Researchers discovered a new threat group — GreyEnergy — which has been active for the past three years and now claim it is the successor to BlackEnergy, but experts don’t necessarily agree.
Anton Cherepanov and Robert Lipovsky, senior malware researchers at ESET, said the evidence they gathered points to GreyEnergy being the successor to the BlackEnergy threat group, which attacked the Ukraine power grid in December 2015. The researchers wrote in a blog post that they first detected activity by GreyEnergy around the same time as that attack and that group has attacked “energy companies and other high-value targets in Ukraine and Poland” over the past three years.
Cherepanov and Lipovsky said the GreyEnergy group hasn’t been documented until now because its activity has been more “under the radar, focusing on espionage and reconnaissance, quite possibly in preparation of future cybersabotage attacks or laying the groundwork for an operation run by some other APT group.”
“GreyEnergy’s malware framework bears many similarities to BlackEnergy. […] It is similarly modular in construction, so its functionality is dependent on the particular combination of modules its operator uploads to each of the targeted victim systems. The modules that we have observed were used for espionage and reconnaissance purposes (i.e. backdoor, file extraction, taking screenshots, keylogging, password and credential stealing, etc.),” the researchers wrote in a blog post. “We have not observed any modules that specifically target industrial control systems (ICS). We have, however, observed that the GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers, which tend to be mission-critical systems never meant to go offline except for periodic maintenance.”
Cherepanov and Lipovsky said the similarities between GreyEnergy and BlackEnergy — overlap in malware frameworks and code, overlap in targets and regions of activity, the timing of GreyEnergy beginning activity and both groups using active Tor relays for command and control servers — all indicate that GreyEnergy is the successor to BlackEnergy.
However, although experts praised the research by ESET, not all agreed that the evidence supported the connection between the groups or any conclusions that GreyEnergy is specifically targeting ICS infrastructure. Robert Lee, founder and CEO of Dragos Inc., noted on Twitter that the GreyEnergy “tool is a general backdoor and doesn’t contain ICS capabilities but neither did BlackEnergy3.”
“I think it’s premature to make assessments on adversary intent, with only three identified victims the focus may be larger than ICS and assessing how the adversary might use the access would be low confidence at best,” Lee wrote on Twitter. “Energy company and transportation company security personnel should look at the threat behaviors in the ESET report and look for those behaviors in their ICS networks. An indicator sweep is ok but would give false confidence if nothing was found. […] It’s a general purpose backdoor though so don’t freak out about the malware and miss the point about the threat.”
Jake Williams, founder and president of Rendition Infosec, based in Augusta, Ga., said there wasn’t enough data in the report to support the claim that GreyEnergy is the successor to BlackEnergy.
For the record, it very well could be that GreyEnergy is a successor to BlackEnergy. The code overlap is not really compelling because lots of BE code has been leaked repeatedly. The report is good, but we should caution ICS operators not to jump to conclusions. 5/5
— Jake Williams (@MalwareJake)
October 17, 2018
Williams noted in that Twitter thread that the start of GreyEnergy activity should not be considered a strong indicator to be interpreted as the end of BlackEnergy, and warned against describing the group as being dedicated to targeting ICS, because “ICS networks are cyber key terrain for nation state hackers and it looks like GreyEnergy is a nation state tool.”
Cherepanov and Lipovsky said they agreed with these assessments and that “they only confirm our publications.”
“We clearly state that GreyEnergy does not have ICS-specific modules like Industroyer did. It also does not have shared code with BlackEnergy — all of the links between GreyEnergy, BlackEnergy, Industroyer, and TeleBots are outlined in our whitepaper and blog posts,” the researchers said via email. “All of our published conclusions were done with high confidence based on the presented facts and further evidence we have at our disposal.”
Based Blockchain Network