Earlier we
wrote about a series of cyber attacks on industrial facilities in Ukraine using the BlackEnergy trojan. One of the most famous victims of the Trojan was the energy company "Prykarpattyaoblenergo", which supplied electricity to Ivano-Frankivsk region in western Ukraine. Another famous victim of BlackEnergy was the computer network of the Borispol airport, on one of whose computers a Trojan was also detected. This was
announced by the speaker of the presidential administration of Ukraine on the ATO issues Andrey Lysenko.

The ministry also indicated that Kyivoblenergo, Chernivtsoblenergo, Khmelnitskoblenergo and Kharkivoblenergo were subjected to cyber attacks. The Ukrainian security company CyS Centrum, which was also investigating these cyber attacks, in its
research named the airport Borispol mentioned as victims, as well as the company Ukraine International Airlines, on whose computers the BlackEnergy driver was detected.
')

Fig. An example of a phishing email that was used in a malicious campaign (CyS Centrum data).

Fig. The appearance of the document bait (data CyS Centrum).
The CERT-UA Computer Emergency Response Center of Ukraine has
published a list of IoC indicators, which can be used to establish the fact of BlackEnergy’s compromise. The following IP addresses are listed there.
146.0.74.7
148.251.82.21
188.40.8.72
31.210.111.154
41.77.136.250
5.9.32.230
88.198.25.92
41.77.136.250
Also there is an example of checking log files.

Fig. An example of checking the system for infection BlackEnergy (data CyS Centrum).