Evidence shows that three of the most destructive incidents in modern cyber-history are the work of a single Advanced Persistent Threat (APT) group.
The NotPetya ransomware that crippled organizations worldwide in 2017 turns out to have links to the Industroyer backdoor, which targets industrial control systems (ICS) and was used to take down part of the Ukrainian power grid in Kiev in 2016.
The same group, TeleBots (a.k.a. Sandworm), appears to be behind NotPetya, the 2015 BlackEnergy attack that also caused blackouts in Ukraine, and the Industroyer campaign a year later.
NotPetya was initially believed to be another global ransomware outbreak similar to WannaCry. While the malware displayed a ransom note, NotPetya cannot decrypt victims' disks, even if the ransom is paid.
According to ESET analysts Anton Cherepanov and Robert Lipovsky, the BlackEnergy malware responsible for the 2015 Ukraine blackout contains the same KillDisk component later seen in NotPetya, and KillDisk is a hallmark of the TeleBots group.
Industroyer (a.k.a. CrashOverride), meanwhile, is the malware used in the attack against the Ukrainian power grid in Dec. 2016. That attack and the 2015 BlackEnergy operation targeted the same Ukrainian networks (together, the 2015 and 2016 incidents are considered the only successful attacks on a power grid to date). However, there was no hard evidence tying the two to the same APT until ESET researchers this year uncovered strong code similarities, linking both to TeleBots through analysis of a recently discovered backdoor.
That backdoor, TeleBots' latest malware, dubbed Win32/Exaramel, is an improved version of the Industroyer backdoor. It was detected at an organization in Ukraine. It copies files, automatically compresses and encrypts them, and sends them to the command-and-control (C2) server.
The backdoor starts a Windows service named “wsmprovav,” with the description “Windows Check AV”.
“As can be seen from the first line of the configuration, the attackers are grouping their targets based on the security solutions in use,” ESET researchers said in a posting last week. “Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.”
Both malware families also use a report file for storing the resulting output of executed shell commands and launched processes.
“In the case of the Win32/Industroyer backdoor, the report file is stored in a temporary folder under a random filename,” the team explained. “In the case of the Win32/Exaramel backdoor, the report file is named report.txt and its storage path is defined in the backdoor’s configuration file.”
The main difference between the backdoor from the Industroyer toolset and the new TeleBots backdoor is that the latter uses XML for C2 communication and configuration instead of a custom binary format.
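The service-disguise details above (the wsmprovav service with description “Windows Check AV”, and the Industroyer backdoor deployed as avtask.exe) are the kind of indicator a defender can sweep for across a fleet. The following is an added example, not code from ESET or from the article: it triages a service inventory of the shape produced by `Get-CimInstance Win32_Service | Select Name,DisplayName,Description,PathName` exported to CSV, and flags the exact indicators named in the text. The sample inventory is constructed, and the fourth rule (an AV-themed service whose binary lives in a user-writable directory) is my own heuristic generalization of the “disguised as an AV-related service” pattern, not something the ESET report states.

```python
"""Sweep a Windows service inventory for the Exaramel / Industroyer
service-disguise indicators described in the text above."""
import csv
import io
import ntpath
import re

# Indicators taken from the text above.
EXARAMEL_SERVICE_NAME = "wsmprovav"                  # Exaramel service name
EXARAMEL_SERVICE_DESCRIPTION = "windows check av"    # its service description
INDUSTROYER_IMAGE_NAME = "avtask.exe"                # Industroyer backdoor disguise

# Heuristic (my assumption, not from the report): an "AV"-themed service whose
# executable sits in a directory normal users can write to.
AV_THEME = re.compile(r"\bav\b|antivirus", re.IGNORECASE)
USER_WRITABLE = ("\\temp\\", "\\users\\public\\", "\\appdata\\")

# Constructed sample inventory (CSV export of Win32_Service fields). The first
# two rows are genuine Windows services; the last two imitate the indicators.
SAMPLE_INVENTORY = """Name,DisplayName,Description,PathName
WinRM,Windows Remote Management (WS-Management),Windows Remote Management service,C:\\Windows\\System32\\svchost.exe -k NetworkService
WinDefend,Microsoft Defender Antivirus Service,Helps protect users from malware,"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"
wsmprovav,Windows Check AV,Windows Check AV,C:\\Windows\\Temp\\wsmprovav.exe
avsvc,AV Task Scheduler,Antivirus scheduled scan,C:\\Users\\Public\\avtask.exe
"""


def image_basename(pathname: str) -> str:
    """Return the lower-cased executable file name from a service PathName.

    PathName may be quoted ("C:\\Program Files\\x\\y.exe" /arg) or unquoted
    with trailing arguments (C:\\...\\svchost.exe -k NetworkService).
    """
    p = pathname.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        idx = p.lower().find(".exe")
        p = p[: idx + 4] if idx != -1 else p.split(" ", 1)[0]
    return ntpath.basename(p).lower()


def triage_services(inventory_csv: str) -> dict[str, list[str]]:
    """Return {service name: [reasons]} for every service matching an indicator."""
    findings: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["Name"].strip()
        desc = row["Description"].strip()
        path = row["PathName"].strip()
        reasons = []
        if name.lower() == EXARAMEL_SERVICE_NAME:
            reasons.append("service name matches Exaramel (wsmprovav)")
        if desc.lower() == EXARAMEL_SERVICE_DESCRIPTION:
            reasons.append('service description matches Exaramel ("Windows Check AV")')
        if image_basename(path) == INDUSTROYER_IMAGE_NAME:
            reasons.append("image name matches Industroyer disguise (avtask.exe)")
        av_themed = AV_THEME.search(desc) or AV_THEME.search(row["DisplayName"])
        if av_themed and any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("AV-themed service running from a user-writable path (heuristic)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in triage_services(SAMPLE_INVENTORY).items():
        print(service)
        for r in reasons:
            print("  -", r)
```

Match the service name exactly rather than on a prefix: wsmprovav is chosen to blend in next to the legitimate WinRM provider host (wsmprovhost.exe), so a loose `wsmprov*` match would page you for normal Remote Management activity. The exact-name and exact-description rules are only as durable as the attacker's naming, which is why the path heuristic is worth keeping alongside them even though it is not part of the published indicators.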
“The ESET report is significant because it ties a single group of GRU threat actors to several major cyberattacks, including the first Ukrainian grid attack in 2015 (BlackEnergy), the second grid attack in 2016 (Industroyer), and NotPetya which disabled production facilities worldwide in 2017 and has been called the most devastating cyberattack in history,” he said via email.