Home / Blog / Protecting yourself from BlackEnergy: detecting anomalies

Protecting yourself from BlackEnergy: detecting anomalies

Posted on 05/05/2016, by INCIBE
Protecting yourself from BlackEnergy

In the article "BlackEnergy and critical systems"a technical analysis was produced for the Trojan, indicating its different versions and infection methods and some measures to take into consideration to mitigate the risk of a potential attack. In this article, we are going to focus on its behaviour following infection and on how it can be detected by searching for anomalies through the analysis of communications.

To put ourselves in the context, we can summarise BlackEnergy’s operation in three functions:

  • Communication with C&C One of the first actions attempted by BlackEnergy in order to be able to download new components and upload the information extracted.
  • Network scans Wide searches for running services related to energy sector protocols, such as ICCP or IEC 104, in order to obtain information on the network.
  • Sending of commands To execute orders that included the opening and closing of circuit breakers many times in a limited period.

The malware’s first two actions could be detected and blocked by practically any firewall or commercial IDS/IPS device. These would not need to be specifically designed for control systems, as it is only necessary to monitor the destination of the information through the IP.

It is the third action whose detection and mitigation require specific tools. In general, BlackEnergy uses commands which are allowed by the system, but with high frequency in relatively short timeframes. This task requires a network traffic analyser that is able to understand industrial protocols. For BlackEnergy, these would be the protocols specific to the electricity sector.

Passive traffic analysis tools complement the tasks carried out by IDS and IPS to alert operators to possible failures or attacks. The advantage of these tools in control systems is that they analyse traffic passively, meaning that they do not interfere in system processes, which can cause delays or block signals. In addition, they detect problems that can generate traffic that is allowed but is outside of habitual usage patterns.

We are going to choose a commercial tool as an example of what is on offer on the market, in order to establish a testing scenario. This will enable us to analyse the tests run with the tool, detecting the actions carried out by the BlackEnergy malware.

A tool: SilentDefense ICS

SilentDefense ICS, developed by the company Security Matters, is an intruder detection and network monitoring platform designed to protect critical infrastructure and automation systems from internal and external digital threats.

This tool has a control panel which can be accessed through an Internet browser. Here, all options can be configured and the security status, alerts generated and the dashboard can be observed.

SilentDefense ICS dashboard

- SilentDefense ICS dashboard -

SilentDefense ICS provided with data on network traffic by one or more sensors that monitor this traffic. These sensors typically consist in enabling port mirroring in a switch that collects all the traffic from the interfaces of the network we want to monitor. Depending on the desired level of precision, network monitoring profiles for this sensor can be set to include only a subset of what is monitored or to carry out deep inspection on packets to select very specific parts or protocols to monitor

Sensor configuration

- Sensor configuration -

Parameters can be set for rules in SilentDefense ICS through specific modules by which features may be modified or added depending on the needs of the environment. This demonstration uses a parameter specifically designed for IEC 60870-5 network protocols, described in greater detail below.

Laboratory testing environment

Communications at electric companies tend to be based on IEC 60870-5 protocols (typically IEC101 for serial communications and IEC104 for TCP) for communications with transformer units and substations, and on ICCP for communications between different control centres or with other companies in the sector. IEC104 was chosen as the communications protocol for the laboratory.

Types of commands allowed in IEC 104 (ASDU TypeID)

- Types of commands allowed in IEC 104 (ASDU TypeID) -

The following diagram shows the network infrastructure used in the laboratory:

Network diagram

- Network diagram -

This architecture is a network in which 3 machines are running a slave of the IEC104 protocol, simulating electric substations, and 1 machine which would be analogous to the control centre, running an IEC104 master. The simulation carried out by the IEC104 protocol master and slave elements employed the free applications IEC Server , IEC 60870-5-104 Client/Server and the demo version of the IEC 870-5-104 Simulator software.

All traffic generated in these communications was captured by the monitoring tool through a port mirror.

In parallel to the substation network, there is an administration network, from which the tool’s control panel was administrated and system security and the alerts produced were checked.

In-use test: SilentDefense ICS

The first step in detecting possible attacks with the tool is to allow it access to all the network traffic that we wish to protect.

Given that manual configuration can be somewhat tedious, the tool has a learning mode that determines what traffic is considered normal in the network. This automatic learning is limited in that if there is already some type of malware in the system that is communicating with undesired sites, this will be interpreted as normal traffic. For that reason, a manual review of the patterns is required after the learning process in order to correctly parameterise the system.

Once this set-up is completed, the system is able to detect different types of anomalies or attacks related to non-parameterised traffic. It is therefore now possible to detect the first two actions that BlackEnergy carries out.

In the testing environment, a simulation was run where one of the substations was accessed by the control centre via remote desktop. Given that this communication is within the learnt traffic, it generated a medium- level alert due to the appearance of traffic using non-permitted protocols.

Alert of access using non-permitted protocol

- Alert of access using non-permitted protocol -

The same happens with C&C communication: as the IP is unknown and is not whitelisted, a medium-level alert is also generated.

Alert of communication with an unknown address

- Alert of communication with an unknown address -

Detecting BlackEnergy’s third action is more complicated, as it involves the detection of illegal or problematic actions carried out using permitted traffic. This requires parameterisation to be carried out by the tool’s manager or administrator.

For the malware to send orders to the substations, it is necessary for a new IEC 104 communication master to appear in the network. This can be detected in a similar way to the other two actions, as a new IP or port appears in the network. The difference is that in this case, as it detects the IEC 104 protocol, the tool allows a more specific alert to be generated.

Commands sent by an unauthorised master

- Commands sent by an unauthorised master -

The opening and closing of breakers, or rather the orders sent to open and close breakers in a short timeframe, was in fact what caused the power blackout that BlackEnergy generated in Ukraine. Detecting these actions is more complicated, as individually all the orders are allowed. This is where the tool’s intelligence and the parameterisation carried out by its administrator come into play.

Configuration parameters

- Configuration parameters -

In the testing environment, a simulation was run in which an attack generated IEC 104 orders between a master (the control centre) and a slave (a substation) to open and close 5 breakers in a very short space of time.

Traffic captured with Wireshark

- Traffic captured with Wireshark -

Alert of various breakers being opened in a short space of time

- Alert of various breakers being opened in a short space of time -

Alert of various breakers being closed in a short space of time

- Alert of various breakers being closed in a short space of time -

The existence of traffic analysis tools such as SmartDefense ICS and others (FlowBat, Achilles, etc.), which are able to work with industrial protocols is demonstrates the growing interest among security tool manufacturers to target their products at such a specific setting as industrial control systems. The experience gained constitutes a significant contribution to improving and increasing security in industrial settings, both in general and in response to specific demands which have been put to the test with specific malware, as is the case with BlackEnergy.