Three years after BlackEnergy's unprecedented cyberattack on Ukraine's power grid caused a massive blackout in Kiev, an offshoot of the group continues to pose a clear and present danger to critical infrastructure organizations in Central and Eastern Europe.
Security vendor ESET has been tracking the subgroup, which it named GreyEnergy, since soon after BlackEnergy and its eponymously named malware dropped out of sight following the December 2015 Ukraine attack. In a report this week, ESET described GreyEnergy as focused on reconnaissance and espionage, possibly in preparation for future attacks.
GreyEnergy is the quieter and therefore likely more dangerous of two subgroups that BlackEnergy evolved into after the Ukraine power grid attack. The other group, TeleBots, is more widely known, especially for launching the NotPetya ransomware attack in June 2017 and for using an updated version of BlackEnergy's KillDisk disk-wiping malware against high-value financial targets in Ukraine in December 2016.
GreyEnergy and TeleBots appear to be working closely together, based on malware code similarities and sharing of malware. In December 2016, for instance, well before the NotPetya attacks, GreyEnergy had deployed Moonraker Petya, a more advanced version of the malware, in a separate campaign, ESET said.
But while TeleBots has been focused on creating cyber disruption in Ukraine, GreyEnergy has been focused on gathering information from industrial networks belonging to critical infrastructure organizations in Ukraine and other countries. The group has been using an updated BlackEnergy malware toolkit to target organizations in the energy and transportation sectors, as well as other high-value targets, ESET said. The most recent attack that ESET has been able to attribute to GreyEnergy happened this past June.
"We in the research community track the original BlackEnergy as two separate groups, one that focuses on intrusions in Ukraine and another that focuses on ICS targets not limited by geography," says Hardik Modi, senior director at NETSCOUT Threat Intelligence. "The fact that this activity has grown to the point where we're talking about multiple pieces of malware means that this is something high priority, well-funded, and likely to grow."
GreyEnergy has been distributing its malware in two ways — via spearphishing and by compromising public-facing Web servers. When a Web server is hosted internally and connected to the rest of an organization's network, the attackers have typically used it to try to move laterally on the network and plant backup backdoors so they can reinfect a victim network if their malware is spotted and removed.
Once on a network, GreyEnergy uses different methods to try and turn internal servers into proxy command-and-control servers for redirecting traffic to an external C2 server. According to ESET, it has observed GreyEnergy even build chains of proxy command-and-control servers for redirecting traffic from inside a compromised network to its external servers. The C2 infrastructure itself is similar to the one used by BlackEnergy and TeleBots, which is another indication that the groups are all linked, the security vendor said.
GreyEnergy's malware consists of a lightweight first stage "GreyEnergy Mini" backdoor and a separate main module.
GreyEnergy Mini is designed to capture and exfiltrate as much information as possible about the infected system and to gain an initial foothold on the compromised network. The data that the first-stage payload can collect and send back to the attackers includes computer name and username, operating system version, current Windows user privileges, proxy settings, list of users, IP addresses, domains, and details on antimalware tools, ESET said.
GreyEnergy's main module can run either in memory only or be deployed in such a manner as to achieve persistence on the infected system. The attackers behind GreyEnergy have been deploying the in-memory-only mode on servers that are unlikely to be rebooted often, such as systems with very high availability requirements. The malware is installed so when the attackers are done, the malicious DLL file that is used to infect the system is securely wiped from disk, and the payload exists only in the memory of the Windows service that is hosting it.
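One way for defenders to hunt for the in-memory-only mode described above is to look for service-hosting processes that still have a module loaded whose backing DLL no longer exists on disk. The following PowerShell check is an added example, not code from ESET's report; it assumes local administrator rights and that the payload was loaded as a normal module before its file was wiped.

```powershell
# Added example (not from the ESET report): list modules loaded into
# service-hosting processes whose backing file is missing from disk.
# A DLL that was loaded normally and then deleted still shows up in the
# process module list with its original path, so Test-Path fails for it.
$svcByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

$findings = foreach ($procId in $svcByPid.Keys) {
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if (-not $proc) { continue }

    # Module enumeration throws for protected or cross-bitness processes;
    # skip those rather than abort the whole sweep.
    $modules = $null
    try { $modules = $proc.Modules } catch { continue }

    foreach ($m in $modules) {
        if ([string]::IsNullOrEmpty($m.FileName)) { continue }
        if (-not (Test-Path -LiteralPath $m.FileName -PathType Leaf)) {
            [pscustomobject]@{
                ProcessId = $proc.Id
                Process   = $proc.ProcessName
                Services  = ($svcByPid[$procId] -join ',')
                Module    = $m.ModuleName
                Path      = $m.FileName   # path the loader recorded; file is gone
            }
        }
    }
}

# Review each hit: a service DLL that is loaded but absent from disk is
# the footprint the in-memory-only deployment leaves behind.
$findings | Format-Table -AutoSize
```

A payload injected reflectively never appears in the module list, so this check only covers the case the report describes, where the DLL was loaded by the service and its file was wiped afterwards; pair it with memory scanning for broader coverage.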
On other systems, attackers have been using a relatively obscure Windows registry key feature to install and disguise the GreyEnergy malware so it is capable of surviving system reboots.
Like many modern malware tools, GreyEnergy is modular, meaning the attackers can add additional capabilities to it post-installation. The modules that ESET has observed so far include those for collecting system information, event logs, malware hashes, file system operations, screen shots, keystroke logs, saved passwords, and user credentials using the Mimikatz tool.
GreyEnergy also has employed several methods to make its malware harder to detect, including encryption and signing its malware with what appears to be a stolen digital certificate from Advantech, a Chinese manufacturer of industrial equipment and IoT hardware, according to ESET. Like several threat groups these days, GreyEnergy also has been using multiple legitimate tools, such as Mimikatz, PsExec, and Nmap, in its campaigns.
The updates reflect the continued investment that threat actors are putting into evolving BlackEnergy malware, Modi says. "None of the changes are earth-shattering" on their own, he says. "[But] the modular clean deletion, multiprotocol C2 changes to encryption of the configuration and techniques to disguise the DLL are all interesting and suggest hardening for successful evasion and persistence of access during operations."
ESET has published a full list of indicators of compromise for GreyEnergy on GitHub.