[MALWARE] GreyEnergy: the new malware that targets the energy sector

Critical infrastructures are threatened by the new malware: GreyEnergy. The anti-virus software developer ESET revealed that a new group of hackers called GreyEnergy could have succeeded the BlackEnergy APT group. ESET researchers have noticed that since 2015, the GreyEnergy group has been targeting energy companies and so-called “critical” sites in Poland and Ukraine.

According to these researchers, the group would therefore be linked to BlackEnergy and GreyEnergy hackers could very soon carry out cyber-spy attacks. The GreyEnergy group mainly conducts targeted attacks and stealth campaigns and uses all possible sources to avoid detection. Its targets are none other than companies in the energy sector, particularly those where industrial control systems workstations operate with SCADA software. The reasons for a possible affiliation between BE and GE are that both groups are modular and use a mini back door before obtaining administrative rights. In addition, both groups’ malware uses remote command and control servers via active Tor relays. The targets are similar and mainly affect the energy sectors in Ukraine. Finally, when BE remained inactive, GE was active.

Other signs testify to the concordance of the two groups, such as the very modern toolbox, which relies on stealth with modules without AES-256 encrypted files only pushed if necessary. These modules only run in memory to hinder the analysis and detection process. GE proceeds as BE by harpooning emails and uses methods to compromise public servers. Server vulnerability is used to access networks and attack systems. Finally, the group uses accessible tools such as WinExe, Nmap, Mimikatz and PsExec to carry out its malicious activities while remaining under radar.

The energy sector is one of the most targeted of the cybercriminals who see these sites as a means of putting pressure on a government. An attack on an industrial site (power plant or petrochemical centre) could prove fatal for a population, both humanely and economically. The last attack in Ukraine on a power plant in 2016 caused a major power outage in western Ukraine at the end of December by a trojan. Part of the country and the population had been forced to live without electricity in the middle of winter. More recently, the NotPetya attack had affected Ukrainian industrial sites, paralysing the activity of a large part of Ukraine.