BlackEnergy

Malware updated 7 months ago (2024-05-04T20:53:32.718Z)
BlackEnergy is a potent malware toolkit that has been used by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine, where it was used for cyber-espionage, for compromising industrial control systems, and for attacks against media companies. The Sandworm group, also known as BlackEnergy APT and operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST), first employed BlackEnergy in attacks against Ukraine in 2015. The malware can infiltrate systems through malicious Microsoft Office documents; once such a document is opened, it deploys the BlackEnergy 3 variant. The strong code similarity between the Industroyer main backdoor and the Win32/Exaramel backdoor is the first public evidence linking Industroyer to TeleBots, and consequently to NotPetya and BlackEnergy, which suggests that these tools are part of a larger arsenal employed by the same threat actors. Notable instances include the disruption of Ukraine's power grid in 2016 using BlackEnergy malware by Russian threat actors, and other high-profile attacks on critical infrastructure networks. Despite their age, these tools remain active threats. The evolution of the BlackEnergy family is evident in its successors, GreyEnergy and Kapeka, which share conceptual overlaps with BlackEnergy and point to continuous development and refinement of the family. Kapeka is speculated to be a successor to GreyEnergy, which itself likely replaced BlackEnergy in Sandworm's arsenal. These developments highlight the persistent and evolving nature of the threat posed by sophisticated actors like Sandworm.
Description last updated: 2024-04-30T21:16:44.241Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes) - Description

Sandworm (5 votes) - Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c…

Industroyer (4 votes) - Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma…

GreyEnergy (4 votes) - GreyEnergy is a type of malware, or malicious software, designed to exploit and damage computer systems. It is believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. Security firm WithSecure has identified overlaps…

Telebots (3 votes) - TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize…

Sandworm Team (2 votes) - The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Apt
Espionage
Ukraine
Russia
Analyst Notes & Discussion
Associated Malware
Malware (association type; votes) - Description

NotPetya (is related to; 4 votes) - NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no official…

Kapeka (is related to; 4 votes) - Kapeka is a previously unknown malware that operates as a backdoor into systems, linked to the Russian Sandworm Advanced Persistent Threat (APT) group. The malicious software can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, i…

Stuxnet (Unspecified; 2 votes) - Stuxnet, discovered in 2010, is one of the most infamous malware attacks in history. It was a military-grade cyberweapon co-developed by the United States and Israel, specifically targeting Iran's nuclear enrichment facility at Natanz. The Stuxnet worm infiltrated Windows systems, programming logic…

Gozi (Unspecified; 2 votes) - Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c…

Zeus (Unspecified; 2 votes) - Zeus is a notorious malware, short for malicious software, designed to exploit and damage computer systems. It is often spread through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, it can steal personal information, disrupt operations…
Associated Threat Actors
Threat actor (association type; votes) - Description

Quedagh (Unspecified; 2 votes) - No description available.

Gamaredon (Unspecified; 2 votes) - Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups in Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers from the Russian Federal Security Service (FSB) and some former law enforcement o…
Associated Vulnerabilities
Vulnerability (association type; votes) - Description

CVE-2014-4114 (Unspecified; 2 votes) - CVE-2014-4114 is a significant vulnerability that lies within the design or implementation of software. This flaw specifically targets the Microsoft Windows OLE Package Manager, enabling remote code execution. The exploit was primarily used in .pps files, which are PowerPoint presentation files, mak…
Source Document References
Information about the BlackEnergy malware was read from the documents listed below (display limited to 20 results).
Source - Created

DARKReading - 7 months ago
Securityaffairs - 7 months ago
DARKReading - 7 months ago
BankInfoSecurity - 7 months ago
CERT-EU - 9 months ago
DARKReading - 9 months ago
Securityaffairs - a year ago
CERT-EU - a year ago
Securelist - a year ago
Securityaffairs - a year ago
CERT-EU - a year ago
Securityaffairs - a year ago
CERT-EU - a year ago
Securityaffairs - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago
CERT-EU - a year ago