‘Hacker group that has been hidden until now focuses on Ukraine’s energy sector’

Security firm ESET has published research into a hitherto hidden hacker group, which it refers to as GreyEnergy. The group is said to focus primarily on Ukraine and to be interested in the energy sector, possibly in preparation for an attack.

In a blog post and accompanying white paper, ESET writes that it has indications that GreyEnergy is one of the successors to BlackEnergy, a group that was last active in 2015. That group was associated with the attack carried out that year on the power supply in Ukraine, which left hundreds of thousands of people without power. After that attack, the group is believed to have split in two. ESET refers to one of those groups as TeleBots, although it has also been referred to as Sandworm. The second, new group is GreyEnergy, and according to ESET the two groups work closely together. The difference is that GreyEnergy focuses more on espionage and reconnaissance, while TeleBots is said to be responsible for attacks such as NotPetya, BadRabbit and Industroyer.

ESET first noticed GreyEnergy in 2015, when the group had its sights on an energy company in Poland. However, the group is said to target Ukraine primarily, particularly energy companies, the transportation sector and other “high-value targets.” The group may be tasked with carrying out preparatory work for upcoming attacks, the Slovakian security firm said. GreyEnergy uses phishing, in which a Word document containing malware is sent to targets. A second way into organizations is to compromise a public-facing web server and then attempt to move from there into the internal network.

In the case of phishing, the Word document contains a macro that pulls in a small backdoor called GreyEnergy Mini. The document also loads an external image, which lets the attackers see whether it has been opened. The backdoor then collects as much information as possible about the target’s system and sends it over HTTP or HTTPS to the GreyEnergy group’s command-and-control server. Only then is the actual ‘flagship’ malware downloaded, which has a modular structure. This lets the attackers deploy the module best suited to a given goal.
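The two document-level traits described above, an embedded macro and a remote image reference that works as an open-tracking beacon, can both be checked statically before a file ever reaches a user. The following triage script is an added example and is not ESET's tooling or anything from the GreyEnergy analysis; it inspects the OOXML (.docx/.docm) archive for a `vbaProject.bin` part and for image relationships marked `TargetMode="External"` that point at an HTTP(S) URL. The sample documents are constructed in memory, and the tracker host `tracker.example.invalid` is a placeholder.

```python
"""Static triage of Word OOXML files for two phishing-document traits:
an embedded VBA project and remote (external) image references that act as
open-tracking beacons. Added example, not ESET's tooling; the sample
documents below are constructed in memory for demonstration."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespace used by every .rels part inside an OOXML package.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def build_sample_docx(with_macro: bool, remote_image: bool) -> bytes:
    """Construct a minimal OOXML archive containing just the parts the triage inspects."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles" Target="styles.xml"/>',
    ]
    if remote_image:
        # Hypothetical tracker host: Word fetches this image when the document renders,
        # which tells the sender the file was opened.
        rels.append(
            f'<Relationship Id="rId2" Type="{IMAGE_REL}" '
            'Target="http://tracker.example.invalid/pixel.png" TargetMode="External"/>'
        )
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/styles.xml", "<w:styles/>")
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if with_macro:
            # Placeholder bytes standing in for the OLE container that holds VBA code.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Return what was found and a verdict: 'clean', 'review' or 'block'."""
    findings = {"has_vba_project": False, "remote_image_targets": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["has_vba_project"] = True
            elif lower.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(RELS_NS + "Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue  # internal parts of the package are not beacons
                    target = rel.get("Target", "")
                    if rel.get("Type") == IMAGE_REL and target.lower().startswith(("http://", "https://")):
                        findings["remote_image_targets"].append(target)

    # Either trait alone deserves a look; the combination matches the lure pattern
    # described in the article and is treated as a blocking finding.
    if findings["has_vba_project"] and findings["remote_image_targets"]:
        findings["verdict"] = "block"
    elif findings["has_vba_project"] or findings["remote_image_targets"]:
        findings["verdict"] = "review"
    return findings


if __name__ == "__main__":
    for macro, image in [(False, False), (False, True), (True, False), (True, True)]:
        print(macro, image, triage_docx(build_sample_docx(macro, image)))
```

Because the check only reads the zip directory and the relationship XML, it never executes macros or fetches the remote image, so it can run on a mail gateway or file share without tipping off the sender. Real documents legitimately use external images for some templates, which is why a remote image on its own only rates a review rather than a block.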

The modules and their function

ESET notes that one of the collected samples of this malware was signed with a certificate stolen from Advantech, a Taiwanese company that builds industrial equipment. In this respect GreyEnergy follows in the footsteps of Stuxnet. The malware also reportedly contains measures to make analysis more difficult.

The security company offers no attribution in its analysis, so it makes no statement about which country may be behind GreyEnergy. BlackEnergy, or Sandworm, has been associated with Russia in the past, including by Germany. The British government, among others, has attributed Sandworm to the Russian military intelligence service GRU. ESET recently published research linking Industroyer to NotPetya.

Schematic representation of GreyEnergy methods