A highly destructive Trojan (detected by Symantec as Trojan.Disakil), reportedly used in recent attacks against the Ukrainian energy sector, was also earlier used against media targets in the same country. Symantec telemetry confirms that several computers in a major Ukrainian media company were compromised by Disakil in late October and may have been destroyed by the malware.
One computer at the media company was compromised by a new variant of the BlackEnergy Trojan (detected by Symantec as Backdoor.Lancafdo). The attackers appear to have used this infection to retrieve administrator credentials and used them to execute Disakil on a number of computers. Communication from these computers halted after Disakil was executed, suggesting that it succeeded in wiping them and rendering them inoperable.
The group behind the BlackEnergy Trojan is known as Sandworm and has a history of targeting organizations in Ukraine. It has also been known to attack NATO, a number of Western European countries, and companies operating in the energy sector.
Link to Ukrainian power outages
While Symantec does not have telemetry relating to more recent Disakil targets, the malware has been linked by others to attacks in late December against the energy sector in the Ukraine, which led to power outages in the country.
A press statement on the Security Service of Ukraine (SBU) website alleged the discovery of malicious software responsible for these outages on the networks of regional power companies. According to the SBU press statement, the cyberattack was accompanied by a barrage of phone calls to the power companies' technical support telephone numbers, which would have acted like a denial of service (DoS) attack.
A blog from the SANS ICS team meanwhile reported that it received a sample of Disakil from a trusted source which was used in one of the attacks, on December 23.
Disakil in action
While Symantec cannot confirm Disakil has been used in any cyberattack causing power outages at this time, we can confirm its destructive nature.
Disakil is a multi-stage threat whose main characteristic is its appetite for destruction. If executed, it sets about rendering the infected system unusable by using a number of relatively simple but effective techniques such as overwriting the MBR (Master Boot Record) and overwriting certain file types with junk data. It also attempts to cover its tracks by clearing Windows log files and destroying the malware structure before restarting the system.
A notable feature of Disakil is that it attempts to stop and delete a service named “sec_service”. This service appears to belong to the “Serial to Ethernet Connector” software by Eltima. This software allows access to remote serial ports over network connections. Many legacy SCADA systems still use serial ports for RTU (Remote Terminal Unit or Remote Telemetry Unit) communications, so this software is the type of solution a company would implement in its environment for communicating remotely with these legacy devices.
According to manufacturers, RTU features can include discrete alarms to monitor device failure, redundant backup communication for monitoring during a LAN failure and analog alarm inputs which monitor voltage, temperature, humidity and pressure. Hypothetically, if an attacker knew that their target was using this software for communicating with their legacy SCADA devices, stopping the service and any communications would increase the potential for damage within their environment.
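As an added illustration of how a defender might hunt for the two behaviours described above (the service stop/disable of sec_service, followed by the clearing of Windows event logs before the wipe), here is a small Python script that is not part of the original article or of any Symantec tooling. The log line format and the sample lines are constructed for the example; the Windows event IDs used (7036 and 7040 for Service Control Manager state and start-type changes, 1102 and 104 for the Security and System logs being cleared) are assumed from standard Windows logging, and the service name is taken from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): "<ISO time> <host> <EventID> <message>".
SAMPLE_LOG = """\
2015-10-20T02:11:03 ws-07 7036 The sec_service service entered the running state.
2015-10-20T02:14:51 ws-07 7036 The Print Spooler service entered the stopped state.
2015-10-20T02:15:10 ws-12 7036 The sec_service service entered the stopped state.
2015-10-20T02:15:12 ws-12 7040 The start type of the sec_service service was changed from auto start to disabled.
2015-10-20T02:15:40 ws-12 1102 The audit log was cleared.
2015-10-20T02:15:41 ws-12 104 The System log file was cleared.
2015-10-20T03:00:00 ws-03 1102 The audit log was cleared.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
WATCHED_SERVICE = "sec_service"      # service name from the article; the logged display name may differ
SERVICE_CHANGE_IDS = {"7036", "7040"}  # assumed: SCM service state / start-type change events
LOG_CLEAR_IDS = {"1102", "104"}        # assumed: Security log cleared / System log cleared
WINDOW = timedelta(minutes=10)         # how closely a log clear must follow the service stop

def parse(log_text):
    """Parse the constructed log format into (timestamp, host, event_id, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, eid, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, eid, msg))
    return events

def find_wiper_pattern(log_text):
    """Return {host: [log-clear event IDs]} for hosts where sec_service was stopped or
    disabled and an event-log clear followed within WINDOW. A log clear on its own, or a
    stop of some other service, is not flagged; the sequence is what matters."""
    stops = {}    # host -> time sec_service was first stopped/disabled
    flagged = {}
    for ts, host, eid, msg in parse(log_text):
        if eid in SERVICE_CHANGE_IDS and WATCHED_SERVICE in msg and ("stopped" in msg or "disabled" in msg):
            stops.setdefault(host, ts)
        elif eid in LOG_CLEAR_IDS and host in stops and ts - stops[host] <= WINDOW:
            flagged.setdefault(host, []).append(eid)
    return flagged

if __name__ == "__main__":
    for host, ids in find_wiper_pattern(SAMPLE_LOG).items():
        print(f"{host}: sec_service stopped, then event logs cleared ({', '.join(ids)})")
```

On real systems the same sequence would be pulled from the System and Security channels rather than a flat text file, and the service display name logged by the Service Control Manager should be confirmed against the installed Eltima software.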
Attacks of this nature against the energy sector are not unheard of. In 2012 Symantec reported on the Shamoon attacks, where at least one organization in the energy sector was attacked using very similar techniques to render the targeted systems unusable. The destructive capabilities of Disakil would make it ideal for use in any attack looking to inflict severe damage on a target’s environment.
Symantec and Norton products protect against Disakil and related threats with the following detections:
Intrusion prevention system