GreyEnergy malware has ‘massive amounts of junk code’ meant to confuse researchers

Attackers are persistent, but so are reverse engineers.

The investigation of the network of hackers generally associated with the seminal 2015 cyberattack on the Ukrainian power grid continues. A researcher has reverse-engineered malware used by a subgroup of those attackers and found “massive amounts of junk code” meant to throw analysts off the trail.

“The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed,” Alessandro Di Pinto, a researcher at industrial cybersecurity company Nozomi Networks, wrote in a paper published Tuesday.

The malware Di Pinto analyzed is the handiwork of GreyEnergy, a likely derivative of the hacking group known as BlackEnergy, which Western governments have attributed to Russian military intelligence. (Both the groups and the malware they deployed have been referred to as BlackEnergy and GreyEnergy.)

BlackEnergy was behind the first known cyberattack to cause a blackout when 225,000 people lost power in Ukraine in 2015. After Slovak cybersecurity company ESET unmasked GreyEnergy last October, Di Pinto rolled up his sleeves and started analyzing one of the group’s phishing lures.


The email examined by Di Pinto had a malicious Microsoft Word document that planted a backdoor, or remote-access portal, on a victim’s network. After the victim opens the Word document and clicks “enable content,” malicious code is downloaded remotely, according to Di Pinto. The download was a “packer” – or a bundle of program-running files used by the hackers to hide their malware.

While Di Pinto said GreyEnergy was clever in the tactics and tools it employed, the infection vector — a phishing email — is anything but complicated.

“Based on how well the malware disguises itself once it infects a system, the best way for industrial organizations to protect themselves from the GreyEnergy APT is to train employees on the dangers of email phishing campaigns, including how to recognize malicious emails and attachments,” Di Pinto wrote.

Analysts have yet to identify iterations of GreyEnergy that specifically target industrial control systems (ICS). However, Di Pinto notes that hackers scoping industrial organizations often breach IT systems to do reconnaissance on the ICS.

“GreyEnergy has the potential to impact critical sectors beyond industrial infrastructure, such as the financial services sector, making understanding it important,” he wrote.


His work shows that while attackers can be very persistent, so, too, are the analysts tracking them.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
