Analysis & Insights

Government

GreyEnergy, Sofacy Share Tools and Techniques

22 - 29 January 2019

Recent research has indicated possible linkages between two prolific advanced persistent threat groups that likely operate out of Russia. GreyEnergy, a group that has targeted Industrial Control Systems mainly in Ukraine, has been found to have used the same infrastructure as Zebrocy, a subgroup of the Sofacy group (aka APT28, Fancy Bear, Sednit). GreyEnergy and Zebrocy not only used the same server to host phishing documents and malware command-and-control (C&C), but they also targeted the same organisation in Kazakhstan in June 2018. Researchers have previously suspected that GreyEnergy operates in parallel with the TeleBots group, which is responsible for various destructive attacks disguised as ransomware, including NotPetya. Meanwhile, Zebrocy activity has been detected since 2015 and has largely targeted government entities in the Middle East, Europe and Asia.
