The hacking group which took down Ukrainian power grids is systematically targeting critical infrastructure in Ukraine and beyond in what security researchers believe could be cyber espionage and reconnaissance ahead of future attacks.
Dubbed GreyEnergy by researchers at ESET, the group is believed to have been active over the last three years and to be linked to BlackEnergy, the attack group whose actions left 230,000 people in Ukraine without electricity in December 2015.
According to analysis by ESET, GreyEnergy is also related to Telebots -- the group behind NotPetya, a destructive attack that a number of Western government security agencies have attributed to Russia's military intelligence service, the GRU.
Researchers have previously linked Telebots to Industroyer, a malware campaign which caused a second power outage in Ukraine in 2016.
However, ESET hasn't attributed GreyEnergy to a particular group or state, only noting the links between the various attacks by what the full research paper describes as "one of the most dangerous APT groups that has been terrorising Ukraine for the past several years".
Unlike these highly destructive and visible campaigns, GreyEnergy is keen to keep its activity under the radar: its attacks focus on stealth and a select group of targets, and the attackers make deliberate efforts to cover their tracks.
Two means of infection have been seen in the wild -- spear-phishing emails that lure users into enabling malicious macros, and the compromise of public-facing web servers. Attackers use these vulnerable servers to gain entry to networks, then move laterally across the network to the systems of interest.
The hacking group also employs publicly available tools -- such as Mimikatz, PsExec, WinExe and Nmap -- to conduct malicious activity across target networks while remaining under the radar. While researchers don't link the attacks to a particular operator, nation-state-linked hackers are known to run campaigns using these openly available kits.
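Because the remote-execution tools named above install a Windows service on each host they touch, the service-installation event is one place defenders can look for this lateral movement. The following is an added example, not part of the article or ESET's research: it scans constructed (not real) Windows System log records for the service names PsExec and WinExe create by default (PSEXESVC and winexesvc).

```python
import re

# Constructed sample of Windows System log records (Event ID 7045 = service
# installed, 4624 = logon), flattened to one "key=value" line each.
# These are illustrative, not captures from any real incident.
SAMPLE_EVENTS = [
    "2018-10-17T09:12:01 host=WS-01 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\\PSEXESVC.exe",
    "2018-10-17T09:15:44 host=SRV-02 event_id=7045 service_name=winexesvc image_path=C:\\Windows\\winexesvc.exe",
    "2018-10-17T09:20:10 host=WS-03 event_id=7045 service_name=Spooler image_path=C:\\Windows\\System32\\spoolsv.exe",
    "2018-10-17T09:25:00 host=WS-04 event_id=4624 logon_type=3 user=svc-admin",
]

# Default service names installed by the remote-execution tools the
# article mentions. Name matching is a baseline signal only: a renamed
# service will not match, so review image_path and the network (type 3)
# logons that precede the install as well.
LATERAL_MOVEMENT_SERVICES = {
    "psexesvc": "PsExec",
    "winexesvc": "WinExe",
}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one flattened record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def find_remote_exec_services(lines):
    """Return (host, tool, service_name) for every 7045 event whose
    service name matches a known remote-execution tool."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event_id") != "7045":
            continue
        tool = LATERAL_MOVEMENT_SERVICES.get(ev.get("service_name", "").lower())
        if tool:
            hits.append((ev.get("host", "?"), tool, ev["service_name"]))
    return hits


if __name__ == "__main__":
    for host, tool, svc in find_remote_exec_services(SAMPLE_EVENTS):
        print(f"{host}: {tool} service installed ({svc})")
```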
"It is certain that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth," says the research paper on the malware, which warns that the group is still active and may be preparing future sabotage attacks or laying the groundwork for an operation run by some other APT group.
However, there are a number of things an organisation can do to help avoid falling victim to the campaign.
"Use multi-layered security solutions, including Endpoint Detection and Response, 2FA, backups, updated and patched software, and educate employees not to fall prey to spear-phishing attacks," said ESET researcher Robert Lipovský.