BlackEnergy
What is BlackEnergy?
A modular malware family used by the Russian Sandworm group for espionage and destructive attacks, including the December 2015 Ukrainian power-grid blackout.
BlackEnergy started in 2007 as a commodity DDoS toolkit but evolved through versions 2 and 3 (BE2 and BE3) into a stealthy, modular implant used for cyber-espionage and sabotage by the Russian threat actor Sandworm (GRU Unit 74455). On 23 December 2015 attackers wielding BlackEnergy 3 and the destructive KillDisk component caused a blackout that cut electricity for approximately 230,000 customers in western Ukraine, the first publicly confirmed cyber-induced power outage. Operators delivered weaponized Office documents with malicious macros via spear-phishing, then pivoted to SCADA workstations. BlackEnergy is also linked to attacks on Ukrainian media, government, and rail in 2014-2016 and is documented in ICS-CERT alert IR-ALERT-H-16-056-01.
● Examples
- 01: 23 December 2015 Ukrainian power-grid blackout affecting around 230,000 customers.
- 02: Weaponized Excel attachments delivering BlackEnergy 3 to Ukrainian utilities in 2015.
● Frequently asked questions
What is BlackEnergy?
A modular malware family used by the Russian Sandworm group for espionage and destructive attacks, including the December 2015 Ukrainian power-grid blackout. It is catalogued under the Malware category.
How do you defend against BlackEnergy?
Defences against BlackEnergy combine technical controls with operational practices; the delivery chain described in the definition above (macro-laden Office attachments delivered by spear-phishing, followed by a pivot to SCADA workstations) and ICS-CERT alert IR-ALERT-H-16-056-01 are the reference points for those controls.
What are other names for BlackEnergy?
Common alternative names include: BE2, BE3, BlackEnergy3.
● Related terms
- Sandworm Team (malware)
Russian GRU Unit 74455 (APT44), responsible for NotPetya, Ukrainian power-grid attacks, and the Olympic Destroyer campaign against the 2018 PyeongChang Games.
- Spear Phishing (attacks)
A targeted phishing attack tailored to a specific individual or organization using personal or professional details collected in advance.