ESET researchers reveal a successor to the feared BlackEnergy APT group - in the footsteps of a feared threat actor, with a new arsenal of tools
New research from ESET has uncovered details of a successor to the BlackEnergy APT group. Named GreyEnergy by the company, this threat actor focuses on espionage and reconnaissance, quite possibly in preparation for future cyber sabotage attacks.
“We have seen GreyEnergy involved in attacks at energy companies and other high-value targets in Ukraine and Poland over the past three years,” says Anton Cherepanov, ESET Senior Security Researcher who led the research.
The 2015 attack on Ukrainian energy infrastructure was the most recent known operation where the BlackEnergy toolset was used. Subsequently, ESET researchers documented a new APT subgroup, TeleBots.
TeleBots are most notable for the global outbreak of NotPetya, the disk-wiping malware that disrupted global business operations in 2017 and caused damages in the sum of billions of US dollars. TeleBots are also connected to Industroyer, the most powerful modern malware targeting industrial control systems and the culprit behind the second electrical blackout in Ukraine’s capital, Kiev, in 2016.
“GreyEnergy surfaced along with TeleBots, but unlike its better-known cousin, GreyEnergy’s activities are not limited to Ukraine and so far, haven’t been damaging. Clearly, they want to fly under the radar,” comments Anton Cherepanov.
GreyEnergy malware is closely related to both BlackEnergy and TeleBots malware. It is modular in construction, so its functionality is dependent on the particular combination of modules its operator uploads to the victim’s systems.
The modules described in the analysis were used for espionage and reconnaissance purposes and include: backdoor, file extraction, taking screenshots, keylogging, password and credential stealing.
“We have not observed any modules that specifically target Industrial Control Systems software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers,” explains Anton Cherepanov.
Moreno Carullo, co-founder and CTO of Nozomi Networks, stated that the discovery of GreyEnergy was inevitable as we are seeing a trend in ICS cyber security where this, and other malwares do exist, and they are threatening our world’s most critical infrastructures.
"With continuous visibility, advanced ICS security and constant education, industrial facilities worldwide can leverage their skills and tools to ensure they aren’t at risk to be hit next at a time where industrial controls and critical infrastructure are priority cybersecurity targets," adds Moreno Carullo.