Researchers from ESET yesterday exposed a previously undisclosed threat group that descended from TeleBots, the APT group known for launching the BlackEnergy trojan and NotPetya attacks against Ukraine in recent years.

Dubbed GreyEnergy, the actor is comparable to the BlackEnergy group (which later changed strategies and became known as TeleBots or Sandworm) in that it heavily targets the energy sector and critical infrastructure in Ukraine. But it operates more stealthily, focusing on espionage and reconnaissance operations while using a more modern toolset than its predecessor. It also has a more expansive reach, notably targeting Poland, as well as showing interest in non-energy business sectors, including transportation.

In a company blog post and a corresponding research report, ESET notes that GreyEnergy malware also has a modular design and command-and-control architecture that is highly similar to the BlackEnergy malware that was prominently used in a December 2015 attack against the Ukrainian energy grid, causing widespread blackouts. In fact, ESET says it was around the time of this historic attack that its researchers first detected the GreyEnergy malware framework as an offshoot of BlackEnergy.

“Although ESET telemetry data shows GreyEnergy malware activity over the last three years, this APT group has not been documented until now,” write ESET researchers Anton Cherepanov and Robert Lipovsky in the blog post. “This is probably due to the fact that those activities haven’t been destructive in nature… Instead, the threat actors behind GreyEnergy have tried to stay under the radar… quite possibly in preparation of future cybersabotage attacks or laying the groundwork for an operation run by some other APT group.”

This “other” APT group could very well be TeleBots, a reputed Russian actor whose m.o. typically involves cyber-based sabotage operations, including past attacks against the Ukrainian financial sector and the notorious 2017 global NotPetya disk wiper attack that was disguised to look like a ransomware incident. Just one week ago, ESET also disclosed evidence linking TeleBots to the Industroyer industrial control systems malware that caused a second major blackout in Ukraine.

ESET believes that the TeleBots group closely collaborates with GreyEnergy. Indeed, further investigation revealed that GreyEnergy in December 2016 deployed a malware program that looks to be an early version of NotPetya. The researchers refer to the strikingly similar code as Moonraker Petya.

Modules for GreyEnergy malware reportedly include ones that create backdoors, extract files, take screenshots, perform keylogging and steal credentials. To help maintain a low profile, these modules are individually selected and pushed out on a case-by-case basis depending on who the infected victim is — a strategy shared in the past by BlackEnergy.

Despite the group’s interest in critical infrastructure, there are no observed modules that actively target Industrial Control Systems (ICS). “We have, however, observed that the GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers, which tend to be mission-critical systems never meant to go offline except for periodic maintenance,” the blog post states.

Typically, victims are infected in one of two ways — through spear phishing campaigns or via the compromise of public-facing web servers. When victims are infected, the actors often deploy internal command-and-control proxies on their networks, allowing them to secretly redirect internal server requests to external malicious servers.

Victims are initially infected with a first-stage backdoor called GreyEnergy mini or FELIXROOT, which gives the perpetrators the ability to map out the network and steal passwords necessary to obtain the administrative privileges that GreyEnergy requires to operate properly.

This paves the way for the main GreyEnergy payload, which according to ESET is deployed primarily on “servers with high uptime” and “workstations used to control ICS environments.” Depending on the host environment the attackers plan to infect, malware comes either in memory-only mode or a persistence mode that utilizes the ServiceDLL registry key.
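The ServiceDLL persistence mode described above leaves a trace that a defender can enumerate on a host: a service whose `Parameters\ServiceDll` value points at a DLL that is unsigned, missing, or living somewhere other than the Windows directory. The PowerShell snippet below is an added example, not code from ESET or from the research report; it assumes an elevated prompt on the Windows host being examined and uses only standard cmdlets (`Get-ChildItem`, `Get-ItemProperty`, `Get-AuthenticodeSignature`). It covers only the persistence mode; the memory-only mode writes no such key.

```powershell
# Added example (not ESET's code): list every Windows service that loads a
# ServiceDll and flag the ones that merit a closer look. Run elevated.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = [Environment]::GetFolderPath('Windows')   # e.g. C:\Windows

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # Only services hosted by svchost carry a Parameters\ServiceDll value.
    $paramsKey = Join-Path $svc.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # The value is usually REG_EXPAND_SZ; resolve %SystemRoot% and friends.
    $path = [Environment]::ExpandEnvironmentVariables($dll)

    # Authenticode status of the DLL on disk, or a marker if the file is gone.
    $signature = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        'FileMissing'
    }

    [PSCustomObject]@{
        Service       = $svc.PSChildName
        ServiceDll    = $path
        Signature     = $signature
        OutsideWinDir = -not $path.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Surface unsigned/missing DLLs and DLLs outside the Windows directory first.
$findings |
    Where-Object { $_.Signature -ne 'Valid' -or $_.OutsideWinDir } |
    Sort-Object Service |
    Format-Table -AutoSize
```

A `Valid` signature alone does not clear an entry: the article notes a sample signed with a certificate believed stolen from an ICS equipment vendor, so the signer name on each flagged DLL should be compared against a known-good baseline of the host rather than trusted on its own.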

One observed GreyEnergy sample was even signed with a valid digital certificate researchers believe was stolen from a Taiwanese manufacturer of ICS equipment – a tactic that ESET said is out of the Stuxnet playbook.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit,” the ESET blog post concludes. “The transition from BlackEnergy to GreyEnergy happened at the end of 2015 — perhaps because the attackers needed to update their malware toolset when the BlackEnergy framework became the center of attention after it was used in the attack against the Ukrainian power grid that year.”