The massive NotPetya ransomware outbreak that crippled organizations around the world last year turns out to have links to the Industroyer backdoor, which targets industrial control systems (ICS) and took down the Ukrainian power grid in Kiev in 2016.
In fact, the same threat actor – dubbed TeleBots (a.k.a. Sandworm) by ESET researchers – appears to be behind NotPetya, the 2015 BlackEnergy attack that also caused blackouts in Ukraine, and the Industroyer campaign a year later.
NotPetya (a.k.a. ExPetr) broke out last June, and was initially believed to be another global ransomware attack on par with WannaCry – but it turned out to be a wiper in disguise. While the malware has a ransomware component, NotPetya can’t decrypt victims’ disk, even if a payment is made.
It claimed thousands of victims worldwide, including some of the highest-profile manufacturers, critical infrastructure providers and financial services organizations – tying up giants like the Merck pharmaceutical company and Maersk, the shipping behemoth.
According to ESET analysts Anton Cherepanov and Robert Lipovsky, the BlackEnergy malware responsible for the 2015 Ukraine blackout contains the same KillDisk encryption component seen in the NotPetya malware, which is a hallmark of the TeleBots group.
“In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks,” they wrote last year. They also discovered that the outbreak started spreading from companies afflicted with a TeleBots backdoor, resulting from the compromise of the financial software M.E.Doc, popular in Ukraine.
Meanwhile, Industroyer (a.k.a. Crash Override) is the code used in attacks against the Ukrainian power grid in Dec. 2016. That attack and the 2015 BlackEnergy offensive targeted the same Ukrainian networks (and together, the 2015 and 2016 incidents are considered the only successful hacks of an energy grid to date); however, no hard evidence has been seen to tie the two to the same APT until ESET researchers this year uncovered strong code similarities, tying them both to TeleBots through an analysis of a recent backdoor.
In fact, TeleBots’ latest malware, dubbed Win32/Exaramel, shows it to be an improved version of the Industroyer backdoor. It was detected at an organization in Ukraine (though not an industrial facility), exfiltrating information. It copies files, automatically compresses and encrypts them and sends them off to the command-and-control (C2) server; and it’s being used with some of TeleBots’ older tools, including a custom password stealer, and a slightly-modified Mimikatz.
A closer look under the hood revealed there are several aspects in the code that show it to be closely related to Industroyer.
For one, the Win32/Exaramel backdoor is initially deployed by a dropper, they found, which starts a Windows service named “wsmprovav,” with the description “Windows Check AV”.
“As can be seen from the first line of the configuration, the attackers are grouping their targets based on the security solutions in use,” ESET researchers said in a posting last week. “Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.”
Once the backdoor is running, it connects to its C2 server and receives various commands to be executed. The code of the command loop and implementations of the first six commands (launch process, launch process under specified Windows user, write data to a file in specified path, copy file into storage sub-directory (Upload file), execute shell command and execute shell command as specified Windows user) are very similar to those found in a backdoor used in the Industroyer toolset, according to ESET.
Both malware families also use a report file for storing the resulting output of executed shell commands and launched processes.
“In case of the Win32/Industroyer backdoor, the report file is stored in a temporary folder under a random filename,” the team explained. “In the case of the Win32/Exaramel backdoor, the report file is named report.txt and its storage path is defined in the backdoor’s configuration file.”
There are other similarities. For instance, in order to redirect standard output (stdout) and standard error (stderr) to the report file, both backdoors set the hStdOutput and hStdError parameters to a handle of the report file.
Meanwhile, the main difference between the backdoor from the Industroyer toolset and the new TeleBots backdoor is that the latter uses XML format for communication and configuration instead of a custom binary format.
“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics,” ESET researchers said. “The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly-presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”
While ESET declined to attempt nation-state attribution for the TeleBots APT, Phil Neray, vice president of Industrial Cybersecurity at CyberX, said that he believes Russian intelligence to be behind this hat-trick of destructive incidents.
“The ESET report is significant because it ties a single group of GRU threat actors to several major cyberattacks, including the first Ukrainian grid attack in 2015 (BlackEnergy), the second grid attack in 2016 (Industroyer), and NotPetya which disabled production facilities worldwide in 2017 and has been called the most devastating cyberattack in history,” he said via email.