GreyEnergy industrial attacks found to begin with phishing emails

The advanced persistent threat (APT) group GreyEnergy has been a thorn in the side of the Eastern European industrial sector for many years. In Ukraine and Poland especially, GreyEnergy has wreaked havoc on various industrial control system (ICS) components while keeping its attacks stealthy. GreyEnergy's ability to avoid detection is linked to the way its malware is programmed, and its delivery method is phishing email.

These two facts were unknown for quite some time, but thanks to research from Nozomi Networks, the mystery behind GreyEnergy is slowly unraveling. In a blog post on Nozomi’s website, researcher Alessandro Di Pinto outlines how GreyEnergy social engineers their way into ICS networks and also how their malware is able to cause so much damage without detection.

As mentioned above, the malware is delivered by phishing emails, specifically emails carrying documents that contain macros. The documents themselves are written in Ukrainian (and likely other languages) and prompt the user to enable content. Should the victim do so, a familiar chain of events follows: the malicious content is activated and begins infiltrating the network.
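Because the delivery vehicle described above is a macro-enabled Office document, one defensive check a mail gateway or triage script can apply is to flag attachments that carry VBA before a user ever sees the "enable content" prompt. The following is an added example, not code from the article or from Nozomi Networks; it assumes modern OOXML (zip-based) documents, and the two sample attachments are constructed in memory for demonstration rather than taken from any real GreyEnergy sample.

```python
"""Flag Office attachments that carry VBA macros (detection-side check).

Added example; not from the article or Nozomi Networks. Assumes OOXML (zip-based)
documents. The sample files below are constructed in memory and are not real Word files.
"""
import io
import zipfile

# Content types Office assigns to macro-enabled parts in an OOXML package.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}


def inspect_office_attachment(data: bytes) -> dict:
    """Return findings for one attachment: is it OOXML, and does it show macro indicators?"""
    result = {"ooxml": False, "vba_project": False, "macro_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip package: legacy .doc/.xls (OLE2) or something else entirely.
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["ooxml"] = True
    # vbaProject.bin is the OLE container that stores VBA code inside an OOXML file.
    result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    content_types = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    result["macro_content_type"] = any(ct in content_types for ct in MACRO_CONTENT_TYPES)
    return result


def should_quarantine(data: bytes) -> bool:
    """Policy decision: hold any attachment that shows either macro indicator."""
    r = inspect_office_attachment(data)
    return r["vba_project"] or r["macro_content_type"]


def _build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like package for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = (
            "application/vnd.ms-word.document.macroEnabled.main+xml"
            if with_macro
            else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        )
        ct = ('<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
              f'ContentType="{main_ct}"/>')
        if with_macro:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for an OLE container; no VBA inside.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


SAMPLE_CLEAN = _build_sample(False)   # constructed: .docx-style package, no macros
SAMPLE_MACRO = _build_sample(True)    # constructed: .docm-style package with vbaProject.bin

if __name__ == "__main__":
    for label, blob in (("clean.docx", SAMPLE_CLEAN), ("invoice.docm", SAMPLE_MACRO)):
        verdict = "quarantine" if should_quarantine(blob) else "pass"
        print(label, inspect_office_attachment(blob), verdict)
```

Both indicators are checked on purpose: a renamed file extension does not change the package contents, and checking the content-type manifest alongside the part name catches a package where one of the two has been tampered with. Legacy binary formats and non-zip attachments fall through as "not OOXML" and should be handled by a separate OLE2 parser rather than treated as clean.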

What sets the GreyEnergy attacks apart from other phishing schemes, according to Di Pinto, is the brilliant way that their malware is coded. He explains this point as follows:

Having completed my analysis, it's evident that the GreyEnergy packer does a great job of slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were wisely selected. For example, the threat actor chose to implement custom algorithms that are not too difficult to defeat, but they are hard enough to protect the malicious payload. Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underlines the attacker's attempt to stay stealthy and have the infection go unnoticed.

The detailed report is worth a read, especially for those involved in ICS security. Given how heavily Ukraine has been impacted by the GreyEnergy attacks, security experts in that nation should make this research top-priority reading.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
