BlackEnergy – What We Really Know About the Notorious Cyber Attacks

Friday 7 October 14:30 - 15:00, Green room

Robert Lipovsky (ESET)
Anton Cherepanov (ESET)

In the past two years, BlackEnergy has become one of the top malware families of interest to system administrators responsible for protecting the networks of potential targets, to security researchers who have the family in their sights, and also to the media – both technical and mainstream.

BlackEnergy recently made the headlines again after we discovered that it was used in cyber attacks against electricity distribution companies, which resulted in massive power outages in Ukraine in December 2015.

But cyber attacks using the BlackEnergy malware are nothing new. We first discussed the malware and the perpetrators behind it (later nicknamed Sandworm Team) during our talk at the Virus Bulletin conference in 2014, where we described how it transformed from a regular piece of crimeware for DDoS attacks and online banking fraud into a complex piece of malware for espionage and industrial sabotage. Now we are publishing the most comprehensive paper on these cybercrime operations, based on our three years of research.

One of the main reasons why the BlackEnergy attacks have grabbed so much attention is that they were – and still are – used in the midst of a tense geopolitical situation in Ukraine. In addition to electricity distribution companies, the targets in that country have included state institutions, news media organizations, airports, and railway companies. Ukrainian officials were quick to point an accusing finger at Russia, and many others – including security companies – followed with similar allegations. The power grid compromise has become known as the first confirmed cyber warfare attack of its kind to affect civilians.

In our paper we share insights about the discoveries and our subsequent research, including previously unpublished details. We attempt to separate facts from speculation and reality from hype, and to clearly state what we know and don't know – both in regard to attribution and to other disputed details of the attacks.



Robert Lipovsky

Robert Lipovsky is Senior Malware Researcher in ESET's Security Research Laboratory, having worked for ESET since 2007. He is responsible for malware intelligence and research and leads the Malware Research team in Bratislava. He is a regular speaker at security conferences, including Virus Bulletin, EICAR, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater, and the Comenius University. When not bound to a keyboard, he enjoys sports, playing the guitar and flying an airplane.


Anton Cherepanov

Anton Cherepanov graduated from the South Ural State University in 2009. Currently working at ESET as a malware researcher, his responsibilities include the analysis of complex threats. His research has been presented at numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on IT security, reverse engineering, and malware analysis automation.
