NotPetya linked to the Industroyer attack against energy infrastructure in Ukraine

Three of the most destructive incidents seen in modern cybersecurity are the work of the same APT

The Last year occurred the massive outbreak of NotPetya ransomware, which crippled the operations of organizations around the world. Apparently, this ransomware has direct links with the backdoor Industroyer, which targets industrial control systems (ICS) and toppled the Ukrainian electricity network in Kiev in 2016, as report by specialists in digital forensics.

In fact, the same malicious actors, a group of hackers known as Telebots, seem to be behind BlackEnergy attacks against Ukraine in 2015, which caused massive blackouts, just as Industroyer attack a year later.

NotPetya was unleashed in June of last year, and at first it was believed to be another global ransomware attack, similar to the WannaCry outbreak, but it turned out to be a wiper disguised as ransomware. While this malware has ransomware components, NotPetya cannot decrypt victims’ files, even if the ransom payment is made.

NotPetya claimed thousands of victims around the world, including top-profile companies in its areas, critical infrastructure providers and financial services organizations, attacking giants such as the pharmaceutical company Merck, or Maersk, the most important shipping company in the world.

According to Anton Cherepanov and Robert Lipovsky, experts in digital forensics, the malware BlackEnergy, responsible for the blackouts of 2015 in Ukraine, contains the same component of KillDisk encryption seen in the malware NotPetya, which is a Telebots trading mark.

“In the final stage of their attacks, the Telebots group always used KillDisk malware to overwrite files with specific file extensions on victims’ storage units”, the experts reported. They also discovered that the outbreak began to spread from companies hit by a backdoor of Telebots, after compromising financial software M.E.Doc, widely used in Ukraine.

On the other hand, Industroyer was the code used in the attacks against the Ukrainian electricity grid in December 2016. Both Industroyer and BlackEnergy attacked the same Ukrainian networks. There was no strong evidence linking the two codes with the same APT until the researchers discovered important similarities in the code, linking with Telebots through the analysis of a recent backdoor.

In fact, the most recently malware developed by Telebots, called Win32/Exaramel, appears to be an improved version of the backdoor Industroyer. It was detected while attacking an organization in Ukraine, extracting information. Win32/Exaramel copies files, automatically compresses and encrypts them and sends them to the command and control server (C2).

Analyzed in detail, the Code of WIN32/Exaramel shows the close relation that it saves with Industroyer.

For one, the backdoor Win32/Exaramel is initially implemented thanks to a dropper, which starts a Windows service called “Wsmprovav “, with the description “Windows Check AV”.

“The attackers are grouping their potential victims according to the security solutions they use”, the investigators said in a safety notice. “Similar behavior can be found in the Industroyer toolset, specifically, some of Industroyer’s backdoors also disguised themselves as an AV-related service, implemented with the name Avtask.exe, and the same grouping was used”.

Although researchers preferred not to say that these attacks are financed by some government, digital forensics experts from the International Institute of Cyber Security consider that these attacks could be attributable to the Russian intelligence agencies.