GreyEnergy Malware Succeeds BlackEnergy

Recently, there have been reports by the security specialists and researchers at ESET about a new wave of malware attacks targeting important infrastructure mainly in Ukraine, but also in other countries (such as Poland) as well. The cyber-criminal organization responsible for the attacks is now known as GreyEnergy and there are strong implications and evidence that it is related to BlackEnergy – another infamous hacker group responsible for similar infrastructure attacks in Ukraine near the end of 2015.

ESET also reports that GreyEnergy might be linked to Telebots – another criminal hacker organization most famously (or should we say infamously) known for the NotPetya malware that used to target government security agencies in a number of Western countries. In turn, Telebots are said to be relate to the Industroyer malware campaign which was also centered in Ukraine and also targeted critical power grids. The main difference between GreyEnergy and the other cyber-attack campaigns is that the people behind the former seem to be very determined to stay under the radar, only targeting a small number of specific targets (mainly industrial control workstations in Ukraine and Poland that use the SCADA software) and trying to stay hidden.

Who are the people behind GreyEnergy?

Currently there is no concrete information about whether or not the hackers behind GreyEnergy are indeed behind any of the other aforementioned malware campaigns. Still, the most plausible version is that GreyEnergy is the successor of the BlackEnergy organization. Here are some of the many similarities between the two malware campaigns that the researchers at ESET have pointed out:

  • First and foremost, both of the malware forms use similar architecture and both of them are modular, first employing a mini-backdoor in order to gain Admin privileges and then going for the full backdoor.
  • The second similarity is that, in both malware campaigns, a Tor relay network to operate from remote servers so as to cover the tracks of the whole operation and keep the location of the original server unknown.
  • Another piece of evidence that points towards GreyEnergy being the successor of Black Energy is the fact that BlackEnergy attacks seem to have died off around the time GreyEnergy emerged.
  • Another similarity between the two cyber-attack groups is that both of them seem to have the same type of targets – infrastructure companies based in Eastern Europe countries such as Ukraine and Poland. It is even confirmed that at least one target of GreyEnergy had previously been attacked by BlackEnergy.

There’s even more evidence reported by ESET that the two malware campaigns might be conducted by the same people but we are not going to list all the similarities.

Infection methods

Currently, GreyEnergy has been said to employ two main methods of infecting its targets – phishing e-mails and tools such as PsExec, WinExe and Mimikatz, which are publicly available. Researchers advice the companies to employ multi-layered security/defense such as Endpoint Detection and Response, to keep their security software updated and to also keep full backups of all their data. It is also important for the employees to have sufficient computing and software security literacy as this is oftentimes one of the main exploitable “vulnerabilities” in the networks of a lot of companies.


Leave a Comment