BlackEnergy Successor Hits Energy Companies Since 2015

For the past three years, a stealthy cyberespionage group has been targeting energy companies, primarily from Poland and Ukraine, using a new malware framework dubbed GreyEnergy.

GreyEnergy is a modular malware platform which, according to researchers from antivirus vendor ESET, bears striking similarities to and might be the successor of BlackEnergy, the threat that left around 230,000 people in Ukraine without electricity in December 2015.

After the 2015 Ukrainian power blackout, BlackEnergy, which had been used since at least 2014, dropped off the map. At around the same time, the ESET researchers started seeing attacks with the new GreyEnergy platform, first against an energy company in Poland.

More attacks followed since then, focusing primarily on energy firms in Ukraine and Poland, but also on organizations from the transportation sector and other high-value targets. At least one of the recent GreyEnergy victims had also been targeted with BlackEnergy in the past.

“There are strong architectural similarities between the malware frameworks,” the ESET researchers said in a new report Wednesday that documents GreyEnergy for the first time. “Both are modular, and both employ a ‘mini,’ or light, backdoor deployed before admin rights are obtained and the full version is deployed.”

Researchers have previously tied BlackEnergy, NotPetya and Industroyer, the malware involved in another blackout in Ukraine in December 2016, to a Russian APT group known as Sandworm or TeleBots.

There is no direct link between GreyEnergy and TeleBots, but there is circumstantial evidence suggesting the group behind GreyEnergy is at the very least collaborating and sharing code with TeleBots. In fact, the ESET researchers have seen the GreyEnergy group deploy a worm in December 2016 that’s very similar to and might be an early version of NotPetya, the destructive worm that wreaked havoc through the networks of large global companies in June 2017.

Like BlackEnergy, GreyEnergy allows attackers to enable specific functionality for each victim by deploying different modules. The modules observed so far have only been used for reconnaissance, providing features like backdoor access, file extraction, taking screenshots, keylogging and credential stealing.

While none of the modules seen so far can interact with industrial control systems directly, the GreyEnergy group seems to have a preference for infecting control workstations running SCADA software and servers. These computers can then be used to interact with ICS equipment.

“The threat actors behind GreyEnergy have tried to stay under the radar, focusing on espionage and reconnaissance, quite possibly in preparation of future cybersabotage attacks or laying the groundwork for an operation run by some other APT group,” the ESET researchers said.

GreyEnergy is distributed in two ways: through spear-phishing emails or by compromising publicly facing web servers and then moving laterally through internal networks.

Once inside a network, attackers set up proxies on some of the compromised workstations or servers in order to redirect traffic from other infected systems deeper inside the network to a remote command-and-control server on the Tor network. The same technique was used by Stuxnet to extract data from critical systems that were isolated from the internet.
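As an added defender-side illustration (not code from ESET's report or this article), the proxy layout described above leaves a recognisable footprint in flow logs: an internal host that accepts connections from several other internal hosts and itself reaches out to a Tor entry node is a candidate relay. The network ranges, Tor entry addresses and flow records below are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address space of the monitored network (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed stand-ins for Tor entry nodes (documentation ranges, not real relays).
TOR_ENTRY_NODES = {"203.0.113.10", "198.51.100.7"}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.1.11", "10.0.5.20", 443),      # three workstations talk to 10.0.5.20 ...
    ("10.0.1.12", "10.0.5.20", 443),
    ("10.0.1.13", "10.0.5.20", 443),
    ("10.0.5.20", "203.0.113.10", 9001),  # ... and 10.0.5.20 reaches a Tor entry node
    ("10.0.2.2", "10.0.9.9", 445),        # a busy file server with no outbound Tor traffic
    ("10.0.3.3", "10.0.9.9", 445),
    ("10.0.4.4", "10.0.9.9", 445),
    ("10.0.7.7", "198.51.100.7", 443),    # a single host using Tor directly, no internal peers
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the monitored internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_peers: int = 3):
    """Return {relay_ip: sorted internal peers} for hosts that both receive
    connections from at least `min_peers` internal hosts and connect out to a
    Tor entry node, i.e. the proxy layout the article attributes to GreyEnergy."""
    inbound_peers = defaultdict(set)  # internal destination -> internal sources
    tor_talkers = set()               # internal hosts seen contacting a Tor entry node
    for src, dst, _port in flows:
        if is_internal(src) and is_internal(dst):
            inbound_peers[dst].add(src)
        elif is_internal(src) and dst in TOR_ENTRY_NODES:
            tor_talkers.add(src)
    return {
        host: sorted(inbound_peers[host])
        for host in sorted(tor_talkers)
        if len(inbound_peers[host]) >= min_peers
    }


if __name__ == "__main__":
    for relay, peers in find_relay_candidates(FLOWS).items():
        print(f"possible internal C2 relay {relay}; fed by {', '.join(peers)}")
```

The file server 10.0.9.9 has many internal peers but no Tor traffic, and 10.0.7.7 talks to Tor but has no internal peers, so only 10.0.5.20 is reported.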

Also like Stuxnet, some of the GreyEnergy samples were digitally signed with a legitimate certificate issued to a hardware manufacturer. In this case, the digital certificate belonged to Advantech, a Taiwanese manufacturer of industrial and IoT hardware, and was most likely stolen by attackers.

In addition to the GreyEnergy malware framework, the group also uses free and open-source tools to achieve its goals, such as Mimikatz, PsExec, WinExe and Nmap. This technique is known as “living off the land” and has become very common with APT groups because it makes attribution and detection much harder.

“It is certain that the threat actors responsible for GreyEnergy are extremely dangerous in their persistence and stealth,” ESET said in a detailed research paper also released Wednesday. “ESET encourages individuals, businesses and institutions to have the most up-to-date endpoint security protection to stay safe from this threat.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
