A new APT group dubbed GreyEnergy is now targeting energy companies in Poland and Ukraine, and analysis of the new threat vector revealed that it may be a successor to the BlackEnergy attacks of 2015.

While GreyEnergy has been active for the past three years, according to We Live Security, its lack of destructive behavior helped it evade detection. In fact, the attack uses multiple stealth and obfuscation techniques to prevent security professionals from detecting its presence.

Similarities in framework and function tie this new advanced persistent threat (APT) group to both BlackEnergy and the TeleBots subgroup, which helped develop the NotPetya ransomware. Like BlackEnergy, GreyEnergy targets supervisory control and data acquisition (SCADA) and industrial control system (ICS) workstations. GreyEnergy appeared in the wild when its presumed predecessor disappeared, and both attacks use modular frameworks to deploy mini-backdoors before obtaining full admin rights.

As for its TeleBots connection, GreyEnergy was detected in 2016 using an early version of the NotPetya worm. So far, GreyEnergy has focused on reconnaissance and data espionage, but this could be a precursor to blackout-type attacks conducted by its BlackEnergy birthright.

Breaking Down the APT Group’s Stealthy Tactics

GreyEnergy isn’t looking for attention. Instead, attackers are compromising public-facing web servers and deploying traditional spear phishing techniques to infect corporate systems and quietly get to work.

Both BlackEnergy and GreyEnergy rely on stealth deployments — that is, they only push malware modules to select targets, and only when required. In addition, the malware encrypts some files using Advanced Encryption Standard 256-bit encryption (AES-256) and leaves others running filelessly in memory to frustrate detection efforts.

The APT group is deploying internal command-and-control (C&C) proxies on victim networks to redirect traffic requests from infected hosts. As a result, defenders see devices communicating on internal networks when traffic is actually being rerouted to external servers.

Why You Should Test Your SCADA and ICS Systems

To avoid the threat posed by GreyEnergy and similar ICS-targeting ADP groups, security experts recommend consistently testing ICS and SCADA for vulnerabilities. While many companies are reluctant to risk critical system downtime with this kind of testing, minor outages are preferable to complete system compromise.

Security professionals should also monitor their environments for the indicators of compromise (IoCs) listed on IBM X-Force Exchange.

Source: We Live Security

More from

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read