BlackEnergy APT Group Becomes GreyEnergy

What Is It?

Researchers at ESET have released a report on activity by an APT (Advanced Persistent Threat) group they have been tracking and have named GreyEnergy. Their research links GreyEnergy to the previous activities of one of the most dangerous APT groups, whose potential threat is particularly targeted at Ukraine and the energy sector.

Links have been made to the BlackEnergy APT group, which attacked three Ukrainian energy companies around December 25, 2015, resulting in power outages for nearly 250,000 consumers. GreyEnergy has also been linked with the Telebots group, a group that has been held responsible for the Industroyer industrial control systems (ICS) malware attacks. That attack made headlines when it caused a power outage that affected 20% of the Ukrainian capital of Kiev in mid-December 2016.

The Telebots group is also responsible for the highly destructive NotPetya attacks, which began in Ukraine and spread worldwide in June 2017, with a White House assessment estimating the total cost of damages in excess of US$10 billion. In February 2018, all member states of the Five Eyes intelligence alliance (the U.S., UK, Australia, Canada and New Zealand) issued statements attributing NotPetya to the Russian government.

Unlike previous destructive attacks, the focus of GreyEnergy, at least to date, is reconnaissance, espionage and remaining hidden on infected systems. As is common with current malware, the GreyEnergy malware is modular, allowing the authors to add specific functionality by releasing additional modules. To date, researchers have not observed any modules with functionality to impact ICS components, though they did see a disk-wiper used on one occasion. GreyEnergy malware has been detected in energy sector organizations in both Poland and Ukraine.

After the initial breach, achieved either by spear phishing or by compromising internet-facing web servers, the first malware installed is what ESET refers to as “GreyEnergy mini,” a small backdoor that doesn’t require administrative privileges. The attackers then perform reconnaissance to determine the network topology and obtain credentials, using the common tools Nmap and Mimikatz. At this point, they install the main GreyEnergy malware, usually on servers that are always running or on workstations connected to the ICS infrastructure.

There are two interesting aspects of the GreyEnergy malware. The first is the use of a digital certificate from Taiwanese company Advantech, a manufacturer of industrial control and internet of things hardware. It is believed this certificate was stolen from the company. The second is that, rather than each infected system communicating directly with command and control (C2) servers, the attackers place additional software on some infected servers so they act as proxies for C2 traffic. This way, rather than many systems communicating with an address on the internet and potentially raising suspicion, only one system is communicating externally.
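The proxy arrangement described above leaves a recognisable shape in internal flow data: one internal host that several internal peers connect to, and that is the only internal source for some external address. The following is an added detection sketch, not code from the ESET report or from BluVector; the flow tuple format, the RFC 1918 definition of "internal", the fan-in threshold and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 space is "internal" on the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.1.11", "10.0.5.20", 8443), ("10.0.1.12", "10.0.5.20", 8443),
    ("10.0.1.13", "10.0.5.20", 8443),
    ("10.0.5.20", "203.0.113.50", 443),   # only this host talks to .50
    ("10.0.1.11", "10.0.5.30", 445), ("10.0.1.12", "10.0.5.30", 445),
    ("10.0.1.13", "10.0.5.30", 445),      # file server, never egresses
    ("10.0.1.11", "198.51.100.7", 443), ("10.0.1.12", "198.51.100.7", 443),
    ("10.0.1.11", "192.0.2.9", 443),      # sole egress, but no fan-in
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_relay_candidates(flows, min_fan_in=3):
    """Flag internal hosts that (a) receive connections from at least
    min_fan_in internal peers and (b) are the only internal source seen
    talking to one or more external destinations."""
    fan_in = defaultdict(set)   # internal destination -> internal sources
    egress = defaultdict(set)   # external destination -> internal sources
    for src, dst, _port in flows:
        if not is_internal(src):
            continue            # only internally initiated traffic matters here
        (fan_in if is_internal(dst) else egress)[dst].add(src)
    sole = defaultdict(list)    # internal host -> externals only it contacts
    for ext, sources in egress.items():
        if len(sources) == 1:
            sole[next(iter(sources))].append(ext)
    return {
        host: {"peers": sorted(fan_in[host]), "sole_egress_to": sorted(exts)}
        for host, exts in sole.items()
        if len(fan_in[host]) >= min_fan_in
    }

if __name__ == "__main__":
    for host, detail in find_relay_candidates(SAMPLE_FLOWS).items():
        print(host, detail)
```

Legitimate update servers and forward proxies match the same shape, so results are triage leads to compare against a baseline of hosts that are expected to egress.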

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. Researchers have observed two attack vectors related to GreyEnergy: spear phishing and breaching internet-facing web servers.

When/How Did BluVector Detect It?

Publicly available samples of GreyEnergy malware listed in the report were tested and BluVector’s patented Machine Learning Engine (MLE) detected them. Regression testing has shown the samples would have been detected an average of 24 months prior to their release, despite some samples having been deployed since 2015.
