GreyEnergy: Hackers targeting companies in Ukraine

October 19, 2018 | Expert Insights

A hacking group called GreyEnergy, believed to be linked to Russia, has been targeting energy and critical infrastructure companies in Ukraine. Security researchers at ESET said the group has been active over the past three years and is believed to be linked to BlackEnergy – the group that caused serious damage to Ukraine’s critical infrastructure in 2015.

Background

Cyberattacks targeting critical infrastructure, including electricity, nuclear energy, gas and water, have been steadily increasing in frequency and sophistication around the world over the past few years.

In December 2015, a first-of-its-kind cyberattack targeting Ukraine’s power grid left around 225,000 people in Western Ukraine without electricity for hours. Nearly a year later, in mid-December 2016, a second attack targeted the Pivnichna substation near Kiev, resulting in another hour-long blackout. Security researchers attributed the attacks on Ukraine’s power grid to a Russian-linked advanced persistent threat (APT) group named BlackEnergy.

In June 2017, the NotPetya cyberattack crippled organizations in Ukraine and other countries including critical infrastructure providers along with companies like pharmaceutical giant Merck and shipping firm Maersk. The attacks were attributed to a threat group named Sandworm.

Security experts believe Ukraine to be the testing ground for such cyberattacks as the country increasingly turns to the West – a move that is incompatible with Russian interests. The US, UK and Ukraine blamed Russia for these damaging cyberattacks. However, Moscow has denied any involvement in them. 

In early October, Britain's National Cyber Security Centre (NCSC) identified a dozen different aliases of Russian hacker groups linked to the Russian intelligence agency GRU. These names include APT28, Fancy Bear, BlackEnergy actors and Sandworm among others.

Analysis

Researchers at ESET said hackers with alleged ties to Russia have been systematically targeting critical infrastructure in Ukraine. The threat group, dubbed GreyEnergy, is believed to be related to the attack outfits BlackEnergy and Telebots – also known as Sandworm.

GreyEnergy has been active for the past three years and has launched malware attacks against energy companies and other high-value targets in Ukraine and Poland. Researchers said GreyEnergy operators have been “strategically targeting ICS control workstations running SCADA software and servers, which tend to be mission-critical systems never meant to go offline except for periodic maintenance.”

According to ESET, GreyEnergy’s malware framework shares multiple similarities with BlackEnergy, such as its modular construction, its use of remote command-and-control infrastructure, and its functionality for espionage and reconnaissance. Compared to BlackEnergy, GreyEnergy’s malware is “a more modern toolkit with an even greater focus on stealth.”

"[T]he threat actors behind GreyEnergy have tried to stay under the radar, focusing on espionage and reconnaissance, quite possibly in preparation of future cybersabotage attacks or laying the groundwork for an operation run by some other APT group,” ESET researchers said. "To cover their tracks, typically, GreyEnergy’s operators securely wipe the malware components from the victims’ hard drives."

ESET also noted that the “appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy.” 

According to ESET, GreyEnergy generally infects computer systems via spear-phishing attacks – emails that contain malicious links or attachments – or by compromising public-facing servers. Once the hackers gain access to the targeted network, they begin harvesting sensitive information such as passwords and login credentials, and exfiltrating files.

The group also used a “NotPetya-like worm” named “Moonraker Petya” in December 2016 that was a tame precursor to the destructive NotPetya worm in June 2017, researchers said.

Although ESET has not attributed GreyEnergy to a particular group or state, the UK, US and Ukraine, along with other cybersecurity firms, have tied the attacks on Ukraine’s power grid to Russian hacking groups.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit,” researchers said. “The transition from BlackEnergy to GreyEnergy happened at the end of 2015 – perhaps because the attackers needed to update their malware toolset when the BlackEnergy framework became the center of attention after it was used in the attack against the Ukrainian power grid that year.”

Assessment

Our assessment is that the new ESET report illustrates the continued expansion of espionage and cyberattacks targeting critical infrastructure in Ukraine and other countries. Although the security firm did not specifically link Russia to GreyEnergy, its evidence of the group’s links to BlackEnergy and Telebots highlights the close interconnectivity of these groups. We also believe that the pattern of cyberattacks targeting Ukraine could be a foreshadowing of more sophisticated attacks on other countries in the fifth domain of warfare - cyberspace.