{
	"id": "2e68aec1-2f66-449d-bba8-14354ed4f8c1",
	"created_at": "2026-04-06T01:32:37.609217Z",
	"updated_at": "2026-04-10T13:11:41.361262Z",
	"deleted_at": null,
	"sha1_hash": "6282fa3f5bc421fc9d265ab9b69ad34fcdd471e2",
	"title": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88743,
	"plain_text": "BlackEnergy by the SSHBearDoor: attacks against Ukrainian\r\nnews media and electric industry\r\nBy Anton Cherepanov\r\nArchived: 2026-04-06 01:17:44 UTC\r\nCybercrime\r\nThe cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and has made\r\na comeback in 2014, was also active in the year 2015.\r\n03 Jan 2016 • 6 min. read\r\nUpdate: In case you want to have a simpler version of this article, please check out BlackEnergy trojan\r\nstrikes again: Attacks Ukrainian electric power industry.\r\nThe cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and has made\r\na comeback in 2014 (see our previous blog posts on Back in BlackEnergy *: 2014 Targeted Attacks in Ukraine\r\nand Poland and BlackEnergy PowerPoint Campaigns, as well as our Virus Bulletin talk on the subject), was also\r\nactive in the year 2015.\r\nESET has recently discovered that the BlackEnergy trojan was used as a backdoor to deliver a destructive\r\nKillDisk component in attacks against Ukrainian news media companies and against the electrical power industry.\r\nIn this blog, we provide details on the BlackEnergy samples ESET has detected in 2015, as well as the KillDisk\r\ncomponents used in the attacks. Furthermore, we examine a previously unknown SSH backdoor that was also\r\nused as another channel of accessing the infected systems, in addition to BlackEnergy.\r\nWe continue to monitor the BlackEnergy malware operations for future developments. For any inquiries or to\r\nmake sample submissions related to the subject, contact us at: threatintel@eset.com\r\nBlackEnergy evolution in 2015\r\nOnce activated, variants of BlackEnergy Lite allow a malware operator to check specific criteria in order to assess\r\nwhether the infected computer truly belongs to the intended target. If that is the case, the dropper of a regular\r\nBlackEnergy variant is pushed to the system. 
The exact mechanism of infection by BlackEnergy is described in\r\nour Virus Bulletin presentation and this whitepaper by F-Secure.\r\nThe BlackEnergy malware stores XML configuration data embedded in the binary of the DLL payload.\r\nhttps://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/\r\nPage 1 of 6\n\nFigure 1 – The BlackEnergy configuration example used in 2015\r\nApart from a list of C\u0026C servers, the BlackEnergy config contains a value called build_id. This value is a unique\r\ntext string used to identify individual infections or infection attempts by the BlackEnergy malware operators. The\r\ncombinations of letters and numbers used can sometimes reveal information about the campaign and targets.\r\nHere is the list of Build ID values that we identified in 2015:\r\n2015en\r\nkhm10\r\nkhelm\r\n2015telsmi\r\n2015ts\r\n2015stb\r\nkiev_o\r\nbrd2015\r\n11131526kbp\r\n02260517ee\r\n03150618aaa\r\n11131526trk\r\nWe can speculate that some of them have a special meaning. 
For example, 2015telsmi could contain the Russian\r\nacronym SMI - Sredstva Massovoj Informacii, 2015en could mean Energy, and there’s also the obvious “Kiev”.\r\nKillDisk component\r\nIn 2014, some variants of the BlackEnergy trojan contained a plugin designed for the destruction of the infected\r\nsystem, named dstr.\r\nIn 2015, the BlackEnergy group started to use a new destructive BlackEnergy component detected by ESET\r\nproducts as Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.\r\nThe main purpose of this component is to do damage to data stored on the computer: it overwrites documents with\r\nrandom data and makes the OS unbootable.\r\nThe first known case where the KillDisk component of BlackEnergy was used was documented by CERT-UA in\r\nNovember 2015. In that instance, a number of news media companies were attacked at the time of the 2015\r\nUkrainian local elections. The report claims that a large number of video materials and various documents were\r\ndestroyed as a result of the attack.\r\nIt should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on\r\ndestroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and\r\ndelete. The complete list contains more than 4000 file extensions.\r\nFigure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB\r\nThe KillDisk component used in attacks against energy companies in Ukraine was slightly different. 
Our analysis\r\nof the samples shows that the main changes made in the newest version are:\r\nNow it accepts a command line argument, to set a specific time delay when the destructive payload should\r\nactivate.\r\nIt also deletes Windows Event Logs: Application, Security, Setup, System.\r\nIt is less focused on deleting documents. Only 35 file extensions are targeted.\r\nFigure 3 – A list of file extensions targeted for destruction by the new variant of the KillDisk component\r\nAs well as being able to delete system files to make the system unbootable – functionality typical for such\r\ndestructive trojans – the KillDisk variant detected in the electricity distribution companies also appears to contain\r\nsome additional functionality specifically intended to sabotage industrial systems.\r\nOnce activated, this variant of the KillDisk component looks for and terminates two non-standard processes with\r\nthe following names:\r\nkomut.exe\r\nsec_service.exe\r\nWe didn’t manage to find any information regarding the name of the first process (komut.exe).\r\nThe second process name may belong to software called ASEM Ubiquity, a software platform that is often used in\r\nindustrial control systems (ICS), or to ELTIMA Serial to Ethernet Connector. In case the process is found, the\r\nmalware does not just terminate it, but also overwrites the executable file with random data.\r\nBackdoored SSH server\r\nIn addition to the malware families already mentioned, we have discovered an interesting sample used by the\r\nBlackEnergy group. 
During our investigation of one of the compromised servers we found an application that, at\r\nfirst glance, appeared to be a legitimate SSH server called Dropbear SSH.\r\nIn order to run the SSH server, the attackers created a VBS file with the following content:\r\nSet WshShell = CreateObject(\"WScript.Shell\")\r\nWshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"\r\nWshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, false\r\nAs is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in\r\na compromised network, attackers can come back to the network whenever they want.\r\nHowever, for some reason this was not enough for them. After detailed analysis we discovered that the binary of\r\nthe SSH server actually contains a backdoor.\r\nFigure 4 – Backdoored authentication function in SSH server\r\nAs you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password\r\npassDs5Bu9Te7 was entered. 
The same situation applies to authentication by key pair - the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used.\r\nFigure 5 – The embedded RSA public key in SSH server\r\nESET security solutions detect this threat as Win32/SSHBearDoor.A trojan.\r\nIndicators of Compromise (IoC)\r\nIP addresses of BlackEnergy C2 servers:\r\n5.149.254.114\r\n5.9.32.230\r\n31.210.111.154\r\n88.198.25.92\r\n146.0.74.7\r\n188.40.8.72\r\nXLS document with malicious macro SHA-1:\r\nAA67CA4FB712374F5301D1D2BAB0AC66107A4DF1\r\nBlackEnergy Lite dropper SHA-1:\r\n4C424D5C8CFEDF8D2164B9F833F7C631F94C5A4C\r\nBlackEnergy Big dropper SHA-1:\r\n896FCACFF6310BBE5335677E99E4C3D370F73D96\r\nBlackEnergy drivers SHA-1:\r\n
KillDisk-components SHA-1:\r\n16F44FAC7E8BC94ECCD7AD9692E6665EF540EEC4\r\n8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569\r\n6D6BA221DA5B1AE1E910BBEAA07BD44AFF26A7C0\r\nF3E41EB94C4D72A98CD743BBB02D248F510AD925\r\nVBS/Agent.AD trojan SHA-1:\r\n72D0B326410E1D0705281FDE83CB7C33C67BC8CA\r\nWin32/SSHBearDoor.A trojan SHA-1:\r\n166D71C63D0EB609C4F77499112965DB7D9A51BB\r\nSource: https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
	],
	"report_names": [
		"blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry"
	],
	"threat_actors": [
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439157,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6282fa3f5bc421fc9d265ab9b69ad34fcdd471e2.pdf",
		"text": "https://archive.orkl.eu/6282fa3f5bc421fc9d265ab9b69ad34fcdd471e2.txt",
		"img": "https://archive.orkl.eu/6282fa3f5bc421fc9d265ab9b69ad34fcdd471e2.jpg"
	}
}