Pierluigi Paganini January 24, 2019

Security experts from Kaspersky Lab’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) linked the GreyEnergy malware with and the Zebrocy backdoor.

Security researchers from Kaspersky Lab’s ICS CERT have discovered a link between GreyEnergy malware with and the Zebrocy tool.

The activity of the GreyEnergy APT group emerged in concurrence with BlackEnergy operations, experts consider the formed a successor of the latter group.

GreyEnergy has been active at least since 2015, it conducted reconnaissance and cyber espionage activities in Ukraine and Poland, it focused its activities on energy and transportation industries, and other high-value targets.

“Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are widely spread across the Middle East, Europe and Asia and the targets’ profiles are mostly government-related.” reads the analysis published by Kaspersky.

“Both sets of activity used the same servers at the same time and targeted the same organization”

The GreyEnergy APT group leverages the GreyEnergy malware, a malicious code that implements a modular architecture to extend its capabilities by adding the appropriate modules. Experts pointed out that even if the malware hasn’t modules specifically designed to target ICS, the group has been targeting industrial workstations and SCADA systems.

The Zebrocy malware was used by Russia-linked APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM), that operates under the Russian military agency GRU.

Experts at Kaspersky Lab have discovered that GreyEnergy and Zebrocy were using the same command and control (C&C) infrastructure, both used the same IP addresses associated with servers in Ukraine and Sweden.

The two malware were used simultaneously in June 2018 and both have been used in attacks aimed at a number of industrial companies in Kazakhstan. One of the attacks was carried out in June 2018.

The spear-phishing messages that were used in the attacks that involved both malware used similar documents that purported to come from Kazakhstan’s Ministry of Energy.

“Though no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis,” concludes Kaspersky.

The discovery made by Kaspersky is very important and shows the alleged evolution of the threats.

Sharing information about these APT groups and their TTPs could help organizations in detecting the malicious activities associated with the threat actors.

Pierluigi Paganini

(SecurityAffairs – hacking, BlackEnergy)

[adrotate banner=”5″] [adrotate banner=”13″]