
Attacks/Breaches

10/17/2018
06:15 PM

3 Years After Attacks on Ukraine Power Grid, BlackEnergy Successor Poses Growing Threat

In what could be a precursor to future attacks, GreyEnergy is targeting critical infrastructure organizations in Central and Eastern Europe.

Three years after BlackEnergy's unprecedented cyberattack on Ukraine's power grid caused a massive blackout in Kiev, an offshoot of the group continues to pose a clear and present danger to critical infrastructure organizations in Central and Eastern Europe.

Security vendor ESET has been tracking the subgroup, which it named GreyEnergy, since soon after BlackEnergy and its eponymously named malware dropped out of sight following the December 2015 Ukraine attack. In a report this week, ESET described GreyEnergy as focused on reconnaissance and espionage, possibly in preparation for future attacks.

GreyEnergy is the quieter and therefore likely more dangerous of two subgroups that BlackEnergy evolved into after the Ukraine power grid attack. The other group, TeleBots, is more widely known, especially for launching the NotPetya ransomware attack in June 2017 and for using an updated version of BlackEnergy's KillDisk disk-wiping malware against high-value financial targets in Ukraine in December 2016.

GreyEnergy and TeleBots appear to be working closely together, based on similarities in malware code and on sharing of malware. In December 2016, for instance, well before the NotPetya attacks, GreyEnergy had deployed Moonraker Petya, a more advanced version of the malware, in a separate campaign, ESET said.

But while TeleBots has been focused on creating cyber disruption in Ukraine, GreyEnergy has been focused on gathering information from industrial networks belonging to critical infrastructure organizations in Ukraine and other countries. The group has been using an updated BlackEnergy malware toolkit to target organizations in the energy and transportation sectors, as well as other high-value targets, ESET said. The most recent attack that ESET has been able to attribute to GreyEnergy happened this past June.

"We in the research community track the original BlackEnergy as two separate groups, one that focuses on intrusions in Ukraine and another that focuses on ICS targets not limited by geography," says Hardik Modi, senior director at NETSCOUT Threat Intelligence. "The fact that this activity has grown to the point where we're talking about multiple pieces of malware means that this is something high priority, well-funded, and likely to grow." 

GreyEnergy has been distributing its malware in two ways — via spearphishing and by compromising public-facing Web servers. When a Web server is hosted internally and connected to the rest of an organization's network, the attackers have typically used it to try to move laterally on the network and plant backup backdoors so they can reinfect a victim network if their malware is spotted and removed.

Once on a network, GreyEnergy uses different methods to try to turn internal servers into proxy command-and-control servers that redirect traffic to an external C2 server. ESET says it has even observed GreyEnergy build chains of such proxy command-and-control servers to redirect traffic from inside a compromised network to its external servers. The C2 infrastructure itself is similar to the one used by BlackEnergy and TeleBots, which is another indication that the groups are all linked, the security vendor said.
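As a defender's illustration of the proxy chains described above, here is an added example (not code from ESET's report or from this article) that reconstructs relay chains from constructed flow records: it looks for internal hosts that accept a port from an internal peer and forward the same port onward until an external address is reached. The record format, the sample flows and the internal address ranges are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Assumption: these RFC 1918 ranges are the organization's internal address space.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed "src dst dport" flows: two workstations reach 10.0.2.5, which forwards to
# 10.0.3.9, which forwards out to 203.0.113.7; the port 445 flows never leave the network.
SAMPLE_FLOWS = """\
10.0.1.20 10.0.2.5 443
10.0.1.21 10.0.2.5 443
10.0.2.5 10.0.3.9 443
10.0.3.9 203.0.113.7 443
10.0.1.20 10.0.5.40 445
10.0.5.40 10.0.5.41 445
"""

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, port) tuples."""
    return [(s, d, int(p)) for s, d, p in (ln.split() for ln in text.splitlines() if ln.strip())]

def find_relay_chains(flows):
    """Return each path origin -> relay(s) -> external host in which every hop reuses the
    same destination port. A relay is an internal host that accepts the port from an
    internal peer and forwards it onward, as the article describes."""
    fwd = defaultdict(set)  # (src, port) -> destinations src connects to on that port
    has_inbound = set()     # (host, port) pairs that receive connections from internal peers
    for src, dst, port in flows:
        fwd[(src, port)].add(dst)
        if is_internal(src) and is_internal(dst):
            has_inbound.add((dst, port))
    chains = []
    def walk(path, port):
        for nxt in sorted(fwd.get((path[-1], port), ())):
            if not is_internal(nxt):
                if len(path) >= 2:  # at least one relay sits between origin and C2
                    chains.append(path + [nxt])
            elif nxt not in path:  # guard against cycles
                walk(path + [nxt], port)
    # Walk only from hosts with no inbound on that port, so sub-chains are not reported twice.
    for src, port in list(fwd):
        if is_internal(src) and (src, port) not in has_inbound:
            walk([src], port)
    return chains

def suspected_relays(chains):
    return sorted({host for chain in chains for host in chain[1:-1]})
```

On the sample flows this reports the two 443 chains ending at 203.0.113.7 and names 10.0.2.5 and 10.0.3.9 as suspected relays, while the internal-only SMB traffic on 445 is left alone.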

GreyEnergy's malware consists of a lightweight first stage "GreyEnergy Mini" backdoor and a separate main module.

GreyEnergy Mini is designed to capture and exfiltrate as much information as possible about the infected system and to gain an initial foothold on the compromised network. The data that the first-stage payload can collect and send back to the attackers includes the computer name and username, operating system version, current Windows user privileges, proxy settings, list of users, IP addresses, domains, and details on antimalware tools, ESET said.

GreyEnergy's main module can run either in memory only or be deployed in a manner that achieves persistence on the infected system. The attackers behind GreyEnergy have been deploying the in-memory-only mode on servers that are unlikely to be rebooted often, such as systems with very high availability requirements. In that mode, once the attackers have installed the payload, the malicious DLL file used to infect the system is securely wiped from disk, and the payload exists only in the memory of the Windows service that is hosting it.

On other systems, attackers have been using a relatively obscure Windows registry key feature to install and disguise the GreyEnergy malware so it is capable of surviving system reboots.  

Like many modern malware tools, GreyEnergy is modular, meaning the attackers can add additional capabilities to it post-installation. The modules that ESET has observed so far include those for collecting system information, event logs, malware hashes, file system operations, screen shots, keystroke logs, saved passwords, and user credentials using the Mimikatz tool.

GreyEnergy also has employed several methods to make its malware harder to detect, including encryption and signing its malware with what appears to be a stolen digital certificate from Advantech, a Chinese manufacturer of industrial equipment and IoT hardware, according to ESET. Like several threat groups these days, GreyEnergy also has been using multiple legitimate tools, such as Mimikatz, PsExec, and Nmap, in its campaigns.

The updates reflect the continued investment that threat actors are putting into evolving BlackEnergy malware, Modi says. "None of the changes are earth-shattering" on their own, he says. "[But] the modular clean deletion, multiprotocol C2 changes to encryption of the configuration and techniques to disguise the DLL are all interesting and suggest hardening for successful evasion and persistence of access during operations."

ESET has published a full list of indicators of compromise for GreyEnergy on GitHub.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955, 10/24/2018 | 2:56:36 PM
Re: Silver lining to morphing threat actor challenges
Think - bad actors don't even have to breach a system, just provide a bona-fide threat to the system and it is considered breached or in question. That alone assures their work has the desired effect. Disrupt an election just by the threat of doing so. And then done and move on.
BrianN060, 10/18/2018 | 10:12:20 AM
Silver lining to morphing threat actor challenges
Yes, the quieter, more stealthy successor versions of an organization can be more dangerous - but careful reexamination of the originating entity should provide valuable clues, which will help identify and anticipate the new threats. Digital leopards can change their spots, but not their mitochondrial DNA.

Just as legitimate businesses will always have vulnerabilities due to continuity, bad actor organizations will drag personnel, structure, style, habits and other legacy elements into their new integuments.