[Image: Ukrainian servicemen ride on a military truck near the eastern Ukrainian town of Pervomaysk. Credit: Reuters]

A Russian cybercrime gang called Quedagh is behind a persistent cyber-attack against the Ukrainian government that harvested sensitive information.

BlackEnergy is a well-known cybercrime toolkit that has been in use since 2007, but this summer, as tensions rose between Russia and Ukraine, a new version of the malware was detected being used by a mysterious group of hackers targeting Ukrainian government officials to harvest information.

BlackEnergy was also used previously in 2008 attacks against the Georgian government during its conflict with Russia. The hackers targeted government infrastructure in Dnipropetrovsk, a city in the southeast of Ukraine, as well as the Ukrainian Railway, creating proxy servers at those locations to divert traffic.

Finnish security company F-Secure spotted the evolved malware and tracked its use to a single group of hackers whom it has dubbed Quedagh - the name of an Indian merchant ship that was captured by Scottish privateer William Kidd at the end of the 17th century.

The Quedagh gang has been in operation since 2010, according to F-Secure.

"Based on the set proxy servers for the different samples, we concluded that the gang is targeting Ukrainian government organisations," F-Secure's report says.

While F-Secure was unable to ascertain how the malware was spread, another security firm, ESET, said that it was spread using phishing emails with attachments that appeared to relate to legitimate articles about Russia but in fact contained the BlackEnergy malware.

"Idiots, privateers or intelligence services"

While there is no clear evidence who these hackers are, F-Secure's Sean Sullivan told IBTimes UK that those behind it could be "varying degrees of useful idiots, privateers or maybe it really is an intelligence service [using BlackEnergy] for plausible deniability."

Intelligence services would be able to hide behind the fact that BlackEnergy is a widespread cybercrime tool used by hackers around the globe, though principally those based in Russia.

Sullivan believes that the people behind the BlackEnergy attacks could simply be patriots trying to do something for their country.

He points to previous distributed denial-of-service attacks against the Estonian government a few years ago that were credited to the Kremlin, but Sullivan says there is evidence that it was more of a "flash-mob" style attack by numerous patriotic hackers.

The use of cyber-tools or weapons, such as BlackEnergy, for political ends is a trend that we are only going to see more and more of. One sample of BlackEnergy has been uploaded from Brussels, suggesting it is being used to target the diplomats who are involved in negotiations with Russia and Ukraine.

"Any time we have a political crisis, there are going to be hackers out there to infiltrate the diplomats, having the people on the ground," Sullivan believes.

Looking at the wider picture, cyber-tools, like Duke, or criminal gangs, including Energetic Bear, have recently been shown to be taking part in industrial espionage on a larger scale.