Kyiv power grid attack attributed to TeleBots through Industroyer link

News by Tom Reeve

Improved version of Industroyer malware emerges and leads ESET Research to attribute malware to the TeleBots threat group.

Kyiv, victim of a power network attack in 2016 (pic: Artemka/Wikimedia)

The infamous cyber-criminal group TeleBots has been linked to malware Industroyer – responsible for the 2016 Kyiv power outage – for the first time.

Industroyer is a powerful malware which targets industrial control systems and is blamed for the attack on the Ukrainian power grid which led to a one-hour long blackout in Kyiv in 2016. It is the first known malware package to specifically target electricity grids.

TeleBots has also been linked to the disk-wiping malware NotPetya and to BlackEnergy, which was responsible for another Ukrainian blackout in 2015.

ESET Research is confident of the link between TeleBots and Industroyer following the discovery of new TeleBots activity.

"Speculation about the connection between Industroyer and TeleBots emerged shortly after Industroyer hit Ukraine’s power grid," said ESET security researcher Anton Cherepanov who led both the Industroyer and NotPetya investigations. "However, no supporting evidence was publicly recognised – until now."

ESET is making the connection between TeleBots and Industroyer based on the discovery in April of new activity from the TeleBots group – an attempt to deploy a new backdoor which ESET has dubbed Exaramel. Analysis shows that it’s an improved version of the Industroyer backdoor.

ESET said this indicates a link between Industroyer and TeleBots. "While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely," said senior malware researcher Anton Cherepanov in a company blog.

The attribution of Industroyer to TeleBots is based on technical indicators such as code similarities, shared command and control infrastructure, malware execution chains and other factors.

Exaramel is equipped with a suite of malicious tools which have been seen in other TeleBots products, including an improved CredRaptor password-stealer tool.

Interestingly, the group seems to have taken a particular interest in ESET and uses hardcoded domains for C&C which are designed to look like ESET domains, e.g. esetsmart[.]org and um10eset[.]net. ESET has not observed TeleBots trying to mimic other security company domains.
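The vendor-lookalike C&C domains described above are the kind of indicator a defender can hunt for in outbound DNS logs. The following is an added example written for this page, not ESET's code or anything from the Exaramel analysis: it refangs indicators written in the `[.]` style, extracts a naive registered domain, and flags any query whose domain embeds a watched brand token but is not on that brand's allowlist. The allowlist entry `eset.com` is ESET's real domain; the log lines are constructed, and the log format is an assumption.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Brand tokens to watch for in outbound DNS queries, mapped to the legitimate
# registered domains allowed to contain them. eset.com is real; a SOC would
# populate this from its own inventory (assumption for this example).
WATCHED_BRANDS: Dict[str, Set[str]] = {
    "eset": {"eset.com"},
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'esetsmart[.]org' into 'esetsmart.org'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def registered_domain(fqdn: str) -> str:
    """Naive registrable-domain extraction: the last two labels.
    A production check would use a public-suffix list instead."""
    labels = fqdn.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def lookalike_brand(fqdn: str) -> Optional[str]:
    """Return the brand a domain imitates, or None if it is allowlisted/unrelated."""
    reg = registered_domain(refang(fqdn))
    second_level = reg.split(".")[0]
    for brand, legit in WATCHED_BRANDS.items():
        if brand in second_level and reg not in legit:
            return brand
    return None


# Constructed sample DNS log lines (not from the article): "timestamp client query".
# The two defanged domains are the ones named in the article.
SAMPLE_DNS_LOG = """\
2018-10-11T09:14:02Z 10.0.5.23 update.eset.com
2018-10-11T09:14:07Z 10.0.5.23 esetsmart[.]org
2018-10-11T09:15:41Z 10.0.7.8 um10eset[.]net
2018-10-11T09:16:00Z 10.0.5.23 www.example.org
2018-10-11T09:16:13Z 10.0.9.1 cdn.preset.io
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def flag_lookalikes(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, refanged query, brand) for every query whose registered
    domain embeds a watched brand token but is not on that brand's allowlist."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, query = m.groups()
        brand = lookalike_brand(query)
        if brand:
            hits.append((client, refang(query), brand))
    return hits


if __name__ == "__main__":
    for client, query, brand in flag_lookalikes(SAMPLE_DNS_LOG):
        print(f"{client} queried {query} (possible {brand} lookalike)")
```

Substring matching is deliberately broad: in the sample it also flags `cdn.preset.io`, where "eset" is just part of an unrelated word. That is the trade-off a hunting rule makes; the allowlist and analyst review, not the regex, decide what is benign, and tuning means adding confirmed-legitimate domains rather than weakening the match.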

According to ESET analysis from 2017, Industroyer was significantly more sophisticated than BlackEnergy due to its ability to directly control switches and circuit breakers in market-leading industrial control systems.

* This article has been edited to use the Ukrainian spelling of Kyiv (rather than Kiev which is the transliteration of the Russian spelling).
