ICS malware analysis study: BlackEnergy

Posted date 15/02/2024
Author
INCIBE (INCIBE)

Over time it has been possible to observe the large growth in cyber-attacks affecting industrial environments and critical systems. This is largely because these are targets where very sensitive information can be obtained and where an attack can cause very serious problems for organisations, both economically and socially.

One of the best examples is the electricity sector. This sector has suffered several significant cyberattacks, and one of the most widely recognised was the BlackEnergy malware.

- BlackEnergy timeline -

This malware became known for compromising several electricity distributors on 23 December 2015, leaving households in the Ivano-Frankivsk region of Ukraine (a population of around 1.5 million) without electricity. The malware did not start out with the characteristics it has today; driven by new technologies and new requirements, it has evolved over time. This evolution was such that it first appeared as a trojan with the ability to build botnets and carry out DDoS (Distributed Denial of Service) attacks. It then continued to improve with the use of rootkits that allowed access to the system in an imperceptible way, and kept evolving through various enhancements until it became the APT (Advanced Persistent Threat) that we all know today.

Given these problems, organisations must try to be prepared for such cyberattacks in case they happen again, and it is advisable to carry out a series of activities to anticipate and minimise any significant damage. These include, for example, investigating the behaviour of the malware once it enters the system, how it is introduced into the assets, and the key features that allow it to be detected.

All the information obtained from the research can be used to produce intelligence: for example, rules that can detect the malware, specific honeypots or deception systems intended to be attacked by this particular malware, and many other measures that would allow the damage caused by this type of cyberattack to be reduced.

The following study addresses different aspects that can help improve cyber security against these types of cyberattacks, documenting the different ways of performing malware analysis and walking through an example of active analysis of the BlackEnergy malware using Volatility.

Finally, indicators of compromise (IOCs) and Yara rules for this malware are also included. The full study can be downloaded at the following link: