A new wave of cyber attacks has hit power companies in Ukraine.
The attacks come barely a month after what is believed to be the first time that cyber attacks have directly caused power cuts.
On 23 December 2015, cyber attacks plunged half the homes in Ukraine’s Ivano-Frankivsk region into darkness for several hours.
Researchers at security firm Eset said they have uncovered spearphishing emails sent to Ukrainian electricity distribution companies with a malicious Microsoft Excel (XLS) file attachment.
The final malware payload is not the same as that used in the December attacks, raising the possibility that the latest onslaught was the work of different attackers.
The BlackEnergy Trojan was identified as a key component in the December attacks, prompting speculation that the attacks were carried out by the associated Sandworm group believed to have Russian state support.
But the malware used in the latest spearphishing attacks is based on a freely available open-source backdoor, which is “something no one would expect from an alleged state-sponsored malware operator”, Eset malware researcher Robert Lipovsky wrote in a blog post.
However, he said the attacks use the same technique as used by the Sandworm group in the past.
The spearphishing emails contained HTML content with a link to a PNG image file located on a remote server, which notified the attackers that the email had been delivered and opened.
The malicious macro-enabled XLS file tries to trick the recipient into ignoring the built-in Microsoft Office security warning and inadvertently executing the macro.
The text in the document, translated from Ukrainian, reads: “Attention! This document was created in a newer version of Microsoft Office. Macros are needed to display the contents of the document.”
Running the macro launches a malicious trojan-downloader that attempts to download and execute the final payload from a remote server.
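The two email-side indicators described above, a remote image beacon in the HTML body and a macro-bearing Excel attachment, are the kind of thing a mail-gateway triage rule can flag before the macro ever runs. The following is an added example written for this article, not code from Eset or from the attackers; it builds a constructed sample message (the attachment is a fake OLE blob, not a real workbook) and uses a crude byte-level macro heuristic rather than a full OLE parser such as oletools' olevba.

```python
"""Triage a spear-phishing email for a remote image beacon and a macro-bearing
Excel attachment.  Heuristic only; use oletools/olevba for a proper macro check."""
import io
import re
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container signature
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory entry names are UTF-16LE
REMOTE_IMG = re.compile(r'<img[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)

def remote_images(html: str) -> list[str]:
    """URLs of images fetched from a remote server when the mail is rendered (beacons)."""
    return REMOTE_IMG.findall(html)

def has_macros(data: bytes) -> bool:
    """OOXML zip containing vbaProject.bin, or OLE file whose directory names a VBA project."""
    if data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return data.startswith(OLE_MAGIC) and VBA_STREAM in data

def triage(msg: EmailMessage) -> dict:
    """Return the beacon URLs and the names of Office attachments that carry macros."""
    findings = {"beacons": [], "macro_attachments": []}
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings["beacons"] = remote_images(body.get_content())
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith((".xls", ".xlsm", ".xlsb", ".doc", ".docm")):
            if has_macros(part.get_payload(decode=True)):
                findings["macro_attachments"].append(name)
    return findings

def build_sample() -> EmailMessage:
    """Constructed sample resembling the lure: HTML with a tracking image plus a macro XLS."""
    msg = EmailMessage()
    msg["Subject"] = "Document"
    msg.set_content("Please open the attached document.")
    msg.add_alternative('<p>See attachment.</p><img src="http://beacon.invalid/x.png">',
                        subtype="html")
    # Fake OLE blob: magic header plus a VBA project directory name; not a real workbook.
    fake_xls = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM + b"\x00" * 64
    msg.add_attachment(fake_xls, maintype="application", subtype="vnd.ms-excel",
                       filename="document.xls")
    return msg

if __name__ == "__main__":
    print(triage(build_sample()))  # {'beacons': [...x.png], 'macro_attachments': ['document.xls']}
```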
The server hosting the final payload is located in Ukraine, but was taken offline after a notification from Ukraine’s computer emergency response team, Cert-UA.
Eset researchers expected the BlackEnergy malware to be the final payload, but instead found modified versions of the open-source gcat backdoor, written in the Python programming language.
“The Python script was converted into a standalone executable using PyInstaller program,” wrote Lipovsky.
This backdoor, he said, can download executables and execute shell commands, and is controlled by the attackers through a Gmail account, which makes such command-and-control traffic difficult to distinguish from legitimate traffic on the network.
Lipovsky said that while the attacks on power companies in Ukraine have sparked much speculation about the identity of the attackers, there is currently no evidence that would indicate who is behind these attacks.
He also noted that while Eset’s latest discovery raises the possibility of “false flag operations”, it does not help to uncover the origins of the attacks in Ukraine.