BlackEnergy

Malware Profile Updated 24 days ago
BlackEnergy is a malware toolkit that has been used by criminal and Advanced Persistent Threat (APT) actors since 2007, evolving from a DDoS bot into a modular espionage and sabotage platform. Its destructive potential was demonstrated in Ukraine, where it was used for cyber-espionage, to gain a foothold in industrial control system networks, and in attacks against news media companies. The Sandworm group, also tracked as the BlackEnergy APT and attributed to Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST), used BlackEnergy against Ukrainian targets from at least 2014; its best-known deployment was the December 2015 attack on Ukrainian electricity distribution companies, the first confirmed power outage caused by a cyber attack. In that campaign the malware was delivered through malicious Microsoft Office documents whose macros, once enabled, dropped the BlackEnergy 3 variant; the KillDisk wiper was then used to destroy files and hinder recovery. The strong code similarity between the Industroyer main backdoor and the Win32/Exaramel backdoor was the first public evidence linking Industroyer to TeleBots, and consequently to NotPetya and BlackEnergy, which suggests these tools are part of a larger arsenal maintained by the same operators. The December 2016 attack on a Kyiv transmission substation was carried out with Industroyer rather than BlackEnergy, but both belong to the same lineage of attacks on critical infrastructure networks. Despite their age, tools of this family remain active threats. The lineage continues in GreyEnergy and Kapeka: both share conceptual overlaps with BlackEnergy, and Kapeka is assessed to be a successor to GreyEnergy, which itself likely replaced BlackEnergy in Sandworm's arsenal. These developments highlight the persistent and evolving nature of the threat posed by actors like Sandworm.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Sandworm (5 votes): Sandworm is a threat actor, often linked to Russia, known for its high-profile cyber attacks. The group gained notoriety for compromising 11 Ukrainian telecommunications providers and infiltrating Ukraine's telecom giant Kyivstar for months. In addition, Sandworm was responsible for disrupting power
Industroyer (4 votes): Industroyer, also known as CrashOverride, is malware built to attack Industrial Control Systems (ICS), particularly those used in electrical substations. It implements four ICS communication protocols and was deployed by the Russia-backed group Sandworm
GreyEnergy (4 votes): GreyEnergy is a modular malware framework assessed to be a successor to BlackEnergy. ESET documented its use in 2018 in intrusions against energy-sector organizations in Ukraine and Poland, attributed to the Russia-linked Advanced Persistent Threat (APT) group Sandworm. Security firm WithSecure has identified overlaps
Telebots (3 votes): TeleBots, a threat actor group also tracked as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since at least 2009, the group is recognize
Sandworm Team (2 votes): The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
APT
Espionage
Ukraine
Russia
Associated Malware
ID (relationship, votes): Profile Description
NotPetya (is related to, 4 votes): NotPetya is destructive wiper malware that masquerades as ransomware, first identified in June 2017. It was developed by the Sandworm group, which is also reportedly responsible for large-scale cyber attacks including the Ukraine power grid hack in December
Kapeka (is related to, 4 votes): Kapeka is a previously unknown backdoor linked to the Russian Advanced Persistent Threat (APT) group Sandworm. First observed in attacks from mid-2022 and publicly reported by WithSecure in 2024, Kapeka has been used against targets in Eastern Europe, particularly water supply facilities. The malware operates as a Windows DLL with a sin
Stuxnet (relationship unspecified, 2 votes): Stuxnet is malware discovered in 2010 that became one of the most infamous Advanced Persistent Threat (APT) operations. It was designed to sabotage centrifuges in Iran's nuclear program, making it an early example of malware used as an instrument of interstate conflict. This military-grade cyberweapon was co-
Gozi (relationship unspecified, 2 votes): Gozi is a banking trojan that has been linked to numerous cyber attacks. It is typically delivered through malvertising, often in conjunction with other initial-access malware such as the Pikabot botnet agent and the IcedID information stealer. When an individual accesses a c
Zeus (relationship unspecified, 2 votes): Zeus is a banking Trojan infamous for stealing online banking credentials. Its creation is attributed to Evgeniy Bogachev, and it typically infiltrates systems via malicious downloads, e-mail attachments, or compromised websites, often without the user noticing. Once inside, Zeus can steal per
Associated Threat Actors
ID (relationship, votes): Profile Description
Quedagh (relationship unspecified, 2 votes): No profile description available.
Gamaredon (relationship unspecified, 2 votes): Gamaredon is a threat actor, or hacking team, believed to be Russian in origin and has been actively tracked since 2013. The group primarily targets Ukraine using malicious documents that deliver a range of home-brewed malware. The European Union's Computer Emergency Response Team (EU CERT) cites Ga
Associated Vulnerabilities
ID (relationship, votes): Profile Description
CVE-2014-4114 (relationship unspecified, 2 votes): CVE-2014-4114 is a vulnerability in the Microsoft Windows OLE Package Manager that allows remote code execution when a user opens a crafted document containing an embedded OLE package object. The exploit was primarily delivered in .pps PowerPoint presentation files, mak
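The macro-laden Office documents that dropped BlackEnergy 3 and the OLE Package Manager vector behind CVE-2014-4114 both leave traces inside the OOXML (zip) container that a triage script can look for before any content is rendered. The following Python script is an added example written for this page; it is not code from any of the source documents and not tooling attributed to Sandworm. It assumes two indicators: the presence of a vbaProject.bin part (a VBA macro project) and an oleObject relationship whose TargetMode is "External" (an OLE object that points outside the document, as seen in the CVE-2014-4114 exploit files). The sample file it inspects is constructed in memory, and the 203.0.113.5 address is a documentation address chosen here, not a real indicator.

```python
"""Triage an OOXML Office file for two document-delivery traits:
a VBA macro project (vbaProject.bin) and OLE objects whose relationship
points outside the document (TargetMode="External").
Added example for this page; heuristics and sample data are constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def triage_ooxml(data: bytes) -> dict:
    """Return findings for one Office file held in memory.

    Never opens the document with Office; it only reads the zip and the
    relationship XML parts, so a booby-trapped file cannot trigger here."""
    findings = {"has_vba_project": False, "external_ole_targets": [],
                "error": None, "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a ZIP/OOXML container"
        return findings
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["has_vba_project"] = True
            if lower.endswith(".rels"):
                try:
                    root = ET.fromstring(zf.read(name))
                except ET.ParseError:
                    findings["error"] = f"unparseable relationship part {name}"
                    continue
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == OLE_REL_TYPE
                            and rel.get("TargetMode") == "External"):
                        findings["external_ole_targets"].append(
                            (name, rel.get("Target")))
    findings["suspicious"] = (findings["has_vba_project"]
                              or bool(findings["external_ole_targets"]))
    return findings


def build_sample(external_target=None, with_vba=False) -> bytes:
    """Constructed sample: a minimal .ppsx-like zip, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/"
                    "package/2006/content-types'/>")
        rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                'officeDocument/2006/relationships/slideLayout" '
                'Target="../slideLayouts/slideLayout1.xml"/>']
        if external_target:
            rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                        f'Target="{external_target}" TargetMode="External"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')
        if with_vba:
            # OLE compound-file magic followed by filler; content is irrelevant here
            zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


if __name__ == "__main__":
    unc = r"file:///\\203.0.113.5\public\slide1.gif"  # documentation address
    for label, blob in [("clean", build_sample()),
                        ("macro+external-ole", build_sample(unc, with_vba=True)),
                        ("garbage", b"not a zip at all")]:
        print(label, triage_ooxml(blob))
```

The script flags only structural facts about the container; a hit means "open this in a sandbox and look at the OLE target and macro code", not a malware verdict. Legitimate documents can carry macros or linked objects, so tune the heuristics to the environment.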
Source Document References
Information about the BlackEnergy malware was read from the documents listed below (display limited to 20 results).
Source (created): Title
MITRE (a year ago): BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry | WeLiveSecurity
GovCERT CH (a year ago): Microsoft patches three zero-day vulnerabilities - what does that mean to you?
MITRE (a year ago): New TeleBots backdoor: First evidence linking Industroyer to NotPetya | WeLiveSecurity
CERT-EU (a year ago): APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.
MITRE (a year ago): Sandworm Team and the Ukrainian Power Authority Attacks | Mandiant
MITRE (a year ago): KillDisk Disk-Wiping Malware Adds Ransomware Component
CERT-EU (a year ago): Bulletproof hoster who helped distribute Gozi and Zeus sentenced to 3 years in prison
CERT-EU (3 months ago): Operational Technology Threats - ReliaQuest
MITRE (a year ago): VOODOO BEAR | Threat Actor Profile | CrowdStrike
Securityaffairs (a year ago): Sandworm APT uses WinRAR in destructive attacks on Ukraine
MITRE (a year ago): Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers
Securityaffairs (a year ago): Microsoft sheds light on a year of Russian hybrid warfare in Ukraine
Securityaffairs (a year ago): Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal
ESET (a year ago): RansomBoggs: New ransomware targeting Ukraine | WeLiveSecurity
MITRE (a year ago): KillDisk Variant Hits Latin American Financial Groups
Securelist (a year ago): Reassessing cyberwarfare. Lessons learned in 2022
MITRE (a year ago): TeleBots are back: Supply‑chain attacks against Ukraine | WeLiveSecurity
Securityaffairs (a month ago): Previously unknown Kapeka backdoor linked to Sandworm APT
CERT-EU (a year ago): Romanian Operator of Bulletproof Hosting Service Sentenced to Prison in US
DARKReading (a month ago): Dangerous New ICS Malware Targets Orgs in Russia and Ukraine