3 Years After Attacks on Ukraine Power Grid, BlackEnergy Successor Poses Growing Threat

In what could be a precursor to future attacks, GreyEnergy is targeting critical infrastructure organizations in Central and Eastern Europe.

Three years after BlackEnergy's unprecedented cyberattack on Ukraine's power grid caused a massive blackout in Kiev, an offshoot of the group continues to pose a clear and present danger to critical infrastructure organizations in Central and Eastern Europe.

Security vendor ESET has been tracking the subgroup, which it named GreyEnergy, since soon after BlackEnergy and its eponymous malware dropped out of sight following the December 2015 Ukraine attack. In a report this week, ESET described GreyEnergy as focused on reconnaissance and espionage, possibly in preparation for future attacks.

GreyEnergy is the quieter and therefore likely more dangerous of two subgroups that BlackEnergy evolved into after the Ukraine power grid attack. The other group, TeleBots, is more widely known, especially for launching the NotPetya ransomware attack in June 2017 and for using an updated version of BlackEnergy's KillDisk disk-wiping malware against high-value financial targets in Ukraine in December 2016.

GreyEnergy and TeleBots appear to be working closely together, based on similarities in their malware code and on the sharing of malware between them. In December 2016, for instance, well before the NotPetya attacks, GreyEnergy deployed Moonraker Petya, a more advanced version of the Petya malware, in a separate campaign, ESET said.

But while TeleBots has been focused on creating cyber disruption in Ukraine, GreyEnergy has been focused on gathering information from industrial networks belonging to critical infrastructure organizations in Ukraine and other countries. The group has been using an updated BlackEnergy malware toolkit to target organizations in the energy and transportation sectors, as well as other high-value targets, ESET said. The most recent attack that ESET has been able to attribute to GreyEnergy happened this past June.

"We in the research community track the original BlackEnergy as two separate groups, one that focuses on intrusions in Ukraine and another that focuses on ICS targets not limited by geography," says Hardik Modi, senior director at NETSCOUT Threat Intelligence. "The fact that this activity has grown to the point where we're talking about multiple pieces of malware means that this is something high priority, well-funded, and likely to grow." 

GreyEnergy has been distributing its malware in two ways — via spearphishing and by compromising public-facing Web servers. When a Web server is hosted internally and connected to the rest of an organization's network, the attackers have typically used that foothold to try to move laterally on the network and plant backup backdoors so they can reinfect a victim network if their malware is spotted and removed.

Once on a network, GreyEnergy uses different methods to try to turn internal servers into proxy command-and-control servers that redirect traffic to an external C2 server. According to ESET, it has observed GreyEnergy even build chains of such proxy command-and-control servers to redirect traffic from inside a compromised network to its external servers. The C2 infrastructure itself is similar to the one used by BlackEnergy and TeleBots, which is another indication that the groups are all linked, the security vendor said.
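The proxy-chain behavior described above is something a defender can hunt for in network flow telemetry: an internal host that suddenly receives connections from many peers on a port it does not normally serve, and in turn forwards traffic to another internal host or to the Internet. The script below is an added example, not code from the article or from ESET; it runs over a small set of constructed flow records, and the internal address ranges, the list of expected service ports, and the fan-in threshold are all assumptions that would need tuning to a real environment.

```python
"""Spot internal hosts relaying traffic to an external endpoint in flow records.

Added example, not from the article or ESET's report. Input is constructed
netflow-style tuples (src_ip, dst_ip, dst_port); the thresholds and the
port allowlist are assumptions to be tuned per environment.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
# Inbound ports on which many-to-one internal traffic is expected
# (file shares, AD, RPC). Assumed list; tune to the environment.
EXPECTED_SERVICE_PORTS = {53, 88, 135, 139, 389, 445}
MIN_FAN_IN = 3      # distinct internal clients before a host is suspicious
MAX_HOPS = 6        # bound on internal relay depth

# Constructed sample flows (src, dst, dst_port); not real telemetry.
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.0.5", 445),       # workstations -> file server: benign fan-in
    ("10.1.1.11", "10.1.0.5", 445),
    ("10.1.1.12", "10.1.0.5", 445),
    ("10.1.0.5", "198.51.100.9", 443),    # file server update check: benign egress
    ("10.1.1.10", "10.1.0.20", 8443),     # workstations -> internal host on odd port
    ("10.1.1.11", "10.1.0.20", 8443),
    ("10.1.1.12", "10.1.0.20", 8443),
    ("10.1.0.20", "10.2.0.7", 8443),      # first relay forwards to a second relay
    ("10.2.0.7", "203.0.113.45", 443),    # second relay talks to the outside
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_proxy_chains(flows, min_fan_in=MIN_FAN_IN, max_hops=MAX_HOPS):
    """Return chains [entry_host, ..., external_ip] where entry_host receives
    traffic from >= min_fan_in internal clients on a non-service port and a
    path of non-service-port hops leads out of the network."""
    fan_in = defaultdict(set)    # host -> internal clients on unexpected ports
    edges = defaultdict(set)     # src -> {(dst, dst_port)}
    for src, dst, dport in flows:
        if not is_internal(src):
            continue             # inbound-from-internet flows are out of scope
        edges[src].add((dst, dport))
        if is_internal(dst) and dport not in EXPECTED_SERVICE_PORTS:
            fan_in[dst].add(src)

    chains = []
    for entry in sorted(fan_in):
        if len(fan_in[entry]) < min_fan_in:
            continue
        stack = [[entry]]        # depth-first walk toward an external endpoint
        while stack:
            path = stack.pop()
            for nxt, dport in sorted(edges.get(path[-1], ())):
                if nxt in path:
                    continue     # skip cycles
                if not is_internal(nxt):
                    chains.append(path + [nxt])
                elif dport not in EXPECTED_SERVICE_PORTS and len(path) < max_hops:
                    stack.append(path + [nxt])
    return chains


if __name__ == "__main__":
    for chain in find_proxy_chains(SAMPLE_FLOWS):
        print(" -> ".join(chain))
```

On the constructed input the file server is not reported, because its fan-in arrives on an expected service port (445), while the two-hop relay to 203.0.113.45 is. In practice the port allowlist is the main source of false positives and negatives: a relay listening on 443 will look like any internal web server unless that port is also baselined per host.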

GreyEnergy's malware consists of a lightweight first stage "GreyEnergy Mini" backdoor and a separate main module.

GreyEnergy Mini is designed to capture and exfiltrate as much information as possible about the infected system and to gain an initial foothold on the compromised network. The data that the first-stage payload can collect and send back to the attackers includes the computer name and username, operating system version, the current Windows user's privileges, proxy settings, list of users, IP addresses, domains, and details on antimalware tools, ESET said.

GreyEnergy's main module can run either in memory only or be deployed in such a manner as to achieve persistence on the infected system. The attackers behind GreyEnergy have been deploying the in-memory-only mode on servers that are unlikely to be rebooted often, such as systems with very high availability requirements. In that mode, once the attackers are done installing it, the malicious DLL file used to infect the system is securely wiped from disk, and the payload exists only in the memory of the Windows service that is hosting it.

On other systems, attackers have been using a relatively obscure Windows registry key feature to install and disguise the GreyEnergy malware so it is capable of surviving system reboots.  

Like many modern malware tools, GreyEnergy is modular, meaning the attackers can add additional capabilities to it post-installation. The modules that ESET has observed so far include those for collecting system information, event logs, malware hashes, file system operations, screen shots, keystroke logs, saved passwords, and user credentials using the Mimikatz tool.

GreyEnergy also has employed several methods to make its malware harder to detect, including encryption and signing its malware with what appears to be a stolen digital certificate from Advantech, a Chinese manufacturer of industrial equipment and IoT hardware, according to ESET. Like several threat groups these days, GreyEnergy also has been using multiple legitimate tools, such as Mimikatz, PsExec, and Nmap, in its campaigns.

The updates reflect the continued investment that threat actors are putting into evolving BlackEnergy malware, Modi says. "None of the changes are earth-shattering" on their own, he says. "[But] the modular clean deletion, multiprotocol C2 changes to encryption of the configuration and techniques to disguise the DLL are all interesting and suggest hardening for successful evasion and persistence of access during operations."

ESET has published a full list of indicators of compromise for GreyEnergy on GitHub.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

10/24/2018 | 2:56:36 PM
Re: Silver lining to morphing threat actor challenges
Think - bad actors don't even have to breach a system, just provide a bona-fide threat to the system and it is considered breached or in question. That alone assures their work has the desired effect. Disrupt an election just by the threat of doing so. And then done and move on.
10/18/2018 | 10:12:20 AM
Silver lining to morphing threat actor challenges
Yes, the quieter, more stealthy successor versions of an organization can be more dangerous - but careful reexamination of the originating entity should provide valuable clues, which will help identify and anticipate the new threats.  Digital leopards can change their spots, but not their mitochondrial DNA. 

Just as legitimate businesses will always have vulnerabilities due to continuity, bad actor organizations will drag personnel, structure, style, habits and other legacy elements into their new integuments. 