GreyEnergy group targeting critical infrastructure, possibly in preparation for damaging attacks

Next story

ESET has uncovered details of a successor to the BlackEnergy APT group. Named GreyEnergy by ESET, this threat actor focuses on espionage and reconnaissance, quite possibly in preparation for future cyber-sabotage attacks.

BlackEnergy has been terrorizing Ukraine for years and rose to prominence in December 2015 when they caused a blackout that left 230,000 people without electricity - the first-ever blackout caused by a cyberattack. Around the time of that incident, ESET researchers began detecting another malware framework named GreyEnergy.

“We have seen GreyEnergy involved in attacks at energy companies and other high-value targets in Ukraine and Poland over the past three years,” says Anton Cherepanov, a senior security researcher at ESET who led the research.

The 2015 attack on Ukrainian energy infrastructure was the most recent known operation where the BlackEnergy toolset was used. Subsequently, ESET researchers documented a new APT subgroup, TeleBots.

TeleBots are most notable for the global outbreak of NotPetya, the disk-wiping malware that disrupted global business operations in 2017 and caused billions of dollar in damages. As ESET researchers recently confirmed, TeleBots are also connected to Industroyer, the most powerful modern malware targeting industrial control systems and the culprit behind a second electrical blackout in Ukraine’s capital, Kiev, in 2016. 

“GreyEnergy surfaced along with TeleBots, but unlike its better-known cousin, GreyEnergy’s activities are not limited to Ukraine and so far, haven’t been damaging,” says Cherepanov. “Clearly, they want to fly under the radar.”

According to ESET’s thorough analysis, GreyEnergy malware is closely related to both BlackEnergy and TeleBots malware. It is modular in construction, so its functionality is dependent on the particular combination of modules its operator uploads to the victim’s systems.

The modules described in ESET’s analysis were used for espionage and reconnaissance purposes and include: backdoor, file extraction, taking screenshots, keylogging, password and credential stealing, etc.

“We have not observed any modules that specifically target Industrial Control Systems software or devices,” explains Anton Cherepanov. “We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers.”

ESET’s disclosure and analysis of GreyEnergy is important for a successful defense against this particular threat actor as well as for better understanding the tactics, tools and procedures of the most advanced APT groups.

More details can be found in the WeLiveSecurity.com blog post and the white paper.

Note for editors: When ESET Research describes cyberattacks and tracks cybercriminal groups, it is drawing connections based on technical indicators such as code similarities, shared Command & Control infrastructure, malware execution chains and other evidence. Since ESET is not involved in on-the-ground law-enforcement or intelligence investigations, we are not speculating on any potential nation-state attribution for these attacks.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedInFacebook and Twitter.

###

 

Media Contact:

Anna Keeve

ESET North America

Anna.Keeve@eset.com

619.405.5175

 

MENUCLOSE
ESET Smart Security Premium box

Ultimate
protection

ESET Smart Security Premium

Advanced
protection

ESET Internet Security

Essential
protection

ESET NOD32 Antivirus

Small and Home  office protection

Easy-to-use device security with advanced privacy features

ESET Mobile Security for Android

Keep your Android device safe. Wherever you go

ESET Parental Control for Android

Protect your children online with confidence

ESET Smart TV Security box

ESET Smart TV Security

Internet of Things security starts with your TV

Renew my license

Renew, upgrade or add devices to your license

Existing
 customer?

Manage your license, update date and more

Download

Install your protection or try ESET free for 30 days

Download

Install your business protection or request a free trail

Why ESET?

Superior technology

Learn more about our unified cybersecurity platform

Industry recognition

ESET cybersecurity solutions are recognized and industry-wide.

Corporate blog

Cybersecurity news from ESET's award-winning researches.

Customer zone

Existing
customer?

Manage your license, update billing information and more

Live chat

Need help purchasing, renewing a license or have product questions?

Business sales

for business customers

For business sales call:

1-844-824-3738

MONDAY - FRIDAY, 6AM - 5PM PT