


Something in common: two notorious Russian speaking hacking groups found sharing infrastructure with each other



Dubai: Press Release.

Kaspersky Lab experts have identified an overlap in cyberattacks between two infamous threat actors, GreyEnergy – which is believed to be a successor of BlackEnergy – and the Sofacy cyberespionage group. Both actors used the same servers at the same time, although for different purposes.

The BlackEnergy and Sofacy hacking groups are considered to be two of the major actors in the modern cyberthreat landscape. In the past, their activities often led to devastating national-level consequences. BlackEnergy inflicted one of the most notorious cyberattacks in history with their actions against Ukrainian energy facilities in 2015, which led to power outages. Meanwhile, the Sofacy group caused havoc with multiple attacks against US and European governmental organisations, along with national security and intelligence agencies. It had previously been suspected that there was a connection between the two groups, but this had not been proven until now, after GreyEnergy – BlackEnergy’s successor – was found to be using malware to attack industrial and critical infrastructure targets mainly in Ukraine, and demonstrated some strong architectural similarities with BlackEnergy.

Kaspersky Lab’s ICS CERT department, responsible for industrial systems threats research and elimination, found two servers hosted in Ukraine and Sweden, which were used by both threat actors at the same time in June 2018. The GreyEnergy group used the servers in its phishing campaign to store a malicious file. This file was downloaded by users as they opened a text document attached to a phishing e-mail. At the same time, Sofacy used the server as a command and control centre for its own malware. As both groups used the servers for a relatively short time, such a coincidence suggests a shared infrastructure. This was confirmed by the fact that both threat actors were observed to target one company a week after each other with spear phishing emails. What’s more, both groups used similar phishing documents under the guise of e-mails from the Ministry of Energy of the Republic of Kazakhstan.

“The compromised infrastructure found to be shared by these two threat actors potentially points to the fact that the pair not only have the Russian language in common, but that they also cooperate with each other. It also provides an idea of their joint capabilities and creates a better picture of their plausible goals and potential targets. These findings add another important piece into public knowledge about GreyEnergy and Sofacy. The more the industry knows about their tactics, techniques and procedures, the better security experts can do their job in protecting customers from sophisticated attacks,” said Maria Garnaeva, security researcher at Kaspersky Lab ICS CERT.

To protect businesses from attacks by such groups, Kaspersky Lab advises customers to:

•    Provide dedicated cybersecurity training for employees, educate them to always check the link address and the sender’s email before clicking anything.
•    Introduce security awareness initiatives, including gamified training with skills assessments and reinforcement through the repetition of simulated phishing attacks.
•    Automate updates of operating systems, application software and security solutions on systems that are part of the enterprise’s IT and industrial networks.
•    Deploy a dedicated protection solution, empowered with behavioural-based anti-phishing technologies, as well as anti-targeted attack technologies and threat intelligence, such as the Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies and giving cybersecurity teams full visibility over the network and response automation.

Date added: 2019-01-26