A gang of suspected Russian linked hackers recently hit three critical infrastructure companies in Poland and Ukraine using malware thought to be the successor to the BlackEnergy trojan that cut electricity to 250,000 people there three years ago.
These latest attacks are particularly foreboding, not only for the high value targets infected but also because the hackers appear to have used more advanced technology than tools deployed in the notable cyberattacks on the Ukrainian financial sector, the supply-chain blitz against Ukraine and the NotPetya ransomware outbreak.
Moreover, the bad actors might next be setting up future attacks on industrial control systems (ICS).
From BlackEnergy to GreyEnergy
After the 2015 Ukraine blackout, the group seemed to have stopped actively using BlackEnergy, a security research firm said, superseded by a next generation variant dubbed GreyEnergy. “The appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy,” wrote Anton Cherepanov and Robert Lipovsky, ESET senior malware researchers, in a blog post.
Compared to BlackEnergy, GreyEnergy is a more “modern toolkit with an even greater focus on stealth,” according to the Slovakia-based ESET, which has tracked the malware since 2015 and is now documenting its use. “At least one of the victims targeted by GreyEnergy had been targeted by BlackEnergy in the past. Both subgroups share an interest in the energy sector and critical infrastructure. Both have had victims primarily in Ukraine, with Poland ranking second. There are strong architectural similarities between the malware frameworks,” the analysts said.
The researchers did not identify the three companies addled by malware attacks in Poland and Ukraine nor did it point out the attacker(s). “We’re typically not directly involved in the investigation and identification of the individuals writing the malware and/or deploying it, and the interpersonal relations between them,” they wrote.
Kremlin spokesman Dmitry Peskov denied Russian involvement in the attacks. “These are just more accusations,” he told Reuters. “We are tired of denying them, because no one is listening.”
Prior to the new attacks, the cyber gangsters behind GreyEnergy haven’t sought the limelight, preferring espionage and reconnaissance modules such as backdoor, file extraction, taking screenshots, keylogging, password and credential stealing, the ESET researchers said.
It’s possible the GreyEnergy group (or groups) may be eyeing critical infrastructure targets, specifically ICS, although direct indicators haven’t surfaced. “We have, however, observed that the GreyEnergy operators have been strategically targeting ICS control workstations running SCADA (Supervisory control and data acquisition) software and servers, which tend to be mission-critical systems never meant to go offline except for periodic maintenance,” security analysts said.