Sunday, January 24, 2016

Netiquette IQ Blog Of 1/24/2016 - Cyber Attacks On Power Plants Or Process Control Manufacturring And A Powerful Security Product To Combat Them

New Wave of Cyberattacks Against Ukrainian Power Industry
 ROBERT LIPOVSKY POSTED 20 JAN 2016 - 06:59PM from

The cyberattacks against the Ukrainian electric power industry continue. Background information on this story can be found in our recent publications:
Yesterday (January 19th) we discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December. What’s particularly interesting is that the malware that was used this time is not BlackEnergy, which poses further questions about the perpetrators behind the ongoing operation. The malware is based on a freely-available open-source backdoor – something no one would expect from an alleged state-sponsored malware operator.
Details of the cyberattacks
The attack scenario itself hasn’t changed much from what we described in our previous blog post. The attackers sent spearphishing emails to potential victims yesterday. The email contained an attachment with a malicious XLS file.
 Spearphishing email from January 19, 2016
The email contains HTML content with a link to a .PNG file located on a remote server so that the attackers will get a notification that the email was delivered and opened by the target. We have observed the same interesting technique used by the BlackEnergy group in the past.
HTML content of email with PNG file on remote server
Just as interestingly, the name of PNG file is the base64-encoded string “mail_victim’s_email”.

The XLS file used in attacks
The malicious macro-enabled XLS file is similar to the ones we’ve seen in previous attack waves. It tries, by social engineering, to trick the recipient into ignoring the built-in Microsoft Office Security Warning, thereby inadvertently executing the macro. The text in the document, translated from Ukrainian reads: Attention! This document was created in a newer version of Microsoft Office. Macros are needed to display the contents of the document.

Executing the macro leads to the launch of a malicious trojan-downloader that attempts to download and execute the final payload from a remote server.)
The server hosting the final payload is located in Ukraine and was taken offline after a notification from CERT-UA and CyS-CERT.

We expected to see the BlackEnergy malware as the final payload, but a different malware was used this time. The attackers used modified versions of an open-source gcat backdoor written in the Python programming language. The python script was converted into a stand-alone executable using PyInstaller program.

This backdoor is able to download executables and execute shell-commands. Other GCat backdoor functionality, such as making screenshots, keylogging, or uploading files, was removed from the source code. The backdoor is controlled by attackers using a GMail account, which makes it difficult to detect such traffic in the network.
ESET security solutions detect the threat as:

Thoughts and conclusions
Ever since the first blogposts following our discovery of these cyberattacks, they have gained widespread media attention. The reasons for that are twofold:
·         It is probably the first case where a mass-scale electrical power outage has been caused by a malware cyberattack.
·         Mainstream media have popularly attributed the attacks to Russia, based on claims of several security companies that the organization using BlackEnergy, a.k.a. Sandworm, a.k.a. Quedagh, is Russian state-sponsored.
The first point has been a subject of debate as to whether the malware actually caused the power outage or whether it only “enabled” it. While there is a difference in the technical aspects between the two, and while we’re naturally interested in the smallest details when conducting malware analysis, on a higher level, it doesn’t really matter. As a matter of fact, it is the very essence of malicious backdoors – to grant attackers remote access to an infected system.
The second point is even more controversial. As we have stated before, great care should be taken before accusing a specific actor, especially a nation state. We currently have no evidence that would indicate who is behind these cyberattacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not. In any case, it is speculation at best. The current discovery suggests that the possibility of false flag operations should also be considered.
To sum it up, the current discovery does not bring us any closer to uncovering the origins of the attacks in Ukraine. On the contrary, it reminds us to avoid jumping to rash conclusions.
We continue to monitor the situation for future developments. For any inquiries or to make sample submissions related to the subject, contact us at:
Indicators of compromise
Malicious XLS SHA-1s:
Executables SHA-1s:


A great security tool to address SCADA and combat threats for Industrial Automation and Control Systems (ICAS) with dynamic deception is Attivo Systems.

SCADA systems had originally been designed to monitor critical production processes without consideration to security consequences. Security had been generally handled by keeping the devices off the network and the Internet using “air gaps” where malware could only be transmitted by the thumb drives used by technicians. However, today vulnerable SCADA systems are increasingly being connected to the corporate IT infrastructure and Internet, making them easily accessible to a remote attacker. Examples of this would be the Sandworm malware that attacked Telecommunications and Energy sectors, Havex malware that infected a SCADA system manufacturer, and BlackEnergy malware that attacks ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased malicious and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.

For more information, a WebEx, Demo or trial, please contact or call direct at 609 818 1802.
For a great satire on email, please see the following:
Good Netiquette And A Green Internet To All! 

Special Bulletin - My just released book

"You're Hired. Super Charge our Email Skills in 60 Minutes! (And Get That Job...) 

is now on sales at 

Great Reasons for Purchasing Netiquette IQ
·         Get more email opens.  Improve 100% or more.
·         Receive more responses, interviews, appointments, prospects and sales.
·         Be better understood.
·         Eliminate indecision.
·         Avoid being spammed 100% or more.
·         Have recipient finish reading your email content. 
·         Save time by reducing questions.
·         Increase your level of clarity.
·         Improve you time management with your email.
·        Have quick access to a wealth of relevant email information.
Enjoy most of what you need for email in a single book.


**Important note** - contact our company for very powerful solutions for IP
 management (IPv4 and IPv6, security, firewall and APT solutions:

Another Special Announcement - Tune in to my radio interview,  on Rider University's station, I discuss my recent book, above on "Your Career Is Calling", hosted by Wanda Ellett.   

In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” has just been published and will be followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:

In addition to this blog, I maintain a radio show on BlogtalkRadio  and an online newsletter via have established Netiquette discussion groups with Linkedin and  Yahoo I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and  PSG of Mercer County, NJ.

I am the president of Tabula Rosa Systems, a “best of breed” reseller of products for communications, email, network management software, security products and professional services.  Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.

Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology marketplace.Anyone who would like to review the book and have it posted on my blog or website, please contact me

No comments:

Post a Comment