Alessandro Di Pinto, Nozomi Networks Security Researcher, discusses the recently discovered piece of malware, GreyEnergy, targeting critical infrastructure.
In December 2015, 230,000 people in Ukraine were suddenly plunged into darkness after a cyberattack took out part of the country’s power grid. The incident was considered to be the world’s first cyberattack on critical infrastructure, and researchers discovered the attackers used phishing as a means to gain initial entry into systems. The attack made headlines across the world and was attributed to the advanced persistent threat (APT) group BlackEnergy.
Fast forward almost five years and it appears the BlackEnergy attackers have made a reappearance, but under a different name.
In October this year, researchers from Slovakia-based cybersecurity firm ESET announced their discovery of a new piece of malware targeting critical infrastructure. Naming both the APT group and the malware GreyEnergy, ESET said it believes the threat is the successor to BlackEnergy and that it has been actively targeting critical infrastructure in Ukraine and Poland for the past three years.
Following its discovery, researchers have been analysing the GreyEnergy malware to help understand how the attackers gained entry to systems and how they managed to stay under the radar for such a long period of time. The findings from the study revealed that while the attackers did once again rely on phishing to gain initial access, once inside systems the malware’s code is anything but common – it is well written and smartly put together and designed to defeat detection by cybersecurity products.
The GreyEnergy attack starts when someone receives a malicious Word document in their email inbox. The document is written in Ukrainian and, at first glance, it looks very suspicious: not only are images present, but a security warning about the presence of macros is clearly shown at the top of the document.
However, despite its suspicious appearance, curious users appear to have been duped into clicking the ‘Enable Content’ button, which downloaded the GreyEnergy malware onto their system.
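Because the initial access described above depends on a user enabling macros in an attached Word document, a mail gateway or triage script that flags macro-bearing attachments before they reach the inbox is a natural control. The following is an added example, not code from the original article or from Nozomi Networks; it builds minimal constructed documents in memory (not real GreyEnergy samples) and the legacy OLE check is a heuristic on the UTF-16LE ‘VBA’ storage name rather than a full OLE parser.

```python
import io
import zipfile

# Magic bytes of an OLE compound file (legacy .doc); storage names inside are UTF-16LE.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKER = "VBA".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if a Word document appears to carry a VBA macro project.

    OOXML (.docx/.docm) is a ZIP container; a macro project lives in word/vbaProject.bin,
    regardless of the file extension the sender chose. For legacy OLE .doc files the
    presence of a 'VBA' storage name is used as a heuristic (assumption: no full OLE parse).
    """
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
            return any(n.endswith("vbaproject.bin") for n in names)
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    return False


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML document in memory (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def triage(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined for analyst review."""
    return sorted(name for name, blob in attachments.items() if has_vba_macros(blob))


if __name__ == "__main__":
    # Constructed inbox: one benign document and one renamed to hide its macro project.
    samples = {
        "invoice.docx": build_sample_doc(False),
        "report.docx": build_sample_doc(True),
    }
    print(triage(samples))  # ['report.docx']
```

Note that the check keys on the container contents, so a macro-enabled file renamed to .docx is still flagged.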
Once the attackers gained an initial foothold in the organisation, the analysis revealed that both the tools and the tactics employed were carefully selected to avoid detection and stay under the radar.
For example, the threat actor chose to implement custom algorithms that are not especially difficult to defeat, but are hard enough to protect the malicious payload. Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underlines the attacker’s attempt to stay stealthy and have the infection go unnoticed.
Researchers were also able to uncover that the dropper, a very small piece of code whose purpose is to place the malware on the victim’s system, can survive a system reboot, making the threat persistent and difficult to remove once a system is infected.
Protecting against future variants of GreyEnergy
The analysis into GreyEnergy reveals that attackers have cleverly coupled together certain tools and tactics to help avoid detection from security tools and stay under the radar.
As several components of the GreyEnergy malware are now publicly known and detectable by security products, it is safe to assume that the threat actors will be changing it. It’s likely a new version is currently under development, or even ready to be used.
However, the good news is that because the attack starts with phishing, companies should be able to prevent infections from the current version of GreyEnergy, and from future versions, by practising good security hygiene. Recommendations include:
- Train employees about the dangers of email phishing campaigns, including how to recognize malicious emails and attachments. Emphasize the importance of reporting every suspicious document to the security department.
- Keep all the exposed servers up-to-date with the latest security patches.
- And, most importantly, critical infrastructure networks should always be monitored with dedicated cyber security systems to proactively detect any threats present in the network.
GreyEnergy highlights that attackers are once again relying on phishing as a means to target critical infrastructure. It is therefore extremely important that staff within critical infrastructure organisations are taught to recognise phishing emails and not to click on links or open attachments from unknown sources.
Today’s determined attackers are showing no signs of slowing down, so teaching staff to ‘think before they click’ is key to defending against these types of attacks.