Delaware, USA – October 18, 2018 – The GreyEnergy APT group conducts cyber espionage and reconnaissance operations, preparing the ground for further destructive attacks. Researchers from ESET believe that the group emerged when BlackEnergy split into two groups with different tasks: GreyEnergy and TeleBots. The APT group uses its own malware framework, similar in functionality and structure to the BlackEnergy malware, to infect industrial control system workstations running SCADA software, as well as servers. One of the discovered samples was signed with a digital certificate stolen from a Taiwanese company specializing in industrial equipment. The GreyEnergy malware framework is modular: in each operation, after the initial infection, it loads only the modules needed to complete the task, so researchers expect further modules to surface. The detected samples allow adversaries to spy on users and steal their data, and give full access to the infected system. In at least one of the operations, a disk-wiping module was used to hide the traces of the group’s activity.
For initial infection, the attackers use two vectors: highly targeted phishing emails and the compromise of the attacked organization’s web resources – if the web server is connected to the organization’s internal network, the adversaries move laterally from it to other systems. It is also worth noting that they deploy internal C&C proxies to reduce the volume of suspicious outbound traffic and remain undetected. To uncover attacks on your web servers, you can use the Web Application Security Framework from Threat Detection Marketplace: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight