Hacker groups share servers for cyber attacks, says Kaspersky

Jan 25, 2019

GreyEnergy (believed to be the successor to BlackEnergy) and Sofacy, two well-known threat groups, have been using the same servers for different purposes, according to a discovery by security company Kaspersky Lab that points to an overlap in the two groups' attack infrastructure.


According to Kaspersky, these two groups are considered major players in the modern threat landscape, and their past activities have often had devastating consequences. In 2015, BlackEnergy carried out one of the most notorious cyberattacks in history against Ukrainian electrical installations, causing power outages in parts of the country. Around the same time, the Sofacy group caused major disruption with a series of attacks on US and European government, intelligence and national security agencies.


"There was already a suspicion of a connection between the two groups, but this had not been proven until now, after it was discovered that GreyEnergy was using malware to attack industrial and critical infrastructure targets, especially in Ukraine, and that its architecture shows strong similarities to BlackEnergy," the company said in a statement.


Kaspersky Lab's industrial security team (ICS CERT), which researches and mitigates threats to these systems, found two servers, hosted in Ukraine and Sweden, that were used by both groups at the same time in June 2018. GreyEnergy used the servers in a phishing campaign to host a malicious file: a text document attached to the phishing e-mail downloaded and ran the file when the recipient opened it. At the same time, Sofacy used the same servers as command-and-control infrastructure for its own malware. Because both groups used the servers for only a short period, the simultaneous use is hard to explain as coincidence and points to shared infrastructure. This was further supported by the fact that the two groups targeted the same company with spear-phishing e-mails within the same few weeks. In addition, both groups used similar phishing documents disguised as correspondence from the Ministry of Energy of the Republic of Kazakhstan.


"The compromised infrastructure shared by these two specialized groups possibly indicates that they not only have the Russian language in common but also work in mutual cooperation. It also gives an idea of their joint capability and produces a clearer picture of their goals and possible targets. These findings add another important piece to the public knowledge about GreyEnergy and Sofacy. The more the industry knows about their tactics, techniques and procedures, the better security experts can work to protect customers from sophisticated attacks," said Maria Garnaeva, security researcher at Kaspersky Lab ICS CERT.
