Friday 12 July 2024

Eset uncovers new espionage cyber threat

DUBAI, October 18, 2018

Eset, a top IT security software company, has uncovered a new cyber threat focuses on espionage and reconnaissance, quite possibly in preparation for future cybersabotage attacks.

Named GreyEnergy by Eset, this threat actor is a successor to the BlackEnergy APT group, a company statement said.

BlackEnergy has been terrorizing Ukraine for years and rose to prominence in December 2015 when they caused a blackout that left 230 thousand people without electricity in the first-ever blackout caused by a cyberattack. Around the time of that breakthrough incident, Eset researchers started detecting another malware framework and named it GreyEnergy.

“We have seen GreyEnergy involved in attacks at energy companies and other high-value targets in Ukraine and Poland over the past three years,” said Anton Cherepanov, Eset senior security researcher who led the research.

The 2015 attack on Ukrainian energy infrastructure was the most recent known operation where the BlackEnergy toolset was used. Subsequently, Eset researchers documented a new APT subgroup, TeleBots.

TeleBots are most notable for the global outbreak of NotPetya, the disk-wiping malware that disrupted global business operations in 2017 and caused damages in the sum of billions of US dollars. As Eset researchers recently confirmed, TeleBots are also connected to Industroyer, the most powerful modern malware targeting industrial control systems and the culprit behind the second electrical blackout in Ukraine’s capital, Kiev, in 2016.

“GreyEnergy surfaced along with TeleBots, but unlike its better-known cousin, GreyEnergy’s activities are not limited to Ukraine and so far, haven’t been damaging. Clearly, they want to fly under the radar,” said Cherepanov.

According to Eset’s thorough analysis, GreyEnergy malware is closely related to both BlackEnergy and TeleBots malware. It is modular in construction, so its functionality is dependent on the particular combination of modules its operator uploads to the victim’s systems.

The modules described in Eset’s analysis were used for espionage and reconnaissance purposes and include: backdoor, file extraction, taking screenshots, keylogging, password and credential stealing, etc.

“We have not observed any modules that specifically target Industrial Control Systems software or devices. We have, however, observed that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers,” explained Cherepanov.

Eset’s disclosure and analysis of GreyEnergy is important for a successful defence against this particular threat actor as well as for better understanding the tactics, tools and procedures of the most advanced APT groups. – TradeArabia News Service

Tags: ESET | espionage |

More Energy, Oil & Gas Stories

calendarCalendar of Events