Security researchers find solid evidence linking Industroyer to NotPetya

A web of code reuse and shared infrastructure links together a slew of famous cyber-attacks.
Written by Catalin Cimpanu, Contributor

Malware analysts from Slovak cyber-security firm ESET have found substantial evidence linking the cyber-attacks carried out against Ukraine's power grid to the same group behind the NotPetya ransomware outbreak of June 2017.

The link is not a direct one; it runs through a third malware strain that was spotted in a separate intrusion in April this year.

Researchers say this malware, the Exaramel backdoor, was deployed from the server infrastructure of TeleBots, the group from whose infrastructure the NotPetya ransomware also originated.

In a report released today, after months of analysis, ESET adds that the Exaramel backdoor "is an improved version" of the backdoor component that was part of Industroyer, a malware strain that targets industrial control systems (ICS) and that was used to cause power outages in Ukraine in December 2016.

Such links had been speculated on but never proven with solid facts. Thanks to the new Exaramel discovery, ESET said, those connections can now be made.

Below is an image showing what ESET researchers were able to attribute to the TeleBots group, which they believe is an evolution of the BlackEnergy group that attacked Ukraine's power grid a year before Industroyer, in December 2015.


Taking into account a multi-sourced report from July 2017 that linked NotPetya with the BlackEnergy attacks, one can say with some confidence that the same threat actor is behind all the attacks listed in the image above.

ESET's discovery comes at the right time to bring factual and technical proof to recent allegations made by Western governments.

In February this year, all Five Eyes governments accused Russia of orchestrating the NotPetya ransomware outbreak.

Earlier this month, the UK and Australia issued statements accusing Russia's Main Intelligence Directorate (GRU), the military intelligence agency of Russia's armed forces, of a multitude of cyber-attacks.

Those statements said Russia's GRU was behind a series of cyber-espionage groups and hacking operations. Among the names listed were Sandworm and BlackEnergy, two names that have been used as aliases for TeleBots in numerous reports from the private cyber-security industry.

When the first reports about the Industroyer ICS malware were published in June 2017, ESET researchers speaking to this reporter specifically stayed away from speculation and from making a formal attribution to a specific country.

They didn't make a formal attribution of TeleBots as a Russian state-hacking operation in today's report either, but they don't have to, as official government statements have already done so.

Their research now backs up some of the things we've been reading in government reports and hearing from government spokespersons: that Russia created custom-made malware to target Ukraine's power grid in 2015 and 2016, and later deployed the NotPetya ransomware against Ukrainian companies as part of the hostilities between the two countries that followed Russia's annexation of Crimea and its backing of pro-Russian rebels in Ukraine's eastern regions.

Speaking at a press conference attended by a ZDNet reporter earlier this year, one of the ESET malware analysts who analyzed Industroyer called it the only malware in existence which has been "specifically designed to attack the power grid" and "the most sophisticated, the biggest threat to industrial control systems since Stuxnet."

The original 2017 reports on Industroyer's capabilities are available from ESET and from Dragos (which refers to Industroyer as CrashOverride). ESET's latest research on the Exaramel backdoor that ties Industroyer to NotPetya and the TeleBots group is available here.
