This post was updated on August 5, 2019.
ESET, a provider of IT security software and services, recently publicly disclosed a new advanced persistent threat (APT) targeting the energy sector. Naming both the APT group and the malware GreyEnergy, ESET believes the malware is the successor to BlackEnergy, which brought down the power system for over 200,000 Ukrainians in December 2015.
Because of the significance of the malware – it is related to one of only a handful of successful attacks against industrial control systems – the Nozomi Networks Security Research team has begun an evaluation of it. Described below is what is known about the malware to date.
GreyEnergy is a Sophisticated ICS Advanced Persistent Threat
GreyEnergy is an Advanced Persistent Threat (APT) that has been actively targeting critical infrastructure for the past three years. As reported, it has been deployed against targets located in Ukraine and Poland, but it could focus on targets in other countries in the future.
The Nozomi Networks Security Team has collected the main components involved in GreyEnergy incidents to date, and here is what is known about the malware:
- An attack begins in one of two ways. The first is an email phishing campaign that sends Microsoft Word documents containing malicious code to people in the targeted organization. The second is a direct attack on the public-facing web servers of the targeted organization.
- After infection, it uses a modular architecture that starts with a basic backdoor, “GreyEnergy mini”, that executes without administrative privileges.
- It increases its own capabilities by retrieving new modules remotely.
- Every module manages a very specific task, such as collecting information about the system, grabbing screenshots, harvesting keystrokes, or interacting with the filesystem.
- The advantage of this architecture is that the threat actor can add new capabilities via the backdoor, depending on the compromised environment.
- GreyEnergy also creates a peer-to-peer network between the infected systems so that only a single node contacts the remote Command & Control server for updates. This is a stealthy tactic: with only one node contacting an external URL instead of many, the traffic is less likely to raise suspicion.
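A hunting heuristic for the single-node Command & Control pattern in the last bullet, as an added example that is not part of the original post and not Nozomi Networks' detection logic. It flags an internal host that is the only one contacting some external address while several internal peers, which never go outside themselves, connect to it. The flow-record format, the addresses and the `min_peers` threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst); not real telemetry.
# 10.10.0.0/24 stands in for the monitored network; external addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("10.10.0.21", "10.10.0.5"),
    ("10.10.0.22", "10.10.0.5"),
    ("10.10.0.23", "10.10.0.5"),
    ("10.10.0.5", "203.0.113.50"),   # only 10.10.0.5 contacts this address
    ("10.10.0.30", "198.51.100.7"),  # two hosts share this destination
    ("10.10.0.31", "198.51.100.7"),
    ("10.10.0.31", "10.10.0.30"),
]

def find_relay_candidates(flows, internal_cidr, min_peers=2, allowlist=()):
    """Return internal hosts that look like a lone gateway for quiet peers."""
    net = ipaddress.ip_network(internal_cidr)

    def is_internal(ip):
        return ipaddress.ip_address(ip) in net

    external_by_host = defaultdict(set)   # internal host -> external dsts
    hosts_by_external = defaultdict(set)  # external dst -> internal hosts
    inbound_peers = defaultdict(set)      # internal host -> internal clients

    for src, dst in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            inbound_peers[dst].add(src)
        else:
            external_by_host[src].add(dst)
            hosts_by_external[dst].add(src)

    candidates = []
    for host, dsts in external_by_host.items():
        if host in allowlist:
            continue  # known proxy or update server
        # External addresses that no other internal host contacts.
        sole = sorted(d for d in dsts if hosts_by_external[d] == {host})
        # Internal clients of this host with no external traffic of their own.
        quiet = sorted(p for p in inbound_peers[host]
                       if p not in external_by_host)
        if sole and len(quiet) >= min_peers:
            candidates.append({"host": host, "sole_destinations": sole,
                               "quiet_peers": quiet})
    return sorted(candidates, key=lambda c: c["host"])
```

Legitimate proxies and update servers have the same shape, so pass known ones in `allowlist` and triage whatever remains.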
To date, the GreyEnergy APT appears to have been used for espionage campaigns only, as it does not include any module capable of impacting industrial control systems.
However, it could evolve to include modules capable of damaging critical infrastructure systems. Furthermore, it could potentially target additional critical sectors, like the financial, government or media sectors in the future.
Protecting Your ICS from GreyEnergy
While GreyEnergy is not known to include an ICS attack module right now, it could have one in the future. And you don’t want it collecting information about your network and systems, whether for espionage or any other reason.
However, as several components of the GreyEnergy APT are now publicly available and detectable by security products, we can assume that the threat actors will be changing it. A new version is likely under development already, or even ready to be used.
If you are a Nozomi Networks customer, you have received new checks for GreyEnergy that were automatically pushed to Guardian. Thus, you will be alerted if GreyEnergy is present and can remediate. We will be releasing more details shortly.
In addition, our anomaly-based detection system is able to identify new unknown samples of the same APT family by monitoring for suspicious packets transmitted over the network. If such samples are found, you will be alerted and can take appropriate actions.
Our overall recommendations to keep your systems safe are:
- Train employees about the dangers of email phishing campaigns, including how to recognize malicious emails and attachments. Emphasize the importance of reporting every suspicious document to the security department.
- Keep all exposed servers up to date with the latest security patches.
And, most importantly, critical infrastructure networks should always be monitored with dedicated cyber security systems to proactively detect any threats present in the network.
Update February 2019
Since the publication of this blog, I conducted a research project into one of the infection methods of GreyEnergy. I investigated the phishing email that sends a malicious Microsoft Word document (maldoc) to targeted organizations.
The Research Paper below explains my reverse engineering of this aspect of the malware campaign, and describes the anti-analysis techniques used by GreyEnergy to conceal its true functionality.
Also linked to below are:
- Two subsequent blog articles on this topic
- GreyEnergy analysis tools that I developed to facilitate further analysis of this malware
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor
Comprehensive Reverse Engineering Analysis
Read this paper to learn:
- The high-level flow of the GreyEnergy phishing campaign
- How the malware disguises itself and its functionality
- How each stage of the malware works:
  - Stage 0 – Malicious Word Document
  - Stage 1 – Packer
  - Stage 2 – Dropper
- About two new tools for further GreyEnergy analysis