Back in 2015, BlackEnergy malware made headlines for disrupting the Ukrainian power grid and cutting off electricity at several local utilities. Researchers at ESET have published a recent report which highlights a new virulent malware that exhibits many conceptual similarities to BlackEnergy. The previously-unidentified toolkit has been named GreyEnergy and has been used to attack critical infrastructure organizations located in Eastern and Central Europe.
Evidence is mounting that the group behind GreyEnergy has been collaborating with the TeleBots group, a gang renowned for cybercrime attacks such as the targeted attacks against Ukrainian banks. TeleBots is allegedly responsible for the notorious NotPetya attack in 2017, which was carried out using a sophisticated backdoor and crippled a multitude of commercial networks on a global scale.
According to researchers, GreyEnergy is very similar to BlackEnergy in terms of design and architecture. In terms of modus operandi, however, the GreyEnergy group differs from the TeleBots group. Firstly, GreyEnergy’s interests are the industrial networks of critical infrastructure organizations. Secondly, unlike TeleBots, GreyEnergy attacks targets beyond Ukraine. First spotted back in 2015, the GreyEnergy malware was seen to have targeted an energy company in Poland.
GreyEnergy is a modular malware, so it attacks a system in subtle stages instead of in one hit. So far, GreyEnergy has not been found capable of affecting Industrial Control Systems (ICS), but it has disrupted operating processes using a disk-wiping component to cover the attackers’ tracks. The toolkit drops “GreyEnergy mini”, a lightweight backdoor that doesn’t require administrator privileges. Using spear phishing techniques, with emails carrying malicious links or documents, or by compromising internet-exposed servers, GreyEnergy permitted the attackers to survey the target’s networks and access confidential information such as passwords and login credentials.
“One of the most intriguing details discovered during our research is that one of the GreyEnergy samples we found was signed with a valid digital certificate that had likely been stolen from a Taiwanese company that produces ICS equipment. In this respect, the GreyEnergy group have literally followed in Stuxnet’s footsteps,” writes ESET in their report. For those who do not already know, Stuxnet was an extremely dangerous computer worm first uncovered in 2010 which targeted Supervisory Control and Data Acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to Iran’s nuclear program.
ESET’s paper said, “It is certain that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth.”