GreyEnergy has been active at least since 2015, it conducted reconnaissance and cyber espionage activities in Ukraine and Poland, it focused its activities on energy and transportation industries, and other high-value targets.
“Both sets of activity used the same servers at the same time and targeted the same organization”
The GreyEnergy APT group leverages the GreyEnergy malware, a malicious code that implements a modular architecture to extend its capabilities by adding the appropriate modules. Experts pointed out that even if the malware hasn’t modules specifically designed to target ICS, the group has been targeting industrial workstations and SCADA systems.
Experts at Kaspersky Lab have discovered that GreyEnergy and Zebrocy were using the same command and control (C&C) infrastructure, both used the same IP addresses associated with servers in Ukraine and Sweden.
The two malware were used simultaneously in June 2018 and both have been used in attacks aimed at a number of industrial companies in Kazakhstan. One of the attacks was carried out in June 2018.
The spear-phishing messages that were used in the attacks that involved both malware used similar documents that purported to come from Kazakhstan’s Ministry of Energy.
“Though no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as has been suggested before by some public analysis,” concludes Kaspersky.
The discovery made by Kaspersky is very important and shows the alleged evolution of the threats.
Sharing information about these APT groups and their