GreyEnergy: New malware campaign targets critical infrastructure companies

Security researchers warn of cyber-espionage activity by group which has links to some of the most destructive cyber attacks of recent times.
Written by Danny Palmer, Senior Writer

The hacking group which took down Ukrainian power grids is systematically targeting critical infrastructure in Ukraine and beyond in what security researchers believe could be cyber espionage and reconnaissance ahead of future attacks.

Dubbed GreyEnergy by researchers at ESET, the group is believed to have been active over the last three years and to be linked to BlackEnergy, the attack group whose actions left 230,000 people in Ukraine without electricity in December 2015.

According to analysis by ESET, GreyEnergy is also related to Telebots -- the group behind NotPetya, a destructive attack that a number of Western government security agencies have attributed to Russia's military intelligence service, the GRU.

Researchers have previously linked Telebots to Industroyer, a malware campaign which caused a second power outage in Ukraine in 2016.

However, ESET hasn't attributed GreyEnergy to a particular group or state, only noting the links behind the various attacks by what the full research paper describes "as one of the most dangerous APT groups that has been terrorising Ukraine for the past several years".

SEE: What is cyberwar? Everything you need to know about the frightening future of digital conflict

Unlike these highly destructive and visible campaigns, GreyEnergy is very keen for its activity to stay under the radar with attacks focusing on stealth and a select group of targets, with efforts by the attackers to cover their tracks.

The main targets for this campaign are energy companies in Ukraine and Poland, with industrial control system workstations running SCADA software.

Researchers believe GreyEnergy to be a successor to BlackEnergy for a number of reasons, not least because of strong architectural similarities between the frameworks of the two forms of malware. Both GreyEnergy and BlackEnergy are modular and both employ a mini backdoor before admin rights are obtained and the full backdoor is rolled out.

There are also similarities in how the two forms of malware use remote command and control servers via the medium of active Tor relays -- researchers suggest that this is an operational security technique used by the group in order to ensure covert activity.

A third link is that the targets of the two campaigns are very similar -- all operate in the energy and critical infrastructure sectors and both families of malware have been spotted on systems in Ukraine and at least one victim of GreyEnergy had previously been targeted by BlackEnergy.

Researchers also note that the appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy, potentially indicating that the same group is likely to be behind both attacks.

GreyEnergy also shows signs of being an evolution of BlackEnergy, with ESET describing it as a "more modern" toolkit with a greater focus on stealth, with modules only pushed to the targets when deemed absolutely necessary.

On top of that, some GreyEnergy modules are partially encrypted using AES-256 and some remain fileless, only running in the memory, with the intention of hindering analysis and detection.

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)

Two means of infection have been seen in the wild -- spear-phishing emails that lure users into enabling malicious macros and the compromise of public-facing web servers. Attackers use these vulnerable servers to gain entry to networks then move laterally across the network to relevant systems.

The hacking group also employs publically available tools -- such as Mimikatz, PsExec, WinExe, Nmap -- to help conduct malicious activity across target networks, while also remaining under the radar. While researchers don't link the attacks to a particular operator, it's been known for nation-state linked hackers to conduct campaigns using these openly available kits.

"It is certain that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth," said the research paper on the malware -- and it's warned that the group is still active and that it's possibly in preparation for future sabotage attacks or laying the groundwork for an operation run by some other APT group.

However, there are a number of things an organisation can do to help avoid falling victim to the campaign.

"Use multi-layered security solutions, including Endpoint Detection and Response, 2FA, backups, updated and patched software, and educate employees to not to fall prey to spear-phishing attacks," said ESET researcher Robert Lipovský.


Editorial standards