Possibly the most powerful attack group operating in the wild, GreyEnergy, has been identified as the successor of BlackEnergy, the group responsible for the first power blackout caused by a cyber-attack - in Ukraine in December 2015.
ESET researchers have identified the group operating in stealth mode, conducting similar reconnaissance and malware installation activities on critical infrastructure to that which BlackEnergy carried out before unleashing its attack.
However, GreyEnergy also uses "a new arsenal of tools...We have seen GreyEnergy involved in attacks at energy companies and other high-value targets in Ukraine and Poland over the past three years," says Anton Cherepanov, ESET senior security researcher who led the research.
Speaking at a presentation in Bratislava today, ESET researcher Robert Lipovsky added, "Their actions resemble the activity of BlackEnergy group prior to its destructive attack and so this is not the last time we'll hear of this group."
Lipovsky explained how the connection was made between the groups. Following the 2015 Ukraine blackout the BlackEnergy toolset was found by ESET researchers to be used by a subsequently documented new APT subgroup, TeleBots.
TeleBots distributed the global outbreak of NotPetya disk-wiping malware that disrupted global business operations in 2017 and caused some US$10 billion of damage. As ESET researchers recently confirmed, TeleBots is also connected to Industroyer, described as the most powerful modern malware targeting industrial control systems and the culprit behind the second electrical blackout in Ukraine’s capital, Kyiv, in 2016.
The appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy. At first GreyEnergy was acting in parallel with Telebots. "GreyEnergy surfaced along with TeleBots, but unlike its better-known cousin, GreyEnergy’s activities are not limited to Ukraine and so far, haven’t been damaging. Clearly, they want to fly under the radar," comments Anton Cherepanov.
The first company hit by GreyEnergy was a Polish energy company, but the attacker’s main focus is Ukraine. Other similarities suggested a link. Mostly its victims are in the energy sector, though only a handful have been detected. According to ESET’s thorough analysis, GreyEnergy malware is closely related to both BlackEnergy and TeleBots malware.
It is modular in construction, so its functionality is dependent on the particular combination of modules its operator uploads to the victim’s systems. These modules include: backdoors, file extraction, taking screenshots, keylogging, password and credential stealing, etc.
The attackers typically deploy internal C&C proxies within victims’ networks, another stealth tactic, as it is less suspicious to a defender to see that multiple computers "talking" to an internal server, rather than a remote one.
Some of the GreyEnergy samples were signed with a likely stolen certificate from Advantech, a Taiwanese manufacturer. Common external tools such as Mimikatz, PsExec, WinExe, Nmap and a custom port scanner were also used.
Like BlackEnergy, GreyEnergy only pushes selected modules to selected targets when needed. Some modules are partially encrypted using AES-256 and some remain fileless – running only in memory to hinder analysis and detection, and it securely wipes the malware components from the victims’ hard drives.
"We have not observed any modules that specifically target Industrial Control Systems software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers," explains Anton Cherepanov.
The conclusion is that this activity is the precursor to an actual attack.
In an email to SC Media UK, Moreno Carullo, co-founder and CTO of Nozomi Networks commented that the development was inevitable, saying: "We are seeing a trend in ICS cyber-security where this, and other malwares do exist, and they are threatening our world’s most critical infrastructures....GreyEnergy is an important tool in the arsenal of some of the most dangerous APT groups that have been terrorising Ukraine for the past several years.
"Each new malware our industry discovers is proving to be more and more advanced, like how this GreyEnergy malware extends its capabilities by receiving the module remotely. With these malwares, cyber-criminals are using two main attack vectors: compromising public-facing web services and spear-phishing - both methods that can be easily thwarted with the right ICS security solution and the necessary training for employees.
"With continuous visibility, advanced ICS security and constant education, industrial facilities worldwide can leverage their skills and tools to ensure they aren’t at risk to be hit next at a time where industrial controls and critical infrastructure are priority cyber-security targets."