Power firms in Ukraine have once again become the target of cyberattackers, with a new wave of attacks against them having been discovered recently. The latest attack follows the December 2015 power outage that left homes in the western Ukrainian region of Ivano-Frankivsk without electricity for several hours.
The malware found in the recent attacks does not belong to the BlackEnergy family used in the power station attack; it is instead based on an open-source backdoor. While there is no evidence that the two campaigns are linked, the way the attacks are delivered is essentially the same.
Attack through phishing email
According to researchers at ESET, who first spotted the new attacks, the attackers sent the victims phishing emails carrying a malicious XLS attachment.
The attackers were notified when an email had been delivered and opened, because the message body was HTML and referenced a .PNG image hosted on a remote server: rendering the message fetches the image, and that request signals the open back to the attackers. The BlackEnergy attackers used the same tracking technique.
The malicious XLS file attached to the mail also resembles those found in the earlier attacks. It tries to trick the recipient into dismissing the Microsoft Office security warning and enabling macros; the lure text in the document reads, "Attention! This document was created in a newer version of Microsoft Office. Macros are needed to display the contents of the document."
Once macros are enabled, the document launches a Trojan downloader, which in turn downloads and executes the final payload from a remote server. That server was located in Ukraine and was taken offline after a notification from the state-run Computer Emergency Response Team of Ukraine (CERT-UA) and CyS-CERT.
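The two lures described above, the remote-image open tracker and the macro-carrying Office attachment, are both visible in the raw message before anyone opens it. The following triage script is an added example written for this page, not ESET's tooling or anything recovered from the campaign; the sample message, the tracker URL and the attachment contents are constructed. It uses only the Python standard library: the HTML part is scanned for `<img>` tags that point at remote hosts, OOXML attachments are opened as zip files and checked for a `vbaProject.bin` macro container, and legacy binary Office files (the OLE2 magic that a real .xls carries) are flagged for manual inspection, since their VBA lives in OLE streams that a stdlib script cannot parse.

```python
"""Triage an email for an open-tracking image and macro-bearing Office attachments.

Added example for this page, not ESET's code. The message built by build_sample()
and every name, URL and attachment in it are constructed for illustration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Magic bytes of the OLE2 compound file format used by legacy .xls/.doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


class _ImgCollector(HTMLParser):
    """Collects src attributes of <img> tags that reference a remote host."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value and value.lower().startswith(("http://", "https://")):
                self.urls.append(value)


def remote_images(html):
    parser = _ImgCollector()
    parser.feed(html)
    return parser.urls


def attachment_macro_status(name, data):
    """Classify an attachment: 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other'."""
    if data.startswith(OLE_MAGIC):
        # Binary .xls: VBA is stored in OLE streams; confirm with oletools/olevba.
        return "ole-legacy"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    return "other"


def triage(raw):
    """Return remote image URLs from HTML bodies and a macro status per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"tracking_pixels": [], "attachments": []}
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            findings["attachments"].append(
                (part.get_filename(), attachment_macro_status(part.get_filename() or "", payload))
            )
        elif part.get_content_type() == "text/html":
            findings["tracking_pixels"].extend(remote_images(part.get_content()))
    return findings


def build_sample():
    """Construct a phishing-style message with a 1x1 remote image and two attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # minimal OOXML skeleton with a macro container
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed
    msg["To"] = "victim@example.invalid"     # constructed
    msg["Subject"] = "Document"
    msg.set_content("Please see the attached document.")
    msg.add_alternative(
        '<html><body><p>Please see the attached document.</p>'
        '<img src="http://tracker.example.invalid/open.png" width="1" height="1">'
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="invoice.xlsm")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="vnd.ms-excel", filename="report.xls")  # fake legacy .xls header
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

The remote image check flags any externally hosted image, not only 1x1 pixels, because the tracker can be any size; the decision of whether a given host is benign belongs to the analyst. For a genuine binary .xls, run `olevba` from oletools on anything this script labels `ole-legacy`.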
According to ESET researcher Robert Lipovsky, the malware is a modified version of the open-source gcat backdoor, written in Python. The backdoor can download files and execute commands, and the attackers control it through a Gmail account: its command-and-control traffic is ordinary TLS-encrypted mail traffic to Google's servers, which makes it hard to distinguish from legitimate use on the network.
While the Russian hacking group Sandworm is said to be responsible for the first power station attack, ESET says it has so far found no evidence linking that group, or any other actor, to the latest attacks.
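Because the backdoor's traffic terminates at Google rather than at an attacker-owned server, blocklists and reputation feeds do not help; what a defender can still see is which hosts talk to Gmail's IMAP and SMTP endpoints and how regularly they do so. A backdoor that polls a mailbox for tasking connects at a fixed interval, while a person reading mail does not. The script below is an added example for this page, not part of ESET's analysis, and the flow records it processes are constructed. It groups connections to `imap.gmail.com` and `smtp.gmail.com` per source host and flags hosts whose inter-connection gaps are nearly constant (low coefficient of variation), after excluding hosts that are expected to use Gmail.

```python
"""Flag hosts that poll Gmail endpoints at machine-like regular intervals.

Added example for this page, not ESET's tooling. SAMPLE_FLOWS is constructed:
'timestamp source_host destination port'. Host names are placeholders.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Endpoints a Gmail-controlled backdoor uses to fetch tasking and post results.
GMAIL_ENDPOINTS = {"imap.gmail.com", "smtp.gmail.com"}

# Constructed flow log: ws-17 polls every ~5 minutes, ws-03 looks like a person.
SAMPLE_FLOWS = """\
2016-01-20T09:00:02 ws-17 imap.gmail.com 993
2016-01-20T09:00:41 ws-03 imap.gmail.com 993
2016-01-20T09:05:01 ws-17 imap.gmail.com 993
2016-01-20T09:10:03 ws-17 imap.gmail.com 993
2016-01-20T09:12:55 ws-03 smtp.gmail.com 587
2016-01-20T09:15:00 ws-17 imap.gmail.com 993
2016-01-20T09:20:02 ws-17 imap.gmail.com 993
2016-01-20T09:25:01 ws-17 imap.gmail.com 993
2016-01-20T09:31:10 ws-03 imap.gmail.com 993
2016-01-20T10:02:44 ws-03 imap.gmail.com 993
""".splitlines()


def parse_flow(line):
    ts, host, dst, port = line.split()
    return datetime.fromisoformat(ts), host, dst, int(port)


def gmail_sessions(lines):
    """Map each source host to the timestamps of its connections to Gmail endpoints."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, dst, _ = parse_flow(line)
        if dst in GMAIL_ENDPOINTS:
            by_host[host].append(ts)
    return by_host


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections.

    Near zero means the host reconnects on a fixed schedule; None if too few samples.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def suspicious_hosts(lines, expected_mail_clients=frozenset(), max_cv=0.1, min_sessions=5):
    """Return {host: cv} for hosts beaconing to Gmail that are not known mail users."""
    flagged = {}
    for host, stamps in gmail_sessions(lines).items():
        if host in expected_mail_clients or len(stamps) < min_sessions:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            flagged[host] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_FLOWS))
```

The thresholds are starting points: a backdoor that randomises its sleep, or a host with several users, will raise the coefficient of variation, so this catches naive pollers and should be paired with an inventory of which machines legitimately use Gmail at all. On a corporate network where Gmail is not the mail provider, any host in `gmail_sessions` is already worth a look.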
"We currently have no evidence that would indicate who is behind these cyberattacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not. In any case, it is speculation at best. The current discovery suggests that the possibility of false flag operations should also be considered," said Lipovsky.