A hacking group, believed to be connected to Telebots—the group behind NotPetya—has created custom tools to attack Ukraine’s power grid.
The details: A nation-state level hacker group, dubbed “GreyEnergy” by researchers, attacked Ukraine’s power grid, targeting energy companies with “industrial control system workstations running SCADA software.” GreyEnergy is believed to be linked to the group “BlackEnergy,” which attacked Ukraine’s grid in 2015 and left 230,000 people without power.
Why it matters: Researchers at ESET believe that GreyEnergy is linked to various hacker groups, including Telebots, which unleashed a malware campaign that caused another power outage in Ukraine in 2016. Telebots was behind NotPetya, a massive malware campaign which hit targets in Ukraine, Russia, Denmark, the United Kingdom and United States with ransomware in 2017.
GreyEnergy has also purportedly struck at targets in Poland.
Researchers believe that the GreyEnergy hack in Ukraine is a prelude to something larger, serving as reconnaissance ahead of future attacks.
Like many nation-state level hacker groups, GreyEnergy has evolved to build its own custom tooling to help avoid detection. GreyEnergy modules “are partially encrypted using AES-256 and some remain fileless, only running in the memory, with the intention of hindering analysis and detection,” according to researchers. The group also uses public domain hacking tools such as PsExec and Mimikatz to help reduce visibility into its signature hacking techniques.
The hacker perspective:
Randori DevOps Security Engineer and researcher Fran Donoso says,
"GreyEnergy and Telebots are some of the most prolific nation-state-like attackers that most people haven't heard of. Based on ESET's research, it appears that after the press that BlackEnergy received, the attack group rewrote some of their custom attack tooling and systems, and updated their tradecraft. However—like with most investments that organizations make—completely rewriting all of this custom tooling is an expensive and time-consuming operation. Instead, they rewrote parts of their modular tooling while keeping the core of the systems intact. This makes it easier for security companies and researchers to attribute the new attacks to the old 'BlackEnergy' attack group, but likely changes enough of the code and architecture to avoid immediate detection by security solutions.
Telebots have been responsible for some of the most costly attacks in recent memory, specifically with them being likely responsible for NotPetya and other supply-chain style attacks. Telebots and GreyEnergy have targeted the critical infrastructure of Ukraine, including energy grids, financial organizations, and more broad attacks like targeting all Ukrainian businesses that use the 'M.E.Doc' tax tool.
GreyEnergy/Telebots have also shown that they can incorporate open source or common 'pentesting' tools such as Mimikatz and PsExec. Using such tooling during operations ensures more 'valuable' custom tooling is not used unless it’s necessary. Why expose your expensive custom toolkits when off-the-shelf pentest tools will do? Generic tooling also has the added benefit of making attribution potentially more difficult."