Hackers with alleged ties to Russia have infected three companies in Eastern Europe with sophisticated malware, a cybersecurity firm revealed on Wednesday.
Researchers at ESET say they have uncovered a new cyber espionage group named GreyEnergy, which allegedly infected three unidentified energy and transport companies in Ukraine and Poland. The firm warns that this activity could be an early indicator that the hacking group is preparing to launch more damaging attacks in the future.
GreyEnergy, according to ESET, is the successor to another advanced persistent threat (APT) group known as BlackEnergy, which it says caused serious damage to Ukraine's critical infrastructure in 2015.
Although ESET, a Slovakia-based firm, does not attribute GreyEnergy's activities to any nation-state, the United Kingdom, along with cybersecurity firms such as FireEye and iSight, has tied the attacks on Ukraine's power grid to Russian hacking groups.
Britain's National Cyber Security Centre (NCSC) earlier this month released a dozen different aliases for a Russian intelligence hacking group it linked to aggressive cyber operations against Ukraine. Those names include Fancy Bear, Sandworm and BlackEnergy. Russia has denied any involvement in the attacks against its Western neighbor.
The NCSC attribution comes as the U.K. ramps up pressure against Russia for carrying out a nerve agent attack against Sergei Skripal and his daughter in Salisbury.
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens," U.K. foreign secretary Jeremy Hunt said in a statement earlier this month.
“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”
ESET first detected GreyEnergy activity in 2015, around the time BlackEnergy caused the first-ever blackout triggered by a cyberattack in Ukraine by targeting its energy grid. The firm notes that GreyEnergy has exhibited a "more modern toolkit with an even greater focus on stealth" than BlackEnergy.
"Around the time of that breakthrough incident, when around 230,000 people were left without electricity, we started detecting another malware framework and named it GreyEnergy," the firm wrote in a blog post. "It has since been used to attack energy companies and other high-value targets in Ukraine and Poland for the past three years."
ESET said that, despite first detecting GreyEnergy activity in 2015, the group has largely evaded detection, in part because it has not launched any destructive attacks.
"[T]he threat actors behind GreyEnergy have tried to stay under the radar, focusing on espionage and reconnaissance, quite possibly in preparation of future cybersabotage attacks or laying the groundwork for an operation run by some other APT group," the blog reads.
"To cover their tracks, typically, GreyEnergy’s operators securely wipe the malware components from the victims’ hard drives."
GreyEnergy infects computer systems through spear-phishing attacks (emails containing malicious links or attachments) or by compromising public-facing servers on the internet. Once they gain access to the target's network, the hackers begin gathering sensitive information, such as passwords and login credentials, and extracting files, according to ESET.
The firm noticed similarities between GreyEnergy's and BlackEnergy's code, including "strong architectural similarities between the malware frameworks," their use of remote command-and-control infrastructure, and a shared victim that both groups targeted. ESET also notes that the "appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy."
While ESET has not observed any GreyEnergy modules that specifically target industrial control systems (ICS), as BlackEnergy did, it has seen GreyEnergy operators targeting ICS control workstations that run supervisory control and data acquisition (SCADA) software.
Ukraine has also blamed Moscow for targeting the nation with damaging cyberattacks.