October 23, 2018 By Douglas Bonderud 2 min read

A new APT group dubbed GreyEnergy is now targeting energy companies in Poland and Ukraine, and analysis of the new threat vector revealed that it may be a successor to the BlackEnergy attacks of 2015.

While GreyEnergy has been active for the past three years, according to We Live Security, its lack of destructive behavior helped it evade detection. In fact, the attack uses multiple stealth and obfuscation techniques to prevent security professionals from detecting its presence.

Similarities in framework and function tie this new advanced persistent threat (APT) group to both BlackEnergy and the TeleBots subgroup, which helped develop the NotPetya ransomware. Like BlackEnergy, GreyEnergy targets supervisory control and data acquisition (SCADA) and industrial control system (ICS) workstations. GreyEnergy appeared in the wild when its presumed predecessor disappeared, and both attacks use modular frameworks to deploy mini-backdoors before obtaining full admin rights.

As for its TeleBots connection, GreyEnergy was detected in 2016 using an early version of the NotPetya worm. So far, GreyEnergy has focused on reconnaissance and data espionage, but this could be a precursor to blackout-type attacks conducted by its BlackEnergy birthright.

Breaking Down the APT Group’s Stealthy Tactics

GreyEnergy isn’t looking for attention. Instead, attackers are compromising public-facing web servers and deploying traditional spear phishing techniques to infect corporate systems and quietly get to work.

Both BlackEnergy and GreyEnergy rely on stealth deployments — that is, they only push malware modules to select targets, and only when required. In addition, the malware encrypts some files using Advanced Encryption Standard 256-bit encryption (AES-256) and leaves others running filelessly in memory to frustrate detection efforts.

The APT group is deploying internal command-and-control (C&C) proxies on victim networks to redirect traffic requests from infected hosts. As a result, defenders see devices communicating on internal networks when traffic is actually being rerouted to external servers.

Why You Should Test Your SCADA and ICS Systems

To avoid the threat posed by GreyEnergy and similar ICS-targeting ADP groups, security experts recommend consistently testing ICS and SCADA for vulnerabilities. While many companies are reluctant to risk critical system downtime with this kind of testing, minor outages are preferable to complete system compromise.

Security professionals should also monitor their environments for the indicators of compromise (IoCs) listed on IBM X-Force Exchange.

Source: We Live Security

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today