
Hidden hacker group so far focused on Ukraine’s energy sector

Security company ESET has published research into a hitherto unknown hacker group, which it calls GreyEnergy. The group reportedly focuses mainly on Ukraine and takes an interest in the energy sector, possibly in preparation for an attack.

In a blog post and an accompanying whitepaper, ESET writes that it has indications that GreyEnergy is one of the successors of BlackEnergy, a group that was reportedly last active in 2015. That group was linked to the attack on the Ukrainian power grid that year, which left hundreds of thousands of people without electricity. After that attack the group reportedly split in two. ESET refers to one of those groups as TeleBots, although it has also been named Sandworm. The second, new group is GreyEnergy, and according to ESET the two groups work closely together. The difference is that GreyEnergy concentrates on espionage and reconnaissance, while TeleBots is believed to be responsible for attacks such as NotPetya, BadRabbit and Industroyer.

ESET first noticed GreyEnergy in 2015, when the group targeted an energy company in Poland. The group reportedly focuses mainly on Ukraine, however, particularly on energy companies, the transport sector and other 'high-value targets'. According to the Slovak security company, the group may be tasked with carrying out preparatory work for upcoming attacks. GreyEnergy uses phishing, sending targets a Word document containing malware. A second way into organizations is to compromise a web server and then attempt to move from there into the internal network.

In the phishing case, the Word document contains a macro that loads a small backdoor named GreyEnergy Mini. The document also fetches an external image, which lets the attackers see whether it has been opened. The backdoor then collects as much information as possible about the target system and sends it over HTTP or HTTPS to the GreyEnergy group's command-and-control server. Only then is the actual 'flagship' malware retrieved, which has a modular structure. This lets the attackers deploy whichever module is best suited to a specific goal.
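The two document-level indicators described above, an embedded VBA project and an externally hosted image used as an open-tracking beacon, can be checked without opening the file in Word, because a .docx/.docm is a zip package whose relationship files record every external target. The following is an added triage example, not code from ESET's research: it parses the package's .rels parts for image relationships with TargetMode="External" and looks for a vbaProject.bin part, and the sample document it inspects is constructed inline (the beacon URL is a placeholder).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def inspect_office_document(data: bytes) -> dict:
    """Return document indicators found in an OOXML (docx/docm) package.

    has_macro:       a VBA project part (vbaProject.bin) is embedded
    external_images: image relationships fetched from a URL at open time,
                     i.e. the remote-image "was it opened?" beacon pattern
    """
    result = {"has_macro": False, "external_images": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                result["has_macro"] = True
            elif name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if (rel.get("Type") == IMAGE_REL
                            and rel.get("TargetMode") == "External"):
                        result["external_images"].append(rel.get("Target"))
    return result


def is_suspicious(report: dict) -> bool:
    """Macro plus remote-image beacon in one document is the combination worth triage."""
    return report["has_macro"] and bool(report["external_images"])


def build_sample_document() -> bytes:
    """Constructed sample (not a real GreyEnergy lure): a minimal package with
    a VBA part and one externally linked image, enough to exercise the checks."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{IMAGE_REL}" '
        'Target="http://beacon.invalid/pixel.png" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()
```

Running `is_suspicious(inspect_office_document(build_sample_document()))` on the constructed package returns True; on mail-gateway samples the same two checks give a cheap first filter before sandboxing.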

Figure: GreyEnergy modules (the modules and their function)
ESET notes that one of the samples of this malware it collected was signed with a certificate stolen from the Taiwanese company Advantech, a maker of industrial equipment; in that respect GreyEnergy follows in the footsteps of Stuxnet. The malware also reportedly contains measures to complicate analysis.

The security company offers no attribution in its analysis, so it makes no statement about which country might be behind GreyEnergy. BlackEnergy, or Sandworm, has in the past been linked to Russia, including by Germany. The British government, among others, has attributed Sandworm to the Russian military intelligence service GRU. ESET recently published research linking Industroyer and NotPetya.

Figure: GreyEnergy methods (schematic representation of GreyEnergy methods)
