GreyEnergy, Sofacy Share Tools and Techniques

22 - 29 January 2019

Recent research has indicated possible linkages between two prolific advanced persistent threat groups that likely operate out of Russia. GreyEnergy, a group that targeted Industrial Control Systems mainly in Ukraine, is found to have used the same infrastructure as Zebrocy, which is a subset of the Sofacy group (aka APT28, Fancy Bear, Sednit). GreyEnergy and Zebrocy not only used the same server to host phishing documents and malware C&C, but they also targeted the same organisation in Kazakhstan in June 2018. Researchers have previously suspected that GreyEnergy operates in parallel with the TeleBots group, which is responsible for various destructive ransomware campaigns, including NotPetya. Meanwhile, Zebrocy activity has been detected since 2015 and has largely targeted government entities in the Middle East, Europe and Asia.
