
Kaspersky Lab experts have identified a link between cyber attacks by two infamous cyber-espionage groups: GreyEnergy (apparently the successor to the BlackEnergy group) and Sofacy. Both used the same servers at the same time, but each for a different purpose.

The BlackEnergy and Sofacy groups are among the most wanted actors in the modern global cyber-crime scene. In the past, they have been involved in activities with far-reaching consequences for the infrastructure of several countries. The BlackEnergy group was behind one of the most famous cyber-attacks in history: its 2015 attacks on a Ukrainian power plant caused power outages. The second group, Sofacy, has caused quite a stir with its attacks on US and European government organizations, which have not escaped the attention of national security and intelligence agencies. Professional cyber-security circles have long speculated that there is a link between the two groups, but so far there has been no evidence. Now it turns out that GreyEnergy (the successor of the BlackEnergy group) uses malware very similar to the Sofacy tool in attacks on predominantly Ukrainian industrial companies and critical infrastructure components.

Kaspersky Lab ICS CERT, a special team that, as the article states, focuses on researching and eliminating threats to industrial systems, has found two servers hosted in Ukraine and Sweden, both in use at the same time in June 2018. The GreyEnergy group used the servers in its phishing campaign to host a malicious file, which was downloaded to users' machines after they opened a text document attached to a phishing e-mail. At the same time, Sofacy used the same server as a command-and-control (C&C) center for its own malware. Because both groups used the servers for only a relatively short period of time, it is likely that they share infrastructure. This is supported by the fact that both groups targeted the same company with spear-phishing e-mails within a single week, and that they also used similar phishing e-mails purporting to come from the Kazakhstan Energy Ministry.
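The reasoning in the paragraph above, two actors seen on the same host during overlapping time windows, is the kind of check a threat-intelligence analyst scripts over indicator sightings. The following is an added example and is not Kaspersky's code or data: the actor names come from the article, while the hosts (documentation IP ranges), roles and dates are constructed placeholders. It flags every host that two different actors used with overlapping activity windows, so a host used by both but months apart is not reported.

```python
"""Find infrastructure shared by two actors with overlapping activity windows.

Added example; sightings below are constructed, not real indicators.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sighting:
    actor: str          # who was observed using the host
    host: str           # server (IP or domain) the actor used
    role: str           # what the host was used for, e.g. "payload_host" or "c2"
    first_seen: datetime
    last_seen: datetime


def shared_infrastructure(sightings, min_overlap=timedelta(0)):
    """Return hosts used by more than one actor at overlapping times.

    Two sightings overlap when the later start is no later than the earlier
    end; windows that merely touch count when min_overlap is zero.
    """
    by_host = {}
    for s in sightings:
        by_host.setdefault(s.host, []).append(s)

    findings = []
    for host, items in sorted(by_host.items()):
        items = sorted(items, key=lambda s: s.first_seen)
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if a.actor == b.actor:
                    continue  # same actor reusing its own server is not a cross-actor link
                start = max(a.first_seen, b.first_seen)
                end = min(a.last_seen, b.last_seen)
                if end - start >= min_overlap:
                    findings.append({
                        "host": host,
                        "actors": tuple(sorted((a.actor, b.actor))),
                        "roles": {a.actor: a.role, b.actor: b.role},
                        "overlap_start": start,
                        "overlap_end": end,
                    })
    return findings


# Constructed sightings (placeholder hosts from RFC 5737 documentation ranges).
SAMPLE_SIGHTINGS = [
    # Host A: GreyEnergy hosts a payload, Sofacy runs C2 on it the same month.
    Sighting("GreyEnergy", "203.0.113.10", "payload_host",
             datetime(2018, 6, 4), datetime(2018, 6, 12)),
    Sighting("Sofacy", "203.0.113.10", "c2",
             datetime(2018, 6, 8), datetime(2018, 6, 20)),
    # Host B: only one actor, so no cross-actor link.
    Sighting("GreyEnergy", "198.51.100.7", "payload_host",
             datetime(2018, 6, 1), datetime(2018, 6, 30)),
    # Host C: both actors, but months apart, so not reported.
    Sighting("GreyEnergy", "192.0.2.33", "payload_host",
             datetime(2018, 3, 1), datetime(2018, 3, 10)),
    Sighting("Sofacy", "192.0.2.33", "c2",
             datetime(2018, 6, 1), datetime(2018, 6, 5)),
]


def overlap_days(finding):
    """Length of the shared window in whole days."""
    return (finding["overlap_end"] - finding["overlap_start"]).days


if __name__ == "__main__":
    for f in shared_infrastructure(SAMPLE_SIGHTINGS):
        print(f"{f['host']}: {f['actors']} overlap "
              f"{f['overlap_start']:%Y-%m-%d}..{f['overlap_end']:%Y-%m-%d} "
              f"roles={f['roles']}")
```

Raising `min_overlap` (for example to a few days) filters out coincidental one-day overlaps on bulletproof or widely abused hosting, which is the main false-positive source for this kind of pivot.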

“The finding of shared infrastructure by the BlackEnergy and Sofacy groups points to a stronger link between the two actors. It gives us a deeper insight into the activities of these Russian-speaking groups, their capabilities, potential goals and victims,” says Mária Garnaeva, a security expert at Kaspersky Lab.

To avoid becoming victims of such attacks, Kaspersky Lab experts recommend that companies:

  • Train employees in cyber security. In particular, focus on handling suspicious e-mails that come from unknown senders and contain links or attachments.
  • Introduce cyber-awareness programs that are engaging for employees and test their knowledge and skills in practice.
  • Automate the deployment of updates to operating systems, applications, software, and security solutions that are part of both IT and OT infrastructure.
  • Use a dedicated security solution that includes behavioral anti-phishing technology and protection against targeted attacks, for example Kaspersky Threat Management and Defense, which also detects advanced threats and network anomalies.