As critical infrastructure attacks become a more prominent threat, a mysterious new collective emerges.
Researchers at cybersecurity firm ESET have uncovered details of a successor to the notorious BlackEnergy APT (advanced persistent threat) group. Dubbing the new collective GreyEnergy, ESET said the new threat actor focuses on espionage and reconnaissance, possibly in preparation for future sabotage attacks.
BlackEnergy had been active in Ukraine for a number of years, rising to prominence in December 2015, when the group caused a blackout that left 230,000 people without electricity in the country. Around this time, ESET researchers also began detecting the new GreyEnergy malware framework.
This framework has been used to attack energy companies and other high-value targets in Ukraine and Poland for the past three years, and its appearance coincided with the apparent disappearance of BlackEnergy. The VPNFilter malware, discovered earlier in 2018, also shares code with versions of the BlackEnergy framework.
ESET also documented a new APT subgroup, dubbed TeleBots, which was most notable for the NotPetya malware outbreak that disrupted business operations worldwide in 2017. Researchers confirmed that TeleBots is also linked to Industroyer, the culprit behind the second blackout in the Ukrainian capital of Kiev, in December 2016.
At least one of the victims targeted by GreyEnergy had been targeted by BlackEnergy in the past, and both subgroups share an interest in the energy sector and critical infrastructure.
Flying under the radar
“GreyEnergy surfaced along with TeleBots but, unlike its better-known cousin, GreyEnergy’s activities are not limited to Ukraine and so far haven’t been damaging. Clearly, they want to fly under the radar,” said senior ESET researcher Anton Cherepanov. He noted that although GreyEnergy has been active for some time, the APT group has not been documented until now, most likely because none of its known activity has been destructive.
Unlike the numerous TeleBots ransomware campaigns, the BlackEnergy-enabled power grid attack and the blackout caused by Industroyer, GreyEnergy is trying to remain low-key. Researchers believe this may be to lay groundwork for an operation or prepare for future critical infrastructure attacks.
In December 2016, researchers noticed an instance of GreyEnergy deploying an early version of the TeleBots NotPetya worm – about half a year before it was altered, improved and deployed in the most damaging ransomware outbreak in history.
There is significant code reuse between this ransomware component and the GreyEnergy core module. This early version is called Moonraker Petya, based on the malware writers’ choice of filename – most likely a reference to the James Bond film. This earlier version did not feature the devastating EternalBlue spreading mechanism that made NotPetya so powerful.
According to ESET analysis, GreyEnergy malware is closely related to both BlackEnergy and TeleBots malware. It is modular in construction, so its functionality on any given victim depends on the particular combination of modules the operator chooses to push to that system.
The modules described in ESET’s analysis were used for espionage and reconnaissance purposes, and include: backdoor, file extraction, obtaining screenshots, keylogging, and password and credential stealing.
“We have not observed any modules that specifically target industrial control systems (ICS) software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers,” Cherepanov said. These tend to be mission-critical systems, which are never meant to go offline except for periodic maintenance.
ESET researchers wrote that the GreyEnergy toolkit is more modern compared to BlackEnergy, with a larger emphasis on stealth. “One basic stealth technique – employed by both families – is to push only selected modules to selected targets, and only when needed.
“On top of that, some GreyEnergy modules are partially encrypted using AES-256 and some remain fileless – running only in memory – with the intention of hindering analysis and detection.” GreyEnergy operators also wipe the malware components from the victims’ hard drives to cover their tracks.
With GreyEnergy, ESET researchers observed two distinct infection vectors: traditional spear-phishing and the compromise of public-facing web servers. Once inside, the attackers typically deploy internal command and control proxies within the victims’ networks. Such proxies relay requests from infected nodes inside the network to an external server on the internet, so only the proxy itself needs to reach out past the perimeter. This is another stealth tactic: multiple workstations ‘talking’ to an internal server looks far less suspicious to a defender than each of them connecting to a remote one.
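The internal-proxy pattern described above leaves a shape in flow or proxy logs that can be hunted for: an internal host that several other internal hosts connect to, and that in turn talks to an external address, with the volume it relays outbound roughly matching what it receives. The script below is an added example written for this page, not ESET’s tooling or anything recovered from GreyEnergy. It runs that check over a handful of constructed flow records (not real telemetry); the private address ranges, the fan-in threshold of three clients, the relay-ratio heuristic and the allowlist are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for this example (RFC 1918 ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records, not real telemetry: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, 1800),      # four workstations beacon to 10.0.2.5 ...
    ("10.0.1.11", "10.0.2.5", 443, 2100),
    ("10.0.1.12", "10.0.2.5", 443, 1750),
    ("10.0.1.13", "10.0.2.5", 443, 1900),
    ("10.0.2.5", "203.0.113.7", 443, 7400),    # ... which relays a similar volume outbound
    ("10.0.1.10", "10.0.3.20", 445, 50000),    # ordinary file server: fan-in but no egress
    ("10.0.1.11", "10.0.3.20", 445, 48000),
    ("10.0.1.12", "10.0.3.20", 445, 51000),
    ("10.0.1.14", "10.0.3.20", 445, 47000),
    ("10.0.1.20", "198.51.100.9", 80, 3000),   # single workstation browsing directly
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_internal_c2_proxies(flows, min_fan_in=3, allowlist=frozenset()):
    """Return {host: evidence} for internal hosts that look like C2 relays.

    A host is flagged when at least `min_fan_in` distinct internal clients
    connect to it AND it also makes outbound connections to external addresses.
    Hosts in `allowlist` (known proxies, update servers, ...) are skipped.
    """
    inbound_sources = defaultdict(set)               # internal dst -> {internal src}
    inbound_ports = defaultdict(set)                 # internal dst -> {dst_port}
    inbound_bytes = defaultdict(int)                 # internal dst -> bytes received
    outbound = defaultdict(lambda: defaultdict(int))  # internal src -> {external dst: bytes}

    for src, dst, port, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in:
            inbound_sources[dst].add(src)
            inbound_ports[dst].add(port)
            inbound_bytes[dst] += nbytes
        elif src_in and not dst_in:
            outbound[src][dst] += nbytes
        # external -> internal flows are ignored here; inbound exposure is a separate hunt

    suspects = {}
    for host, sources in inbound_sources.items():
        if host in allowlist or len(sources) < min_fan_in or host not in outbound:
            continue
        bytes_out = sum(outbound[host].values())
        suspects[host] = {
            "ports": sorted(inbound_ports[host]),
            "fan_in": len(sources),
            "internal_clients": sorted(sources),
            "external_peers": sorted(outbound[host]),
            "bytes_in": inbound_bytes[host],
            "bytes_out": bytes_out,
            # Near 1.0 means the host forwards roughly what it receives, i.e. relay-like.
            "relay_ratio": round(bytes_out / inbound_bytes[host], 2) if inbound_bytes[host] else None,
        }
    return suspects


if __name__ == "__main__":
    for host, evidence in find_internal_c2_proxies(SAMPLE_FLOWS).items():
        print(f"suspected internal C2 proxy: {host}")
        for key, value in evidence.items():
            print(f"  {key}: {value}")
```

The file server in the sample has a higher fan-in than the suspect but is not flagged because it never egresses; the directly browsing workstation is not flagged because nothing inside the network connects to it. Expect legitimate relays (corporate web proxies, WSUS or package mirrors, NTP, log collectors) to match the same shape, which is why the allowlist exists; a hit is a triage lead to be confirmed on the host, not proof of compromise.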
As attacks on critical infrastructure continue to grow as a threat, it may be worth keeping an eye on GreyEnergy.