ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks
Recent ESET research has uncovered details of
the successor of the BlackEnergy APT group, whose main toolset was last seen in
December 2015 during the first-ever blackout caused by a cyberattack. Around
the time of that breakthrough incident, when around 230,000 people were left
without electricity, we started detecting another malware framework and named
it GreyEnergy. It has since been used to attack energy companies and other
high-value targets in Ukraine and Poland for the past three years.
It is important to note that when we describe
‘APT groups’, we’re making connections based on technical indicators such as
code similarities, shared C&C infrastructure, malware execution chains, and
so on. We’re typically not directly involved in the investigation and
identification of the individuals writing the malware and/or deploying it, and
the interpersonal relations between them. Furthermore, the term ‘APT group’ is
very loosely defined, and often used merely to cluster the abovementioned
malware indicators. This is also one of the reasons why we refrain from
speculation with regard to attributing attacks to nation states and such.
We have already extensively documented the
threat actors’ transition towards TeleBots in cyberattacks on high-value targets in the Ukrainian financial sector,
in the supply-chain attacks against Ukraine, and in an analysis of TeleBots’ cunning backdoor, all from the
group most notable for the NotPetya ransomware outbreak. At the same time, we
have also been keeping a close eye on GreyEnergy – a subgroup operating in
parallel, but with somewhat different motivations and targeting.
Although ESET telemetry data shows GreyEnergy
malware activity over the last three years, this APT group has not been
documented until now. This is probably due to the fact that those activities
haven’t been destructive in nature, unlike the numerous TeleBots ransomware
campaigns (not only NotPetya), the BlackEnergy-enabled power grid attack, and the Industroyer-caused blackout – which we have linked to these groups for the first time
last week. Instead, the threat actors behind GreyEnergy have tried to stay
under the radar, focusing on espionage and reconnaissance, quite possibly in
preparation for future cybersabotage attacks or laying the groundwork for an
operation run by some other APT group.
GreyEnergy’s malware framework bears many
similarities to BlackEnergy, as outlined below. It is similarly modular in
construction, so its functionality is dependent on the particular combination
of modules its operator uploads to each of the targeted victim systems. The
modules that we have observed were used for espionage and reconnaissance
purposes (e.g. backdoor, file extraction, taking screenshots, keylogging,
password and credential stealing, etc.). We have not observed any modules that
specifically target Industrial Control Systems (ICS). We have, however,
observed that the GreyEnergy operators have been strategically targeting ICS
control workstations running SCADA software and servers, which tend to be
mission-critical systems never meant to go offline except for periodic
maintenance.