GreyEnergy Spy APT Mounts Sophisticated Effort Against Critical Infrastructure
Threat Post & Journal of CyberPolicy, October 19, 2018, with comments by Ray DeMeo;
Most people in the cybersecurity space remember BlackEnergy, the advanced persistent threat (APT) responsible for attacking and shutting down electrical grids in Ukraine in December three years ago. Now BlackEnergy has an architecturally similar and more modern successor, GreyEnergy, that’s emerged this past week. While it’s showing similarities to its predecessor, so far, it has a different focus. Rather than shutting electrical grids down, GreyEnergy has cyber-espionage as its main objective.
BlackEnergy’s bad actors, known as Sandworm, evolved into another group now known as the TeleBots. The TeleBots have been linked to the NotPetya attacks last June, as well as another attack on Ukrainian power infrastructure using Industroyer malware in 2016. TeleBots is responsible for additional attacks in Ukraine as well over the last 3 years impacting the financial and supply chain industries.
That history sets the backdrop for GreyEnergy, which is carrying forward its own reasoning and rationale. While it also uses malware for its offensive strikes against energy companies (and other high-stakes targets) in Ukraine and elsewhere, its focus is on espionage and reconnaissance. The malware carries out stealthy acts such as backdooring, taking screenshots, extracting files, keylogging, and stealing passwords and credentials.
The targets seem to be specifically focused on ICS workstations running ICS/SCADA software. While this group has been active for a few years, they haven’t been well tracked until recently because their actions were not aggressive. But these could be small steps leading up to more dangerous and sabotaging attacks on utilities or industrial control systems (ICS) where the damage could be significant.
GreyEnergy malware, like BlackEnergy and Industroyer, uses remote C2 (command and control) servers for covert communication. And as GrayEnergy has emerged, BlackEnergy has disappeared. At least one of the victims is the same. Both have hit the hardest in Ukraine, followed by Poland. Probably not a coincidence.
Ray DeMeo, co-founder and COO at Virsec, told Threatpost, “It should be no surprise that threats like BlackEnergy are morphing into new variants. There is a large arsenal of advanced hacking tools, many developed by the NSA, now readily available. These are difficult to detect because they manipulate legitimate application processes in runtime memory, and create new variants further evades signature-based detection. More disturbing is that many of these attacks are targeted at disrupting critical infrastructure. Many of these ICS/SCADA systems have outdated security, designed for isolation, which is increasingly disappearing as IT and operational technology systems connect and converge.”
Read full GreyEnergy Malware article