BlackEnergy successor targets critical infrastructure

The hacker toolkit that crippled the electrical grid in the Ukraine in 2015 has a virulent successor that is busy stalking critical infrastructure industrial control systems, according to new research.

The infamous BlackEnergy toolkit that crippled the electrical grid in the Ukraine in 2015 has a virulent successor that is busy stalking critical infrastructure industrial control systems, according to new research by cybersecurity firm ESET.

The new toolkit, which ESET calls "GreyEnergy," is wielded by the advanced persistent threat (APT) group of the same name. Both are linked to the "Telebots" group responsible for the NotPetya malware that crippled hundreds of commercial networks around the globe in 2017. Intelligence officials in the U.S. and elsewhere attributed that attack to the Russian military.

ESET didn't name GreyEnergy's country of origin but said the toolkit is most likely a successor to the BlackEnergy toolkit used in 2015, sharing a similar design aimed at industrial control systems and similar operating methods. The redesign was probably meant to cover the tracks left by the BlackEnergy attack, according to ESET's analysis.

For the last three years, ESET researchers said, GreyEnergy has intentionally stayed under the radar "focusing on espionage and reconnaissance, quite possibly in preparation of future cybersabotage attacks or laying the groundwork for an operation run by some other APT group."

While the Telebots group remains primarily focused on industrial and financial networks in Ukraine, GreyEnergy, like BlackEnergy, has pushed out beyond those borders to probe critical infrastructure in other countries. ESET said that in late 2015, it spotted GreyEnergy malware targeting an energy company in Poland. It didn't identify the company.

GreyEnergy gains initial access either through phishing email or through vulnerabilities in public-facing web servers that are connected to an internal network, according to ESET.

One of the more disturbing details uncovered in GreyEnergy malware samples was a valid digital signature made with a certificate "that had likely been stolen from a Taiwanese company that produces ICS equipment," ESET said. The same technique, signing malware with a stolen code-signing certificate, was used by the Stuxnet worm that crippled the Iranian nuclear program's ICS in 2010.
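The point of a stolen certificate is that the signature on the malware really does verify, so a defender who stops at "signature valid" lets it through. The following Go program is an added example (not ESET's code and not part of the original article) showing the check that actually matters: verify the signature, then apply a trust policy that refuses artifacts whose signer is on a deny-list of known-stolen or revoked certificates. It stands in for X.509/Authenticode with a hypothetical Ed25519 `Signer` struct and a fingerprint derived from the public key; the "stolen" vendor key, the artifact bytes and the blocklist are all constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signer stands in for a code-signing certificate (hypothetical type):
// the public key plus a SHA-256 fingerprint of it, as a revocation or
// deny-list would reference it.
type Signer struct {
	Name        string
	PublicKey   ed25519.PublicKey
	Fingerprint string
}

// NewSigner derives the fingerprint from the public key bytes.
func NewSigner(name string, pub ed25519.PublicKey) Signer {
	sum := sha256.Sum256(pub)
	return Signer{Name: name, PublicKey: pub, Fingerprint: hex.EncodeToString(sum[:])}
}

// Verdict separates "the math checks out" from "we trust this".
type Verdict struct {
	SignatureValid bool // signature verifies under the signer's public key
	SignerBlocked  bool // signer fingerprint is on the stolen/revoked list
	Trusted        bool // both conditions satisfied: valid AND not blocked
}

// CheckArtifact verifies the signature and then consults the deny-list.
// A valid signature from a blocked signer is reported as NOT trusted.
func CheckArtifact(artifact, sig []byte, s Signer, blocklist map[string]bool) Verdict {
	v := Verdict{}
	v.SignatureValid = ed25519.Verify(s.PublicKey, artifact, sig)
	v.SignerBlocked = blocklist[s.Fingerprint]
	v.Trusted = v.SignatureValid && !v.SignerBlocked
	return v
}

// Scenario bundles the three cases the example walks through.
type Scenario struct {
	Clean    Verdict // legitimate vendor, not on the list
	Stolen   Verdict // same vendor key after it is reported stolen
	Tampered Verdict // artifact modified after signing
}

// RunScenario constructs a vendor key, signs a fake artifact, and evaluates it
// before and after the vendor's certificate lands on the deny-list.
func RunScenario() Scenario {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	vendor := NewSigner("ICS Vendor (constructed)", pub)

	// Constructed stand-in for a driver binary the attacker wants to sign.
	artifact := []byte("MZ...constructed-driver-binary...")
	sig := ed25519.Sign(priv, artifact)

	// Before anyone knows the key was stolen: the signature is valid and
	// the signer is unknown to the deny-list, so the artifact is trusted.
	clean := CheckArtifact(artifact, sig, vendor, map[string]bool{})

	// After the vendor (or a CA) reports the certificate stolen, the
	// identical signature still verifies, but the policy now refuses it.
	blocklist := map[string]bool{vendor.Fingerprint: true}
	stolen := CheckArtifact(artifact, sig, vendor, blocklist)

	// Tampering with the bytes after signing fails the cryptographic check.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0xff
	bad := CheckArtifact(tampered, sig, vendor, map[string]bool{})

	return Scenario{Clean: clean, Stolen: stolen, Tampered: bad}
}

func main() {
	s := RunScenario()
	fmt.Printf("clean:    %+v\n", s.Clean)
	fmt.Printf("stolen:   %+v\n", s.Stolen)
	fmt.Printf("tampered: %+v\n", s.Tampered)
}
```

The `Stolen` case is the one the article is about: nothing in the signature distinguishes it from the `Clean` case, so the only lever a defender has is keeping the deny-list (certificate revocation data, vendor advisories, threat-intel feeds) current and treating "valid but blocked" as a high-priority alert rather than a quiet drop.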

"It is certain that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth," ESET's paper said.