10/17/2018
06:15 PM
3 Years After Attacks on Ukraine Power Grid, BlackEnergy Successor Poses Growing Threat

In what could be a precursor to future attacks, GreyEnergy is targeting critical infrastructure organizations in Central and Eastern Europe.

Three years after BlackEnergy's unprecedented cyberattack on Ukraine's power grid caused a massive blackout in Kiev, an offshoot of the group continues to pose a clear and present danger to critical infrastructure organizations in Central and Eastern Europe.

Security vendor ESET has been tracking the subgroup, which it named GreyEnergy, since soon after BlackEnergy and its eponymous malware dropped out of sight following the December 2015 Ukraine attack. In a report this week, ESET described GreyEnergy as focused on reconnaissance and espionage, possibly in preparation for future attacks.

GreyEnergy is the quieter and therefore likely more dangerous of two subgroups that BlackEnergy evolved into after the Ukraine power grid attack. The other group, TeleBots, is more widely known, especially for launching the NotPetya ransomware attack in June 2017 and for using an updated version of BlackEnergy's KillDisk disk-wiping malware against high-value financial targets in Ukraine in December 2016.

GreyEnergy and TeleBots appear to be working closely together, based on malware code similarities and the sharing of malware. In December 2016, for instance, well before the NotPetya attacks, GreyEnergy had deployed Moonraker Petya, a more advanced version of the Petya malware, in a separate campaign, ESET said.

But while TeleBots has been focused on creating cyber disruption in Ukraine, GreyEnergy has been focused on gathering information from industrial networks belonging to critical infrastructure organizations in Ukraine and other countries. The group has been using an updated BlackEnergy malware toolkit to target organizations in the energy and transportation sectors, as well as other high-value targets, ESET said. The most recent attack that ESET has been able to attribute to GreyEnergy happened this past June.

"We in the research community track the original BlackEnergy as two separate groups, one that focuses on intrusions in Ukraine and another that focuses on ICS targets not limited by geography," says Hardik Modi, senior director at NETSCOUT Threat Intelligence. "The fact that this activity has grown to the point where we're talking about multiple pieces of malware means that this is something high priority, well-funded, and likely to grow." 

GreyEnergy has been distributing its malware in two ways — via spearphishing and by compromising public-facing Web servers. When a Web server is hosted internally and connected to the rest of an organization's network, the attackers have typically used that foothold to try to move laterally on the network and plant backup backdoors so they can reinfect a victim network if their malware is spotted and removed.

Once on a network, GreyEnergy uses different methods to try to turn internal servers into proxy command-and-control servers that redirect traffic to an external C2 server. ESET said it has even observed GreyEnergy build chains of proxy command-and-control servers to redirect traffic from inside a compromised network to its external servers. The C2 infrastructure itself is similar to the one used by BlackEnergy and TeleBots, which is another indication that the groups are all linked, the security vendor said.

GreyEnergy's malware consists of a lightweight first-stage "GreyEnergy Mini" backdoor and a separate main module.

GreyEnergy Mini is designed to capture and exfiltrate as much information as possible about the infected system and to gain an initial foothold on the compromised network. The data that the first-stage payload can collect and send back to the attackers includes computer name and username, operating system version, current Windows user privileges, proxy settings, list of users, IP addresses, domains, and details on antimalware tools, ESET said.

GreyEnergy's main module can run either in memory only or be deployed in such a manner as to achieve persistence on the infected system. The attackers behind GreyEnergy have been deploying the in-memory-only mode on servers that are unlikely to be rebooted often, such as systems with very high availability requirements. The malware is installed so that when the attackers are done, the malicious DLL file used to infect the system is securely wiped from disk, and the payload exists only in the memory of the Windows service that is hosting it.

On other systems, attackers have been using a relatively obscure Windows registry key feature to install and disguise the GreyEnergy malware so it is capable of surviving system reboots.

Like many modern malware tools, GreyEnergy is modular, meaning the attackers can add additional capabilities to it post-installation. The modules that ESET has observed so far include those for collecting system information, event logs, malware hashes, file system operations, screen shots, keystroke logs, saved passwords, and user credentials using the Mimikatz tool.

GreyEnergy also has employed several methods to make its malware harder to detect, including encryption and signing its malware with what appears to be a stolen digital certificate from Advantech, a Chinese manufacturer of industrial equipment and IoT hardware, according to ESET. Like several threat groups these days, GreyEnergy also has been using multiple legitimate tools, such as Mimikatz, PsExec, and Nmap, in its campaigns.
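As an added defender-side example that is not code from ESET's report or from this article, the PowerShell hunt below looks for the two host-level traits described above: a user-mode Windows service whose hosting DLL or binary no longer exists on disk (the in-memory-only mode), and, for modules that are still present, the Authenticode signer, so an unexpected signer on a service module stands out. It assumes a Windows host and an elevated PowerShell session.

```powershell
# Added example (not from ESET or the article): hunt for user-mode services whose
# hosting module has vanished from disk, the in-memory-only pattern described
# above, and report the Authenticode signer of the modules that remain.
# Assumes a Windows host and an elevated PowerShell session.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceModulePath {
    param([string]$KeyPath)
    # svchost-hosted services name their DLL in Parameters\ServiceDll;
    # standalone services name their binary in ImagePath (possibly with arguments).
    $raw = (Get-ItemProperty -Path "$KeyPath\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $raw) { $raw = (Get-ItemProperty -Path $KeyPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath }
    if (-not $raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw).Trim() -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    # Keep only the module path: drop surrounding quotes and trailing arguments.
    if ($p -match '^"?(.+?\.(exe|dll))') { return $Matches[1] }
    return $p
}

function Find-SuspiciousServiceModules {
    Get-ChildItem -Path $svcRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Type 0x10 = own process, 0x20 = shared process; skip kernel drivers,
        # whose SystemRoot-relative paths would only add noise.
        if (-not $props.Type -or ($props.Type -band 0x30) -eq 0) { return }
        $path = Get-ServiceModulePath -KeyPath $_.PSPath
        if (-not $path) { return }
        $state = (Get-Service -Name $_.PSChildName -ErrorAction SilentlyContinue).Status
        if (-not (Test-Path -LiteralPath $path)) {
            # A running service with no module on disk is the case worth a memory capture.
            [pscustomobject]@{ Service = $_.PSChildName; State = $state; Path = $path
                               Finding = 'ModuleMissingOnDisk'; Signer = $null }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{ Service = $_.PSChildName; State = $state; Path = $path
                           Finding = $sig.Status.ToString(); Signer = $sig.SignerCertificate.Subject }
    }
}

# Show everything that is not a validly signed module present on disk.
Find-SuspiciousServiceModules | Where-Object { $_.Finding -ne 'Valid' } | Format-Table -AutoSize
```

A missing module on a stopped service is often just a leftover from a sloppy uninstall; the combination that matters is State Running with Finding ModuleMissingOnDisk, which warrants capturing the hosting process's memory before the box is rebooted.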

The updates reflect the continued investment that threat actors are putting into evolving BlackEnergy malware, Modi says. "None of the changes are earth-shattering" on their own, he says. "[But] the modular clean deletion, multiprotocol C2 changes to encryption of the configuration and techniques to disguise the DLL are all interesting and suggest hardening for successful evasion and persistence of access during operations."

ESET has published a full list of indicators of compromise for GreyEnergy on GitHub.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955, User Rank: Ninja
10/24/2018 | 2:56:36 PM
Re: Silver lining to morphing threat actor challenges
Think - bad actors don't even have to breach a system, just provide a bona-fide threat to the system and it is considered breached or in question. That alone assures their work has the desired effect. Disrupt an election just by the threat of doing so. And then done and move on.
BrianN060, User Rank: Ninja
10/18/2018 | 10:12:20 AM
Silver lining to morphing threat actor challenges
Yes, the quieter, more stealthy successor versions of an organization can be more dangerous - but careful reexamination of the originating entity should provide valuable clues, which will help identify and anticipate the new threats. Digital leopards can change their spots, but not their mitochondrial DNA.

Just as legitimate businesses will always have vulnerabilities due to continuity, bad actor organizations will drag personnel, structure, style, habits and other legacy elements into their new integuments.