Government

Researchers link tools used in NotPetya and Ukraine grid hacks

New research provides evidence that a group with Russian military ties was involved with the NotPetya and BlackEnergy incidents in Ukraine.

By Sean Lyngaas

October 11, 2018

Multiple ENTSO-E members in Europe said they were investigating the incident. (Getty images)

New research provides evidence linking some of the most impactful cybersecurity incidents on record – the 2015 and 2016 attacks on the Ukrainian power grid and the 2017 NotPetya malware outbreak – to the same set of hackers that Western governments have linked to the Russian government.

Researchers from cybersecurity company ESET say they have laid out the first concrete, public evidence of those ties, citing a pattern of “backdoors” — or tools for remote access — used by the hackers.

In April, ESET researchers found that the group, which they dub TeleBots, was trying to set up a new backdoor. ESET says this backdoor, known as Win32/Exaramel, is an “improved version” of the “Industroyer” backdoor used in the 2016 attack on the Ukrainian power sector, which knocked out at electrical substation outside of Kiev. The 2015 attack on the Ukrainian grid, using the group’s custom BlackEnergy malware, cut power for some 225,000 people.

The group is also referred to as “Sandworm” by other cybersecurity firms.

The Win32/ Exaramel backdoors were spotted at “an organization that is not an industrial facility,” ESET’s Anton Cherepanov wrote in a blog post Thursday. The company shared its findings with Ukrainian authorities and “thanks to this cooperation the attack was successfully localized and prevented,” he added.

“The main difference between the backdoor from the Industroyer toolset and this new TeleBots backdoor is that the latter uses XML format for communication and configuration instead of a custom binary format,” Cherepanov wrote. The two backdoors have strong similarities in their code, according to ESET.

“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics,”Cherepanov added.

Another TeleBots backdoor was integral to NotPetya, according to ESET. In June 2017, the wiper malware infected accounting software in Ukraine and spread to dozens of countries while disrupting pharmaceutical and shipping companies. NotPetya, for which the U.S. and British governments blamed the Russian military, cost shipping giant Maersk an estimated $300 million.

The ESET research comes a week after the Department of Justice announced charges against seven Russian military officers for hacking operations that targeted anti-doping agencies and a chemical testing lab, among other organizations. Western government officials and security analysts have linked those military officers to the same broad set of Russian hackers covered by the ESET research.

John Hultquist, director of threat intelligence at FireEye, on Thursday said the Sandworm hackers had split their operations into two broad categories in recent years.

“After they cut off the power [in Ukraine] they went two directions: more complex attack on [industrial control systems] and simpler but highly effective ransomware attacks against larger pools of targets,” Hultquist tweeted.