Multiple groups of suspected Russian hackers have a relationship with one another that includes sharing attack infrastructure and hacking techniques, according to new research.
The Moscow-based security vendor Kaspersky Lab on Thursday released findings tying the espionage group GreyEnergy to Zebrocy. Zebrocy is the name researchers have given to a group affiliated with the suspected Russian military hackers known as Sofacy (also Fancy Bear or APT28), the alleged perpetrator of the 2016 hack of the Democratic National Committee.
Both groups used the same command-and-control servers (the infrastructure that lets hackers maintain communications with compromised machines) to target the same organization at almost the same time, according to Kaspersky. Within a single week, they also sent similar phishing emails disguised as messages from the Ministry of the Republic of Kazakhstan.
Our research confirms #GreyEnergy and #Zebrocy shared the C2 server infrastructure and both targeted the same organization almost at the same time. It confirms the existence of a relationship between these threat actors: https://t.co/hy5FHCftqm
— Eugene Kaspersky (@e_kaspersky) January 24, 2019
Only broad details about both groups are publicly known. While U.S. officials regularly allege that Kaspersky Lab products could be a conduit for Russian espionage — something the company vigorously denies — the company continues to do highly respected research on suspected Russia-based threats.
GreyEnergy descends from BlackEnergy, a malware toolkit best known for its role in a December 2015 cyberattack on Ukrainian power distribution companies that cut electricity to some 230,000 people.
That attack was a “brilliant” example of a well-coordinated reconnaissance effort, followed by different phases of the operation carried out by other teams, researchers told Wired in 2016. Cybercriminals may have first infiltrated the power companies’ networks, then handed that access to nation-state hackers to deliver the final assault, according to Wired.
Similarly, GreyEnergy has focused its espionage efforts on energy companies in Ukraine and Poland, the security company ESET said in October.
“GreyEnergy is an important part of the arsenal of one of the most dangerous [advanced persistent threat] groups that has been terrorizing Ukraine for the past several years,” researchers said. “[W]e consider it to be the successor of the BlackEnergy toolkit.”
Now, GreyEnergy appears to be joining forces with a contingent of the Sofacy group. At least one alleged member of the Sofacy group, Lt. Capt. Nikolay Yuryevich Kozachek, was indicted last year by a federal grand jury in Robert Mueller’s investigation. Kozachek allegedly “used a variety of monikers” when he “developed, customized, and monitored X-Agent malware used to hack the DCCC and DNC networks.”