The IT Law Wiki


In October 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced that several industrial control systems had been infected by a variant of a Trojan horse malware program called BlackEnergy.[1] Originally designed for "nuisance spam attacks," the software for BlackEnergy was first reported in 2007 and is designed to target critical energy infrastructure.

BlackEnergy is a special concern for critical infrastructure companies because the software is being used in an Advanced Persistent Threat (APT) form ostensibly to gather information.

BlackEnergy specifically targets human machine interface (“HMI”) software, which enables users to monitor and interact with industrial control systems such as heating, ventilation, and air conditioning systems through a dashboard or other type of graphical interface. HMI software is typically running 24/7, can be remotely accessed, and is rarely updated, thus making it a favorite target for opportunistic hackers.41

While no attempts to “damage, modify, or otherwise disrupt the victim systems’ control processes were found,” the ICS-CERT alert indicates that this APT variant of BlackEnergy is a special concern because it is a modular malware capable moving through network files onto removable storage media.

[T]ypical malware deployments have included modules that search out any network- connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.42

Hackers are reported to have used the BlackEnergy Trojan horse to deliver plug-in modules used for several purposes, including keylogging, audio recording, and grabbing screenshots. Researchers looking at the BlackEnergy malware are reported to have identified a plug-in that can destroy hard disks, and believe that the attackers will activate the module once they are discovered in order to hide their presence.43


  1. See ICS-CERT alert (full-text).