Spear-Phishing email with Microsoft Office Attachments Takes down Power Grid in Subzero Temps - Adaptus

Last month, Ivano-Frankivsk, a city and province on the far western side of Ukraine, suffered a new attack: malware planted by Russian hackers in several power stations left hundreds of thousands without electricity in subzero conditions. Cybersecurity firms SANS ICS and iSight Partners have attributed the blackout to the Russian hacking group Sandworm and its malicious software, BlackEnergy 3.

According to researchers, the Ukrainian power authorities were infected using booby-trapped macro functions embedded in Microsoft Office documents.

If true, it’s distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy. It’s also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people.

The attack scenario is simple:

  • The target gets a spear-phishing email that contains an attachment with a malicious document.
  • A Ukrainian security company published two screenshots of emails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to Rada (the Ukrainian parliament).
  • The document itself contains text trying to convince the victim to run the macro in the document. This is an example where social engineering is used instead of exploiting software vulnerabilities. If victims are successfully tricked, they end up infected with BlackEnergy 3.
  • Once inside the network, the malware either shut down parts of the power station’s infrastructure or provided remote access to the attackers, giving them the controls to shut it down.

As a result, as many as 80,000 residents in western Ukraine lost power for six hours on December 23 in subzero temperatures.

Although this attack did not occur within the Salesforce application, it illustrates the importance of protecting against such attacks in the business environment. EZProtect™ anti-virus scanner is the ONLY virus scanning application available for Salesforce users and easily scans Chatter files, documents, attachments and content for harmful viruses. Contact us today to request a demo and discuss pricing for your organization.
