GreyEnergy industrial attacks found to begin with phishing emails

The advanced persistent threat (APT) group GreyEnergy has been a thorn in the side of the Eastern European industrial sector for many years. Especially for the nations of Ukraine and Poland, GreyEnergy has wreaked havoc on various elements of ICS in such a manner that allowed for stealth attacks. The ability for GreyEnergy to avoid detection is linked to the way they program their malware, and the delivery method is via phishing emails.

These two facts were unknown for quite some time, but thanks to research from Nozomi Networks, the mystery behind GreyEnergy is slowly unraveling. In a blog post on Nozomi’s website, researcher Alessandro Di Pinto outlines how GreyEnergy social engineers their way into ICS networks and also how their malware is able to cause so much damage without detection.

As mentioned before, GreyEnergy phishing emails deliver the malware, specifically phishing emails with documents that contain macros. The documents themselves are written in Ukrainian (and likely other languages), and prompt the user to enable content. Should the user/victim do this, a familiar chain of events occurs, namely the fact that the malicious content is activated and begins infiltrating the network.

What sets the GreyEnergy attacks apart from other phishing schemes, according to Di Pinto, is the brilliant way that their malware is coded. He explains this point as follows:

Having completed my analysis, it’s evident that the GreyEnergy packer does a great job of slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were wisely selected. For example, the threat actor chose to implement custom algorithms that are not too difficult to defeat, but they are hard enough to protect the malicious payload. Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underline the attacker’s attempt to stay stealthy and have the infection go unnoticed.

The detailed report is worth a read, especially for those involved in ICS security. With how heavily Ukraine has been impacted by the GreyEnergy attacks, security experts in that nation should make this research a top priority reading.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Exchange Server log files growth and inadequate disk space allocation

When it comes to Exchange, if you build it, it will grow. Exchange Server log file growth can fill up…

2 hours ago

Hold the phone! Voice communication is becoming cool again

Business telephone conversations have largely been supplanted by email. But voice communication is far from dead — and it may…

5 hours ago

What are the potential disadvantages of SSL/TLS?

There’s wide consensus on the benefits of SSL/TLS. However, not as much attention has been given to SSL/TLS disadvantages.

3 days ago

Exploring native software inventory logging in Windows Server

Windows Server has built-software inventory logging that can be very useful. Here’s how to use this little-known feature.

3 days ago

Passwordless authentication: Safer, better, and about time

Passwordless authentication has quickly become one of the primary means by which users access their laptops, phones, and tablets because…

3 days ago

Automated Incident Response in Office 365 ATP simplifies cybersecurity

Microsoft has pumped up Office 365 Advanced Threat Protection with a new feature, Automated Incident Response. Here’s what you need…

4 days ago