Second Quarter of Ukrainian power grid attack


No sooner has one wave subsided than another rises. On December 23, 2015 the Ukrainian power grid was disrupted by a trojan attack, the first time a malicious-software attack had paralysed national infrastructure: on the eve of Christmas 2015, nearly half of the households in the Ukrainian city of Ivano-Frankivsk (about 1.4 million people) lost power for several hours. The incident has pushed the security of industrial control systems further into the spotlight.

Threat intelligence recently captured by ThreatBook (weibu online) shows that a new wave of attacks has quietly begun, targeting several Ukrainian power companies. The attacker impersonated the Ukrainian national power company to send carefully disguised phishing emails, and the trojan used this time was not the notorious BlackEnergy.

I. Attack process and method

On the afternoon of January 19, 2016, the attack began with emails sent in the name of "Ukrenergo" to [email protected] and [email protected]. The emails were sent from the time zone (UTC-). The attacker posed as Ukrenergo, the Ukrainian state-owned power company. The targets were the information consulting service of Cherkasyoblenergo, the electric power company of the Cherkasy region, and Kondrashov Alexander of Central Energy System of SE, a subsidiary of Ukrenergo, who serves as chief of substations (Chief of substations of Central ES).

ThreatBook's analysis found that the attack used the traditional spear-phishing approach: a malicious Excel file named ocenka.xls, carrying malicious macro code, was attached to the email.

The email also embeds a PNG image hosted on the remote server 62.210.83.213; fetching it when the message is rendered reports the delivery and opening of the email back to the attacker.

The body of the email is written in Ukrainian:

Original spear-phishing email

The content translates roughly as follows:

"In accordance with the Ukrainian law 'On the principles of operation of the Ukrainian electricity market' and the order on preparing the system operator's development plan for the Ukrainian joint energy system for the next decade, the system operator has published No. 20140929, approved by the Ministry of Industry and Energy of Ukraine, on its official website. The subject is: 'Development Plan of the Ukrainian Joint Energy System for 2016 to 2025'."

The specific draft content of the development plan is included in the email attachment:

"According to chapter 5 of the preparatory process, a hearing will be held at two o'clock P.M. on April 9 in conference room 750, Kyiv (Kyiv region, Makarov district, Nalyvaykivka, September 11-B), to provide feedback on the draft development plan."

Opening the Excel attachment displays the following:

A rough online translation of its content:

Necessity of Power Generation Evaluation and Optimization

The joint energy system of Ukraine operates thermal, nuclear, hydro, wind, and solar power stations in parallel. As of December 31, 2015 the total installed capacity reached 554.68 million kilowatts (excluding the generating facilities of the special economic zone "Crimea").

The most striking element of the whole file is its "important notice". It cleverly tricks the user into enabling macros, which Microsoft Office disables by default and which is the last line of defence on the victim's endpoint: "Note! This file was created in a newer version of Office. To display the file content you need to enable macros." Excel's own security warning is drowned out by this large notice, and the victim clicks the Enable Macros button.
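A mail-gateway check for the two lure features described above (the remote tracking image and a legacy Excel attachment that carries a VBA project), as an added example that is not ThreatBook's code and not the attackers' email. The message is constructed inline: the sender and recipient addresses and the PNG path are placeholders, while the host 62.210.83.213 and the attachment name ocenka.xls come from the article. The VBA check is a byte-level heuristic on the OLE container (directory names are stored as UTF-16LE), not a full parser.

```python
"""Mail-gateway triage for a spear-phishing lure: remote image beacons and
macro-carrying legacy Office attachments.  Added example, not from the article;
the sample message below is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy Office (CFB) file header
# OLE directory entry names are UTF-16LE; these storages hold VBA projects in .xls / .doc.
VBA_STORAGES = [n.encode("utf-16-le") for n in ("_VBA_PROJECT_CUR", "Macros")]
MACRO_EXTS = (".xls", ".doc", ".xlsm", ".docm", ".xlam")
REMOTE_IMG = re.compile(r'<img[^>]+src=["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)


def remote_image_beacons(msg):
    """URLs of remotely hosted images in HTML parts (read / delivery tracking pixels)."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            urls.extend(REMOTE_IMG.findall(part.get_content()))
    return urls


def has_vba_project(blob):
    """Heuristic: an OLE container whose directory names a VBA storage."""
    return blob.startswith(OLE_MAGIC) and any(s in blob for s in VBA_STORAGES)


def triage(raw_eml):
    """Return a list of (finding, detail) tuples for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    beacons = remote_image_beacons(msg)
    if beacons:
        findings.append(("remote_image_beacon", beacons))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        if name.lower().endswith(MACRO_EXTS) and has_vba_project(blob):
            findings.append(("macro_attachment", name))
    return findings


def build_sample(malicious=True):
    """Constructed message mimicking the lure; NOT the real email."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"      # placeholder
    msg["To"] = "recipient@example.invalid"             # placeholder
    msg["Subject"] = "Development plan 2016-2025"
    msg.set_content("See the attached draft.")
    html = "<p>See the attached draft.</p>"
    if malicious:
        # host from the article, image path is a placeholder
        html += '\n<img src="http://62.210.83.213/open.png" width="1" height="1">'
    msg.add_alternative(html, subtype="html")
    body = OLE_MAGIC + b"\x00" * 64
    if malicious:
        body += "_VBA_PROJECT_CUR".encode("utf-16-le")  # fake VBA storage name
    body += b"\x00" * 64
    msg.add_attachment(body, maintype="application", subtype="vnd.ms-excel",
                       filename="ocenka.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

On a real gateway the attachment check would hand the OLE blob to a proper VBA extractor; the point here is that both lure features are visible before the user ever sees the "enable macros" notice.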

II. Malicious Payload Analysis

Once the user enables macros, the malicious macro code embedded in the file executes. It creates a trojan file named test_vb.exe and saves it in the system %TEMP% directory. The macro is stored in the workbook module, whose name appears in Russian (the localized equivalent of "ThisWorkbook").

When test_vb.exe runs, it tries to download a program from hxxp://193.239.152.131/8080/templates/compiled/synio/root.cert and saves it in the %APPDATA% folder.

Iesecurity.exe is a backdoor written in Python: a customized version of the open-source GCAT (https://github.com/byt3bl33d3r/gcat), converted into a PE executable with PyInstaller.

GCAT backdoors use Gmail as the command-and-control server to relay commands to clients. The controller's email address in this attack is [email protected]

The mailbox has since been suspended by Google.

Following the commands received through Gmail, the customized backdoor can execute supplied shellcode, download files, and force the client host to re-register with the controller.
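Endpoint detection logic for the execution chain in this section (Excel dropping an executable into %TEMP%, that executable fetching a second stage from a bare IP into %APPDATA%, and the second stage talking to Gmail over IMAP/SMTP ports instead of a mail client), as an added example that is not from the article or ThreatBook. The event records are constructed in a Sysmon-like shape: file names, drop locations and the Gmail C2 follow the article, while PIDs, the user name and the destination port of the download are invented.

```python
"""Behavioural detection for an Office-macro -> dropper -> mail-based C2 chain.
Added example; the EVENTS list below is constructed, not real telemetry."""
import ipaddress
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
MAIL_PORTS = {143, 993, 465, 587}                    # IMAP / SMTP ports used by Gmail
WEBMAIL_HOSTS = ("gmail.com", "googlemail.com")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _base(path):
    return ntpath.basename(path or "").lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(events):
    """Return (rule, pid, detail) alerts; suspicion propagates from Office to its children."""
    alerts = []
    suspicious = set()          # PIDs launched (directly or indirectly) by Office from a user dir
    for ev in events:
        if ev["type"] == "process_create":
            if _base(ev["parent"]) in OFFICE_APPS and _user_writable(ev["image"]):
                suspicious.add(ev["pid"])
                alerts.append(("office_spawned_exe_from_user_dir", ev["pid"], ev["image"]))
            elif ev.get("ppid") in suspicious:
                suspicious.add(ev["pid"])
                alerts.append(("child_of_suspicious_process", ev["pid"], ev["image"]))
        elif ev["type"] == "network":
            pid, host, port = ev["pid"], ev["dst"], ev["port"]
            if pid in suspicious and _is_ip(host):
                alerts.append(("suspicious_process_to_bare_ip", pid, f"{host}:{port}"))
            if (port in MAIL_PORTS and host.endswith(WEBMAIL_HOSTS)
                    and _base(ev["image"]) not in MAIL_CLIENTS):
                alerts.append(("non_mail_client_to_webmail_mail_port", pid, f"{host}:{port}"))
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"
DROPPER = r"C:\Users\jdoe\AppData\Local\Temp\test_vb.exe"        # %TEMP% drop from the article
BACKDOOR = r"C:\Users\jdoe\AppData\Roaming\Iesecurity.exe"        # %APPDATA% drop from the article

EVENTS = [  # constructed telemetry
    {"type": "process_create", "pid": 4120, "ppid": 3988, "parent": EXCEL, "image": DROPPER},
    {"type": "network", "pid": 4120, "image": DROPPER, "dst": "193.239.152.131", "port": 80},
    {"type": "process_create", "pid": 4188, "ppid": 4120, "parent": DROPPER, "image": BACKDOOR},
    {"type": "network", "pid": 4188, "image": BACKDOOR, "dst": "imap.gmail.com", "port": 993},
    {"type": "network", "pid": 4188, "image": BACKDOOR, "dst": "smtp.gmail.com", "port": 465},
    # benign activity that must not fire: a real mail client, a browser, Excel launching Acrobat
    {"type": "network", "pid": 2210, "image": r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE",
     "dst": "imap.gmail.com", "port": 993},
    {"type": "network", "pid": 2300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst": "mail.google.com", "port": 443},
    {"type": "process_create", "pid": 5000, "ppid": 3988, "parent": EXCEL,
     "image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The third rule is the one specific to GCAT-style tooling: a browser reaching mail.google.com over 443 is normal, a mail client on 993 is normal, but a binary in %APPDATA% opening IMAP and SMTP sessions to Gmail is the C2 channel this backdoor depends on.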

 

III. Threat Intelligence Sharing

Machine-readable indicators of compromise (IOC):

Ocenka.xls (MD5): B209A3EB543622195E13CE32490189F1

(VirusBook: https://www.virusbook.cn/view_report/scan/0bb5e98f77e69d85bf5068bcbc5b5876f8e5855d34d9201d1caffbf83460cccc-1453977855488)

Test_vb.exe (MD5): 057D6A1F26C102187D90B5AD43741CC7

(VirusBook: https://www.virusbook.cn/view_report/scan/43b69a81693488905ef655d22e395c3f8dee2486aba976d571d3b12433d10c93-1453977898349)

Iesecurity.exe (MD5): 6903A0CE131CF0E1B105EC844E846173

(VirusBook: https://www.virusbook.cn/view_report/scan/54517e2a85509bc7109b7befd7151a058c1b0cc90d38d19dad189f308fc9f3c7-1453977997975)

Remote control server IP addresses:

62.210.83.213

193.239.152.131 (Ukraine)
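An IOC sweep that consumes the indicators listed above, as an added example that is not from the article or ThreatBook. The MD5 values, the two IP addresses and the download path come from the article; the file contents and proxy log lines are constructed, so the hash sweep returns a true negative on them (the real samples are not reproduced here). The URL-path rule goes slightly beyond the article by matching the payload path on any host, which catches a re-hosted second stage that an IP-only blocklist would miss.

```python
"""IOC sweep: MD5 matching over file contents and IP / URL-path matching over
proxy log lines.  Added example; sample files and log lines are constructed."""
import hashlib
import re

IOC_MD5 = {                                   # indicators from the article, lower-cased
    "b209a3eb543622195e13ce32490189f1": "ocenka.xls",
    "057d6a1f26c102187d90b5ad43741cc7": "test_vb.exe",
    "6903a0ce131cf0e1b105ec844e846173": "iesecurity.exe",
}
IOC_IPS = {"62.210.83.213", "193.239.152.131"}
IOC_URL_PATH = "/templates/compiled/synio/root.cert"   # second-stage download path

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sweep_files(files, ioc_md5=IOC_MD5):
    """files: {path: bytes}.  Returns [(path, md5, ioc_name)] for every hash hit."""
    hits = []
    for path, data in files.items():
        digest = md5_hex(data)
        if digest in ioc_md5:
            hits.append((path, digest, ioc_md5[digest]))
    return hits


def sweep_proxy_log(lines, ioc_ips=IOC_IPS, ioc_path=IOC_URL_PATH):
    """Returns [(src_ip, url, reason)] for requests to IOC hosts or the IOC payload path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                          # unparseable line: skip, never crash the sweep
        url = m.group("url")
        host_match = HOST_RE.match(url)
        host = host_match.group(1) if host_match else ""
        if host in ioc_ips:
            hits.append((m.group("src"), url, "ioc_ip"))
        elif url.endswith(ioc_path):
            hits.append((m.group("src"), url, "ioc_url_path"))
    return hits


SAMPLE_FILES = {  # constructed contents, deliberately not the real samples
    r"C:\Users\jdoe\AppData\Local\Temp\test_vb.exe": b"MZ" + b"\x00" * 62 + b"constructed stand-in",
    r"C:\Users\jdoe\Downloads\report.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,
}
SAMPLE_LOG = [  # constructed proxy lines: "timestamp client method url status"
    "2016-01-19T15:07:02Z 10.1.4.23 GET http://62.210.83.213/open.png 200",
    "2016-01-19T15:09:41Z 10.1.4.23 GET http://193.239.152.131/8080/templates/compiled/synio/root.cert 200",
    "2016-01-19T15:10:05Z 10.1.4.40 GET https://intranet.example.invalid/news 200",
    "2016-01-19T15:12:30Z 10.1.4.51 GET http://cdn.example.invalid/templates/compiled/synio/root.cert 200",
]

if __name__ == "__main__":
    print("hash hits:", sweep_files(SAMPLE_FILES))
    for hit in sweep_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
```

Hash matching is only worth running against the actual artefacts (%TEMP% and %APPDATA% on suspect hosts); the proxy sweep is the cheaper retrospective check, since both servers and the distinctive root.cert path are visible in any web proxy log from the campaign window.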
