GreyEnergy Spy APT Mounts Sophisticated Effort Against Critical Infrastructure

A new APT group, dubbed GreyEnergy by researchers, has emerged as a successor to the infamous BlackEnergy APT group, which was behind the electric grid cyberattack and resulting power outage in the Ukraine in December 2015. However, GreyEnergy’s focus and targeting revolve around cyber-espionage.

According to researchers at ESET, the BlackEnergy threat actors (also known as Sandworm) have morphed into a new group called TeleBots – which was recently linked to the NotPetya attacks last June and also a second attack on the Ukrainian power infrastructure using the Industroyer/CrashOverride malware, in 2016. TeleBots has carried out financial and supply-chain attacks in the Ukraine for the past three years, using a range of sophisticated custom malware.

Now, GreyEnergy has come to light, ESET said, as a subgroup operating in parallel to the main TeleBots gang, but with somewhat different motivations and targeting. It has been using its own malware framework to launch offensives on energy companies and other high-value targets in Ukraine and Poland for the past three years. However, unlike the wiper activity seen with TeleBots, GreyEnergy has an under-the-radar focus on espionage and reconnaissance. The activity is potentially a prelude to a much more destructive attack on utilities or industrial control systems (ICS), researchers said.

Its malware modules perform tasks like backdooring, file extraction, taking screenshots, keylogging, password and credential stealing; and, ESET has observed the GreyEnergy operators strategically targeting ICS workstations running SCADA software and servers.

“Although ESET telemetry data shows GreyEnergy malware activity over the last three years, this APT group has not been documented until now,” explained ESET researchers Anton Cherepanov and Robert Lipovsky, in a posting on the group on Wednesday. “This is probably due to the fact that those activities haven’t been destructive in nature…[GreyEnergy’s activities are] quite possibly in preparation of future cyber-sabotage attacks or laying the groundwork for an operation run by some other APT group.”

ESET has linked GreyEnergy and BlackEnergy together thanks to strong architectural similarities in their malware, the analysts added. Notably, both groups use the stealth technique of pushing only selected modules to selected targets, and only when needed.

“It is similarly modular in construction, so its functionality is dependent on the particular combination of modules its operator uploads to each of the targeted victim systems,” they explained. They added, “Both employ a ‘mini,’ or light, backdoor deployed before admin rights are obtained and the full version is deployed.” However, GreyEnergy’s code is more modern, they added.

Also, as with BlackEnergy and Industroyer, remote command-and-control (C2) servers used by the GreyEnergy malware are active Tor relays for covert communication.

On the circumstantial evidence front, it should be noted that the appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy; and, at least one of the victims targeted by GreyEnergy had been targeted by BlackEnergy in the past. Both focus primarily in the Ukraine, with Poland ranking second.

Also, importantly, in December 2016, ESET noticed an instance of GreyEnergy deploying an early version of the TeleBots’ NotPetya worm, “half a year before it was altered, improved and deployed in the most damaging ransomware outbreak in history,” the researchers said.

“There is significant code reuse between this ransomware component and the GreyEnergy core module,” they added. “We call this early version ‘Moonraker Petya,’ based on the malware writers’ choice of filename – most likely a reference to the James Bond movie. It didn’t feature the infamous EternalBlue spreading mechanism, as it had not been leaked at that time.”

In all, the emergence of GreyEnergy shows an APT malware arsenal that appears to be prodigious, ever-evolving – and sophisticated.

“It should be no surprise that threats like BlackEnergy are morphing into new variants,” Ray DeMeo, co-founder and COO at Virsec, told Threatpost. “There is a large arsenal of advanced hacking tools, many developed by the NSA, now readily available. These are difficult to detect because they manipulate legitimate application processes in runtime memory, and create new variants further evades signature-based detection. More disturbing is that many of these attacks are targeted at disrupting critical infrastructure. Many of these ICS/SCADA systems have outdated security, designed for isolation, which is increasingly disappearing as IT and operational technology systems connect and converge.”

In addition to the custom code, the GreyEnergy operators also employ common external tools in their arsenal, such as Mimikatz, PsExec, WinExe, Nmap and a custom port scanner, ESET found.

“Sandworm (also known as Voodoo Bear) and their specific interest in ICS was long known to us in the research community,” said NETSCOUT’s Hardik Modi, senior director of threat intelligence, via email. “The operations described in the report details the evolution of that group. While they famously used a 0-day in previous operations, this report demonstrates that well understood intrusion tactics such as malicious macros in Word documents, webserver exploitation, propagation via known tools and command-and-control via TOR continue to be effective means of compromising an enterprise. When it comes to ICS organizations, we must get better at keeping these systems secure and isolated, not just for continuity of services, but because actual human lives are at stake when systems cease to function properly.”