Backdoor Links 2016 Ukrainian Blackout to Sandworm APT and NotPetya

Analysis of a new backdoor program allowed malware researchers to establish clear links between the cyberattacks that led to power outages in Ukraine in 2015 and 2016 and the NotPetya ransomware outbreak.

The new backdoor is called Exaramel and is used by a Russian APT group known as Sandworm or TeleBots, which has been operating for many years and is known for targeting energy utilities with a malware program called BlackEnergy.

The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) first issued an alert about BlackEnergy in 2014, and in December 2015 the malware was used in an attack against power distribution stations in Ukraine, leading to blackouts that affected more than 200,000 people.

A year later, in December 2016, another cyberattack hit Ukraine’s power grid, leading to new blackouts in Kiev, the country’s capital. That attack didn’t use BlackEnergy but a new malware framework researchers have dubbed Industroyer or Crashoverride.

Sandworm’s attacks over the years have not been limited to energy utilities. The group has targeted high-value targets across many industry sectors, in Ukraine and beyond, including government officials from EU and NATO countries.

The group is also believed to be responsible for NotPetya, the 2017 global ransomware outbreak that started in Ukraine and ended up disrupting the operations of major companies around the world.

Even though some security companies previously found some links between the 2016 Industroyer attack and TeleBots/Sandworm, no hard evidence was ever uncovered, until now.

According to a new report by researchers from ESET, Sandworm’s new Exaramel backdoor was found in April inside the network of a non-industrial organization in Ukraine and bears strong code similarities to Industroyer.

“Our analysis suggests that this TeleBots’ backdoor is an improved version of the main Industroyer backdoor,” the ESET researchers said.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy,” the researchers said. “While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”

ESET found two versions of Exaramel, one for Windows and one for Linux. The Windows version creates a service called “Windows Check AV” and groups targets based on the security solutions they use, a behavior that has also been observed in Industroyer.

After it’s installed, the backdoor connects to a command-and-control server and receives commands. It has the ability to launch processes under specific Windows users, to write and exfiltrate files and to execute shell commands and VBS code.
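The one concrete host-level indicator the article gives for the Windows version is the name of the service it creates, “Windows Check AV”. The following is an added detection example, not code from ESET or from the article: it parses constructed key=value log lines in the shape a forwarder might emit for Windows System log Event ID 7045 (a new service was installed) and flags any installation whose service name matches, ignoring case and stray whitespace. The line format, host names and image paths are all assumptions made for the example.

```python
"""Flag Event ID 7045 (service installed) records whose ServiceName matches the
name the article reports for Win32/Exaramel. Added example; the log line
format below is constructed for illustration, not a real forwarder format."""
import re
from dataclasses import dataclass

# Service name reported in the article; compared case-insensitively.
EXARAMEL_SERVICE_NAMES = {"windows check av"}

# Constructed sample lines (not real captures) in a simple key=value shape.
SAMPLE_LOG_LINES = [
    'EventID=7045 Host=ws-017 ServiceName="Windows Update" '
    'ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" StartType="auto start"',
    'EventID=7045 Host=ws-017 ServiceName="Windows Check AV" '
    'ImagePath="C:\\Users\\Public\\CONSTRUCTED_PLACEHOLDER.exe" StartType="auto start"',
    'EventID=7036 Host=ws-017 Message="The Windows Check AV service entered the running state."',
    'EventID=7045 Host=srv-db1 ServiceName="windows check av " '
    'ImagePath="C:\\ProgramData\\CONSTRUCTED_PLACEHOLDER.exe" StartType="demand start"',
]


@dataclass(frozen=True)
class ServiceInstall:
    """One flagged service-installation event."""
    host: str
    service_name: str
    image_path: str


# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict of field name -> value."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def find_suspicious_service_installs(lines) -> list:
    """Return ServiceInstall records for 7045 events naming a known-bad service.

    Only service-installation events (7045) are considered; the name is
    normalised (strip + lower) so trailing spaces or case changes do not
    evade the match.
    """
    hits = []
    for line in lines:
        fields = parse_event(line)
        if fields.get("EventID") != "7045":
            continue
        name = fields.get("ServiceName", "").strip()
        if name.lower() in EXARAMEL_SERVICE_NAMES:
            hits.append(ServiceInstall(
                host=fields.get("Host", "?"),
                service_name=name,
                image_path=fields.get("ImagePath", ""),
            ))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_service_installs(SAMPLE_LOG_LINES):
        print(f"[ALERT] {hit.host}: service '{hit.service_name}' "
              f"installed from {hit.image_path}")
```

On the constructed input this flags the two 7045 events on ws-017 and srv-db1 and ignores the unrelated 7036 state-change record. In a real deployment the same check belongs in the SIEM rule for service-creation events, with the image path of each hit reviewed as the next triage step.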

“The code of the command loop and implementations of the first six commands are very similar to those found in a backdoor used in the Industroyer toolset,” the ESET researchers said.

Exaramel is used by attackers to deploy additional tools, including a password-stealing program associated with TeleBots called CredRaptor or PAI and a modified version of Mimikatz, an open source tool for stealing Windows credentials.

The new version of CredRaptor deployed by Exaramel is capable of stealing passwords stored inside browsers, Outlook and many FTP clients.

“This improvement allows attackers to collect webmaster’s credentials for websites and credentials for servers in internal infrastructure,” the researchers said. “Once access to such servers is obtained, attackers could plant additional backdoors there.”

One such backdoor is the Linux version of Exaramel, which is written in the Go programming language and is compiled as a 64-bit ELF binary. Like the Windows version, Linux/Exaramel.A can upload and download files to and from a command-and-control server and can execute shell commands.

Exaramel is evidence that the Sandworm group continues its activities, alongside other Russian APT groups including Fancy Bear (APT28) and Turla, and is improving its toolset despite the attention it received following the high-profile attacks attributed to it.

Lucian Constantin

