Researchers have found links between the BlackEnergy APT group and the threat actors behind the ExPetr malware used in last month’s global attacks. According to researchers at Kaspersky Lab, older versions of BlackEnergy’s KillDisk wiper and the ExPetr code share design features that, while weak indicators on their own, together point to a connection.
The parallels were first spotted in the lists of file extensions each malware family targets, researchers said. Kaspersky Lab, working in tandem with researchers from Palo Alto Networks, said they “focused on the similar extensions list and the code responsible for parsing the file system for encryption or wiping.”
“Together, we tried to build a list of features that we could use to make a YARA rule to detect both ExPetr and BlackEnergy wipers,” wrote researchers with Kaspersky Lab’s Global Research and Analysis Team in a post published late Friday. YARA is a pattern-matching tool widely used in malware research: an analyst writes rules made up of strings, byte sequences and a condition combining them, then scans files or directories for anything that matches.
“We took the results of automated code comparisons and pared them down to a signature that perfectly fit the mould of both in the hope of unearthing similarities. What we came up with is a combination of generic code and interesting strings that we put together into a cohesive rule to single out both BlackEnergy KillDisk components and ExPetr samples,” wrote researchers.
Examined one at a time, the overlaps between BlackEnergy’s KillDisk components and the ExPetr wiper are only “low confidence” similarities, researchers said. Combined into a single YARA rule, however, the same features become specific enough to single out both families.
“Of course, this should not be considered a sign of a definitive link, but it does point to certain code design similarities between these malware families,” they wrote.
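The approach described above, as an added example that is not Kaspersky Lab’s or Palo Alto Networks’ rule or code: a Python script that takes two constructed “samples”, extracts the printable strings and the code-like byte runs they share, discards anything that is also ubiquitous in a small clean set (PE header bytes, for instance), and emits a YARA rule whose condition requires several of the strings and at least one of the code runs. The samples, the extension list, the code bytes and the clean corpus are all made up for the demonstration; the strings of the real rule are not reproduced here. The script also counts how many files each feature hits on its own versus the combined condition, which is the low-confidence-individually, precise-in-combination effect the researchers describe.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed test data ---------------------------------------------------
# Stand-ins for two related wiper samples and a small "clean" corpus. None of
# these bytes come from KillDisk, ExPetr or any real binary; they only give the
# hunting logic below something to run against offline.
MZ_HEADER = b"MZ" + b"\x00" * 14                       # trivial DOS-header stand-in
EXT_LIST = b".doc\x00.docx\x00.xls\x00.xlsx\x00.pdf\x00.zip\x00.rar\x00.vmdk\x00"
CODE_STUB = bytes.fromhex("8bff558bec83ec10a100e00010ffd0c9c3")  # made-up x86 fragment

SAMPLE_A = MZ_HEADER + b"padding-a\x00" + EXT_LIST + b"\x90" * 8 + CODE_STUB + b"KillDisk-like tail"
SAMPLE_B = MZ_HEADER + b"different-prologue" + CODE_STUB + b"\xcc" * 4 + EXT_LIST + b"ExPetr-like tail"

CLEAN_CORPUS: Dict[str, bytes] = {
    # knows the same extensions, has no wiper code
    "office_viewer.exe": MZ_HEADER + b"Office document viewer\x00" + EXT_LIST + b"\x00" * 32,
    # shares the code fragment (think: a common library routine), no extension list
    "disk_tool.exe": MZ_HEADER + b"Disk utility\x00" + CODE_STUB + b"\x00" * 32,
    "notepad.exe": MZ_HEADER + b"Simple text editor\x00" + b".txt\x00.log\x00" + b"\x00" * 32,
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(blob: bytes) -> Set[bytes]:
    """ASCII strings of 4+ chars, the way `strings -n 4` would report them."""
    return set(ASCII_RUN.findall(blob))


def printable_ratio(chunk: bytes) -> float:
    return sum(0x20 <= c <= 0x7e for c in chunk) / len(chunk)


def shared_strings(a: bytes, b: bytes) -> Set[bytes]:
    return printable_strings(a) & printable_strings(b)


def shared_code_runs(a: bytes, b: bytes, n: int = 8) -> List[bytes]:
    """Maximal byte runs present in both samples that look like code, not text.
    Each byte n-gram of `a` is looked up in `b`; consecutive hits are merged."""
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    runs: List[bytes] = []
    start: Optional[int] = None
    for i in range(len(a) - n + 1):
        gram = a[i:i + n]
        hit = gram in grams_b and printable_ratio(gram) < 0.5
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            runs.append(a[start:i + n - 1])
            start = None
    if start is not None:
        runs.append(a[start:])
    return runs


def prevalence(feature: bytes, corpus: Dict[str, bytes]) -> float:
    """Fraction of corpus files containing the feature."""
    return sum(feature in blob for blob in corpus.values()) / len(corpus)


def select_features(a: bytes, b: bytes, clean: Dict[str, bytes],
                    max_prevalence: float = 0.5) -> Tuple[List[bytes], List[bytes]]:
    """Keep shared features unless they are so common in clean files that they
    carry no signal (the shared DOS header is the obvious case)."""
    strings = sorted(s for s in shared_strings(a, b) if prevalence(s, clean) <= max_prevalence)
    code = [c for c in shared_code_runs(a, b) if prevalence(c, clean) <= max_prevalence]
    return strings, code


def build_yara_rule(name: str, strings: List[bytes], code: List[bytes], min_strings: int) -> str:
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{s.decode("ascii")}" ascii')
    for i, run in enumerate(code):
        lines.append(f"        $c{i} = {{ {run.hex(' ')} }}")
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {min_strings} of ($s*) and any of ($c*)",
              "}"]
    return "\n".join(lines)


def rule_matches(blob: bytes, strings: List[bytes], code: List[bytes], min_strings: int) -> bool:
    """Pure-Python evaluation of the same condition the emitted rule expresses."""
    return (blob[:2] == b"MZ"
            and sum(s in blob for s in strings) >= min_strings
            and any(c in blob for c in code))


def hunt(min_strings: int = 6) -> dict:
    strings, code = select_features(SAMPLE_A, SAMPLE_B, CLEAN_CORPUS)
    corpus = dict(CLEAN_CORPUS, sample_a=SAMPLE_A, sample_b=SAMPLE_B)
    return {
        "strings": strings,
        "code": code,
        "rule": build_yara_rule("ConstructedSharedFeatures", strings, code, min_strings),
        # how many files each feature hits on its own, versus the combined rule
        "single_hits": {f: sum(f in blob for blob in corpus.values()) for f in strings + code},
        "rule_hits": sorted(n for n, blob in corpus.items()
                            if rule_matches(blob, strings, code, min_strings)),
    }


if __name__ == "__main__":
    result = hunt()
    print(result["rule"])
    for feature, hits in result["single_hits"].items():
        print(f"{feature!r}: {hits}/5 files")
    print("combined rule matches:", result["rule_hits"])
```

Run stand-alone, the script prints a rule that the `yara` command-line tool accepts, then shows that every extension string and the code fragment each match three of the five files (the clean viewer or disk tool included), while the combined condition matches only the two constructed samples. Matching two families with one rule demonstrates shared design, as the researchers caution, not shared authorship.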
The research could help determine who is behind ExPetr, the wiper malware that sabotaged thousands of PCs.
The BlackEnergy APT group has long been known to use zero-day exploits, destructive tools and malicious code targeting industrial control systems. It was behind the December 2015 attack on Ukraine’s power grid and a string of similar destructive attacks that have targeted that country over the past several years.
Over the last several days ExPetr has been reclassified as a wiper rather than the ransomware it was initially widely taken to be. While the malware displays a ransom note and encrypts data, it cannot decrypt a victim’s disk even if the ransom is paid: the “installation ID” shown to the victim is randomly generated and gives the attackers nothing from which to recover the decryption key.
“You can’t call an attack, with no possible way of decrypting files, a ransomware attack,” said Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, in a webinar with Comae Technologies’ Matt Suiche last week.
Similar research by ESET also found links between ExPetr and BlackEnergy. According to ESET, a group with ties to BlackEnergy called TeleBots was behind the ExPetr outbreak. It said the destructive final stage of the ExPetr attack mirrors the TeleBots group’s hallmark use of KillDisk. “In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks,” they wrote.
Both BlackEnergy and TeleBots have a history of targeting critical infrastructure and banks in Ukraine. The ExPetr outbreak is believed to have originated from the compromised update mechanism of M.E.Doc, a Ukrainian accounting software package. Also as part of the attack, a government website for the Ukrainian city of Bakhmut was compromised and used in a watering hole attack to spread the malware via a drive-by download.
“This low confidence but persistent hunch is what motivates us to ask other researchers around the world to join us in investigating these similarities and attempt to discover more facts about the origin of ExPetr/Petya,” Kaspersky Lab researchers wrote.
Separately, researchers at the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) believe the ExPetr attacks are likely the work of a state actor. In a statement issued June 30, the centre said, “the global outbreak of NotPetya (or ExPetr) malware on 27 June 2017 hitting multiple organisations in Ukraine, Europe, US and possibly Russia can most likely be attributed to a state actor.”
However, the NATO-accredited centre said, it is still unclear which state is behind the attacks, and the campaign does not clearly meet the legal threshold for prohibited intervention under international law. “There is a lack of a clear coercive element with respect to any government in the campaign, so prohibited intervention does not come into play,” the CCD COE statement asserted.
The statement notes that a cyberattack with real-world consequences comparable to an armed attack could trigger Article 5 of the North Atlantic Treaty, the alliance’s collective defence clause, which could include a military response. “However, there are no reports of such effects,” according to the CCD COE statement.