The advanced persistent threat (APT) group GreyEnergy has been a thorn in the side of the Eastern European industrial sector for years. In Ukraine and Poland in particular, GreyEnergy has compromised industrial control system (ICS) environments while staying largely undetected. That stealth comes from the way the group builds and packs its malware; the initial foothold comes from phishing emails.
Both of these points stayed unclear for some time, but research from Nozomi Networks is slowly unraveling the mystery. In a post on Nozomi's blog, researcher Alessandro Di Pinto describes how GreyEnergy social-engineers its way into ICS networks and how its malware is engineered to resist analysis and evade detection.
As mentioned above, the malware arrives through phishing emails, specifically emails carrying Office documents with embedded macros. The documents are written in Ukrainian (and likely other languages) and prompt the recipient to click "Enable Content". If the victim does so, the familiar chain of events follows: the macro executes, the malicious payload is installed on the host, and the intrusion into the network begins.
What sets the GreyEnergy campaign apart from run-of-the-mill phishing, according to Di Pinto, is the care with which the malware is packed and protected. He explains:
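Since the lure is an Office document whose macro only runs after the victim clicks "Enable Content", a mail gateway or IR triage script can flag such attachments before anyone sees the prompt. The following is an added example (not code from Nozomi's report or from the GreyEnergy samples it analyses) that inspects the OOXML zip container used by .docx/.docm/.xlsm files: a VBA project is stored as a vbaProject.bin part, and the main part is declared with a macroEnabled content type in [Content_Types].xml. The function names, the verdict strings and the sample documents built by build_sample are this example's own constructions, and the placeholder vbaProject.bin is not a real VBA project.

```python
"""Triage Office attachments for embedded VBA macros by container content.

Added example: it reads the OOXML (zip) container rather than trusting the
file extension, and escalates legacy OLE files, whose macros live in OLE
streams that need a dedicated parser such as oletools' olevba.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (CFB) signature
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm) container
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
NON_MACRO_EXTENSIONS = ("docx", "xlsx", "pptx", "doc", "xls", "ppt")


def triage_office_file(data: bytes, filename: str) -> dict:
    """Classify one attachment by its bytes. Returns a verdict dict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: a definitive answer needs an OLE/VBA parser,
        # so hand it to a human or to olevba instead of guessing.
        return {"format": "ole", "has_vba": None,
                "flags": ["needs-ole-parser"], "verdict": "review"}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "other", "has_vba": False, "flags": [], "verdict": "pass"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return {"format": "other", "has_vba": False,
                "flags": ["corrupt-container"], "verdict": "review"}
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    macro_ctype = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    has_vba = bool(vba_parts) or macro_ctype
    flags = []
    if vba_parts:
        flags.append("vba-part:" + ",".join(vba_parts))
    if macro_ctype:
        flags.append("macro-content-type")
    # Office trusts the container's declared content types, not the file name,
    # so a macro document renamed to a "safe" extension still carries its VBA.
    if has_vba and ext in NON_MACRO_EXTENSIONS:
        flags.append("extension-mismatch")
    verdict = "quarantine" if has_vba else "pass"
    return {"format": "ooxml", "has_vba": has_vba, "flags": flags, "verdict": verdict}


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real lure."""
    main_ct = (MACRO_CONTENT_TYPES[0] if with_vba else
               "application/vnd.openxmlformats-officedocument."
               "wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_vba:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>'
              f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes only; a real part is an OLE container with VBA streams.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("report.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 64)):
        print(name, triage_office_file(blob, name))
```

The check is deliberately conservative: it answers "does this container declare or carry a VBA project?" and escalates what it cannot decide, rather than trying to parse VBA source, which is where a tool such as olevba or a sandbox takes over.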
"Having completed my analysis, it's evident that the GreyEnergy packer does a great job of slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were wisely selected. For example, the threat actor chose to implement custom algorithms that are not too difficult to defeat, but they are hard enough to protect the malicious payload. Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underlines the attacker's attempt to stay stealthy and have the infection go unnoticed."
The full report is worth reading, especially for anyone working in ICS security. Given how heavily Ukraine has been hit by GreyEnergy, security teams there should treat this research as top-priority reading.