The investigation of the network of hackers generally associated with the seminal 2015 cyberattack on the Ukrainian power grid continues. A researcher has reverse-engineered malware used by a subgroup of those attackers and found “massive amounts of junk code” meant to throw analysts off the trace.
“The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed,” Alessandro Di Pinto, a researcher at industrial cybersecurity company Nozomi Networks, wrote in a paper published Tuesday.
The malware Di Pinto analyzed is the handiwork of GreyEnergy, a likely derivative of the hacking group known as BlackEnergy, which Western governments have attributed to Russian military intelligence. (Both the groups and the malware they deployed have been referred to as BlackEnergy and GreyEnergy.)
BlackEnergy was behind the first known cyberattack to cause a blackout when 225,000 people lost power in Ukraine in 2015. After Slovak cybersecurity company ESET unmasked GreyEnergy last October, Di Pinto rolled up his sleeves and started analyzing one of the group’s phishing lures.
The email examined by Di Pinto had a malicious Microsoft Word document that planted a backdoor, or remote-access portal, on a victim’s network. After opening the Word document and clicking “enable content,” malicious code is downloaded remotely, according to Di Pinto. The download was a “packer” – or a bundle of program-running files used by the hackers to hide their malware.
While Di Pinto said GreyEnergy was clever in the tactics and tools it employed, the infection vector — a phishing email — is anything but complicated.
“Based on how well the malware disguises itself once it infects a system, the best way for industrial organizations to protect themselves from the GreyEnergy APT is to train employees on the dangers of email phishing campaigns, including how to recognize malicious emails and attachments,” Di Pinto wrote.
Analysts have yet to identify iterations of GreyEnergy that specifically target industrial control systems (ICS). However, Di Pinto notes that hackers scoping industrial organizations often breach IT systems to do reconnaissance on the ICS.
“GreyEnergy has the potential to impact critical sectors beyond industrial infrastructure, such as the financial services sector, making understanding it important,” he wrote.
His work shows that while attackers can be very persistent, so, too, are the analysts tracking them.