The Malware That Led to the Ukrainian Blackout

The control panel for a BlackEnergy DDoS bot. Image: Arbor Networks
In late December, at least two Ukrainian power companies were hacked, dropping tens of thousands of people into darkness. Experts generally agree that although malware didn’t cause the blackout itself, a cyberattack did play an important role.


The malware found in affected networks was a variant of BlackEnergy, a Russian-linked program with much humbler cybercrime roots than is suggested by its apparent use in the sabotage of critical infrastructure.

In 2007, “it was available as a crimeware tool” for sale in the digital underground, Artturi Lehtiö, a researcher from cybersecurity company F-Secure, told Motherboard in a phone interview. Because of the malware’s simplicity, graphical user interface, and accompanying help file, pretty much any budding hacker could deploy it with only a minimal set of skills. One screenshot of the software’s point-and-click panel says BlackEnergy was made by a hacker, or group of hackers, called “Crash.”

Nine years ago, BlackEnergy was a relatively basic piece of technology designed to infect computers and add them to a botnet, creating a zombie army of machines ripe for firing distributed-denial-of-service (DDoS) attacks. Researchers found that BlackEnergy went for as little as $40, or even free, and the malware was used to launch attacks on Russian websites.
