On the 23rd of December, a cyber attack left hundreds of thousands of people in the Ukrainian region of Ivano-Frankivsk without power. This was the first confirmed incident of cyber attackers taking down a power grid. Various reports have since indicated that this was a coordinated, sophisticated effort which employed a trojan called BlackEnergy. As someone born and raised in Ukraine, this hit close to home for me. I have since read reports on BlackEnergy and this attack, both by Ukrainian, Russian and American companies, and I couldn’t help but notice something…
Macros in Microsoft Office documents.
A simple Google search will show that BlackEnergy has been utilized in Ukraine for the last two years now, frequently for espionage against government targets. While the actual implementation requires skill, customization, advanced coordination, more than a little programming ability, the delivery method was always the same – macros in MS Office documents.
Ukrainian Excel Document with a Macros Warning
Macro malware has been around since the 90s, and has recently grown in popularity. Office applications run internal macros written in Visual Basic for Applications (VBA). VBA macros are intended to make your job easier, automating repetitive and time consuming tasks within the office document. However, VBA features like the ability to automatically download files and run applications should trigger red flags for potential abuse. Mix these features with a little social engineering such as an urgent email containing a malicious spreadsheet, and delivering malware into a network becomes a simple task.
Every organization is comprised of peripheral employees whose day to day tasks involve using email, editing documents, and being on a computer with access to the company network. Most people know not to to download and run .exe files. Microsoft office documents are different. Despite nearly 20 years of these types of attacks, employees are expected to open MS documents when they receive them, especially when they appear to be coming from someone in their organization. It’s almost too easy.
Before trying to implement complicated strategies against complex software, companies should mount a concerted effort to educate their employees about these ancient, simple, but extremely effective malware delivery mechanisms. In the world of information security, it’s the simple and overlooked things that cause big problems. That is why we strive to not only find vulnerabilities in our tests, but also to educate those who could encounter these threats on a daily basis through our user awareness training. Afterall, a little knowledge about these simple threats could go as far as preventing a city wide power outage.
Many are convinced that Russia is behind the attack, and will continue to engage Ukraine in a similar fashion. But even outside of Eastern Europe, cyber incursions like this one, targeted towards low level employees with very little information security knowledge, are sure to become a primary aspect of future warfare. Delivery mechanisms for malware will rely on social engineering, leaving countries with a high level of corruption to be at the greatest disadvantage.
While there will always be sophisticated attackers out there who come up with complex malware, this particular attack was brilliant in its simplicity. Let’s make it a little bit harder for bad guys to attack us.
Lisa, originally from Ukraine, is a software engineer at BHIS and in her free time enjoys rock climbing on the awesome routes in the Black Hills of South Dakota. Read more about her here.
Who Wouldn’t Want Their Network to Become a Viral Fishtank??