Sofacy and GreyEnergy link 'confirmed' by use of same servers for phishing and CnC

News by Tom Reeve

The link between Sofacy and GreyEnergy, two Russian APTs with a particular shared interest in the Ukraine, appears to have been confirmed by Kaspersky Lab research.

Kaspersky Lab says it has discovered that two prominent APTs – GreyEnergy and Zebrocy/Sofacy – are sharing the same infrastructure, indicating that the two groups may be closely linked.

Both groups appear to have been using the same servers at the same time but for different purposes, which confirms previous suspicions about links between the two groups, the company said.

GreyEnergy is thought to be a successor to BlackEnergy because of similar methods of operation, targets and ‘architectural similarities’, Kaspersky Lab said. BlackEnergy is blamed for power outages in Ukraine after a series of attacks against the energy sector in 2015.

Sofacy is a cyber-espionage group which is connected to attacks against European and US government bodies including intelligence agencies, and Zebrocy is considered to be a subset of Sofacy based on the use of a specific malware package designed for exploiting infected machines.

The evidence for a link hinges on the discovery that both groups were using the same servers in Ukraine and Sweden in June 2018. GreyEnergy used them to store malicious downloads as part of a phishing campaign and Zebrocy used them for command and control for its malware operations.

While this might be considered a coincidence, Kaspersky said that further evidence linking the two groups includes their targeting the same company within a week of each other using similar bait, a purported email from the Ministry of Energy of the Republic of Kazakhstan. The GreyEnergy sample was sent to the company around 21 June and the Zebrocy document to the same company was sent around 28 June.

"The compromised infrastructure which is shared by these two threat actors potentially points to the fact that the pair not only have the Russian language in common, but that they also cooperate with each other. This also suggests their joint capabilities and creates a better picture of their plausible goals and potential targets. Today’s findings provide the public with further important knowledge about GreyEnergy and Sofacy. The more the industry knows about their tactics, techniques and procedures, the better the security experts can work to protect their customers from sophisticated attacks," said David Emm, principal security researcher at Kaspersky Lab.

Kaspersky identified Zebrocy C2 servers in July including 193.23.181[.]151 which were being used to download malware components. Meanwhile, FireEye also reported in July that it had identified the Felixroot backdoor being distributed as part of a phishing campaign that used information on an environmental protection seminar as a lure. It identified the same IP address as the server being used to download the second-stage payload in that attack.

Another server being used by both Zebrocy and GreyEnergy was 185.217.0[.]124, Kaspersky said, and it also used similar lures.
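The overlap finding described above, reduced to a small defender-side check, as an added example (not code from Kaspersky Lab or FireEye): sightings are grouped by indicator, and any server used by more than one actor within a chosen window is reported along with the roles it played. The two defanged IPs are the ones quoted in the article; the dates, the roles' exact timing and the third indicator are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sighting records. The two shared IPs are quoted in the article;
# the dates are illustrative (the article only says "June 2018" and "July"),
# and 198.51.100[.]7 is an RFC 5737 placeholder with no second actor.
SIGHTINGS = [
    {"indicator": "193.23.181[.]151", "actor": "Zebrocy",    "role": "c2",              "seen": date(2018, 6, 28)},
    {"indicator": "193.23.181[.]151", "actor": "GreyEnergy", "role": "payload-hosting", "seen": date(2018, 6, 21)},
    {"indicator": "185.217.0[.]124",  "actor": "Zebrocy",    "role": "c2",              "seen": date(2018, 6, 30)},
    {"indicator": "185.217.0[.]124",  "actor": "GreyEnergy", "role": "payload-hosting", "seen": date(2018, 6, 25)},
    {"indicator": "198.51.100[.]7",   "actor": "GreyEnergy", "role": "payload-hosting", "seen": date(2018, 7, 3)},
]


def shared_infrastructure(sightings, max_gap_days=30):
    """Return indicators seen with more than one actor, where all sightings of
    that indicator fall within max_gap_days of each other (concurrent use)."""
    by_indicator = defaultdict(list)
    for s in sightings:
        by_indicator[s["indicator"]].append(s)

    overlaps = []
    for indicator, rows in by_indicator.items():
        actors = {r["actor"] for r in rows}
        if len(actors) < 2:
            continue  # single-actor infrastructure is not an overlap
        first = min(r["seen"] for r in rows)
        last = max(r["seen"] for r in rows)
        gap = (last - first).days
        if gap > max_gap_days:
            continue  # reuse long after the fact is weaker evidence of cooperation
        overlaps.append({
            "indicator": indicator,
            "actors": sorted(actors),
            "roles": sorted({r["role"] for r in rows}),
            "gap_days": gap,
        })
    return sorted(overlaps, key=lambda o: o["indicator"])


if __name__ == "__main__":
    for hit in shared_infrastructure(SIGHTINGS):
        print(f"{hit['indicator']}: {', '.join(hit['actors'])} "
              f"({'/'.join(hit['roles'])}, {hit['gap_days']} days apart)")
```

Widening or narrowing `max_gap_days` is the knob that separates concurrent sharing, as reported here, from later reuse of abandoned hosting.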

"The links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis," the report concluded.
