After BlackEnergy, critical infrastructure around the world is among the key targets of a new malware family called GreyEnergy.
In recent research, ESET has revealed details of a new group of cybercriminals dubbed GreyEnergy, which appears to be the successor of the BlackEnergy APT group. The BlackEnergy group’s last activity was observed in December 2015, when nearly 230,000 people had to deal with a prolonged blackout caused by a cyber attack on Ukrainian power grids.
ESET researchers have observed GreyEnergy attacking energy firms and other high-value targets in Poland and Ukraine since 2016. Its targets appear to be critical infrastructure in Ukraine. Researchers also believe the group is closely linked to the BlackEnergy group and that the attackers may be preparing cyber-espionage attacks in the near future.
Furthermore, ESET researchers have evidence that GreyEnergy is linked to Telebots, the group behind the highly destructive NotPetya malware. Telebots is believed to have the backing of the GRU, the Russian military intelligence service. Previously, researchers linked Telebots to another malware campaign, Industroyer, which caused another blackout in Ukraine in 2016.
It is worth noting that ESET has not formally attributed GreyEnergy to any specific state; it has only pointed to suspected links with earlier attacks on Ukrainian power grids. ESET has described GreyEnergy as one of the most “dangerous APT groups” that has been attacking Ukraine for the last three years.
GreyEnergy’s primary focus is on targeted, stealthy campaigns, and the attackers use every available means to evade detection. Its key targets are energy companies, specifically those whose industrial control system workstations run SCADA software.
ESET researchers believe GreyEnergy is tied to BlackEnergy because both are modular and deploy a minimal backdoor before obtaining administrator rights, after which a full backdoor is rolled out. Another similarity is that both groups’ malware reach their remote command-and-control servers through active Tor relays, an operational-security technique the group uses to operate covertly.
Moreover, both campaigns target energy and critical infrastructure in Ukraine, and one of BlackEnergy’s victims has also been targeted by GreyEnergy. BlackEnergy has been inactive since the time GreyEnergy became active, which further supports the link between the two groups.
There are also signs that GreyEnergy is an evolved form of BlackEnergy, given its more modern toolkit, which places greater emphasis on stealth: AES-256-encrypted fileless modules are pushed only when strictly necessary, and they run in memory to hinder analysis and detection.
GreyEnergy gains initial access through spear-phishing emails that lure users into enabling malicious macros, or by compromising public-facing web servers. Vulnerable servers serve as an entry point into the network, from which the attackers gradually move laterally toward the targeted systems. The group also uses publicly available tools such as WinExe, Nmap, Mimikatz and PsExec to carry out its activity while staying under the radar.
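As an added example (not from ESET’s research or this article), the following Python script shows how a defender might hunt for the publicly available tools named above in process-creation telemetry: it parses log lines, matches each process against both the tool’s usual file name and command-line markers that survive a renamed binary, and rates a host higher when several distinct tools appear within a short window, the trace a lateral-movement chain leaves behind. The log format, the sample lines and the tool signatures are simplified assumptions constructed for illustration, not a vendor rule set.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation log lines (simplified key=value format,
# not real telemetry). The renamed "ps.exe" shows why command-line markers
# matter in addition to file names.
SAMPLE_LOGS = r"""
2018-10-17T09:12:01Z host=WS-OPS-07 user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir"
2018-10-17T09:14:22Z host=WS-OPS-07 user=CORP\jdoe image=C:\Temp\ps.exe cmdline="ps.exe \\10.0.5.21 -accepteula cmd"
2018-10-17T09:15:40Z host=WS-OPS-07 user=CORP\jdoe image=C:\Temp\mimikatz.exe cmdline="mimikatz.exe"
2018-10-17T09:31:05Z host=WS-ENG-02 user=CORP\svc_backup image=C:\Program Files\Backup\agent.exe cmdline="agent.exe --run"
2018-10-17T10:02:11Z host=WS-ENG-02 user=CORP\svc_backup image=C:\Tools\nmap.exe cmdline="nmap.exe -sn 10.0.5.0/24"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$'
)

# Illustrative signatures (assumption: simplified for the example).
# "names": file names the tool usually ships under; "cmd": command-line
# markers that still identify it after the binary has been renamed.
TOOL_SIGNATURES = {
    "psexec":   {"names": {"psexec.exe", "psexec64.exe", "psexesvc.exe"},
                 "cmd": [re.compile(r"-accepteula", re.I)]},
    "mimikatz": {"names": {"mimikatz.exe"},
                 "cmd": [re.compile(r"\b(sekurlsa|lsadump|kerberos)::", re.I)]},
    "nmap":     {"names": {"nmap.exe", "zenmap.exe"},
                 "cmd": [re.compile(r"\s-s[STUAVn]\b")]},
    "winexe":   {"names": {"winexe", "winexe.exe"},
                 "cmd": [re.compile(r"-U\s+\S+\s+//[\w.-]+")]},
}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def classify(event):
    """Return the set of tool labels a process-creation event matches."""
    basename = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    hits = set()
    for tool, sig in TOOL_SIGNATURES.items():
        if basename in sig["names"] or any(p.search(event["cmd"]) for p in sig["cmd"]):
            hits.add(tool)
    return hits


def find_suspicious_hosts(lines, window_minutes=30, min_tools=2):
    """Correlate hits per host: a host on which at least `min_tools` distinct
    tools run inside one window is rated 'high' (several stages of one
    intrusion); a host with any hit at all is rated 'low'."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable line: skip rather than crash the hunt
        for tool in classify(event):
            hits[event["host"]].append((event["ts"], tool))

    report = {}
    for host, events in hits.items():
        events.sort()
        severity = "low"
        for i, (t0, _) in enumerate(events):
            tools_in_window = {tool for t, tool in events[i:] if t - t0 <= window}
            if len(tools_in_window) >= min_tools:
                severity = "high"
                break
        report[host] = {"severity": severity, "tools": sorted({t for _, t in events})}
    return report


if __name__ == "__main__":
    for host, info in find_suspicious_hosts(SAMPLE_LOGS.strip().splitlines()).items():
        print(f"{host}: severity={info['severity']} tools={info['tools']}")
```

On the constructed sample, WS-OPS-07 is rated high because a renamed PsExec and Mimikatz run within two minutes of each other, while WS-ENG-02 is rated low for a lone Nmap scan that might belong to an administrator. In a real deployment the signatures would come from a maintained rule set and the window would be tuned against the organisation’s own baseline.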
ESET warns that the group remains active and may well be preparing another wave of attacks, or that another APT group is being established to carry out more advanced operations. To avoid being attacked by GreyEnergy, ESET researcher Robert Lipovský recommends the following.
“Use multi-layered security solutions, including Endpoint Detection and Response, 2FA, backups, updated and patched software, and educate employees not to fall prey to spear-phishing attacks.”