Greyenergy: The Latest Advanced Persistent Threat to ICS Security

Luca Barba | October 23, 2018
Last week, researchers from ESET, the firm that first attributed the 2015 Ukraine attack to BlackEnergy, released a report analyzing an Advanced Persistent Threat (APT) group called GreyEnergy which they consider the successor of BlackEnergy. These researchers’ analysis of the previously undocumented malware shows it has been used in targeted attacks against energy companies and other critical infrastructure organizations in Central and Eastern Europe.
Courtesy: ESET
This Advanced Persistent Threat group has not been documented until now. The adversaries behind GreyEnergy have hidden their activity, focusing on reconnaissance, possibly in preparation for future cyber security attacks or laying the groundwork for an operation run by another group.
GreyEnergy is a Sophisticated Cyber Security Threat
GreyEnergy uses two main infection vectors. One is compromising public-facing web servers connected to an internal network and the other is spear phishing emails with malicious attachments. Once initial network mapping has been accomplished, the attackers then deploy the main malware and, often, several internal C&C proxies within the victims’ networks to redirect requests from infected nodes inside the network to an external C&C server on the internet.
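The internal C&C proxy layout described above leaves a recognisable footprint in flow records: one internal host receives connections from several other internal hosts on a single port and is the only one of them that then talks to an external address. The following is an added example, not ESET's or SilentDefense's code, of how a defender can learn a whitelist of known flows and then flag both previously unseen cross-network flows and hosts that look like internal relays. The internal address ranges, the flow records and the external address (a TEST-NET-3 documentation address) are all constructed for the example.

```python
"""Baseline-and-anomaly detection for cross-network flows (added example).

Two checks: (1) report flows that were not seen during a learning window,
with internal -> external ones first, since those are where C&C beaconing
shows up; (2) report internal hosts that receive connections from several
internal peers on one port AND originate connections to the Internet, the
shape of an internal C&C proxy. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical internal ranges for the plant network (assumption, not from the article).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def learn_baseline(flows):
    """Whitelist of (src, dst, dport, proto) tuples observed during the learning window."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def unseen_flows(baseline, flows):
    """Flows absent from the whitelist; internal -> external ones are sorted first."""
    new = [f for f in flows if (f.src, f.dst, f.dport, f.proto) not in baseline]
    return sorted(new, key=lambda f: not (is_internal(f.src) and not is_internal(f.dst)))


def find_relay_candidates(flows, min_fan_in=3):
    """Internal hosts with >= min_fan_in distinct internal sources on one port
    that also connect to at least one external address."""
    fan_in = defaultdict(set)    # (host, dport) -> internal sources seen
    outbound = defaultdict(set)  # host -> external destinations seen
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            fan_in[(f.dst, f.dport)].add(f.src)
        elif is_internal(f.src) and not is_internal(f.dst):
            outbound[f.src].add(f.dst)
    candidates = {}
    for (host, port), srcs in fan_in.items():
        if len(srcs) >= min_fan_in and outbound.get(host):
            candidates[host] = {"port": port,
                                "internal_peers": sorted(srcs),
                                "external_peers": sorted(outbound[host])}
    return candidates


# Constructed learning-window traffic: Modbus/TCP polling and a historian push.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 502, "tcp"),
    Flow("10.0.1.11", "10.0.2.20", 502, "tcp"),
    Flow("10.0.1.10", "10.0.3.5", 1433, "tcp"),
]

# Constructed detection-window traffic: the baseline plus a relay pattern.
LIVE_FLOWS = BASELINE_FLOWS + [
    Flow("10.0.1.10", "10.0.5.50", 8443, "tcp"),
    Flow("10.0.1.11", "10.0.5.50", 8443, "tcp"),
    Flow("10.0.2.20", "10.0.5.50", 8443, "tcp"),
    Flow("10.0.5.50", "203.0.113.7", 443, "tcp"),  # constructed external address
]


def run_detection():
    baseline = learn_baseline(BASELINE_FLOWS)
    return unseen_flows(baseline, LIVE_FLOWS), find_relay_candidates(LIVE_FLOWS)


if __name__ == "__main__":
    new, relays = run_detection()
    for f in new:
        print("unseen flow:", f)
    for host, info in relays.items():
        print("possible internal C&C proxy:", host, info)
```

The fan-in threshold and the internal ranges are the two knobs to tune per site; on a real OT network, jump hosts and historians legitimately show fan-in, so the relay check is a triage signal to be confirmed against the asset inventory, not a verdict on its own.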
GreyEnergy utilizes more modern techniques than its predecessor, BlackEnergy. The malware has been built as a modular framework that can adjust to different target infrastructures. Each module, including the main GreyEnergy module, accepts text commands with various parameters. The authors have created several attack modules almost completely devoted to reconnaissance and information collection.
Module name | Purpose
remoteprocessexec | Injects a PE binary into a remote process
info | Collects information about system, event logs, SHA-256 of malware
file | File system operations
sshot | Grabs screenshots
keylogger | Harvests pressed key strokes
passwords | Collects saved passwords from various applications
mimikatz | Mimikatz software used to collect Windows credentials
plink | Plink software used to create SSH tunnels
3proxy | 3proxy software used to create proxies
Courtesy: ESET
Because of its modular structure, the malware carries many pieces of code that it could execute. The operators select the module best suited to a given target and run only that module there. It has the same modular format as BlackEnergy, but the difference is that it systematically and methodically determines the best module for the job. AES-256 encryption has been identified in the code, used to hide the payload from common static detection methods.
While some of the attacks utilize files to compromise and infect a host, most of the attacks are fileless, running only in memory. Fileless execution has been used in the wild to evade static analysis of files stored on disk. Valid signed digital certificates were also identified in several samples; these were likely stolen from a Taiwanese company that produces ICS and IoT equipment. Together, these techniques give the malware the best chance of surviving long enough to complete its goal.
At this stage, GreyEnergy does not usually incorporate any module capable of affecting industrial control systems (ICS). However, the operators of this malware have, on at least one occasion, deployed a disk-wiping component to disrupt operating processes in the affected organization and cover their tracks, and it would be rather simple for skilled attackers to expand the current code base and develop such a module.
It has also been observed that the GreyEnergy operators are regularly targeting ICS control workstations running SCADA software and servers.
So, What Does This Mean for Your ICS Security Efforts?
This malware was clearly created by a sophisticated Advanced Persistent Threat group, and the cyber attacks that took place in Eastern Europe demonstrate that, despite the attribution debate, the threat is real. Its advanced stealth characteristics mean that the malware could be repacked or modified by different actors and used against other organizations. However, as the malware does not seem to contain any exploitation of previously known or unknown vulnerabilities to propagate, attackers will need to find a way into an organization’s infrastructure to deploy and run the malicious code.
Asset owners should not underestimate the risk of being attacked. Behavioral analysis techniques and network monitoring solutions can support malware detection efforts by identifying the early stages of an attack.
Effective GreyEnergy Malware Detection with SilentDefense
As suggested by the report, the use of behavioral analysis techniques is crucial to identify precursor and attack activity and effectively mitigate any potential damage. In the case of GreyEnergy, SilentDefense’s malware detection can identify several malicious activities and speed up incident response.
Here is a basic mapping between SilentDefense’s features and how they can help protect ICS networks from GreyEnergy:
SilentDefense Capability | What It Does | How It Helps with GreyEnergy
Network Map | Provides quick visualization of the network infrastructure and points to external IP addresses in a graphical way. | It is an effective tool for checking cross-network flows and would detect if the malware attempts to connect to the Internet and contact a C&C server and/or if it installs a backdoor to communicate with the C&C server.
Automated Network Analysis & Whitelisting | Detects previously unseen communications using automated network whitelisting engines. | The malware can install multiple internal C&C proxies to make it difficult to track the origin and destination of the external communication.
Industrial Threat Library | Features a specific check to detect communications between the industrial network and known IP addresses, such as C&C servers. | Context is everything for analysis and response. The ITL provides context to external communications to quickly recognize advanced threats.
Threat Intelligence Ingestion (New in 3.13 update) | SilentDefense 3.13 supports centralized updates and distribution of selected threat intel and Indicators of Compromise (IoCs) in Structured Threat Information eXpression (STIX) format. | These continuous updates of the SilentDefense intelligence base provide quick and effective detection capability. SecurityMatters' ICS specialists have already developed a threat package for GreyEnergy.
Forensic Time Machine (New in 3.13 update) | After ingesting new intelligence, SilentDefense can search its network logs to determine whether these new IoCs were seen on the ICS network over the past 3 months. | This feature allows customers to rapidly and automatically conduct threat analysis and implement continuous security policy improvement.
SilentDefense’s behavioral analysis engines automatically create an inventory of active network assets and cross-network flows, detect exploitation attempts and cyber attacks, and identify existing and emerging security threats in the network. This, combined with the new 3.13 advanced threat detection capabilities, makes it the ideal tool to improve an ICS asset owner’s cyber security posture.
SilentDefense Forensic Time Machine Capability
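The two 3.13 features in the table, STIX ingestion and retrospective search of stored network logs, can be illustrated end to end. The following is an added example, not SilentDefense or SecurityMatters code: it reads a constructed STIX 2.1 bundle, pulls IPv4, domain and SHA-256 values out of the indicator patterns, and replays them against constructed connection-log lines from a 90-day lookback window (the article's "past 3 months"). The STIX object ids, the indicator values (documentation addresses and an all-zero hash) and the log format are placeholders invented for the example, not GreyEnergy IoCs.

```python
"""STIX indicator ingestion plus retrospective IoC search (added example).

Handles the single-comparison STIX pattern form, e.g.
[ipv4-addr:value = '...']; real feeds also carry compound patterns, which
this small extractor deliberately ignores rather than mis-parse.
All indicators, ids and log lines are constructed placeholders.
"""
import json
import re
from datetime import datetime, timedelta, timezone

_PATTERN_RE = re.compile(
    r"\[(ipv4-addr:value|domain-name:value|file:hashes\.'SHA-256')\s*=\s*'([^']+)'\]"
)
STIX_TYPE_TO_IOC = {"ipv4-addr:value": "ip",
                    "domain-name:value": "domain",
                    "file:hashes.'SHA-256'": "sha256"}

# Constructed STIX 2.1 bundle; ids are placeholder UUIDs, values are documentation-range.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "placeholder C2 address", "valid_from": "2018-10-17T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "placeholder proxy domain", "valid_from": "2018-10-17T00:00:00Z",
         "pattern": "[domain-name:value = 'update.example.net']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "placeholder sample hash", "valid_from": "2018-10-17T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"},
    ],
})

# Constructed connection log: "<ISO time> <src> -> <dst>:<port> <proto> [dns=<name>]".
SAMPLE_LOG = """\
2018-07-01T09:00:00Z 10.0.1.10 -> 10.0.2.20:502 tcp
2018-09-30T22:15:03Z 10.0.5.50 -> 203.0.113.7:443 tcp
2018-10-02T03:41:10Z 10.0.5.50 -> 203.0.113.7:443 tcp dns=update.example.net
2018-10-20T11:00:00Z 10.0.1.11 -> 10.0.3.5:1433 tcp
"""
_LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)(?: dns=(\S+))?$")


def extract_iocs(bundle_json: str):
    """Return {'ip': set, 'domain': set, 'sha256': set} from indicator patterns."""
    iocs = {"ip": set(), "domain": set(), "sha256": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for stix_type, value in _PATTERN_RE.findall(obj.get("pattern", "")):
            iocs[STIX_TYPE_TO_IOC[stix_type]].add(value.lower())
    return iocs


def parse_log(text: str):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport, proto, dns = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": when, "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "dns": dns})
    return records


def retro_search(records, iocs, now, lookback_days=90):
    """Records inside the lookback window that touch any ingested IoC."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for r in records:
        if r["ts"] < cutoff:
            continue
        matched = []
        for addr in (r["dst"], r["src"]):
            if addr in iocs["ip"]:
                matched.append(("ip", addr))
        if r["dns"] and r["dns"].lower() in iocs["domain"]:
            matched.append(("domain", r["dns"].lower()))
        if matched:
            hits.append((r, matched))
    return hits


def run(now=datetime(2018, 10, 23, tzinfo=timezone.utc)):
    """Ingest the bundle and search the stored log as of the given date."""
    return retro_search(parse_log(SAMPLE_LOG), extract_iocs(SAMPLE_BUNDLE), now)


if __name__ == "__main__":
    for record, matched in run():
        print(record["ts"].isoformat(), record["src"], "->", record["dst"], matched)
```

The value of the retrospective pass is the first hit: the contact with the placeholder C&C address on 30 September predates the indicator's valid_from date, so a purely forward-looking check would never have raised it. The 1 July line falls outside the 90-day window and is ignored by design; extend lookback_days if the retained log history allows.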
Our innovative team of ICS security specialists has prepared a demo specifically on GreyEnergy using actual traffic and is ready to share it with you.