A software toolkit used in an expansive cyberattack that affected hundreds of organizations across Eastern Europe Tuesday has been linked to a hacking group known as BlackEnergy APT or Telebots, security researchers tell CyberScoop.
This threat actor was also responsible for a similar attack dubbed “NotPetya” which largely affected Ukraine and was designed to wipe data from computers rather than collect ransoms when it was executed in June.
Experts say BlackEnergy APT acts in the interests of the Kremlin. In the past, the group has repeatedly attacked Ukrainian organizations, including the country’s critical infrastructure sector.
The latest variant of ransomware flooding across Europe is named “BadRabbit.” It requires that victims infected with the malware send bitcoin to an anonymous digital wallet in order to unlock their systems — until payment is received, affected computers remain largely unusable.
“It appears that the two [ransomware] attacks are connected,” said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab. “According to our analysis, this toolkit has been used only by the ExPetr/NotPetya guys.”
BadRabbit’s spread disrupted hundreds of companies because the attack encrypted data on computers, thereby locking out users from normal operations. It propagated using a well-known data exfiltration tool and through old vulnerabilities in Microsoft’s SMB process.
Most of the machines affected by this incident are based in Russia and Ukraine, according to separate research conducted by cybersecurity firms ESET, Kaspersky Lab and IB Group. Victims of BadRabbit include the Kiev metro, Ukraine’s Ministry of Infrastructure and Odessa International Airport, as well as a number of state and media organizations in Russia.
While early indications suggest that BlackEnergy APT infected a series of Russian news websites to cause them to dispense BadRabbit ransomware to unknowing visitors, a full investigation and further analysis is ongoing.
It’s possible, for example, that a subsegment of all organizations affected by the ransomware were in fact infected differently than through a strategic website compromise, explained Robert Lipvosky, a senior security researcher with ESET, and that they received unique payloads.
“There may be a secondary attack vector,” Raiu agreed.
Evidence uncovered by both Moscow-based Kaspersky Lab and U.S. firm FireEye suggests the attackers had planned the BadRabbit attack for months. According to a statement provided by FireEye, the attackers may have begun preparing for the operation at least as early as February 2017. Kaspersky separately found that a large list of websites were hacked and injected with BlackEnergy APT’s hacking toolkit since July.
IB Group, ESET and U.S. cybersecurity company CrowdStrike similarly found that the hackers behind NotPetya are connected to BadRabbit.
In a blog post written by researchers with IB Group, the company noted that “during analysis, it became clear that Bad Rabbit is a modified version of NotPetya, with changes to the encryption algorithm … these similarities suggest a link between Bad Rabbit and BlackEnergy campaigns.”
BadRabbit was built with computer code that was first used in NotPetya, according to Jay Rosenberg, a senior security researcher with Israeli security firm Intezer Labs. There’s additional overlap between the two viruses because they were shared through the same website in at least one case.
The primary differences between the two viruses, according to experts, is that BadRabbit was configured without a destructive function and will display a unique message that requires victims to visit a Tor hidden service website where they can pay a ransom of .5 bitcoin to regain access.
BadRabbit, unlike NotPetya, also did not incorporate EternalBlue, a leaked NSA exploit published by a mysterious group known as The Shadow Brokers, which allowed for viruses to propagate through SMB.