Today the DHS ICS-CERT updated its advisory on the “Ongoing Sophisticated Malware Campaign Compromising ICS”, better known as BlackEnergy. The original advisory was published in October 2014 and updated in October and December of that year.
The update is based on information about the recent cyber-based attack on Ukrainian power distribution systems over the Christmas holidays. More detailed information on that attack can be found on the SANS ICS Blog. The ICS-CERT update makes the point that a new variant of BlackEnergy (BlackEnergy 3) has been associated with this event and that the malware appears to have been delivered via “spear phishing via a malicious Microsoft Office (MS Word) attachment”.
The second addition to this advisory deals with the use of YARA rules to detect BlackEnergy infections. ICS-CERT maintains that the originally published YARA signature “has been shown to identify a majority of the samples seen as of this update and continues to be the best method for detecting BlackEnergy infections”. They also point out that using the YARA signature in a control system environment must be done carefully, since there is potential for unintended interactions with control systems. They note:
“ICS-CERT has published instructions for how to use the YARA signature for typical information technology environments. ICS-CERT recommends a phased approach to utilize this YARA signature in an industrial control systems (ICSs) environment. Test the use of the signature in the test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.”
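The caution above comes down to a few concrete properties of the sweep itself: it should only open regular files (never device nodes, sockets or FIFOs that may front hardware), it should read and never write, and it should bound the I/O it generates on a host that may be resource-constrained. The following is an added illustration of such a read-only sweep; it is not ICS-CERT's tooling and does not contain the ICS-CERT BlackEnergy signature. The byte patterns in `SIGNATURES`, the file names in `build_demo_tree`, and the `MAX_FILE_BYTES` cap are constructed placeholders for the example; in practice you would replace the regex matcher with the published YARA signature loaded through yara-python (`yara.compile(filepath=...)` and `rules.match(filepath)`).

```python
"""Read-only signature sweep of a directory tree.

Added example, not ICS-CERT's code. The patterns below are constructed
placeholders standing in for a real signature set; they are NOT BlackEnergy
indicators. The sweep never writes, never follows symlinks, and never opens
anything but regular files under a size cap.
"""
import os
import re
import stat
import tempfile

# Constructed placeholder patterns (assumption: a real deployment would load the
# published YARA signature instead). Written as byte regexes so the block runs
# with the standard library only.
SIGNATURES = {
    "demo_marker_a": rb"CONSTRUCTED-MARKER-A",
    # An 'MZ' header followed within 64 bytes by a constructed marker string.
    "demo_marker_b": rb"\x4d\x5a.{0,64}DEMO-PAYLOAD",
}

# Bound the I/O per file so a sweep of a backup host cannot stall on huge images.
MAX_FILE_BYTES = 32 * 1024 * 1024


def compile_signatures(sigs):
    """Compile each byte pattern once; DOTALL so '.' also matches newline bytes."""
    return {name: re.compile(pat, re.DOTALL) for name, pat in sigs.items()}


def scan_file(path, compiled):
    """Return the names of signatures that match `path`; the file is only read."""
    try:
        st = os.lstat(path)          # lstat: a symlink is examined, not followed
    except OSError:
        return []
    # Regular files only: skip device nodes, sockets, FIFOs and symlinks so the
    # sweep never opens something that talks to hardware or blocks.
    if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_FILE_BYTES:
        return []
    with open(path, "rb") as fh:     # read-only handle, contents never altered
        data = fh.read()
    return [name for name, rx in compiled.items() if rx.search(data)]


def scan_tree(root, sigs=SIGNATURES):
    """Walk `root` and return {path: [matching signature names]} for hits only."""
    compiled = compile_signatures(sigs)
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):   # followlinks=False
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            matched = scan_file(p, compiled)
            if matched:
                hits[p] = matched
    return hits


def build_demo_tree():
    """Create a constructed sample tree: one clean file, one that trips both
    placeholder patterns. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="sig_sweep_demo_")
    with open(os.path.join(root, "clean.bin"), "wb") as fh:
        fh.write(b"\x00" * 256 + b"nothing to see here")
    with open(os.path.join(root, "suspect.bin"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 16 + b"DEMO-PAYLOAD" + b"CONSTRUCTED-MARKER-A")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, names in sorted(scan_tree(demo_root).items()):
        print(f"{path}: {', '.join(names)}")
```

Run it against the constructed tree first, then point `scan_tree` at a backup or alternate top-end system before any production host, which is the phased order ICS-CERT describes. Reporting only (no quarantine, no deletion) is deliberate: on a control system the response to a hit should be a human decision, not an automated file action.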