Security researchers have discovered a new campaign by the GreyEnergy threat group targeting critical infrastructure in Poland and Ukraine

Security researchers have discovered a new campaign by the GreyEnergy threat group targeting critical infrastructure in Poland and Ukraine. Researchers from ESET have published a detailed analysis of GreyEnergy, which has been active over the last three years. GreyEnergy is believed to be the successor of the BlackEnergy APT group, which was behind the cyber attack that left 230,000 people in Ukraine without electricity in December 2015. According to the researchers, following that attack the BlackEnergy APT group evolved into two subgroups, TeleBots and GreyEnergy. "The main goal of the TeleBots group is to perform cybersabotage attacks on Ukraine, which are achieved through a computer network attack (CNA) operations," ESET said in its analysis. The TeleBots group is behind the notorious NotPetya attack in June 2017 and the BadRabbit attack in October 2017.

In this campaign, the threat group's main targets are energy companies in Ukraine and Poland running SCADA software and servers. GreyEnergy's malware framework closely resembles the one used by the BlackEnergy group. There are many other links between the two groups: both are modular, and both deploy a "mini", or light, backdoor before admin rights are obtained and the full version is installed. Both have targeted Ukraine as their primary and Poland as their secondary target, and at least one victim targeted by GreyEnergy had previously been targeted by BlackEnergy. All remote C&C servers used by the GreyEnergy malware are active Tor relays, which again mirrors BlackEnergy. Researchers also believe that the appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy. GreyEnergy uses a more modern toolkit that focuses more on stealth: its modules are partially encrypted using AES-256, and some are fileless, running only in memory to evade detection.
Researchers observed two different infection methods: spear phishing and the compromise of public-facing web servers. The attackers were also observed using common external tools such as Mimikatz, PsExec, WinExe, Nmap, and a custom port scanner. "The main reasons for this conclusion are the similar malware design, specific choice of targeted victims, and modus operandi. The transition from BlackEnergy to GreyEnergy happened at the end of 2015 – perhaps because the attackers needed to update their malware toolset when the BlackEnergy framework became the center of attention after it was used in the attack against the Ukrainian power grid that year." ESET adds: "it is certain that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth." For more details, you can visit the analysis published by ESET security researchers here.
