Threat Analysis of BlackEnergy Malware for Synchrophasor based

Threat Analysis of BlackEnergy Malware for Synchrophasor basedReal-time Control and Monitoring in Smart Grid

Khan, R., Maynard, P., McLaughlin, K., Laverty, D., & Sezer, S. (2016). Threat Analysis of BlackEnergy Malwarefor Synchrophasor based Real-time Control and Monitoring in Smart Grid. In 4th International Symposium forICS & SCADA Cyber Security Research 2016 (pp. 53-63). BCS. DOI: 10.14236/ewic/ICS2016.7

Published in:4th International Symposium for ICS & SCADA Cyber Security Research 2016

Document Version:Peer reviewed version

Queen's University Belfast - Research Portal:Link to publication record in Queen's University Belfast Research Portal

Publisher rights© 2016 The Authors.

General rightsCopyright for the publications made accessible via the Queen's University Belfast Research Portal is retained by the author(s) and / or othercopyright owners and it is a condition of accessing these publications that users recognise and abide by the legal requirements associatedwith these rights.

Take down policyThe Research Portal is Queen's institutional repository that provides access to Queen's research output. Every effort has been made toensure that content in the Research Portal does not infringe any person's rights, or applicable UK laws. If you discover content in theResearch Portal that you believe breaches copyright or violates any law, please contact [email protected].

Download date:14. Feb. 2018

https://pure.qub.ac.uk/portal/en/publications/threat-analysis-of-blackenergy-malware-for-synchrophasor-based-realtime-control-and-monitoring-in-smart-grid(df705d06-011e-481b-95cd-59dbd3f29b09).html

Threat Analysis of BlackEnergy Malware forSynchrophasor based Real-time Control and

Monitoring in Smart Grid

Rafiullah Khan, Peter Maynard, Kieran McLaughlin, David Laverty and Sakir SezerQueen’s University Belfast, Belfast, United Kingdom

{rafiullah.khan, pmaynard01, kieran.mclaughlin, david.laverty, s.sezer}@qub.ac.uk

The BlackEnergy malware targeting critical infrastructures has a long history. It evolved over time froma simple DDoS platform to a quite sophisticated plug-in based malware. The plug-in architecture has apersistent malware core with easily installable attack specific modules for DDoS, spamming, info-stealing,remote access, boot-sector formatting etc. BlackEnergy has been involved in several high profile cyberphysical attacks including the recent Ukraine power grid attack in December 2015. This paper investigatesthe evolution of BlackEnergy and its cyber attack capabilities. It presents a basic cyber attack model usedby BlackEnergy for targeting industrial control systems. In particular, the paper analyzes cyber threatsof BlackEnergy for synchrophasor based systems which are used for real-time control and monitoringfunctionalities in smart grid. Several BlackEnergy based attack scenarios have been investigated byexploiting the vulnerabilities in two widely used synchrophasor communication standards: (i) IEEE C37.118and (ii) IEC 61850-90-5. Specifically, the paper addresses reconnaissance, DDoS, man-in-the-middle andreplay/reflection attacks on IEEE C37.118 and IEC 61850-90-5. Further, the paper also investigates protectionstrategies for detection and prevention of BlackEnergy based cyber physical attacks.

BlackEnergy, Malware, Cyber Attacks, Synchrophasors, Smart Grid, IEEE C37.118, IEC 61850-90-5.

1. INTRODUCTION

Synchrophasor based systems play a vital role inreal-time and wide-area monitoring, protection andcontrol in modern power grids. It involves measure-ment of electrical quantities in real-time at differentpoints in the grid, time-stamped using a commonprecise time source (e.g., GPS) and transmitted tothe control center using a suitable communicationframework. Synchrophasor applications range fromsimple grid dynamics visualization/recording to pro-tection in distributed generation and synchronousislanding (Schweitzer et al. (2011)). At present,two communication frameworks are available forsynchrophasor technology: IEEE C37.118 and IEC61850-90-5. Both have their own unique featuresand limitations (Khan et al. (2016)). Due to in-volvement of critical infrastructure in synchrophasorbased systems and possible transmission of dataover insecure wide-area network, a strong protectionmechanism against cyber attacks is necessary.

The role of malware in modern sophisticated multi-stage cyber attacks cannot be ignored. The successof a cyber attack depends on the attacker’s ability

to install malware on a targeted system withoutbeing noticed by the system owner. The time amalware can disguise itself and persist inside aninfected system is also an important factor forsuccessful cyber attacks. BlackEnergy evolved asone of the most sophisticated and modular malwarefor targeting critical infrastructures since its firstdiscovery. Originally designed for Distributed Denialof Service (DDoS) attacks, BlackEnergy evolved intoa plug-in based architecture easing the developmentof new attack-specific modules for espionage, DDoS,spam and fraud. BlackEnergy has been involved inseveral major cyber attacks including coordinatedDDoS attack on Georgia’s finance, military andgovernment agencies (Hollis (2011)), fraudulentbank transactions and the Ukraine power grid.Its concealment ability inside an infected systemis evident from the US Department of HomelandSecurity revelation in 2014 that the softwarecontrolling several national critical infrastructuresremained compromised by BlackEnergy since 2011(ThreatSTOP (2016)).

c© The Authors. Published by BISL. 1Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016

Threat Analysis of BlackEnergy Malware for Synchrophasor based Real-time Control and Monitoring in Smart GridKhan • Maynard • McLaughlin • Laverty • Sezer

Based on the capabilities and success stories ofBlackEnergy, it is also a major threat for synchropha-sor applications. Any cyber attack on synchrophasorbased systems can lead to extreme consequencesincluding blackout, financial loss and physical dam-age to the grid. This paper investigates key featuresand capabilities of BlackEnergy and analyzes threatsagainst synchrophasor based control and monitoringsystems. It presents a basic attack model usedpreviously in BlackEnergy based cyber attacks andanalyzes it for synchrophasor technology. In partic-ular, this paper investigates vulnerabilities in bothIEEE C37.118 and IEC 61850-90-5 synchropha-sor communication frameworks which could be ex-ploited through cyber attacks including reconnais-sance, DDoS, Man-In-The-Middle (MITM) and replayattacks. The paper presents several attack scenarioswhich alone or in combination could severely impactmonitoring and control functionalities of synchropha-sor applications. The aim of paper is to investigatepotential BlackEnergy threats which could aid thedevelopment of cyber security solutions. Based onpresented attack scenarios, this paper also presentspossible protection strategies for prevention or miti-gation of BlackEnergy based cyber attacks.

The remainder of the paper is organized as follows:Section 2 presents background and related workfrom literature. Section 3 presents formal analysis ofBlackEnergy variants evolved over time. Section 4analyzes threats of BlackEnergy for synchrophasorbased systems by demonstrating different possibleattack scenarios. Section 5 presents possibleprotection and prevention strategies. Finally, Section6 concludes the paper.

2. BACKGROUND AND RELATED WORK

This section presents background and related workon (i) synchrophasor technology and its securitychallenges and (ii) history of cyber attacks utilizingBlackEnergy.

2.1. Synchrophasor Technology

Synchrophasor technology is used for real-time gridmonitoring and control (Schweitzer et al. (2011)).It tracks power system dynamics in real time andenables taking prompt actions when necessary.Fig. 1 depicts a generic synchrophasor basedsystem consisting of the following basic components:Phasor Measurement Units (PMUs), Phasor DataConcentrators (PDCs), communication network andcontrol center. The PMUs are placed at differentpoints in the grid and measure voltage and currentwaveforms in real-time which are transmitted tothe control center. They are equipped with GPSantenna for time-stamping synchrophasor databefore transmission. The PDC is a device that

Substation 1

LANPDC

GP

S A

nte

nn

a

Substation N

LANPDC

GP

S A

nte

nn

a

Control Center

Monitoring / Visualization

PDCControl

Software

Archive

Network /Internet

PMU

PMU

PMU

PMU

PMU

PMU

Figure 1: Generic synchrophasor communication system.

receives data from multiple PMUs, aggregates itbased on GPS timestamps and sends as a singleoutput stream. The PDC input streams may beoriginating from PMUs or PDCs or both. The controlcenter processes data for real-time grid monitoring,control or simply archive for post-analysis in case ofany disaster.

Synchrophasor technology requires a suitable com-munication framework for transmitting grid statusinformation in real-time over a wide area network(Martin (2013)). IEEE developed the IEEE 1344standard which was improved over the time andultimately replaced by IEEE C37.118-2. Martin et al.(2008) explains the evolution of IEEE standards andhighlights the key improvements over time. The IEEEC37.118-2 has several limitations including (i) lack ofsecurity mechanism, (ii) limited interoperability andintegration support and (iii) no defined transport pro-tocol and multicast features. IEC recently establisheda working group for development of a synchrophasorstandard. The group developed the IEC 61850-90-5standard and also proposed a security mechanism(Madani et al. (2015)). The security mechanism isbased on Group Domain Of Interpretation (GDOI)that ensures highest level of security for synchropha-sor communication. To protect communication fromcryptanalysis, GDOI periodically refreshes securitypolicies and keying material. However, IEC 61850-90-5 adaptation is quite limited and most commer-cially available PMUs still support IEEE C37.118.Khan et al. (2016) presented detailed comparison ofIEEE C37.118 and IEC 61850-90-5.

Laverty et al. (2013) presented an OpenPMUproject, the first open source PMU project thatintegrates latest features and supports both IEEEC37.118 and IEC 61850-90-5. The literature mostlyfocuses on vulnerabilities in IEEE C37.118 dueto lack of built-in security mechanism (Khanet al. (2016)). Allgood et al. (2011) highlightedthat synchrophasors are transmitted over wide-area networks and an insecure communicationprotocol raises serious threats against potentialcyber attacks. Stewart et al. (2011) addressedbest practice strategies and explained the roleof Virtual Private Network (VPN) and firewall inprotection against cyber attacks. Morris et al. (2011)

2


tested the resilience of PMUs against Denial ofService (DoS) attacks and monitored their degree ofunresponsiveness when flooded with ARP requestsand IPv4 packets. The authors also performedprotocol mutation experiments and tested resilienceagainst malformed packets. Coppolino et al. (2014)also augmented the work on PMU vulnerabilitieswhen using IEEE C37.118. Shepard et al. (2012)addressed GPS spoofing that can severely impactpower system e.g., intentional tripping of generatorsor physical damage to equipments. In short, cyberattacks on a synchrophasor based system could leadto extreme consequences. Several survey articles(Yan et al. (2012), Boyer et al. (2009), Beasley etal. (2014)) have addressed security challenges forsynchrophasors and smart grid in general.

An investigation is necessary to determine resilienceof IEEE C37.118 and IEC 61850-90-5 against insiderattacks based on BlackEnergy. Further, knowledgeof countermeasures is necessary to effectivelymitigate them.

2.2. History of Black Energy

The history of BlackEnergy and its involvement indifferent cyber attacks is depicted in Fig. 2. It wasfirst discovered by Arbor Networks (Nazario (2007))as a simple HTTP based botnet. It is regardedas BlackEnergy version 1 (BE1) and specificallydesigned for DDoS attacks. It provides an attackeran easy to control HTTP based bot with minimalsyntax for control functionalities. Arbor Networksdetected that most BE1 Command & Control (C&C)servers were located in Malaysia and Russia. Adistinguishing feature of BE1 DDoS is its capabilityto target more than one destination IP addressper hostname (Nazario (2007)). This makes thecoordinated DDoS much more effective even if thetarget is using DNS load balancing. The bot alsouses encryption at runtime to prevent detection byanti-virus software. The victims of BE1 are of twotypes: (i) several distributed compromised systemswith BE1 Trojan for launching coordinated DDoS,and (ii) the end targeted system of DDoS attack.The connection between both types of victims wasunclear. Arbor Networks identified 27 active DDoSnetworks based on BE1 Trojan located in Malaysiaand Russia, whereas, their main targets were alsolocated in Russian IP address space.

It is widely believed that BE1 was used fora DDoS attack on Georgia in 2008 during theRussian-Georgian war. However, there is insufficientinformation to prove this speculation. The attackwas highly successful resulting in 54 websitesinaccessible (Hollis (2011)). The attack left Georgia’sgovernment, military, finance and news agenciesunable to communicate with citizens from the

affected areas. It is believed that reconnaissanceattack took place several weeks prior to actualalleged Russian cyberspace DDoS attack.

In 2010, BlackEnergy version 2 (BE2) was discov-ered with new espionage, spam and fraud capabili-ties. SecureWorks research team revealed that BE2was involved in stealing financial and authenticationdata from Russian banks (Russian botnets targetinglocal banks) (ThreatSTOP (2016)). SecureWorks fur-ther revealed that BE2 has a modular design thatuses plugins for carrying out a specific maliciousactivity without re-writing completely new code. Afterstealing authentication data, BE2 utilized a DDoSplug-in against the same bank to take authenticationsystem offline for customers and distract them fromnoticing the fraudulent transactions. Further, BE2was also accompanied with a plug-in designed todestroy the filesystem on compromised machine.

BlackEnergy is also a major threat to critical in-frastructures. US Department of Homeland Securityrevealed in 2014 that the software controlling sev-eral national critical infrastructures including nuclearplants, electric grids, water filtration systems andoil and gas pipelines had been compromised byBlackEnergy since 2011 (ThreatSTOP (2016)). F-Secure labs researched two BlackEnergy samples in2014. The main victim of first sample was a politicalwebsite in Ukraine while NATO headquarters in Bel-gium was the main target for the second sample. Inthe same year, ESET also researched more than 100BlackEnergy victims mostly in Poland and Ukraine(ThreatSTOP (2016)).

The story of BlackEnergy continues and threeregional electric power distribution companies ofUkraine experienced coordinated cyber attacks inDecember 2015. The attacker utilized a new variantof malware, BlackEnergy version 3 (BE3) for illegalentry into the company’s computer and SCADAsystems. Attackers opened the breakers of seven110 kV and 2335 kV substations resulting in blackoutfor more than 225,000 people which took 6+ hoursto restore. To remove attack traces and elongatethe blackout period, attackers also utilized KillDiskmalware to wipe/erase several systems and corruptmaster boot records in all three companies. Inaddition, a custom firmware was deployed for serialto Ethernet converters that bricked the devices andprevented technicians from restoring power untilconverters were bypassed.

3. FORMAL ANALYSIS OF BLACKENERGY

The use of BlackEnergy for targeted attacks isattributed to a Russian based cyber gang knownas Sandworm. Until now, the gang has targetedNATO, several government organizations and critical

3


2007

2008

2010

2014

2015

BE v1 discovered (HTTP based botnet for DDoS attacks)

27 botnets detected mostly in Russia and Malaysia

BE v1 Objectives: Coordinated DDoS attacks

Used in a cyber attack on Georgia during Russian-Georgian war

54 Georgia's military, government and finance websites successfully hacked.

New version: BE v2 used in cyber fraud attack

Modularized and used plugins for targeting bank authentication system

DDoS: Prevent detection of fraudulent money transfers

BE v2 Objectives: DDoS, Espionage, Spam, fraud

Software for several US critical infrastructures detected compromised since 2011

Political party website attacked in Ukraine.

Over 100 victims of BE v2 attacks investigated in Ukraine, Poland and Belgium.

New version of malware (BE v3) involved in cyber attack on Ukraine power industry

Three regional electric power distribution companies experienced coordinated cyber attacks

Power outage for more than 6 hours.

Figure 2: History of Black Energy.

Table 1: BlackEnergy features and capabilities.

Feature BE1 BE2 Lite BE3

GUI Build Tools X X X XPlugin Support X X XDenial of service X X X XC2C Controller X X X XAV Obfuscation X X X XKernel rootkit X Xx64 support X Xbypass driver signing XReside only in memory Xrundll X XDetection of virtual environment XAnti-debugging methods XDetect security countermeasures X

infrastructures. Sandworm uses spear phishing astheir preferred infection tactic and the latest versionof BlackEnergy as signature malware. BlackEnergyenumerates all installed drivers on a system andidentifies those which are disabled. It randomlyselects a disabled driver, maliciously replaces it withits own driver and enables it on the compromisedsystem. The driver needs to have a valid signature.BlackEnergy bypasses such security features bymodifying system boot configuration data to enabletesting signatures and patches the user32.dll.mui orbypasses the UAC through shim. Table 1 describeshow BlackEnergy features evolved over time and isdiscussed in the following sections.

3.1. BlackEnergy 1

The BE1 is HTTP based botnet used for coordinatedDDoS attacks. It provides the attacker an easy tocontrol interface with minimal syntax and structure.The BE1 botnet configurations are stored and loadedfrom MySQL database (db.sql). Unlike traditionalbotnets, it does not communicate with botnet master

using Internet Relay Chat (IRC). Further, BE1 lacksthe exploit functionalities and relies on externaltools to load the bot. Nazario (2007) observed thatmost BE1 C&C servers were hosted in Russiaand Malaysia and attacking targets located inRussia. BE1 botnet uses HTTP POST messagesto communicate with its controlling servers andspecifies the bot’s ID inside each message. Keyfeatures of BE1 include: (i) ability to target morethan one IP address per hostname, (ii) a runtimeencrypter to prevent detection by antivirus software,and (iii) disguises itself by hiding its processesin a system driver (syssrv.sys). The BE1 bot hasthree different types of commands: (i) DDoS attackcommands e.g., ICMP flood, TCP SYN flood, UDPflood, HTTP get flood, DNS flood, etc, (ii) downloadcommands to fetch and launch a new or updatedexecutable from its server and (iii) control commandse.g., stop (to freeze DDoS), wait (a placeholder) ordie (kill or exit).

3.2. BlackEnergy 2

BE2 is a superior version of BlackEnergy discoveredin 2010. The malware was completely rewritten andevolved from basic DDoS specific architecture to amodular framework. BE2 provided extended func-tionalities with easily loadable attack-specific pluginsfor espionage, fraud, stealing user credentials orkey logger, scanning network, sending spam andmore. BE2 is a superset of BE1 and also containsplugin for the original DDoS functionality. The pluginsare downloaded/updated from its C&C servers oncompromised system in an encrypted format asdrivers. BE2 also contains a Trojan plugin that candestroy the complete filesystem of a compromisedsystem on kill command (ThreatSTOP (2016)). Thecapabilities of BE2 include: (i) execute local files,

4


(ii) download and execute remote files, (iii) updateitself and plugins with C&C servers and (iv) die ordestroy. The plugins and update features of BE2make it highly evasive with a much longer survivaltime on compromised systems. If the bot is detectedby antivirus software, the attacker only rewrites thediscovered part and sends the update to bots.

3.3. BlackEnergy 3

The BE3 is highly simplified version of BE2,first discovered in 2014. Compared to BE2, BE3bears minor changes and uses a different protocolfor communication with its plugins (ThreatSTOP(2016)). Further, the BE3 installer drops themain DLL component directly into user processes(specifically in svchost.exe) rather than usingdriver/rootkit component as in BE2. BE3 wasalso found scanning the internet for a specificHMI, the GE Intelligent Platforms HMI/SCADA -CIMPLICITY. The HMI was known to have a directorytraversal vulnerability in CimWebServer.exe (theWebView component) which allows remote attackersto execute arbitrary code via a crafted message toTCP port 10212, (ZDI-CAN-1623). BE3 targeted thisservice after detecting its network interface. Once itdetected an exploitable server, it has two options;download devlist.cim or config.bak which would thenuse to deploy BlackEnergy. Once on a system, BE3scans the network and local machines for data toexfiltrate.

3.4. BlackEnergy Lite

The BE Lite (also known as BE Mini) has differentbuild ID format, different plugin interface and hasmuch lighter footprint. Unlike BE2 and BE3, it doesnot use a driver for loading the main DLL but insteaduses more standard way for loading DLLs (e.g.,rundll32.exe). The configuration data of BE Lite isstored as X.509 certificates unlike other BlackEnergyvariants which store in XML files.

4. SECURITY CHALLENGES FORSYNCHROPHASOR BASED APPLICATIONS

BlackEnergy is one of the most sophisticatedmalware evolved over time and played key rolein several high profile cyber attacks on criticalinfrastructures in the past. It is also a major threat tosynchrophasor technology which is particularly usedfor monitoring and control of critical infrastructure.Depending on the type of cyber attack onsynchrophasors, the potential impact could bedifferent. The BE3 with DDoS plugin could leadto failure in a power grid leaving PMUs unable tocommunicate with the control centers. BE3 with fs.dlland dstr.dll plugins could destroy entire filesystem oncompromised system and leave devices completelyinoperable. BE3 with ps.dll and kd.dll plugins could

Reconnaissance

WeaponizationMalwareInjection

ConcealmentAssault / Execution

Destroy

Figure 3: The anatomy of cyber attack.

provide an attacker key logging and passwordstealing functionalities which could be necessaryfor remote access to critical system componentse.g., the PMU, and alter the configurations. BE3with scan.dll, vs.dll and rd.dll plugins could helpattacker scan the entire network and discoverthe devices of interest from compromised system,remotely access the compromised system andlaunch MITM, replay or other traffic manipulationattack on communication between PMUs and thecontrol center. Traffic manipulation attacks couldseverely damage physical equipment and result incomplete shutdown of grid components.

Depending on the communication framework (IEEEC37.118 or IEC 61850-90-5) used in a synchropha-sor based system, BlackEnergy kill chain processcould be slightly different. This section presents abasic cyber attack model derived from the analysisof previous BlackEnergy based cyber attacks. Basedon the attack model, several attack scenarios havebeen addressed in which BlackEnergy could playlead-role in executing cyber attacks on synchropha-sor based systems.

4.1. Basic Cyber Attack Model

A proper understanding of the anatomy of cyberattack could help detect and prevent future attacks.Fig. 3 illustrates steps involved in the launch of asuccessful cyber attack based on BlackEnergy inparticular but equally applicable to any malware ingeneral.

4.1.1. ReconnaissanceIt is the first step in any cyber attack to identifyand exploit vulnerabilities in the targeted systemincluding organizational structure, OS and softwaretypes and version, security credentials and anymisconfigurations. It is the identification of a weakinitial target that is either inside or connected to thetargeted organization.

4.1.2. WeaponizationOnce a weak target is identified, a weapon is pre-pared for initial attack. Weaponization often meanstrojanization of a genuine application, document orfile with malicious code. E.g., weaponization may

5


exploit macros in Microsoft word document or usePDF files in malicious way.

4.1.3. Malware InjectionThe next step is injection of malware or weaponizedapplication/document into the targeted system. Themost common method is spear phishing i.e., sendingweaponized document as email attachment or linkto weaponized application in email by impersonatingit as a link for necessary updates of a genuineapplication already installed on the system. TheBlackEnergy attack on Ukraine power companieswas based on spear phishing (ThreatSTOP (2016)).Another common malware injection strategy ispharming or driveby pharming i.e., redirectingtraffic to fraudulent website through exploitingvulnerabilities in DNS server.

4.1.4. ConcealmentOnce malware is successfully injected and executed,the next step is to disguise and remain undetectedby defense mechanisms on targeted system.BlackEnergy successfully replaces genuine systemdrivers to conceal itself. Concealment is necessaryto get enough time for attack preparation, testing andvalidation before the final execution to achieve thebest possible results.

4.1.5. AssaultAssault is the actual execution of an attack basedon the BlackEnergy version and plugins used. Theconcealed malware remains in contact with C&Cservers and executes the final attack only wheninstructed e.g., coordinated DDoS attack on Georgia(Hollis (2011)).

4.1.6. DestroyPost attack after achieving objectives, the attackerdestroys all traces leaving behind no clues of attackprocess. Cleaning logs and injecting mis-leadinginformation into the system could obfuscate forensicteam from revealing attack success reasoning. TheBlackEnergy attack on Ukraine power companiesused a KillDisk plugin to destroy the entire filesystem, destroy forensic evidences and significantlyincrease recovery time for power companies.

4.2. Coordinated DDoS Attack onSynchrophasor-based SystemThe DDoS attack floods target systems with trafficoriginating from potentially thousands of differentsources. The distributed nature makes it difficultto differentiate between legitimate packets andflood packets. Further, attack prevention cannot beachieved by simply blocking packets from a singleorigin IP. The DDoS attack leaves target systemirresponsive by consuming all of its processingresources.

Several synchrophasor applications involve localcommunication or use of secure VPNs which make

Attacker C&C Servers

1

2 2 2 2 2 2 2 2 2 2 2

3

4

5

Bo

tnet

s

Victim

PMU Control Server

6

Data Messages

Data Messages

Figure 4: Coordinated DDoS Attack on IEEE C37.118using BlackEnergy DDoS plugin.

DDoS attacks on a specific device difficult. Theattack scenario in Fig. 4 is limited to certain specificsynchrophasor applications involving transmissionover Internet without using VPN tunnels. It is similarto the DDoS attack on Georgia (Hollis (2011)) andconsists of following steps:

Step:1 It involves reconnaissance, weaponizationand malware injection (i.e., BE3 with DDoSplugin) steps of the attack model depicted inFig. 3.

Step:2 Execution of injected malware and conceal-ment.

Step:3 The victim sends basic information aboutcompromised system to C&C servers.

Step:4 The attacker gets information about compro-mised systems from C&C servers. It sendscommands (e.g., when to execute attack) toC&C servers.

Step:5 C&C servers send attacker commands tovictims.

Step:6 The victims execute coordinated DDoS wheninstructed by attacker through C&C servers.

Fig. 4 demonstrates DDoS by flooding ‘data’ mes-sages; a specific IEEE C37.118 message carry-ing actual synchrophasor measurements. Withoutknowing PMU configurations, the botnets could notconstruct correctly formated data messages. In caseof IEC 61850-90-5, the botnets will flood Sam-pled Value (SV) packets. However, botnet operatorswill most likely lack knowledge about security poli-cies and keying material. Thus, incorrectly formatedpackets or packets with invalid signatures will beimmediately discarded by the control server withoutbeing fully processed. This results in the reducedstrength of DDoS attack. For a much stronger DDoS

6


Internet

InternalServer

PLCs RTUsIEDs

Remote Access Devices

Supervisory Network

Victim

Attacker Command & Control Server

1

2

3

4

5

6

7

Inverters PMU

Figure 5: Reconnaissance/Eavesdropping attack scenarioon synchrophasor System.

attack with correctly formated flood packets, a multi-stage attack is addressed in Section 4.6.

4.3. Reconnaissance/Eavesdropping Attack onSynchrophasor-based System

Reconnaissance is unauthorized discovery of net-work and equipment configurations, system topol-ogy and system dynamics. Since synchrophasorscarry real-time dynamics about the power system,eavesdropping could reveal critical information tothe attacker. Reconnaissance itself is not harmfulbut can help discover system vulnerabilities, stealsecrets (e.g., login credentials for remote accessdevices) and can help determine the right time formore severe attacks through the knowledge of sys-tem dynamics.

A reconnaissance attack could be launched byeavesdropping on network traffic or by directlyaccessing the physical device. Depending on theattack strategy, the attacker could use BlackEnergywith one or more plugins such as scan.dll (i.e.,network scanning), kl.dll (i.e., key-logger), vs.dll (i.e.,network discovery & remote execution), ss.dll (i.e.,screenshot), ps.dll (i.e., password stealer), tv.dll (i.e.,teamviewer) or rd.dll (i.e., remote desktop). Fig.5 depicts the attack scenario for reconnaissancebased on BlackEnergy and consists of the followingsteps:

Step:1-5 Corresponds to steps 1-5 as in Fig. 4.

Step:6 The victim scans for an internal server orHMI device that has the ability to access/controlfield devices. Attacker uses remote executionvulnerability to implant BlackEnergy on internalserver. The internal server opens a SSHbackdoor and listens on specific port. Thisprovides the attacker more flexibility to controlinternal server/HMI.

Control Center

Substation Network

Attacker/Compromised PC

Gateway PMU

MAC = BB:BB:BB:BB:BB:BBIP = 192.168.1.55

MAC = AA:AA:AA:AA:AA:AAIP = 192.168.1.99

MAC = CC:CC:CC:CC:CC:CCIP = 192.168.1.1

Gratuitous ARP192.168.1.1 has

AA:AA:AA:AA:AA:AA

1

23 3

Figure 6: Traffic diversion based on ARP spoofing.

Step:7 The actual reconnaissance attack execu-tion by remotely accessing and monitoring thedevice or sniffing and monitoring its traffic(e.g., using traffic diversion mechanism demon-strated in Fig. 6).

The attacker will acquire PMU configurations (i.e.,necessary for IEEE C37.118) or security credentialfor IEC 61850-90-5 by either remotely accessing thePMU from a compromised server or by monitoringits traffic. Such information will also enable anattacker to control PMU operations. To eavesdropon traffic, the compromised internal server needs toimplement local traffic diversion. Fig. 6 depicts thetraffic diversion scenario based on ARP spoofing,which is one possible approach described as follows:

Step:1 Normal operations scenario when no trafficdiversion is activated.

Step:2 The attacker broadcast Gratuitous ARPinside local network to update ARP caches ofall LAN devices. Gratuitous ARP associatesPMU or gateway IP (i.e., one way trafficdiversion) or both IP addresses (i.e., two waytraffic diversion) with attacker’s MAC address.

Step:3 Final delivery of packets inside local networkis based on MAC address. Thus, all trafficto/from PMU goes to attacker who thenforwards to correct destination.

The attack scenario in Fig. 5 is also very similarto recent BlackEnergy attack on Ukraine powercompanies (Lee et al. (2016)). During step 6,BlackEnergy malware opened an SSH backdoor bylistening on port 6789. During step 7, attackersaltered configurations of inverters and createdblackout. The attackers took an additional step byexecuting KillDisk plugin to format/destroy the entirefile system of internal server. This left the attackimpact over a longer period and more time andefforts were required to recover the system fromattack. The attackers also launched a DDoS attack(similar to Fig. 4) on control center in parallel toprevent customers from reporting the blackout.

4.4. Man In The Middle Attack onSynchrophasor-based SystemThe MITM attack hijacks communication betweentwo devices and makes them believe that they

7


PMU Control Center

Command: Send Configurations

Configuration: CFG-2

Command: Start Data Transmission

Data: Synchrophasors

Command: Send Configurations

Configuration: CFG-2

ARP Spoofing – Traffic Diversion

Data: Synchrophasors Data: Modified Synchrophasors

Command: Stop Data Transmission

Attacker

Figure 7: MITM attack: Hijacking of IEEE C37.118communication.

are connected to each other directly. Instead, theattacker lies in the middle, sniffs and manipulatespackets in transit. In a successful MITM attack, theattacker can alter packets in transit or drops them orinjects new packets.

For a MITM attack, the attacker first needsto get access inside supervisory network bycompromising an internal server (i.e., similar toSteps 1-6 in Fig. 5). The next step is toimplement traffic diversion (depicted in Fig. 6)to get access to packets in both directions.Further steps after traffic diversion depend on thecommunication framework: IEEE C37.118 or IEC61850-90-5. The basic scenario to successfullyhijack IEEE C37.118 communication and performMITM attack is depicted in Fig. 7. To initiatecommunication with PMU, the control center sendsa command message to request configurationsfrom PMU. The PMU replies with a configurationmessage that contains information about thePMU as well as necessary decoding informationfor the upcoming synchrophasor data messages.Afterwards, the control center sends anotherrequest to the PMU to start the transmission ofsynchrophasor data messages. If an attacker sits inthe middle by implementing traffic diversion, it cannotunderstand/decode synchrophasor data messageswithout the knowledge of PMU configurations.Thus, the attacker sends command message toPMU to request the configurations. After storingconfigurations, the configuration message from PMUshould be dropped and prevented from traveling tothe control center. At this point, the attacker cansuccessfully decode synchrophasor data messagesin transit and manipulate/modify them before beingforwarded to the control center. An attackermay also interrupt communication by sendingcommand message to PMU to stop transmission ofsynchrophasors and generate packets from its ownand transmit to the control center. For synchrophasorcontrol applications, it can cause severe damageto physical equipments and financial loss as the

PMU

Sub

stat

ion

Net

wo

rk

Internet

Control Center

Attacker

Normal Operations: GDOI Exchanges

Normal Operations: IEC 61850-90-5

MITM attack on GDOI Exchanges

MITM attack on IEC 61850-90-5

IEC

61

85

0-9

0-5

GD

OI E

xch

ange

s

KDC

Figure 8: MITM attack: Hijacking of IEC 61850-90-5communication.

deceived control center unintentionally performsdecisions on incorrect data.

Unlike IEEE C37.118, the IEC 61850-90-5 com-munication cannot be hijacked easily due to GDOIsecurity mechanism. As depicted in Fig. 8, boththe PMU and control center first need to acquiresecurity policies and keying material from the KeyDistribution Center (KDC) through specific GDOIexchanges. The acquired security credentials thenenable the PMU and control center to securely com-municate with each other. For an attacker to play aMITM role, it needs to hijack both GDOI exchangesas well as IEC 61850-90-5 communication. BothGDOI exchanges and IEC 61850-90-5 messagesare encrypted leaving the attacker unable to decryptand manipulate the messages in transit. To acquiresecurity credentials for decryption, the attacker mayadopt one of two strategies: (i) compromise thePMU as well and steal security credentials, or (ii)persist inside the substation network until a newPMU or existing disconnected PMU (e.g., due tomaintenance) reconnects to the network and authen-ticates with the KDC. The authentication phase withKDC can be successfully hijacked by an attacker bya MITM attack on GDOI authentication exchanges(e.g., MITM attack on Diffie Hellman authenticationmechanism). The attacker masquerades as the PMUto the KDC, and as the KDC to the PMU. Thus,two authentications take place: (i) between PMUand attacker and (ii) between attacker and KDC.Once GDOI phase 1 (i.e., Diffie Hellman) has beencompromised, an attacker can successfully decryptand manipulate IEC 61850-90-5 packets in transitbetween PMU and control center by using acquiredsecurity credentials.

4.5. Replay/Reflection Attack onSynchrophasor-based System

The procedure and requirements of replay/reflectionattack are similar to the MITM attack as addressedin Section 4.4. It can hide the real-time power sys-tem dynamics by storing/recording communicationbetween a PMU and control center and plays itback to the control center later on. It can leadto incorrect decisions by the control center due toprocessing out-dated packets. It is particularly risky

8


Attacker C&C Servers4

5

Bo

tnet

s

Final Victim

PMU Control Server

Data Messages

Data Messages

BE3 Victim

1

2

BE3 using DDoS Plugin

InternalServer

3

6

7

8

9

9

10

11

16

12 12 12 12 12 12 12

13

14

15

Sub

stat

ion

Net

wo

rk

Figure 9: Strong DDoS attack based on two-stage interimattacks utilizing BlackEnergy plugins for credential theftand DDoS.

for real-time synchrophasor control applications suchas synchronous islanding and could cause physicaldamage to substation resulting in local blackout.For replay attack on IEEE C37.118, the attackerdoes not need to acquire configurations from PMU.However, the Second Of Century (SOC) count insideeach recorded packet should be adjusted by attackerbefore replaying to the control center. For a replayattack on IEC 61850-90-5, the attacker still needs toacquire security credentials as addressed in Section4.4. The attacker needs to decrypt packets and up-date session PDU numbers and security informationinside each packet before transmitting to controlcenter. This step is necessary as the GDOI securitycredentials have certain validity and replaced pe-riodically upon expiry. Otherwise, the packets withexpired security credentials will be silently ignoredby the control center without processing.

4.6. Multistage DDoS Attack onSynchrophasor-based System

As addressed in Section 4.2, the packets in simpleDDoS for IEEE C37.118 and IEC 61850-90-5 arepartially processed by control center and ignored.To launch a strong DDoS attack by enablingcontrol center to process flood packets completely,knowledge of PMU configurations for IEEE C37.118and security credentials for IEC 61850-90-5 is strictlynecessary. This requires a multi-stage attack utilizingBlackEnergy DDoS plugin along with other plugins(e.g., scan.dll, ps.dll, re.dll, etc) for informationstealing. The first stage attack is on the substationnetwork by compromising an internal server andstealing necessary information from PMU. In secondstage, DDoS botnets utilize stolen information andlaunch coordinated DDoS attack on control server.

The two stage attack scenario on synchrophasorbased system (depicted in Fig. 9) consists of thefollowing steps:


Step:7 Attacker implements traffic diversion to gainaccess to PMU messages.

Step:8 Attacker through reconnaissance finds thePMU configurations for IEEE C37.118 commu-nication framework which is necessary to buildand decode synchrophasor data messages. Incase of IEC 61850-90-5, security credentialsare also hacked as described in Fig. 8.

Step:9 Necessary synchrophasor information isreturned to the C&C servers.

Step:10 Attacker instructs C&C servers to providestolen synchrophasor information to DDoSbotnets when discovered.


Step:16 The DDoS botnets use stolen synchropha-sor information provided by the C&C serversand build correctly formated IEEE C37.118 orIEC 61850-90-5 messages and flood on thecontrol server for a very strong DDoS attack.

5. PROTECTION STRATEGIES

A basic level of protection can be achieved withanti-virus software and firewall configurations. Anupdated anti-virus software may detect knownvariants of BlackEnergy but cannot guaranteeprotection against its future updates. Also firewallsblock incoming connections at non-open portsbut are not effective in case of spear phishingemails. Sandboxes can also provide protection whiletesting/executing unverified applications/documents.This section presents protection strategies in ageneralized way with flexibility in mind to tackle withunforeseen future behavior changes in BlackEnergy.

5.1. Black-Listing and White-ListingConnections

The blacklisting and whitelisting of external destina-tion IP addresses can be one of the most effectiveprotection strategy against BlackEnergy. The unfore-seen future updates of BlackEnergy make impossi-ble to create a blacklist for its C&C servers. Instead, awhilelist of trusted destinations should be created forPMU and control center. Such defense may be localto device or system-wide. A device’s local defensesystem will monitor its inbound and outbound trafficand check with the whilelist. Whereas, a system-wide defense system will monitor the entire network

9


traffic. Blocking inbound as well as outbound con-nections which are not specified in whitelist will pre-vent BlackEnergy victim (e.g., if any compromisedthrough spear phishing emails or infected websites)to communicate with the C&C servers. This leavesthe attacker unable to communicate with victim inorder to execute the attack. This strategy will becomeineffective if any future variant of BlackEnergy per-forms its job without requiring communication withC&C servers.

5.2. Event Monitoring and Logging

Event monitoring and logging for both users andSCADA applications could help detect or identifysecurity breaches. First, a baseline should bedefined for defense system based on device routineactivities. The baseline for a synchrophasor basedsystem can be PMU configurations, messaging rate,drivers and firmware updates etc. An alert shouldbe raised if non-scheduled event such as driver orfirmware update or installation is detected. Further,the logs can also be used for forensic analysis incase of cyber attack.

5.3. End-to-End Encryption

The PMUs are specialized devices and the likelihoodof direct infection by BlackEnergy is very low.However, the malware can target a general purposeoffice PC or any PC-based host (HMI, historian, etc)in the control network and launch traffic hijacking,MITM and replay attacks on PMU traffic. Suchattacks can be launched on unencrypted IEEEC37.118 packets and GDOI security mechanismin IEC 61850-90-5. The attacks can be easilyprevented if end-to-end encryption is used bycommunicating devices without relying on externalKDC. Without the knowledge of security credentials,the attacker cannot manipulate PMU traffic in transit.However, this strategy brings more complexity andcommunicating devices need to know securitycredentials by some out of band method.

5.4. Remote Access to PMUs

Cyber attacks normally involve remote access tofield devices and altering their configurations e.g.,cyber attack on Ukraine power companies remotelyopened breakers (Lee et al. (2016)). The specializeddevices like PMUs are better to be controlled locallywith remote access features disabled. Eliminatingnetwork interface will prevent attacker to gain directaccess to PMUs. This strategy is particularly useful ifPMU communication is using end-to-end encryptionand its traffic cannot be manipulated in transit.

5.5. Protocol Specific Strategies

The defense mechanism on field devices should alsoraise an alert if any non-routine packet is detected.E.g., to implement reconnaissance or MITM attack

on IEEE C37.118, the compromised local systemrequests configurations from PMU to understand thedata messages. These request packets are normallyspoofed with the genuine recipient IP address.However, such activity should be marked suspiciousby a PMU as it has already provided configurations tothe recipient. For IEC 61850-90-5, the attacker mayattempt to disconnect a PMU from the KDC and thenattempt MITM on communication between the PMUand KDC. The PMU should be suspicious on suchevents and raise an alert. Further, the PMU shouldalso detect gratuitous ARP packets (i.e., used fortraffic diversion) and raise an alert.

6. CONCLUSIONS

BlackEnergy is one of the most sophisticatedmalware in active development and has been usedin high profile cyber attacks on critical infrastructures.Its concealing ability in infected systems, bypassingof UAC settings, bypassing driver signing policyand plugin nature of its recent variant increasedits scope to virtually unlimited cyber criminalactivities. A cyber attack may use more than oneplugin based on attacker intension where eachplugin performs a specific task e.g., scan.dll (i.e.,network scanning), kl.dll (i.e., key-logger), vs.dll (i.e.,network discovery & remote execution), ss.dll (i.e.,screenshot), ps.dll (i.e., password stealer), si.dll (i.e.,stealing information), rd.dll (i.e., remote desktop) etc.

This paper addressed BlackEnergy malware in de-tail and highlighted its features and capabilities. Itanalyzed how BlackEnergy can be utilized for target-ing critical infrastructures. Particularly, threats wereanalyzed for the synchrophasor technology which isused for real-time monitoring and control in smartgrids. The paper demonstrated DDoS, reconnais-sance, MITM and replay attacks on the commu-nication frameworks used in synchrophasor basedsystems. A successful DDoS attack could impairreal-time monitoring and control functionalities. Thereconnaissance attack could help attacker to launchmore sophisticated attacks by stealing configurationsand security credentials from PMU. The MITM andreplay attacks are most critical as they can leave con-trol center performing decisions on incorrect data.Based on the synchrophasor control application e.g.,synchronous islanding, such attacks can cause se-vere physical damage to grid and cause blackout.

The paper also addressed possible protection strate-gies for shielding synchrophasor based systemsagainst BlackEnergy. Absolute protection againstBlackEnergy could not be guaranteed due to un-foreseen future updates to its functionalities, plug-ins/capabilities and infection strategy. However thetask can become more challenging for attackers if

10


they must evade protection strategies such as Black-listing/Whitelisting external IP addresses, end-to-end communicating encryption, eliminating/disablingnetwork interface for field devices (e.g., PMUs).Regular monitoring of system logs and events couldalso help detect security breaches e.g., unscheduledupdate/installation of driver or firmware.

ACKNOWLEDGMENT

This work was funded by the EPSRC CAPRICAproject (EP/M002837/1).

REFERENCES

Schweitzer, E.O. et al. (2011) Advanced Real-Time Synchrophasor Applications. SEL Journal ofReliable Power, Vol. 2, No. 2.

Khan, R., McLaughlin, K., Laverty, D., and Sezer, S.(2016) Analysis of IEEE C37.118 and IEC 61850-90-5 Synchrophasor Communication Frameworks.IEEE PES-GM.

Hollis, D. (2011) Cyberwar Case Study: Georgia2008. Small Wars Journal.

ThreatSTOP (2016) Black Energy. Security Reportby ThreatSTOP.

Martin, K.E. (2013) Synchrophasor Standards andGuides for the Smart Grid. IEEE PES-GM.

Martin, K.E. et al. (2008) Exploring the IEEE Stan-dard C37.118-2005 Synchrophasors for PowerSystems. IEEE Transactions on Power Delivery.

Madani, V. et al. (2015) Challenges and LessonsLearned from Commissioning an IEC 61850-90-5 based Synchrophasor System. 68th AnnualConference for Protective Relay Engineers.

Laverty, D.M. et al. (2013) The OpenPMU Project:Challenges and Perspectives. IEEE PES-GM.

Khan, R., McLaughlin, K., Laverty, D., and Sezer, S.(2016) IEEE C37.118-2 Synchrophasor Communi-cation Framework: Overview, Cyber VulnerabilitiesAnalysis and Performance Evaluation. ICISSP.

Allgood, G. et al. (2011) Security Profile for WideArea Monitoring, Protection and Control. UCAIugSG Security Working Group.

Stewart, J. et al. (2011) Synchrophasor SecurityPractices. 14th Georgia Tech Fault and Distur-bance Analysis Conference.

Morris, T. et al. (2011) Cybersecurity Testingof Substation Phasor Measurement Units andPhasor Data Concentrators. 7th ACM CSIIRW.

Coppolino, L., Antonio, S. D., and Romano, L. (2014)Exposing Vulnerabilities in Electric Power Grids:An Experimental Approach. Int. Journal of CriticalInfrastructure Protection vol:7(1), pp:51-60.

Shepard, D.P., Humphreys, T.E., and Fansler, A.A.(2012) Evaluation of the Vulnerability of PhasorMeasurement Units to GPS Spoofing Attacks.Critical Infrastructure Protection Conference.

Yan, Y. et al. (2012) A Survey on Cyber Security forSmart Grid Communications. IEEE Communica-tions Surveys and Tutorials.

Boyer, W. F. and McBride, S. A. (2009) Studyof Security Attributes of Smart Grid Systems -Current Cyber Security Issues. Battelle EnergyAlliance LLC., Rep INL/EXT-09-15500.

Beasley, C. et al. (2014) A Survey of ElectricPower Synchrophasor Network Cyber Security.PES ISGT-Europe.

Nazario, J. (2007) BlackEnergy DDoS Bot Analysis.Arbor Networks Technical Report.

Lee, R.M. et al. (2016) Analysis of the Cyber Attackon the Ukrainian Power Grid. SANS ICS Report.

11

Documents

Threat Analysis of BlackEnergy Malware for Synchrophasor based