. Lee with the SANS Institute.

He said this does not reach the level of an ‘attack,’ in his view, but instead an intrusion or compromise.

“It is definitely interesting to see ongoing intrusions into companies, but these are commonplace across industries, and without any evidence tying the activity to the attack that occurred in December, it’s of less importance,” said Lee.

 “The only reason it’s of interest to folks right now is because it’s against other energy companies in Ukraine,” he added. “The timing is something to watch, but the activity does not appear related or in any way relevant.”

More investigation

 The Ukrainian Ministry of Energy and Mines said a work group is going to continue to look into the December 23 “disturbance” that it says affected three regions—Kiev, Ivano-Frankivsk, and Chernivtsi.

The work group met this week and decided there was a need to collect more data, according to an announcement on the agency web site.

“As a result of the meeting, the group decided on the extension of its work for a more complete and comprehensive clarification of the causes and consequences of the situation, and the development of a plan of measures to strengthen the information technology system security of the energy supply in the future,” the announcement said.

On alert

The Computer Emergency Response Team of Ukraine sent out a new warning about e-mail attacks in the country and said it blocked the malicious server in the latest incident.

It also gave three recommendations, useful for anyone, anywhere, not just for power companies in Ukraine.

The recommendations, as translated by Google:

1) Once again, the inadmissibility of opening attachments received by email (without confirmation of sending an e-mail to its sender).

2) System administrators and security administrators should pay attention to filtering input/output information flows, including email and web traffic.

3)  E-mail users should be careful when opening attachments, even if they come from well-known destinations.