GreyEnergy, a subgroup of the advanced persistent threat (APT) group known as BlackEnergy, has been attacking the energy sector for the past three years, according to ESET.
Back in December of 2015, when approximately 230,000 people suffered a blackout after the APT group BlackEnergy attacked a power grid in Ukraine, researchers at ESET reportedly detected another malware framework, which they dubbed GreyEnergy.
Since then, the group has been attacking energy companies and other high-value targets in Ukraine and Poland. Unlike other attacks on power grids, GreyEnergy's attacks have not resulted in mass destruction, which ESET said might be one reason why the APT has not been documented until now.
The stealthy attackers have remained undetected while focusing on espionage and reconnaissance, which ESET presumed is an indication that the group is either preparing for future cyber-sabotage attacks or laying the groundwork for an operation run by some other APT group.
ESET researchers have observed the malware framework being used for espionage and reconnaissance purposes and have noted that GreyEnergy is strikingly similar to BlackEnergy in the construction of its malware framework: it is modular, meaning that a particular combination of modules is uploaded to each targeted victim system.
Additionally, the fact that GreyEnergy emerged in the wild at the same time BlackEnergy disappeared leads researchers to believe that there is a link between the APTs. Both target the energy sector, and the two share at least one victim.
“It should be no surprise that threats like BlackEnergy are morphing into new variants,” said Ray DeMeo, co-founder and chief operating officer at Virsec. “There is a large arsenal of advanced hacking tools, many developed by the NSA, now readily available.
“These are difficult to detect because they manipulate legitimate application processes in run-time memory and create new variants, which further evades signature-based detection. More disturbing is that many of these attacks are targeted at disrupting critical infrastructure. Many of these ICS/SCADA systems have outdated security, designed for isolation, which is increasingly disappearing as IT and OT systems connect and converge.”