Researchers at cybersecurity firm Kaspersky Lab (Kaspersky) revealed that two apparently Russian-speaking threat actors used the same servers at the same time. GreyEnergy, which Kaspersky believes to be a successor of BlackEnergy, and the Sofacy cyberespionage group were sharing servers, each for its own purposes.
The two groups’ operations have “often led to devastating national level consequences,” according to the cybersecurity firm.
BlackEnergy is said to be responsible for the “most notorious cyberattack in history with its actions against Ukrainian energy facilities in 2015 that led to a massive power outage.” Sofacy has launched multiple attacks against US and European government organizations, as well as national security and intelligence agencies.
While the two groups have long been rumoured to be linked, there was no hard evidence of it until now. “GreyEnergy was found to be using malware to attack industrial and critical infrastructure targets mainly in Ukraine and demonstrated some strong architectural similarities with BlackEnergy,” Kaspersky explained in a media release.
Kaspersky Lab’s ICS CERT department, which researches and responds to threats against industrial systems, found two servers, hosted in Ukraine and Sweden, that were used by both threat actors at the same time in June 2018. GreyEnergy used the servers in a phishing campaign to host a malicious file, which was downloaded when the victim opened the text document attached to the phishing e-mail. At the same time, Sofacy used the same server as a command-and-control (C2) point for its own malware.
“The compromised infrastructure found to be shared by these two threat actors potentially points to the fact that the pair not only have the Russian language in common but that they also cooperate with each other,” said Maria Garnaeva, Security Researcher at Kaspersky Lab ICS CERT. “It also provides an idea of their joint capabilities and creates a better picture of their plausible goals and potential targets.”
Kaspersky believes that the shared servers may indicate that the two groups share infrastructure more broadly. The overlap did not stop there: Kaspersky said the two threat actors were observed “to target one company a week after each other with spear phishing emails.”
The strongest evidence of a link came when Kaspersky found that both groups used similar phishing documents disguised as e-mails from the Ministry of Energy of the Republic of Kazakhstan.
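The kind of correlation Kaspersky describes, concurrent use of the same server by two intrusion sets and the same organization being spear-phished a week apart, can be checked mechanically over an analyst’s own sightings. The following Python is an added example, not Kaspersky’s code or data: the actor names follow the article, but every server address (drawn from the RFC 5737 documentation ranges), organization name and date is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sighting:
    actor: str      # intrusion set the observation is attributed to
    kind: str       # "server" for infrastructure, "target" for a victim organization
    value: str      # hostname/IP for servers, organization name for targets
    first: date     # first day the activity was observed
    last: date      # last day the activity was observed
    role: str = ""  # how the actor used it (payload host, C2, spear phishing, ...)


def _by_actor(sightings, actor, kind):
    return [s for s in sightings if s.actor == actor and s.kind == kind]


def concurrent(a, b):
    """True if the two observation windows share at least one day."""
    return a.first <= b.last and b.first <= a.last


def shared_infrastructure(sightings, actor_a, actor_b):
    """Servers both actors used at the same time, with each actor's role on the box.

    A server both actors touched months apart is NOT reported: reuse of a
    box over time is weak evidence, concurrent use is the interesting case.
    """
    hits = []
    for sa in _by_actor(sightings, actor_a, "server"):
        for sb in _by_actor(sightings, actor_b, "server"):
            if sa.value == sb.value and concurrent(sa, sb):
                hits.append((sa.value, sa.role, sb.role))
    return sorted(hits)


def staggered_targets(sightings, actor_a, actor_b, max_gap_days=7):
    """Organizations both actors approached within max_gap_days of each other.

    Returns (target, gap in days, actor that moved first).
    """
    hits = []
    for sa in _by_actor(sightings, actor_a, "target"):
        for sb in _by_actor(sightings, actor_b, "target"):
            if sa.value != sb.value:
                continue
            gap = (sb.first - sa.first).days
            if abs(gap) <= max_gap_days:
                hits.append((sa.value, abs(gap), actor_a if gap >= 0 else actor_b))
    return sorted(hits)


# Constructed sample data (hypothetical, not real indicators).
SIGHTINGS = [
    # One server, two actors, overlapping windows: the pattern the article describes.
    Sighting("GreyEnergy", "server", "198.51.100.20", date(2018, 6, 4), date(2018, 6, 20), "phishing payload host"),
    Sighting("Sofacy", "server", "198.51.100.20", date(2018, 6, 11), date(2018, 6, 27), "C2"),
    # Same box reused months apart: should not be flagged as concurrent sharing.
    Sighting("GreyEnergy", "server", "203.0.113.7", date(2018, 1, 3), date(2018, 1, 30), "phishing payload host"),
    Sighting("Sofacy", "server", "203.0.113.7", date(2018, 5, 2), date(2018, 5, 20), "C2"),
    # Single-actor infrastructure: no overlap possible.
    Sighting("Sofacy", "server", "192.0.2.44", date(2018, 6, 1), date(2018, 6, 30), "C2"),
    # Same organization spear-phished by both actors a week apart.
    Sighting("GreyEnergy", "target", "Example Energy Co", date(2018, 6, 12), date(2018, 6, 12), "spear phishing"),
    Sighting("Sofacy", "target", "Example Energy Co", date(2018, 6, 19), date(2018, 6, 19), "spear phishing"),
    # Same organization, but 45 days apart: outside the window.
    Sighting("GreyEnergy", "target", "Example Ministry", date(2018, 3, 1), date(2018, 3, 1), "spear phishing"),
    Sighting("Sofacy", "target", "Example Ministry", date(2018, 4, 15), date(2018, 4, 15), "spear phishing"),
]


if __name__ == "__main__":
    for server, role_a, role_b in shared_infrastructure(SIGHTINGS, "GreyEnergy", "Sofacy"):
        print(f"shared server {server}: GreyEnergy={role_a}, Sofacy={role_b}")
    for target, gap, first in staggered_targets(SIGHTINGS, "GreyEnergy", "Sofacy"):
        print(f"shared target {target}: {gap} days apart, {first} first")
```

The time-window check is what separates a meaningful overlap from incidental reuse of bulletproof hosting; tightening `max_gap_days` or requiring that the roles differ (payload hosting versus C2, as in the article) are the obvious knobs when the sighting set is larger and noisier.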
“These findings add another important piece into public knowledge about GreyEnergy and Sofacy,” Garnaeva said. “The more the industry knows about their tactics, techniques, and procedures, the better security experts can do their job in protecting customers from sophisticated attacks.”
Kaspersky advised organizations to take the following precautions to protect themselves against similar attacks:
- Provide dedicated cybersecurity training for employees, teaching them to always check a link’s destination and the sender’s e-mail address before clicking anything.
- Introduce security awareness initiatives, including gamified training with skills assessments and reinforcement through the repetition of simulated phishing attacks.
- Automate updates of operating systems, application software and security products on systems in both the IT network and the enterprise’s industrial network.
- Deploy a dedicated protection solution with behaviour-based anti-phishing technologies, anti-targeted-attack technologies and threat intelligence.