Ukrainian officials stated over the weekend that they have traced a targeted attack against Boryspil International Airport back to the BlackEnergy trojan.
Last week, specialists of the State Service of Special Communications and Information Protection of Ukraine revealed that malware had infected one of the workstations at Boryspil. That workstation was connected to the airport’s main IT network, which includes the airport’s air traffic control center.
“The control center of the server, where the attacks originate, is in Russia,” Presidential Administration Spokesman for the Anti-Terrorist Operation (ATO) Andriy Lysenko said by phone, writes Reuters.
He also stated that the malware had been detected early in the airport’s system and that no damage had been done.
Following his initial report last week, Lysenko confirmed on Saturday that the BlackEnergy trojan had targeted Boryspil and infected one of its workstations.
“Specialists of the State Service of Special Communications prevented a possible hacker attack by Russia,” he said at a briefing, as reported by Interfax. “Yesterday, the communications specialists established that one of the workstations at the Boryspil airport was infected by Black Energy virus. The PC was disconnected from the airport’s network, and the experts from the CERT UA group were informed on the incident.”
Ukraine is very familiar with BlackEnergy by now. On December 23rd last year, the Western Ukrainian power company Prykarpattyaoblenergo reported an outage that affected an area including the regional capital Ivano-Frankivsk. An investigation into the matter determined that BlackEnergy had infected the networks of Prykarpattyaoblenergo and two other power companies, reportedly causing the first malware-related power outage ever to be documented.
In light of the malware attack against Boryspil, Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of the possibility of future BlackEnergy attacks.
“Attention to all system administrators … We recommend a check of log-files and information traffic,” CERT-UA said, according to Reuters.
A special page has been created by CERT-UA to help sysadmins identify BlackEnergy. That resource is located here.